The Open Web Application Security Project (OWASP) is a non-profit foundation devoted to web application security. One of OWASP's guiding principles is that all of their resources should be freely available and simple to find on their website, enabling anyone to increase the security of their own web applications. They provide forums, tools, videos, and documentation among other things. The OWASP Top 10, a report outlining security concerns for web application security, and the OWASP API Security Top 10, which lists the most prevalent API security risks, are two key projects the OWASP is known for.
With API-related security incidents and breaches increasing at a fast pace in recent years, it’s no surprise that application programming interface (API) security has become top of mind for organizations and media outlets alike.
At the end of 2019, OWASP released the first-ever API Security Top 10 to raise awareness about the most common API security risks plaguing organizations. The list served as a point of reference for the industry for the past four years, but the speed at which the API security landscape has evolved made the need for some key changes to the OWASP API Security Top 10 abundantly clear. The updated list was published in June 2023.
In March 2023, the Salt Labs research team reported a 400% increase in unique API attackers targeting Salt customers within just six months in its State of API Q1 2023 report. But API attacks have not only grown in number; they have also changed in nature. Bad actors now target the business logic behind APIs, often taking a low-and-slow approach and employing sophisticated methods to carry out attacks over long periods of time. In fact, today’s API attacks can last days, weeks or even months.
With that in mind, OWASP has released a new OWASP API Security Top 10 in 2023. The 2023 list compiles and explains the most recent and pressing security threats facing today’s complex API ecosystem.
In this blog series, we will dig into each of the OWASP API Security Top 10 vulnerabilities in detail and provide real-life examples and industry insights to help you understand how to protect your organization from the threats targeting APIs and API-based applications.
Broken object level authorization stems from a lack of proper access controls on API endpoints allowing unauthorized users to access and modify sensitive data. BOLA is represented in about 40% of all API attacks and is the most common API security threat. Broken object level authorization API vulnerabilities have been number one on the OWASP list since 2019 and have kept their top spot in the 2023 version.
Broken authentication enables attackers to use stolen authentication tokens, credential stuffing, and brute-force attacks to gain unauthorized access to applications. This API authentication security vulnerability has kept its number two spot on the OWASP list since 2019.
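The controls that blunt the three attack paths named above (stolen tokens, credential stuffing, brute force) are concrete enough to show in code. The following is an added example written for this post, not code from OWASP or Salt: tokens are signed with HMAC-SHA256 and expire, so a tampered or stale token is rejected; passwords are stored as salted PBKDF2 hashes and compared in constant time; and an account locks after a fixed number of failures. The signing key, the `alice` account and the limits are constructed values.

```python
"""Authentication hardening: signed expiring tokens, slow password hashing,
constant-time comparison and per-account lockout.

Added example with constructed secrets and accounts; a real service keeps the
signing key in a secret store and the failure counters in shared storage.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SERVER_SECRET = b"constructed-example-signing-key"  # constructed, not a real key
TOKEN_TTL = 900            # token lifetime in seconds; bounds the value of a stolen token
PBKDF2_ROUNDS = 100_000
MAX_FAILURES = 5           # failed logins before the account is locked
LOCKOUT_SECONDS = 300


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, now: Optional[float] = None) -> str:
    """Return '<body>.<sig>' where sig is HMAC-SHA256 over the base64 body."""
    now = time.time() if now is None else now
    payload = {"sub": subject, "exp": int(now) + TOKEN_TTL}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject only if the signature matches and the token is unexpired."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: wrong shape, bad base64, or not JSON
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload.get("sub")


def hash_password(password: str):
    """Salted PBKDF2-SHA256; the cost makes offline guessing slow."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


ACCOUNTS = {"alice": hash_password("correct horse battery staple")}  # constructed account
_failures = {}  # username -> (failed_count, locked_until)


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Return a token on success, None on failure or while the account is locked."""
    now = time.time() if now is None else now
    count, locked_until = _failures.get(username, (0, 0.0))
    if now < locked_until:
        return None  # locked: credential stuffing and brute force stall here
    stored = ACCOUNTS.get(username)
    # Hash even for unknown users so response time does not reveal valid names.
    salt, digest = stored if stored else (b"\0" * 16, b"\0" * 32)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if stored is not None and hmac.compare_digest(candidate, digest):
        _failures.pop(username, None)
        return issue_token(username, now)
    count += 1
    locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
    _failures[username] = (count, locked_until)
    return None
```

Per-account lockout on its own lets an attacker lock a victim out, so a deployment pairs it with per-source throttling; the point of the example is that every check (signature, expiry, hash comparison, failure count) happens on the server.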
Broken Object Property Level Authorization combines two categories from the 2019 list under which attackers gain unauthorized access to sensitive information: Excessive Data Exposure (previously number 3 in the 2019 OWASP API Security Top 10) and Mass Assignment (previously sixth in the 2019 list). Both techniques rely on manipulating API endpoints to reach sensitive data.
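Both halves of this category come down to the same missing control: an allowlist of properties per caller, applied on the way out (what a response exposes) and on the way in (what a request may set). The following added example, written for this post rather than taken from OWASP or Salt, shows a user endpoint with the exposed form of each defect next to the fixed one. The user record, the field sets and the requester ids are constructed.

```python
"""Property-level authorization: allowlist what a response exposes and what a
request may set.

Added example; the user record, field sets and requester ids are constructed.
"""
from typing import Dict, List

# Constructed server-side user record.
USER_RECORD = {
    "id": 7,
    "username": "alice",
    "display_name": "Alice",
    "email": "alice@example.test",
    "password_hash": "<constructed placeholder hash>",
    "is_admin": False,
    "credit_balance": 120.0,
}

PUBLIC_FIELDS = {"id", "username", "display_name"}          # readable by anyone
OWNER_FIELDS = PUBLIC_FIELDS | {"email", "credit_balance"}  # readable by the user themself
SELF_WRITABLE = {"display_name", "email"}                   # settable by the user themself


def serialize_user_vulnerable(record: Dict) -> Dict:
    """Excessive data exposure: the whole stored object becomes the response."""
    return dict(record)


def serialize_user(record: Dict, requester_id: int, requester_is_admin: bool = False) -> Dict:
    """Expose only the properties this requester is entitled to read."""
    if requester_is_admin:
        allowed = set(record) - {"password_hash"}  # no caller ever needs the hash
    elif requester_id == record["id"]:
        allowed = OWNER_FIELDS
    else:
        allowed = PUBLIC_FIELDS
    return {k: v for k, v in record.items() if k in allowed}


def update_user_vulnerable(record: Dict, payload: Dict) -> Dict:
    """Mass assignment: every key in the request body lands on the model."""
    updated = dict(record)
    updated.update(payload)
    return updated


def rejected_fields(payload: Dict) -> List[str]:
    """Names in the payload that a user may not set on their own record."""
    return sorted(set(payload) - SELF_WRITABLE)


def update_user(record: Dict, payload: Dict) -> Dict:
    """Apply only allowlisted properties; refuse the request if it carries others."""
    bad = rejected_fields(payload)
    if bad:
        # Refusing (HTTP 400) rather than silently dropping makes tampering visible in logs.
        raise ValueError(f"fields not writable by this caller: {bad}")
    for key in payload:
        if not isinstance(payload[key], str) or len(payload[key]) > 254:
            raise ValueError(f"invalid value for {key}")
    updated = dict(record)
    updated.update(payload)
    return updated
```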
This vulnerability originates in APIs that fail to implement, or improperly implement, limits on resource consumption, leaving them highly susceptible to brute-force attacks. Unrestricted Resource Consumption has replaced the previous number 4 in the OWASP API Security Top 10, Lack of Resources and Rate Limiting. However, while the name changed, this vulnerability remains the same overall.
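The limits this category asks for are mechanical: a per-client request budget, a cap on request body size, and a cap on how much a single call may ask for. The following added example (written for this post; not OWASP's or Salt's code) implements a token-bucket rate limiter and bounds on body and page size, with the clock passed in so the behaviour is deterministic. The capacities and byte limits are constructed policy values.

```python
"""Resource-consumption limits: a per-client token bucket plus bounds on
request size and page size.

Added example with constructed limits. A production limiter keeps its buckets
in a shared store so every API instance sees the same counts.
"""
from typing import Dict, Optional, Tuple

MAX_BODY_BYTES = 64 * 1024   # constructed limit for a JSON request body
MAX_PAGE_SIZE = 100
DEFAULT_PAGE_SIZE = 20


class TokenBucket:
    """Allows 'capacity' requests in a burst, then 'refill_per_second' on average."""

    def __init__(self, capacity: int, refill_per_second: float, now: float):
        self.capacity = capacity
        self.refill = refill_per_second
        self.tokens = float(capacity)
        self.last = now

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per client key (API key, user id, or source address)."""

    def __init__(self, capacity: int, refill_per_second: float):
        self.capacity = capacity
        self.refill = refill_per_second
        self.buckets: Dict[str, TokenBucket] = {}

    def check(self, key: str, now: float) -> bool:
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(self.capacity, self.refill, now)
        return bucket.allow(now)


def bounded_page_size(requested: Optional[str]) -> int:
    """Clamp a client-supplied page size so one call cannot dump a whole table."""
    try:
        n = int(requested)
    except (TypeError, ValueError):
        return DEFAULT_PAGE_SIZE
    return max(1, min(n, MAX_PAGE_SIZE))


LIMITER = RateLimiter(capacity=20, refill_per_second=2.0)  # constructed policy


def handle_request(client_key: str, now: float, body: bytes, page_size: Optional[str],
                   limiter: RateLimiter = LIMITER) -> Tuple[int, int]:
    """Return (status, effective_page_size); 429 and 413 short-circuit before any work."""
    if not limiter.check(client_key, now):
        return 429, 0   # budget exhausted: reject before touching the database
    if len(body) > MAX_BODY_BYTES:
        return 413, 0   # oversized body: reject before parsing it
    return 200, bounded_page_size(page_size)
```

The ordering matters: the cheap checks run first so an abusive client cannot make the service do expensive work (parsing, database queries) before being turned away.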
Broken Function Level Authorization (BFLA) takes shape when authorization is not properly implemented, allowing unauthorized users to execute API functions such as adding, updating, or deleting a customer record or a user role. BFLA has kept its fifth spot on the list since 2019.
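BOLA (the number one item above) and BFLA are the two halves of server-side authorization: is this caller allowed to touch this particular object, and is this caller allowed to call this function at all. The following added example, written for this post and not taken from OWASP or Salt, shows a toy invoice API with the vulnerable handler for each next to the fixed one. The users, roles and invoices are constructed sample data.

```python
"""Object-level (BOLA) and function-level (BFLA) authorization checks.

Added example: a toy invoice API with the vulnerable handler next to the
fixed one. All users, invoices and roles below are constructed sample data.
"""

# Constructed in-memory data: users with a role, and invoices with an owner.
USERS = {
    "alice": {"role": "customer"},
    "bob": {"role": "customer"},
    "carol": {"role": "admin"},
}
INVOICES = {
    101: {"owner": "alice", "total": 42.00},
    102: {"owner": "bob", "total": 99.50},
}


class Forbidden(Exception):
    """Authorization failed (would map to HTTP 403)."""


class NotFound(Exception):
    """Object missing, or hidden from this caller (would map to HTTP 404)."""


def get_invoice_vulnerable(caller: str, invoice_id: int) -> dict:
    """BOLA: trusts the caller-supplied id and never checks who owns it."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    return invoice


def get_invoice(caller: str, invoice_id: int) -> dict:
    """Fixed: fetch the object, then compare its owner to the authenticated caller."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    if invoice["owner"] != caller and USERS[caller]["role"] != "admin":
        # Same error as a missing record, so the id space cannot be probed
        # to learn which invoices exist.
        raise NotFound(invoice_id)
    return invoice


def set_role_vulnerable(caller: str, target: str, role: str) -> None:
    """BFLA: an administrative function reachable by any authenticated user."""
    USERS[target]["role"] = role


def require_role(caller: str, *allowed: str) -> None:
    """Server-side role check; never rely on the client hiding admin buttons."""
    if USERS.get(caller, {}).get("role") not in allowed:
        raise Forbidden(caller)


def set_role(caller: str, target: str, role: str) -> None:
    """Fixed: only admins may change roles, and only to known roles."""
    require_role(caller, "admin")
    if role not in ("customer", "admin"):
        raise ValueError(f"unknown role {role!r}")
    if target not in USERS:
        raise NotFound(target)
    USERS[target]["role"] = role


def is_denied(fn, *args) -> bool:
    """True if the call is refused by an authorization or lookup check."""
    try:
        fn(*args)
    except (Forbidden, NotFound):
        return True
    return False


if __name__ == "__main__":
    print("bob reads alice's invoice (vulnerable):", get_invoice_vulnerable("bob", 101))
    print("bob reads alice's invoice (fixed):",
          "denied" if is_denied(get_invoice, "bob", 101) else "allowed")
    print("bob promotes himself (fixed):",
          "denied" if is_denied(set_role, "bob", "bob", "admin") else "allowed")
```

The fixed handlers authorize against the identity the server established during authentication, never against anything in the request body or URL; that single habit removes both defects.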
This new threat, which has replaced Mass Assignment as number 6 on the OWASP API Security Top 10, manifests when an API exposes a business flow without compensating for how the functionality could cause harm if used excessively through automation. To exploit this vulnerability, an attacker will need to understand the business logic behind the API in question, find sensitive business flows and automate access to them in order to cause harm to the business.
Server Side Request Forgery can occur when a user-controlled URL is passed to an API and the back-end server honors and processes it. The API security risk materializes when the back-end server tries to connect to the user-supplied URL, which opens the door for SSRF. This threat has replaced Mass Assignment as number 6 on the OWASP API Security Top 10 list.
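The defence is to validate the URL before the back end ever opens a connection: restrict the scheme, compare the host against an allowlist, and refuse any name that resolves to a non-public address. The following is an added example written for this post (not OWASP's or Salt's code); the allowed hosts and the DNS answers are constructed, and the resolver is injectable so the check runs offline.

```python
"""SSRF guard: validate a caller-supplied URL before the back end fetches it.

Added example. The allowed hosts and the DNS answers are constructed; a real
guard resolves with socket.getaddrinfo and then connects to the validated
address rather than re-resolving the name, which closes DNS-rebinding races.
"""
import ipaddress
from typing import Callable, List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}  # constructed allowlist
FAKE_DNS = {  # constructed resolver answers
    "api.partner.example": ["93.184.216.34"],
    "cdn.partner.example": ["93.184.216.35", "10.0.0.5"],  # one internal address
}


class UnsafeURL(ValueError):
    """The URL must not be fetched on the caller's behalf."""


def _is_public(ip: str) -> bool:
    """False for loopback, private, link-local, multicast and reserved ranges."""
    return ipaddress.ip_address(ip).is_global


def validate_outbound_url(url: str,
                          resolver: Callable[[str], Optional[List[str]]] = FAKE_DNS.get) -> str:
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        raise UnsafeURL("malformed URL") from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        # In 'https://api.partner.example@10.0.0.5/' the hostname is 10.0.0.5,
        # not the partner; refuse userinfo outright rather than reason about it.
        raise UnsafeURL("userinfo in URL")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host {host!r} not in allowlist")
    try:
        port = parts.port
    except ValueError as exc:
        raise UnsafeURL("malformed port") from exc
    if port not in (None, 443):
        raise UnsafeURL(f"port {port} not allowed")
    addresses = resolver(host) or []
    # Every address must be public: a single internal answer is enough to reject.
    if not addresses or not all(_is_public(a) for a in addresses):
        raise UnsafeURL("name resolves to a non-public address")
    return url


def is_safe_outbound_url(url: str) -> bool:
    try:
        validate_outbound_url(url)
    except UnsafeURL:
        return False
    return True
```

The HTTP client that performs the fetch should also have redirects disabled, otherwise an allowlisted host can bounce the request to an internal address after validation has passed.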
Security Misconfiguration is a catch-all for a wide range of configuration weaknesses that degrade API security as a whole and introduce API vulnerabilities inadvertently. This threat was number 7 on the OWASP API Security Top 10 list released in 2019 and remains in the same position in 2023.
This threat is the result of an outdated or incomplete inventory, which can create unknown gaps in the API attack surface and makes it difficult to identify older versions of APIs that should be decommissioned. Improper Inventory Management has replaced Improper Assets Management as number 9 in the OWASP API Security Top 10 and, while the name has been changed to emphasize the importance of an accurate and up-to-date API inventory, the threat remains the same.
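An inventory is only useful if it is checked against reality. One practical check is to compare the documented endpoints with what the gateway actually serves, flagging retired versions that still answer and endpoints nobody documented. The following added example (written for this post; not OWASP's or Salt's tooling) does that over a few constructed log lines; the inventory, the retired-version list and the log format are all constructed.

```python
"""Inventory drift check: compare the documented API surface with what is
actually answering requests.

Added example. The inventory, retired-version list and access-log lines are
constructed; in practice the inventory comes from the OpenAPI specs and the
log lines from the gateway.
"""
import re
from collections import Counter
from typing import Dict

# Constructed: endpoints the team believes are live, per API version.
INVENTORY = {
    "v2": {"GET /v2/users/{id}", "POST /v2/orders"},
}
RETIRED_VERSIONS = {"v1"}  # documented as decommissioned

# Constructed gateway log lines: "<method> <path> <status>".
ACCESS_LOG = """\
GET /v2/users/1234 200
POST /v2/orders 201
GET /v1/users/1234 200
GET /v2/users/1234/export 200
GET /v2/users/9999 404
GET /internal/debug/config 200
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def normalize(path: str) -> str:
    """Collapse numeric segments into {id} so concrete paths match templates."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def audit(log_text: str) -> Dict[str, Dict[str, int]]:
    """Return endpoints that serve traffic but are retired or undocumented."""
    retired: Counter = Counter()
    undocumented: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["status"] == "404":
            continue  # skip unparsable lines and requests nothing served
        key = f"{m['method']} {normalize(m['path'])}"
        segments = m["path"].split("/")
        version = segments[1] if len(segments) > 1 else ""
        if version in RETIRED_VERSIONS:
            retired[key] += 1
        elif key not in INVENTORY.get(version, set()):
            undocumented[key] += 1
    return {"retired_still_serving": dict(retired), "undocumented": dict(undocumented)}
```

Run on the constructed log, the report flags the `v1` endpoint that should have been switched off and two endpoints (`/v2/users/{id}/export` and `/internal/debug/config`) that exist without anyone having documented them.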
The Unsafe Consumption of APIs vulnerability stems from the improper usage of APIs by API clients, such as bypassing API authentication security controls or manipulating API responses, which can lead to unauthorized access and data exposure. This API vulnerability can be exploited via the consumption of API data itself or by abusing third-party integration issues. Unsafe Consumption of APIs has replaced Insufficient Logging and Monitoring as number 10 in the OWASP API Security Top 10.
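The practical rule behind this category is to treat a partner's response with the same suspicion as a client's request. The following added example (written for this post, not OWASP's or Salt's code) shows a consumer that bounds the response size, checks the content type, validates every field against an expected contract and drops anything outside it, next to the naive version that stores the upstream object as-is. The partner's address-lookup format and the limits are constructed.

```python
"""Treat a third-party API response as untrusted input: bound it, check its
content type, then validate every field before it touches your own model.

Added example; the partner response format and limits are constructed.
"""
import json
from typing import Dict

MAX_RESPONSE_BYTES = 1_000_000
MAX_FIELD_LEN = 200
# Constructed contract for the partner's address-lookup response.
EXPECTED_FIELDS = {"street": str, "city": str, "postcode": str, "country": str}


class BadUpstreamResponse(ValueError):
    """The partner returned something we will not act on."""


def consume_vulnerable(raw: bytes) -> Dict:
    """Unsafe: the whole upstream object is trusted and stored or used as-is."""
    return json.loads(raw)


def parse_partner_address(raw: bytes, content_type: str) -> Dict[str, str]:
    if len(raw) > MAX_RESPONSE_BYTES:
        raise BadUpstreamResponse("response too large")
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "application/json":
        raise BadUpstreamResponse(f"unexpected content type {media_type!r}")
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise BadUpstreamResponse("body is not valid JSON") from exc
    if not isinstance(data, dict):
        raise BadUpstreamResponse("top-level value is not an object")
    clean: Dict[str, str] = {}
    for key, typ in EXPECTED_FIELDS.items():
        value = data.get(key)
        if not isinstance(value, typ):
            raise BadUpstreamResponse(f"missing or wrong type: {key}")
        if len(value) > MAX_FIELD_LEN or any(ord(ch) < 32 for ch in value):
            # Oversized or control-character values can corrupt logs, headers
            # or downstream records; reject rather than pass them on.
            raise BadUpstreamResponse(f"unacceptable value for {key}")
        clean[key] = value
    # Keys outside the contract are dropped; upstream extras never reach our model.
    return clean


def is_valid_partner_response(raw: bytes, content_type: str) -> bool:
    try:
        parse_partner_address(raw, content_type)
    except BadUpstreamResponse:
        return False
    return True
```

In the constructed response below, the partner returns an extra `is_admin` key; the naive consumer carries it through, the validating one discards it.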
APIs connect today’s modern applications, power business innovation and allow companies to meet their customers’ increasingly high expectations for digitalization and speed. But, by becoming an invaluable asset to organizations, they have also become a primary target for attackers.
Understanding the main issues that threaten your APIs means you’ll be better equipped to put a robust and mature API security strategy in place. If you’d like to know how the Salt Security API Protection Platform can help you build that strategy, contact us for a customized demo today.