The Open Web Application Security Project has been around since 2001 and is best known for the OWASP Web Application Security Top 10 which has set the standard for how organizations have approached security to protect traditional web applications. The OWASP Top 10 projects are community driven and experts from across the community come together to put out an updated version of this flagship Top 10 list every 3 years with the current version released in 2017.
In addition to the Flagship Top 10 the OWASP community drives a number of other projects and publishes Top 10 lists that focus on specific areas of technology and security. One such project is the OWASP API Security Project announced in 2019.
Simply put, because threats to APIs are different when compared to what we’ll classify as traditional applications. This is true even if those traditional applications are delivered from more modern cloud infrastructure. We have a good writeup on this with more details in the post How Modern Web Applications Changed the Way Enterprises Should Handle Security.
The other factor is that we’re seeing a huge increase in the adoption of APIs and API-based applications. Open your phone and any application making a call for data is doing so over an API. This is also true of any single-page application (SPA) that might front end SaaS apps or other popular sites that you visit from a laptop. Also consider microservices and IoT environments are all driven by APIs. Basically, APIs are just about everywhere you look in modern application environments.
The fact that APIs are becoming more prevalent means that attackers will also take notice and shift their focus to this new battleground. We’ve seen proof of this in many of the recent high profile breaches and analysts like Gartner predicting “By 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications.”
As of October 2019 the release candidate for the OWASP API Security Top 10 includes the following 10 items in rank order of severity and importance.
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object-level authorization checks should be considered in every function that accesses a data source using input from the user.
Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user’s identities temporarily or permanently. Compromising system’s ability to identify the client/user, compromises API security overall.
Looking forward to generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user. Without controlling the client’s state, servers receive more-and-more filters which can be abused to gain access to sensitive data.
Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but also leaves the door open to authentication flaws such as brute force.
Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions.
Binding client provided data (e.g., JSON) to data models, without proper properties filtering based on a whitelist, usually lead to Mass Assignment. Either guessing objects properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads, allows attackers to modify object properties they are not supposed to.
Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information.
Injection flaws, such as SQL, NoSQL, Command Injection, etc. occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. Proper hosts and deployed API versions inventory also play an important role to mitigate issues such as deprecated API versions and exposed debug endpoints.
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, extract, or destroy data. Most breach studies demonstrate the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
The following table highlights the differences between the API Security Top 10 and the Web Application Security Top 10. As you can see:
Since launching in early 2019 the OWASP API Security Top 10 has been gaining a lot of momentum. The latest release candidate was announced at the OWASP Global AppSec Amsterdam event in September 2019 and the community has been busy providing feedback. The project leaders, Erez Yaron and Inon Shkedy have also been busy promoting the project and educating the community. Here are some links to learn more about the API SecurityTop 10 and get involved with the project.
Find more on the OWASP API Security Project and the API Security Top 10 on the project page:
OWASP API Security Top 10 Explained - Blog Series
Learn how to participate and provide feedback to the project here:
Join the mailing list:
Join the effort:
Why You Need to Think About API Security
By project co-leader Erez Yalon
Dark Reading 09/26/2019
OWASP reveals top 10 security threats facing API ecosystem
By Ben Dickson
The Daily Swig 09/24/19
API Security Project Identifies Top 10 Vulnerabilities
By Richard Seeley
Application Development Trends (ADT) Magazine 10/02/2019
New OWASP List Highlights API Security Holes
by Joan Goodchild
Security Boulevard 09/20/19
OWASP API Security Top 10: Get your dev team up to speed
by Chris Romeo
OWASP API Security Top 10
By Erez Yalon & Inon Shkedy
OWASP Global App Sec Amsterdam 09/27/19
Do you want to address the new OWASP API Security Top 10 and protect your APIs? Head over to the Salt Security website to learn more.
Dr. Anton Chuvakin, security advisor at Office of the CISO, Google Cloud, joined our recent API Security Summit. Dr. Chuvakin’s session – co-hosted by Salt Security's Michelle McLean – provided an in-depth discussion on why API security has become a “now” problem.
The monetary growth opportunities promised by APIs are immense, but to harness them, CISOs must ensure the protection of their APIs.
With the industry moving to microservices and API-driven applications, new security threats and attack vectors have emerged. The PCI Security Standards Council has worked to address these threats in its newest PCI DSS 4.0 standard.