What Is The OWASP API Security Top 10

OWASP API Security Top 10
The Open Web Application Security Project has been around since 2001 and is best known for the OWASP Web Application Security Top 10 which has set the standard for how organizations have approached security to protect traditional web applications. The OWASP Top 10 projects are community driven and experts from across the community come together to put out an updated version of this flagship Top 10 list every 3 years with the current version released in 2017.

In addition to the Flagship Top 10 the OWASP community drives a number of other projects and publishes Top 10 lists that focus on specific areas of technology and security. One such project is the OWASP API Security Project announced in 2019.

Why Do We Need The OWASP API Security Project?

Simply put, because threats to APIs are different when compared to what we’ll classify as traditional applications. This is true even if those traditional applications are delivered from more modern cloud infrastructure. We have a good writeup on this with more details in the post How Modern Web Applications Changed the Way Enterprises Should Handle Security.

 

The other factor is that we’re seeing a huge increase in the adoption of APIs and API-based applications. Open your phone and any application making a call for data is doing so over an API. This is also true of any single-page application (SPA) that might front end SaaS apps or other popular sites that you visit from a laptop. Also consider microservices and IoT environments are all driven by APIs. Basically, APIs are just about everywhere you look in modern application environments.

 

The fact that APIs are becoming more prevalent means that attackers will also take notice and shift their focus to this new battleground. We’ve seen proof of this in many of the recent high profile breaches and analysts like Gartner predicting “By 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications.”

 

What is The OWASP API Security Top 10?

As of October 2019 the release candidate for the OWASP API Security Top 10 includes the following 10 items in rank order of severity and importance. 

 

API1 Broken Object Level Authorization

APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object-level authorization checks should be considered in every function that accesses a data source using input from the user.

 

API2 Broken Authentication

Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user’s identities temporarily or permanently. Compromising system’s ability to identify the client/user, compromises API security overall.

 

API3 Excessive Data Exposure

Looking forward to generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user. Without controlling the client’s state, servers receive more-and-more filters which can be abused to gain access to sensitive data.

 

API4 Lack of Resources & Rate Limiting

Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but also leaves the door open to authentication flaws such as brute force.

 

API5 Broken Function Level Authorization

Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions.

 

API6 Mass Assignment

Binding client provided data (e.g., JSON) to data models, without proper properties filtering based on a whitelist, usually lead to Mass Assignment. Either guessing objects properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads, allows attackers to modify object properties they are not supposed to.

 

API7 Security Misconfiguration

Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information.

 

API8 Injection

Injection flaws, such as SQL, NoSQL, Command Injection, etc. occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

 

API9 Improper Assets Management

APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. Proper hosts and deployed API versions inventory also play an important role to mitigate issues such as deprecated API versions and exposed debug endpoints.

 

API10 Insufficient Logging & Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, extract, or destroy data. Most breach studies demonstrate the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

 

How Is The API Security Top 10 Different From The Web Application Security Top 10?

The following table highlights the differences between the API Security Top 10 and the Web Application Security Top 10. As you can see:

  • Only 2 of the items from the Web Application Security Top 10 are relevant to API Security.

  • 3 of the items have moved down in rank of importance and severity.

  • The remaining 5 items in the Web Application Security Top 10 have been deemed not relevant to API security.

 

OWASP API Security Top 10 – 2019 

OWASP Top 10 2017

A1:2019 – Broken Object Level Authorization

A1:2017 Injections (Reduced in rank – moved to A8:2019) 

A2:2019 – Broken Authentication

A2:2017 – Broken Authentication

A3:2019 – Excessive Data Exposure

A3:2017 – Sensitive Data Exposure (Not Included)

A4:2019 – Lack of Resources & Rate Limiting

A4:2017 – XML External Entities (XXE) (Not Included)

A5:2019 – Broken Function Level Authorization

A5:2017 – Broken Access Control (Modified for APIs)

A6:2019 – Mass Assignment

A6:2017 – Security Misconfiguration (Reduced in rank – moved to A7:2019)

A7:2019 – Security Misconfiguration

A7:2017 – Cross-Site Scripting (XSS) (Included in A8)

A8:2019 – Injection

A8:2017 – Insecure Deserialization (Not Included)

A9:2019 – Improper Assets Management

A9:2017 – Using Components with Known Vulnerabilities (Not Included)

A10:2019 – Insufficient Logging & Monitoring

A10:2017 – Insufficient Logging & Monitoring

 

Remained the same in the 2019 API Security Top 10

 

Moved or modified in the 2019 API Security Top 10

 

Not included in the 2019 API Security Top 10

More Information On The OWASP API Security Top 10

Since launching in early 2019 the OWASP API Security Top 10 has been gaining a lot of momentum. The latest release candidate was announced at the OWASP Global AppSec Amsterdam event in September 2019 and the community has been busy providing feedback. The project leaders, Erez Yaron and Inon Shkedy have also been busy promoting the project and educating the community. Here are some links to learn more about the API SecurityTop 10 and get involved with the project.

 

Learn More

Find more on the OWASP API Security Project and the API Security Top 10 on the project page:

https://www.owasp.org/index.php/OWASP_API_Security_Project 

 

Read the OWASP API Security Top 10 Release Candidate

https://www.owasp.org/index.php/File:API_Security_Top_10_RC_-_Global_AppSec_AMS.pdf 

 

Get additional details on the project and each of the top 10 in this webinar:

https://salt.security/owasp-api-security-top-10 

 

Get Involved

Learn how to participate and provide feedback to the project here:

https://www.owasp.org/index.php/OWASP_API_Security_Project#tab=Join 

 

Join the mailing list:

https://groups.google.com/a/owasp.org/d/forum/api-security-project 

 

Join the effort:

https://github.com/OWASP/API-Security/tree/develop/ 

https://github.com/OWASP/API-Security/issues 

 

Articles

Why You Need to Think About API Security

By project co-leader Erez Yalon

Dark Reading 09/26/2019

https://www.darkreading.com/application-security/why-you-need-to-think-about-api-security/a/d-id/1335861

 

OWASP reveals top 10 security threats facing API ecosystem

By Ben Dickson 

The Daily Swig 09/24/19

https://portswigger.net/daily-swig/owasp-reveals-top-10-security-threats-facing-api-ecosystem

 

API Security Project Identifies Top 10 Vulnerabilities

By Richard Seeley

Application Development Trends (ADT) Magazine 10/02/2019

https://adtmag.com/articles/2019/10/02/api-security-report.aspx

 

New OWASP List Highlights API Security Holes

by Joan Goodchild 

Security Boulevard 09/20/19

https://securityboulevard.com/2019/09/new-owasp-list-highlights-api-security-holes/

 

OWASP API Security Top 10: Get your dev team up to speed

by Chris Romeo 

TechBeacon 09/30/19

https://techbeacon.com/security/owasp-api-security-top-10-get-your-dev-team-speed

 

 

Videos

 

OWASP API Security Top 10

By Erez Yalon & Inon Shkedy

OWASP Global App Sec Amsterdam 09/27/19

https://youtu.be/Jmyl6GoTaao

 

Do you want to address the new OWASP API Security Top 10 and protect your APIs? Head over to the Salt Security website to learn more.

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email