In addition to the Flagship Top 10 the OWASP community drives a number of other projects and publishes Top 10 lists that focus on specific areas of technology and security. One such project is the OWASP API Security Project announced in 2019.
Why Do We Need The OWASP API Security Project?
Simply put, because threats to APIs are different when compared to what we’ll classify as traditional applications. This is true even if those traditional applications are delivered from more modern cloud infrastructure. We have a good writeup on this with more details in the post How Modern Web Applications Changed the Way Enterprises Should Handle Security.
The other factor is that we’re seeing a huge increase in the adoption of APIs and API-based applications. Open your phone and any application making a call for data is doing so over an API. This is also true of any single-page application (SPA) that might front end SaaS apps or other popular sites that you visit from a laptop. Also consider microservices and IoT environments are all driven by APIs. Basically, APIs are just about everywhere you look in modern application environments.
The fact that APIs are becoming more prevalent means that attackers will also take notice and shift their focus to this new battleground. We’ve seen proof of this in many of the recent high profile breaches and analysts like Gartner predicting “By 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications.”
What is The OWASP API Security Top 10?
As of October 2019 the release candidate for the OWASP API Security Top 10 includes the following 10 items in rank order of severity and importance.
API1 Broken Object Level Authorization
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object-level authorization checks should be considered in every function that accesses a data source using input from the user.
API2 Broken Authentication
Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user’s identities temporarily or permanently. Compromising system’s ability to identify the client/user, compromises API security overall.
API3 Excessive Data Exposure
Looking forward to generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user. Without controlling the client’s state, servers receive more-and-more filters which can be abused to gain access to sensitive data.
API4 Lack of Resources & Rate Limiting
Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but also leaves the door open to authentication flaws such as brute force.
API5 Broken Function Level Authorization
Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions.
API6 Mass Assignment
Binding client provided data (e.g., JSON) to data models, without proper properties filtering based on a whitelist, usually lead to Mass Assignment. Either guessing objects properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads, allows attackers to modify object properties they are not supposed to.
API7 Security Misconfiguration
Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information.
Injection flaws, such as SQL, NoSQL, Command Injection, etc. occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
API9 Improper Assets Management
APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. Proper hosts and deployed API versions inventory also play an important role to mitigate issues such as deprecated API versions and exposed debug endpoints.
API10 Insufficient Logging & Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, extract, or destroy data. Most breach studies demonstrate the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
How Is The API Security Top 10 Different From The Web Application Security Top 10?
The following table highlights the differences between the API Security Top 10 and the Web Application Security Top 10. As you can see:
Only 2 of the items from the Web Application Security Top 10 are relevant to API Security.
3 of the items have moved down in rank of importance and severity.
The remaining 5 items in the Web Application Security Top 10 have been deemed not relevant to API security.
More Information On The OWASP API Security Top 10
Since launching in early 2019 the OWASP API Security Top 10 has been gaining a lot of momentum. The latest release candidate was announced at the OWASP Global AppSec Amsterdam event in September 2019 and the community has been busy providing feedback. The project leaders, Erez Yaron and Inon Shkedy have also been busy promoting the project and educating the community. Here are some links to learn more about the API SecurityTop 10 and get involved with the project.
Find more on the OWASP API Security Project and the API Security Top 10 on the project page:
Read the OWASP API Security Top 10 Release Candidate
Get additional details on the project and each of the top 10 in this webinar:
Learn how to participate and provide feedback to the project here:
Join the mailing list:
Join the effort:
Why You Need to Think About API Security
By project co-leader Erez Yalon
Dark Reading 09/26/2019
OWASP reveals top 10 security threats facing API ecosystem
By Ben Dickson
The Daily Swig 09/24/19
API Security Project Identifies Top 10 Vulnerabilities
By Richard Seeley
Application Development Trends (ADT) Magazine 10/02/2019
New OWASP List Highlights API Security Holes
by Joan Goodchild
Security Boulevard 09/20/19
OWASP API Security Top 10: Get your dev team up to speed
by Chris Romeo
OWASP API Security Top 10
By Erez Yalon & Inon Shkedy
OWASP Global App Sec Amsterdam 09/27/19
Do you want to address the new OWASP API Security Top 10 and protect your APIs? Head over to the Salt Security website to learn more.