
An Introduction to the OWASP API Security Top 10

If you ever watched Stargate, then you have some understanding of how application programming interfaces (APIs) work. While APIs don’t give you the ability to traverse the galaxy using an alien wormhole, they do act as digital portals that allow data to travel between applications. However, as sensitive data moves from one application to another, each API becomes a potential access point that threat actors can exploit. As attackers increasingly target APIs, securing them becomes critical to your company’s overarching data protection program.

 

Whether you’re a developer or a systems architect, knowing the OWASP API Security Top 10 can help you protect data.

Who is OWASP?

The Open Web Application Security Project (OWASP) is a non-profit organization whose mission is to secure software through education, tools, and collaboration. Some of the community-led projects include:

 

What is the OWASP API Security Top 10?

Originally published as an awareness document in 2019, the OWASP API Security Top 10 identifies the ten most critical API security risks based on a review and analysis of:

 

An Overview of the OWASP Top 10 API Security Risks

Since compiling the Top 10 is a rigorous process, the OWASP Top 10 API Security Risks list considers the current threat landscape and the potential future state. Ultimately, OWASP hopes that the lists generated will last three or four years before requiring an update. OWASP published the most current iteration in 2023.

API1:2023 Broken Object Level Authorization (BOLA)

Object level authorization is a code-level check that the requesting user is allowed to access the specific object (usually identified by an ID in the request) that a call names. With BOLA, the API exposes object identifiers through its endpoints without performing that check, so attackers can use them to gain unauthorized access to other users’ data, resulting in data disclosure, loss, or manipulation.

 

OWASP notes that this security threat is:

 

Developers should perform object level authorization checks in every function that accesses a data source using an ID supplied by the user.

API2:2023 Broken Authentication

With incorrectly implemented authentication mechanisms, attackers can gain unauthorized access through credential-based attacks. Vulnerable APIs enable attackers to assume someone’s identity.

 

OWASP notes that this security threat is:

 

Developers should know all possible flows to authenticate to the API and implement multi-factor authentication when possible.

 

API3:2023 Broken Object Property Level Authorization

This threat combines two threats:

 

While access to the object itself may have the appropriate authentication, the flow still leaves the object’s individual properties visible or modifiable.

 

OWASP notes that this security threat is:

 

Developers should limit users’ access to an object’s properties and limit the data that the API returns to the properties the caller actually needs.
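As an added example (not code from the Graylog post or from OWASP), the following minimal in-memory "invoice" API shows both checks described for API1 and API3: an object-level ownership check on every lookup, and an allow list of readable and writable properties so that the response never leaks fields such as `owner` or `internal_note` and an update cannot rewrite them. The records, user names, field names and the `Forbidden` exception are all constructed for illustration.

```python
# Added example (not code from the Graylog post or from OWASP): a minimal
# in-memory "invoice" API that shows an object-level (BOLA) check and a
# property-level allow list. All records, user names and field names are
# constructed for illustration.


class Forbidden(Exception):
    """Raised when a caller may not access an object or one of its properties."""


# Constructed sample store: invoice id -> record.
INVOICES = {
    101: {"id": 101, "owner": "alice", "amount": 250, "status": "open",
          "internal_note": "credit check pending"},
    102: {"id": 102, "owner": "bob", "amount": 90, "status": "paid",
          "internal_note": ""},
}

# Property-level policy for ordinary users: everything not listed is denied.
READABLE = {"id", "amount", "status"}
WRITABLE = {"status"}


def get_invoice_vulnerable(current_user, invoice_id):
    """BOLA: the record is looked up by the id in the request and returned
    whole, so any authenticated user can read any invoice, including the
    owner and internal_note properties."""
    return INVOICES[invoice_id]


def _owned_record(current_user, invoice_id):
    """Object-level check. Missing and not-owned records raise the same error
    so the response does not reveal which ids exist."""
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != current_user:
        raise Forbidden(f"{current_user} may not access invoice {invoice_id}")
    return record


def get_invoice(current_user, invoice_id):
    """Object-level check, then return only the allow-listed properties."""
    record = _owned_record(current_user, invoice_id)
    return {name: value for name, value in record.items() if name in READABLE}


def update_invoice(current_user, invoice_id, payload):
    """Object-level check, then reject any property the caller may not write
    (for example a payload that tries to change "owner" or "amount")."""
    record = _owned_record(current_user, invoice_id)
    rejected = set(payload) - WRITABLE
    if rejected:
        raise Forbidden(f"properties not writable: {sorted(rejected)}")
    record.update(payload)
    return get_invoice(current_user, invoice_id)


if __name__ == "__main__":
    print(get_invoice_vulnerable("bob", 101))  # leaks alice's full record
    print(get_invoice("alice", 101))           # only id, amount, status
    for call in (lambda: get_invoice("bob", 101),
                 lambda: update_invoice("bob", 102, {"owner": "bob", "amount": 0})):
        try:
            call()
        except Forbidden as exc:
            print("denied:", exc)
```

The same pattern applies to any resource keyed by an ID: resolve the record, confirm the caller may see it, and only then project it through the property allow list, so that a new field added to the record later is hidden by default rather than exposed by default.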

 

API4:2023 Unrestricted Resource Consumption

Answering API requests consumes resources like network bandwidth, CPU, memory, and storage. An API is vulnerable to this security threat if limits on that consumption are missing or set incorrectly, creating a Denial of Service (DoS) risk.

 

OWASP notes that this security threat is:

 

Developers should consider rate limiting and throttling to prevent an API from using too many resources at any given time.
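As an added example (not code from the Graylog post or from OWASP), the guard below applies two of the limits that prevent unrestricted resource consumption: a per-client sliding-window request rate and a maximum request body size, returning the HTTP status the API should answer with (429 with a Retry-After value, or 413). The limits, client keys and the injectable clock are constructed for illustration; a production service would keep the counters in a shared store rather than in process memory.

```python
# Added example (not code from the Graylog post or from OWASP): a per-client
# sliding-window request limiter plus a request-size ceiling. Limits, client
# keys and the clock are constructed for illustration.
from collections import defaultdict, deque


class FakeClock:
    """Deterministic clock so the window logic can be exercised offline."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class RequestGuard:
    def __init__(self, limit, window_seconds, max_body_bytes, clock):
        self.limit = limit              # requests allowed per window per client
        self.window = window_seconds
        self.max_body = max_body_bytes  # reject bodies above this before reading them
        self.clock = clock
        self.hits = defaultdict(deque)  # client key -> timestamps of recent requests

    def check(self, client_key, body_bytes):
        """Return (status, retry_after_seconds): 200 to proceed, 429 when the
        client is over its rate, 413 when the declared body is too large.
        Oversized attempts still count toward the rate so they cannot be
        repeated for free."""
        now = self.clock()
        recent = self.hits[client_key]
        # Drop timestamps that have fallen out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            retry_after = self.window - (now - recent[0])
            return 429, retry_after
        recent.append(now)
        if body_bytes > self.max_body:
            return 413, None
        return 200, None


def simulate():
    """Drive the guard with a constructed burst and return the statuses seen."""
    clock = FakeClock()
    guard = RequestGuard(limit=3, window_seconds=10, max_body_bytes=1024, clock=clock)
    statuses = [guard.check("client-a", 100)[0] for _ in range(4)]
    clock.advance(10)
    statuses.append(guard.check("client-a", 100)[0])   # window has rolled over
    statuses.append(guard.check("client-a", 5000)[0])  # body too large
    return statuses


if __name__ == "__main__":
    print(simulate())
```

Keying the window on an authenticated client identity rather than only on source IP matters for APIs: many legitimate clients share an IP behind NAT, while one token can be abused from many addresses.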

API5:2023 Broken Function Level Authorization (BFLA)

While BOLA sits at the code level, BFLA is at the user-access level. With BFLA, the user’s roles or permissions have too much access, like:

 

OWASP notes that this security threat is:

 

Developers should ensure that the application’s authorization module is configured and monitored, starting from a deny-all-by-default model.
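As an added example (not code from the Graylog post or from OWASP), the decorator below enforces function-level authorization with a deny-all-by-default policy: a role that is not in the table, or a permission the role does not list, is refused, and every refusal is counted so the authorization module can be monitored. A deliberately broken handler that trusts an `is_admin` flag from the request body is shown beside it. The roles, permissions, endpoint names and principal fields are constructed for illustration.

```python
# Added example (not code from the Graylog post or from OWASP): function-level
# authorization with deny-all-by-default and a counter of denied calls.
# Roles, permissions and endpoint names are constructed for illustration.
import functools
from collections import Counter


class Forbidden(Exception):
    pass


# Role -> permissions. A role or permission missing here is denied.
ROLE_PERMISSIONS = {
    "user": {"invoice:read"},
    "admin": {"invoice:read", "invoice:delete", "user:list"},
}

# Denied calls keyed by (role, permission); a sudden rise is worth an alert.
DENIED = Counter()


def delete_invoice_vulnerable(request):
    """BFLA: trusts an 'is_admin' flag that arrives in the request body, so
    the client decides whether it is an administrator."""
    if not request.get("is_admin"):
        raise Forbidden("admin only")
    return {"deleted": request["invoice_id"]}


def requires(permission):
    """Guard an endpoint: the principal's role must grant `permission`. The
    principal comes from the server-side session, never from the request."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(principal, *args, **kwargs):
            role = principal.get("role")
            granted = ROLE_PERMISSIONS.get(role, set())  # unknown role -> empty set
            if permission not in granted:
                DENIED[(role, permission)] += 1
                raise Forbidden(f"{principal.get('sub')} lacks {permission}")
            return fn(principal, *args, **kwargs)
        return wrapper
    return decorator


@requires("invoice:read")
def read_invoice(principal, invoice_id):
    return {"id": invoice_id}


@requires("invoice:delete")
def delete_invoice(principal, invoice_id):
    return {"deleted": invoice_id}


@requires("user:list")
def list_users(principal):
    return ["alice", "bob"]


if __name__ == "__main__":
    alice = {"sub": "alice", "role": "user"}
    print(read_invoice(alice, 7))
    try:
        delete_invoice(alice, 7)
    except Forbidden as exc:
        print("denied:", exc, dict(DENIED))
```

The permission strings name functions, not objects: this check decides whether the caller may call `delete_invoice` at all, while the object-level check decides which invoice it may be called on, and both are needed.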

API6:2023 Unrestricted Access to Sensitive Business Flows

APIs often drive the business logic layer (BLL), the rules that define and restrict how the application uses a database. Unrestricted access to business flows lets attackers automate those flows, which can expose sensitive data or change how the application manages data.

 

OWASP notes that this security threat is:

 

Developers should identify all business flows that could harm the organization if abused and choose protection mechanisms like device fingerprinting, CAPTCHAs, bot detection tools, or IP blocking.

API7:2023 Server Side Request Forgery (SSRF)

With SSRF, the API fetches a remote resource without validating the user-supplied URL, so an attacker can substitute the requested source and make the server send its request, and any data in it, to an unintended location.

 

OWASP notes that this security threat is:

 

Developers should isolate resource fetching mechanisms and define accepted remote resources clearly in allow lists.
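As an added example (not code from the Graylog post or from OWASP), the validator below accepts a user-supplied URL only if its scheme, host and port are on an explicit allow list, rejects URL forms that make the host look different from what the fetcher connects to (userinfo, IP literals), and provides a second check for the resolved address so that a name resolving to an internal range is still refused. The allowed hosts and the exception class are constructed for illustration.

```python
# Added example (not code from the Graylog post or from OWASP): allow-list
# validation of a user-supplied URL before the server fetches it, plus a check
# on the resolved address. The allowed hosts are constructed for illustration.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}  # constructed
ALLOWED_PORTS = {None, 443}


class RejectedURL(ValueError):
    pass


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def validate_fetch_url(url):
    """Return the URL if scheme, host and port are allow-listed, else raise.
    Userinfo is rejected because 'https://cdn.example.com@other.host/' has the
    hostname other.host, not cdn.example.com, however it looks to a reader."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise RejectedURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise RejectedURL("userinfo in URL is not allowed")
    host = parts.hostname
    if not host or _is_ip_literal(host):
        raise RejectedURL("host must be a name on the allow list")
    if host.lower() not in ALLOWED_HOSTS:
        raise RejectedURL(f"host not allowed: {host!r}")
    try:
        port = parts.port
    except ValueError:
        raise RejectedURL("malformed port") from None
    if port not in ALLOWED_PORTS:
        raise RejectedURL(f"port not allowed: {port}")
    return url


def is_public_address(ip_text):
    """Apply to the address the fetcher actually connects to (after DNS), so a
    permitted name that resolves to a loopback, private, link-local or
    reserved range is still refused."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


if __name__ == "__main__":
    for candidate in ("https://cdn.example.com/img/1.png",
                      "http://cdn.example.com/img/1.png",
                      "https://cdn.example.com@127.0.0.1/"):
        try:
            print("ok     ", validate_fetch_url(candidate))
        except RejectedURL as exc:
            print("rejected", candidate, "->", exc)
```

The fetch itself should run with redirects disabled (or with each redirect target passed back through the same validator) and from a network position that cannot reach internal services, so that the allow list is a second line rather than the only one.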

API8:2023 Security Misconfiguration

 

APIs often have insecure defaults or complex security configurations that attackers can exploit. Typically, attackers also look for unpatched flaws, common endpoints, or unprotected files and directories.

 

OWASP notes that this security threat is:

 

At minimum, developers should ensure that the API life cycle includes repeatable hardening processes, configuration monitoring, and automated processes for assessing configurations’ security effectiveness.

API9:2023 Improper Inventory Management

The proliferation of APIs often leads organizations to lose visibility into the number of APIs and API endpoints they run, as well as into where API data is stored and shared. APIs can have two types of “blind spots”:

 

OWASP notes that this security threat is:

 

Developers should inventory and document all API hosts, integrated services, and aspects of the API using automation to build documentation into the CI/CD pipeline.
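As an added example (not code from the Graylog post or from OWASP), the script below takes the routes listed in a service's documentation and a slice of its access log, normalizes object IDs in paths, and reports every method and route that is being served but is not documented, which is how an old API version still answering requests or an undocumented administrative endpoint shows up. The documented route set and the log lines are constructed for illustration.

```python
# Added example (not code from the Graylog post or from OWASP): compare the
# endpoints a service actually serves (from its access log) with the ones its
# documentation lists. Routes and log lines are constructed for illustration.
import re
from collections import Counter

# Constructed: routes from the published API spec, as (method, path template).
DOCUMENTED = {
    ("GET", "/v2/users/{id}"),
    ("POST", "/v2/orders"),
    ("GET", "/v2/orders/{id}"),
}

# Constructed access-log lines in common log format.
LOG_LINES = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /v2/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /v2/orders HTTP/1.1" 201 88
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /v1/users/42 HTTP/1.1" 200 600
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /v1/users/43 HTTP/1.1" 200 600
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /v2/admin/export?all=1 HTTP/1.1" 200 90210
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /v2/orders/7 HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# A path segment that is all digits or UUID-shaped is treated as an object id.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f-]{27})$", re.IGNORECASE)


def normalize(path):
    """Strip the query string and collapse id segments into {id} so that one
    route is counted once, whichever object it was called with."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg
                    for seg in path.split("/"))


def find_undocumented(log_text, documented):
    """Return a Counter of (method, normalized path) pairs that appear in the
    log but not in the documented set."""
    seen = Counter()
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        key = (match.group("method"), normalize(match.group("path")))
        if key not in documented:
            seen[key] += 1
    return seen


if __name__ == "__main__":
    for (method, route), hits in find_undocumented(LOG_LINES, DOCUMENTED).most_common():
        print(f"{hits:4d}  {method} {route}")
```

Run against a day of real traffic, the output is the list of hosts and routes that need either documentation and an owner or a retirement date; feeding it into the CI/CD pipeline turns the comparison into a recurring check rather than a one-off audit.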

API10:2023 Unsafe Consumption of APIs

 

Sometimes security standards become lax when receiving data from trusted third-party APIs, with weaker input validation and sanitization or interaction over unencrypted channels. Attackers then target those third-party services as a route to compromising the API that consumes them.

 

OWASP notes that this security vulnerability is:

 

Developers should engage in appropriate service provider API security due diligence, always use secure communication channels (TLS), validate and sanitize received data, and maintain an appropriate allow list.
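As an added example (not code from the Graylog post or from OWASP), the code below treats a third-party API's response with the same suspicion as end-user input: the provider's base URL must use TLS before it can be configured, and every field in the response is checked for presence, type, length and control characters against a schema before it enters the consuming system, with unknown fields dropped. The schema, provider URL, field names and exception class are constructed for illustration.

```python
# Added example (not code from the Graylog post or from OWASP): a third-party
# API response treated as untrusted input. Schema, provider URL and payloads
# are constructed for illustration.
from urllib.parse import urlsplit


class UntrustedDataError(ValueError):
    pass


# Constructed schema: field -> (expected type, max length for strings).
PARTNER_SCHEMA = {
    "account_id": (str, 64),
    "balance_cents": (int, None),
    "display_name": (str, 80),
}


def check_provider_url(base_url):
    """Refuse to configure a provider that would be called over plaintext."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise UntrustedDataError(f"provider must be reached over TLS: {base_url!r}")
    return base_url


def validate_partner_payload(payload):
    """Return a cleaned copy containing exactly the schema fields, or raise."""
    if not isinstance(payload, dict):
        raise UntrustedDataError("expected a JSON object")
    cleaned = {}
    for field, (expected, max_len) in PARTNER_SCHEMA.items():
        if field not in payload:
            raise UntrustedDataError(f"missing field {field!r}")
        value = payload[field]
        # bool is a subclass of int in Python; it is never a valid value here.
        if isinstance(value, bool) or not isinstance(value, expected):
            raise UntrustedDataError(
                f"{field!r} has wrong type {type(value).__name__}")
        if isinstance(value, str):
            if len(value) > max_len:
                raise UntrustedDataError(f"{field!r} longer than {max_len}")
            if any(ord(ch) < 32 for ch in value):
                raise UntrustedDataError(f"{field!r} contains control characters")
        cleaned[field] = value
    # Fields outside the schema are dropped rather than stored or forwarded.
    return cleaned


if __name__ == "__main__":
    print(check_provider_url("https://partner.example.net/api"))
    print(validate_partner_payload({"account_id": "acc-1", "balance_cents": 1250,
                                    "display_name": "Ada", "extra": {"x": 1}}))
    try:
        validate_partner_payload({"account_id": "acc-1", "balance_cents": "1250",
                                  "display_name": "Ada"})
    except UntrustedDataError as exc:
        print("rejected:", exc)
```

The same validator is the right place to enforce size limits on the whole response and to refuse to follow any redirect the provider returns, since a compromised partner can change both at will.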

 

Graylog API Security: Continuous scanning for attack detection and triage

 

Graylog API Security enables you to continuously scan API traffic at runtime for detection and alerting before attackers can extract data or proceed with an exploit. Using our pre-configured signatures to identify common threats like the OWASP API Security Top 10, you can proactively understand and expose potentially malicious traffic. Graylog API Security captures request and response details so you have a readily accessible datastore that includes aggregated and individual API call details across all your APIs.

 

To see how Graylog API Security can help you build continuous API threat detection and incident response, contact us today!

 
