If you ever watched Stargate, then you have some understanding of how application programming interfaces (APIs) work. While APIs don’t give you the ability to traverse the galaxy using an alien wormhole, they do act as digital portals that allow data to travel between applications. However, as sensitive data moves from one application to another, each API becomes a potential access point that threat actors can exploit. As attackers increasingly target APIs, securing them becomes critical to your company’s overarching data protection program.
Whether you’re a developer or a systems architect, knowing the OWASP API Security Top 10 can help you protect data.
Who is OWASP?
The Open Web Application Security Project (OWASP) is a non-profit organization whose mission is to secure software through education, tools, and collaboration. Some of the community-led projects include:
- OWASP Top Ten series: list of critical security risks to web applications across cloud-native, desktop, Docker, low-code/no-code, machine learning, mobile, CI/CD, client side, privacy, and serverless
- Mobile Application Security: security standard for mobile apps and comprehensive mobile app security testing guide
- ModSecurity Core Rule Set: generic attack detection rules for protection against common attack categories
- Software Assurance Maturity Model: framework to formulate and implement a software security strategy
- Web Security Testing Guide: comprehensive guide to testing web application and web service security
What is the OWASP API Security Top 10?
Originally published as an awareness document in 2019, the OWASP API Security Top 10 identifies the ten most critical API security risks based on a review and analysis of:
- Publicly available data about API security incidents
- Discussions and feedback from the community that includes new trends in API security
- Meetings with professionals for insight into impact and threat mitigation
- Review and discussion of the Top 10 security threats prior to final publication
An Overview of the OWASP Top 10 API Security Risks
Since compiling the Top 10 is a rigorous process, the OWASP Top 10 API Security Risks list considers the current threat landscape and the potential future state. Ultimately, OWASP hopes that the lists generated will last three or four years before requiring an update. OWASP published the most current iteration in 2023.
API1:2023 Broken Object Level Authorization (BOLA)
Object level authorization is a code-level user access validation mechanism. With BOLA, the API shares information about the endpoint that attackers can use to gain unauthorized access to data, resulting in data disclosure, loss, or manipulation.
OWASP notes that this security threat is:
- Easily exploitable
- Widespread
- Easily detected
- Moderate in its business impact
Developers should engage in object level authorizations checks for every function that accesses a data source with a user ID.
API2:2023 Broken Authentication
With incorrectly implemented authentication mechanisms, attackers can gain unauthorized access through credential-based attacks. Vulnerable APIs enable attackers to assume someone’s identity.
OWASP notes that this security threat is:
- Easily exploitable
- Common
- Easily detectable
- Severe in its business impact
Developers should know all possible flows to authenticate to the API and implement multi-factor authentication when possible.
API3:2023 Broken Object Property Level Authorization
This threat combines two threats:
- Excessive Data Exposure: object properties that should not be shared with a user
- Mass Assignment: ability to change, add, and/or delete the value of a sensitive object’s property
While the object level may have the appropriate authentication, the flow leaves properties visible.
OWASP notes that this security threat is:
- Easily exploitable
- Common
- Easily detectable
- Moderate in its business impact
Developers should limit users’ access to an object’s properties and limit the data that the API returns.
API4:2023 Unrestricted Resource Consumption
Answering API requests takes up resources like network bandwidth, CPU, memory, and storage. An API is vulnerable to this security threat if limits are set incorrectly or missing, creating a Denial of Service (DoS) risk.
OWASP notes that this security threat is:
- Average exploitability
- Widespread
- Easily detectable
- Severe in its business impact
Developers should consider rate limiting and throttling to prevent an API from using too many resources at any given time.
API5:2023 Broken Function Level Authorization (BFLA)
While BOLA sits at the code level, BFLA is at the user-access level. With BFLA, the user’s roles or permissions have too much access, like:
- a standard user accessing administrative endpoints,
- A standard user performing sensitive actions by changing the HTTP method
- Guessing the endpoint URL and parameters.
OWASP notes that this security threat is:
- Easily exploitable
- Common
- Easily detectable
- Severe in its business impact
Developers should ensure that they configure and monitor the application’s authorization module that begins with a deny-all-by-default model.
API6:2023 Unrestricted Access to Sensitive Business Flows
APIs often drive the business logic layer (BLL), the rules that define and restrict how the application uses a database. Excessive access to business flows can often expose sensitive data or change how the application manages data by automating access to these flows.
OWASP notes that this security threat is:
- Easily exploited
- Widespread
- Average for detectability
- Moderate in its business impact
Developers should identify all business flows that could harm the organization and choose protection mechanisms like device fingerprinting, CAPTCHAs, bot detection tool, or IP blocking.
API7:2023 Server Side Request Forgery (SSRF)
With an SSRF, the API fetches from a remote source without validating the user-supplied URL, meaning that an attacker can “fake” the requested source, sending data to an unintended location.
OWASP notes that this security threat is:
- Easily exploitable
- Common
- Easily detectable
- Moderate in its business impact
Developers should isolate resource fetching mechanisms and define accepted remote resources clearly in allow lists.
API8:2023 Security Misconfiguration
APIs often have insecure default or complex security configurations that attackers can exploit. Typically, attackers also look for unpatched flaws, common endpoints, or unprotected file and directories.
OWASP notes that this security threat it:
- Easily exploitable
- Widespread
- Easily detectable
- Severe in its business impact
At minimum, developers should ensure that the API life cycle includes repeatable hardening processes, configuration monitoring, and automated processes for assessing configurations’ security effectiveness.
API9:2023 Improper Inventory Management
The proliferation of APIs often leads organizations to lose visibility into the number of API and API endpoints as well as API data storage and sharing. APIs can have two types of “blindspots”:
- Documentation blindspot: lack of information about purpose, environment, network access, version, retirement plan, or inventory
- Data flow blindspot: lack visibility into where APIs share sensitive data combined with lack of business justification, inventory of flow, and/or visibility into sensitive data type
OWASP notes that this security threat is:
- Easily exploitable
- Widespread
- Average for detectability
- Moderate in business impact
Developers should inventory and document all API hosts, integrated services, and aspects of the API using automation to build documentation into the CI/CD pipeline.
API10:2023 Unsafe Consumption of APIs
Sometimes security standards become lax when receiving data from trusted third-party APIs, like weaker standards for input validation and sanitization or interacting over unencrypted channels. Attackers identify the third-party services to compromise the targeted API.
OWASP notes that this security vulnerability is:
- Easily exploited
- Common
- Average for detectability
- Severe in its business impact
Developers should engage in appropriate service provider API security due diligence, always use secure communication channels (TLS), validate and sanitize received data, and maintain an appropriate allow list.
Graylog API Security: Continuous scanning for attack detection and triage
Graylog API Security enables you to continuously scan API traffic at runtime or detection and alerts before attackers can extract data or proceed with an exploit. Using our pre-configured signatures to identify common threats like the OWASP API Security Top 10, you can proactively understand and expose potentially malicious traffic. Graylog API Security captures request and response details so you have a readily accessible datastore that includes aggregated and individual API call details across all your APIs.
To see how Graylog API Security can help you build continuous API threat detection and incident response, contact us today!