Cat: All Your APIs Are Belong To Us
Cats: All Your APIs Are Belong To Us

Proliferation of Application Programming Interfaces (APIs) and associated API security risks is increasingly common. As a result, the Open Web Application Security Project (OWASP), known for their venerable Top Ten Web Application Security Risks framework, introduced a complementary Top Ten API Security Risks in 2019. In this blog post, we will discuss the newly released 2023 standards and what can be considered as common vulnerabilities in APIs.

Why the OWASP API Top Ten is Important

APIs are used in modern software as a means to allow different software components to communicate with one another. While APIs make building complex applications easier, they also create broader data security risks. These risks can manifest in different ways, from data breaches to denial-of-service attacks.

The OWASP API Top Ten API Security Risks framework is important for several reasons. First, it serves as a guide for developers who want to build secure APIs in an increasingly 'Shift Left' world, where the onus for security is increasingly on developers. By understanding the risks associated with APIs, developers can endeavor to mitigate those risks from the outset. 

Second, the OWASP API Top Ten is useful for security professionals who want to assess the security of existing APIs. By identifying common API security risks, security professionals can better evaluate the security posture of an organization's APIs and allow for effective prioritization of vulnerabilities based upon true risk.

OWASP 2023 - What's Changed

There are 4 major changes to the OWASP Top Ten API Security Risks:

  1. OWASP combined Excessive Data Exposure and Mass Assignment and called it Broken Object Property Level Authorization, which makes a lot of sense as both Excessive Data Exposure and Mass Assignment vulnerabilities share this common root causality.
  2. More focus has been put on resource consumption than in 2019 which was more focused on the rate or pace API were being consumed.
  3. A new category of Unrestricted Access to Sensitive Business Flows was added because attacks are evolving and this category addresses these and covers those traditionally dealt with by rate limiting, i.e., scraping.
  4. OWASP has also created a category for emerging threats which they call Unsafe Consumption of APIs; this addresses attacks that don't attack an API directly but through an integrated service, such as a 3rd party API.

The 2023 OWASP Top Ten API Security Risks

CategoryDescription
Broken Level Object AuthorizationAPIs have a lot of endpoints that deal with object identifiers and this creates an extremely wide attack surface object level ACL issues.
Broken AuthenticationIncorrect implementation of authentication allows attackers to compromise auth tokens or exploit implementation flaws to assume another users identity.
Broken Object Property Level AuthorizationThis is the category that combined Excessive Data Exposure and Mass Assignment from the OWASP 2019 API Top Ten. This is improper authorization (or a complete lack thereof) allows for the improper exposure or manipulation of data.
Unrestricted Resource ConsumptionNot only do APIs require compute and network resources, but often APIs are tied to other services that have a cost associated with usage. Attackers exploit this to create denial of service or increased costs.
Broken Function Level AuthorizationComplexity and lack of clear delineation of admin and regular function lead to flaws attackers use to gain access to data or administrative functions.
Unrestricted Access to Sensitive Business FlowsAPIs exposing business flow (such as e-commerce) without understanding what unrestricted access could do to the business or reputation.
Server Side Request ForgerySSRF happens when an API calls a remote URL provided by the client without proper validation.
Security MisconfigurationHuman error and not following security best practices leaves the door open to different attacks.
Improper Inventory ManagementAPIs expose a plethora of endpoints, often with multiple versions exposed, and many aren't documented or the documentation is wrong, allowing attackers to exploit.
Unsafe Consumption of APIsDevelopers have a bias to more implicitly trust data received from machine versus human input, and therefore tend to have lessor controls over data received from 3rd party APIs leading to vulnerability via those APIs.

Conclusion

The release of the OWASP API Top Ten 2023 standards is a significant milestone in the burgeoning API security market, showing its evolving importance and maturity. With the increasing use of APIs in modern software development, it is becoming more crucial for developers and security professionals to understand the risks associated with APIs and take steps to mitigate them. The OWASP Top Ten API Security Risks serves as an essential guide for both developers and security professionals, providing a comprehensive list of common API security risks and vulnerabilities.

The changes made in the OWASP Top Ten API Security Risks for 2023 show a shift in focus towards resource consumption and access to sensitive business flows. By identifying these emerging threats, the OWASP Top Ten API Security Risks framework provides developers and security professionals with a better understanding of the risks associated with APIs. The standards also emphasize the importance of proper authentication, authorization and inventory management, which are common areas where vulnerabilities can arise.

Overall, the OWASP Top Ten API Security Risks 2023 standards serve as a valuable resource for anyone involved in the development or security of APIs. By following these best practices, organizations can better protect themselves against the risks associated with APIs and ensure that their APIs are secure and reliable.

Keep an eye out here for deep dive posts on each of these categories.

Technologies