The Latest Trends in API Security: The 2023 OWASP API Security Top Ten
The Open Web Application Security Project (OWASP) has published the latest edition of its API Security Top Ten, which was first published in 2019. The Top Ten is a significant daughter list of the OWASP Top Ten, which is one of the most definitive lists of the most severe web application risks. Why is this important? What are its main findings? And what does this mean for application security?
Why is the OWASP API Security Top Ten important?
The API Security Top Ten focuses on application-programming interfaces (APIs), the bits of software that let two or more separate computer programs communicate and exchange information with each other. It sets out the categories of common flaws and weaknesses in APIs, particularly web-based APIs that communicate across the internet rather than through a closed network. It provides developers and security teams with an up-to-date guide to the most common and dangerous mistakes they could encounter that can cause vulnerabilities when building and maintaining web applications. APIs are vital to the development of software functions, and APIs for web applications are frequently sources of security vulnerabilities.
According to the foreword of the 2023 edition of the API Security Top Ten, “APIs are a critical part of modern mobile, SaaS, and web applications and can be found in customer-facing, partner-facing, and internal applications. . . By nature, APIs expose application logic and sensitive data such as personally identifiable information (PII) and because of this, APIs have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible.”
As APIs are a significant part of building web applications, reinforcing their security has become increasingly important to maintaining the integrity of organizations’ apps. So, the list is a useful reference for the DevSecOps community to know what to avoid during their builds.
Main findings
The report lists the top ten categories of weaknesses and then drills down into how exploitable, prevalent, detectable, and impactful each weakness is. It provides additional information on how each of these issues may arise, the sorts of problems each may cause, and the extent of its potential damage. It also provides ways to determine if an API might be vulnerable, examples of possible attack scenarios, and suggestions for how to prevent them.
The leading API security issues on the list are authorization and authentication, followed by access issues and unrestricted and unsafe consumption issues. The list identifies the full top ten as follows:
1. Broken Object Level Authorization
Exposure of the endpoints that handle object identifiers, creating a wide attack surface of Object Level Access Control issues.
Exploitability: Easy. Prevalence: Widespread. Detectability: Easy. Impact: Moderate
2. Broken Authentication
Authentication mechanisms implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users’ identities.
Exploitability: Easy. Prevalence: Common. Detectability: Easy. Impact: Severe
3. Broken Object Property Level Authorization
Lack of or improper authorization validation at the object property level, leading to information exposure or manipulation by unauthorized parties.
Exploitability: Easy. Prevalence: Common. Detectability: Easy. Impact: Moderate
4. Unrestricted Resource Consumption
Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Other resources such as emails/SMS/phone calls or biometrics validation are made available by service providers via API integrations. Successful attacks can lead to Denial of Service or an increase in operational costs.
Exploitability: Easy. Prevalence: Common. Detectability: Easy. Impact: Severe
5. Broken Function Level Authorization
Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. Attackers exploit these issues to gain access to users’ resources and/or administrative functions.
Exploitability: Easy. Prevalence: Common. Detectability: Easy. Impact: Severe
6. Unrestricted Access to Sensitive Business Flows
APIs vulnerable to this risk expose a business flow — such as buying a ticket or posting a comment — without compensating for how the functionality could harm the business if used excessively in an automated manner.
Exploitability: Easy. Prevalence: Widespread. Detectability: Average. Impact: Moderate
7. Server-Side Request Forgery
These can occur when an API fetches a remote resource without validating the user-supplied URI. This enables attackers to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall or a VPN.
Exploitability: Easy. Prevalence: Common. Detectability: Easy. Impact: Moderate
8. Security Misconfiguration
APIs and the systems supporting them typically contain complex configurations to make the APIs more customizable. Software engineers can miss these configurations, or don’t follow security best practices when it comes to configuration, opening the door for attacks.
Exploitability: Easy. Prevalence: Widespread. Detectability: Easy. Impact: Severe
9. Improper Inventory Management
APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation, and an inventory of hosts and deployed API versions highly important. Security can be compromised without it.
Exploitability: Easy. Prevalence: Widespread. Detectability: Average. Impact: Moderate
10. Unsafe Consumption of APIs
Developers tend to trust data received from third-party APIs more than user input, and so tend to adopt weaker security standards. To compromise APIs, attackers go after integrated third-party services instead of trying to compromise the target API directly.
Exploitability: Easy. Prevalence: Common. Detectability: Average. Impact: Severe
For further details of the main findings, visit the 2023 OWASP API Security Top Ten here.
What does this mean for application security?
APIs are critical to the digital transformation that huge numbers of organizations have undergone in recent years. Nevertheless, when it comes to application security best practices, they are often overlooked even though they are one of the biggest cybersecurity attack vectors. That’s because API security is commonly seen as separate from the overall application security posture of an organization.
APIs are vulnerable because they are exposed to the outside world and a lot of data that passes through the application layer, which makes it attractive to malicious actors. Plus, hacking APIs isn’t particularly difficult, so attackers can easily exploit APIs to perform a variety of damaging actions such as denial of service attacks on critical applications.
APIs are a way for attackers to get into your applications, and seriously disrupt them. Knowing what application risks and vulnerabilities to avoid is key to protecting them and helps you reinforce your application security.
