Decoding the OWASP API Security Top 10

Although OWASP Top 10 lists are useful, they are not known for being easy to understand or enjoyable to read. While we have a serious post discussing the methodology, categories, and missed opportunities of the OWASP API Security Top 10 for 2023, this time we wanted to take a more light-hearted look at the top ten risks for APIs. By simplifying the formal language, we hope to provide a better understanding of each API risk category.

API risk #1: Ask and you shall receive

API1:2023 Broken Object-Level Authorization (aka BOLA aka IDOR)

The main purpose of APIs is to automate access to application data and functionality. Ensuring that data is only accessible to authorized users and systems is crucial. If an object in your application can be accessed by anyone just by knowing the right URL and object ID, it can lead to data breaches like the Optus hack.

API risk #2: You don’t need to see his identification

API2:2023 Broken Authentication

Proving your identity is essential when using APIs. If the authentication process is weak or easily bypassed, attackers can gain unauthorized access using methods like credential stuffing or tampering with JWTs. Once inside, they can exploit the remaining top nine risks.

API risk #3: Promise me you won’t look inside

API3:2023 Broken Object Property-Level Authorization

Different users require different levels of data access in most business applications. Enforcing this for API access can be challenging, leading to situations where an attacker gaining access to a customer account object also gets access to all the data for that account.
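To make risks #1 and #3 concrete, here is an added example (not code from the original post) of a minimal in-memory "customer account" lookup: the vulnerable handler returns any account to any authenticated caller, while the hardened one enforces ownership (object-level) and then projects only the fields the caller's role may see (property-level). All account data, user ids and roles are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    """The authenticated identity attached to the request (constructed)."""
    user_id: str
    role: str  # "customer" or "support"


# Constructed sample data: account objects keyed by id, each with an owner.
ACCOUNTS = {
    "acc-1001": {"id": "acc-1001", "owner": "u-alice", "email": "alice@example.com",
                 "balance": 120.50, "internal_risk_score": 0.82},
    "acc-1002": {"id": "acc-1002", "owner": "u-bob", "email": "bob@example.com",
                 "balance": 99.00, "internal_risk_score": 0.15},
}

# API3: per-role allow-list of readable properties. Anything not listed is
# never serialised, so a sensitive column added later stays hidden by default.
VISIBLE_FIELDS = {
    "customer": {"id", "email", "balance"},
    "support": {"id", "email", "balance", "internal_risk_score"},
}


def get_account_vulnerable(caller: Caller, account_id: str):
    """API1 (BOLA): the caller is authenticated, but any id returns the
    whole object, owner check and field filtering both missing."""
    acc = ACCOUNTS.get(account_id)
    if acc is None:
        return 404, None
    return 200, dict(acc)


def get_account(caller: Caller, account_id: str):
    """Hardened: ownership check (API1), then property allow-list (API3)."""
    acc = ACCOUNTS.get(account_id)
    # Same 404 for "does not exist" and "not yours", so the response does
    # not confirm that another customer's account id is valid.
    if acc is None or (caller.role != "support" and acc["owner"] != caller.user_id):
        return 404, None
    allowed = VISIBLE_FIELDS.get(caller.role, set())
    return 200, {k: v for k, v in acc.items() if k in allowed}
```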

API risk #4: I don’t expect you to talk, Mr. API. I expect you to die

API4:2023 Unrestricted Resource Consumption

Denial of service attacks can target APIs, causing them and the associated applications to go offline. APIs designed for silent and automated access may be vulnerable to resource exhaustion if they accept and process incoming requests without any limits.

API risk #5: Are they allowed to do that?

API5:2023 Broken Function-Level Authorization

API endpoints expose data and operations on that data. Allowing unauthorized access to operations like DELETE can pose a significant risk. Secure access to admin operations is crucial to prevent unauthorized actions.

API risk #6: Hey, that’s cheating!

API6:2023 Unrestricted Access to Sensitive Business Flows

Abusing automated access to operations can lead to serious business consequences. Unfair advantages, like automatic bidding or flooding systems with requests, can disrupt businesses and cause financial losses.

API risk #7: Give them a fake address; they never check anyway

API7:2023 Server-Side Request Forgery (SSRF)

Fetching resources from external sites through APIs can be risky if proper validation is not in place. Attackers could exploit this vulnerability to access internal systems through your API server.
