What is the OWASP API Security Top 10?


APIs have become essential components in modern software development, enabling seamless communication between different systems. However, their widespread use also brings security challenges. The OWASP API Security Top 10 addresses these concerns by highlighting critical vulnerabilities specific to APIs. 

This resource helps developers and security professionals identify and mitigate potential risks, ensuring more robust and secure API implementations. By focusing on these top threats, organisations can better protect their APIs from malicious attacks and maintain the integrity of their interconnected systems.

Understanding OWASP and Its Importance

OWASP, which stands for the Open Web Application Security Project, is a non-profit organisation dedicated to improving software security. One of their most well-known projects is the OWASP Top 10, which lists the most critical security risks for web applications. Similarly, the OWASP API Security Top 10 focuses specifically on the security risks associated with APIs.

OWASP Top 10 API Vulnerabilities

The OWASP API Security Top 10 was first introduced in 2019 to address the growing concerns around API security. As the technology landscape evolves, so do the security risks. In 2023, OWASP released the next version of the API Security Top 10 to reflect the current threat landscape.

Risk Name: Description

Broken Object Level Authorisation (BOLA): Occurs when an API fails to properly verify user permissions for accessing data objects. This could allow unauthorised data or resource manipulation.

Broken Authentication: Arises from improperly implemented authentication mechanisms in APIs. It allows attackers to impersonate legitimate users and gain unauthorised access.

Broken Object Property Level Authorisation: Happens when an API permits unauthorised access or modification of object properties. It combines aspects of excessive data exposure and mass assignment vulnerabilities.

Unrestricted Resource Consumption: Occurs when an API doesn't properly limit the amount or size of resources a client can request. This can lead to denial of service and excessive resource consumption.

Broken Function Level Authorisation: Appears when an API fails to restrict access to certain functions based on user roles or permissions. It can result in unauthorised users accessing administrative or sensitive functions.

Unrestricted Access to Sensitive Business Flows: Arises when an API exposes sensitive business processes without proper restrictions. This allows attackers to abuse these processes through automation.

Server Side Request Forgery (SSRF): Occurs when an attacker can make the API's server send requests to destinations of the attacker's choosing. This can potentially expose sensitive internal resources.

Security Misconfiguration: Encompasses a wide range of security issues resulting from improper configuration of API components. It can lead to various vulnerabilities and potential entry points for attackers.

Improper Inventory Management: Happens when organisations fail to maintain an up-to-date inventory of their APIs and associated documentation. This can result in forgotten or outdated APIs remaining accessible and potentially vulnerable.

Unsafe Consumption of APIs: Refers to the risks associated with consuming external APIs without proper security measures. It can lead to various security issues, including injection attacks and data leaks.

Let's dive into each of the top 10 API security risks identified by OWASP in detail:

Broken Object Level Authorisation (BOLA)

Broken Object Level Authorisation, or BOLA, retains its position at the top of the OWASP API Security Top 10 list in 2023. This critical vulnerability occurs when an API fails to properly verify that a user has the necessary permissions to see or change certain data objects.

How to Prevent BOLA:

To mitigate this OWASP API vulnerability:

  • Implement robust access controls for each API endpoint
  • Always verify the user's permissions before granting access to any data object
  • Use unpredictable, random IDs for resources to prevent easy guessing
  • Implement logging and monitoring to detect potential BOLA attacks
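The following is an added example (not code from the original post or from InstaSafe) showing the first, second and fourth points above in working form: an order lookup with no ownership check beside one that verifies the caller before returning the object, logs the denial, and uses an unguessable identifier for new orders. The order store, user roles and the "support" override are assumptions made for the example.

```python
import logging
import secrets
from dataclasses import dataclass

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("authz")


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # assumed roles: "customer" or "support"


@dataclass
class Order:
    order_id: str
    owner_id: str
    total: float


def new_order_id() -> str:
    # Unguessable identifier instead of a sequential integer. This does not
    # replace the ownership check below; it only removes trivial enumeration.
    return secrets.token_urlsafe(16)


# Constructed sample data, keyed by order id.
ORDERS = {
    "ord_a": Order("ord_a", owner_id="alice", total=49.90),
    "ord_b": Order("ord_b", owner_id="bob", total=12.00),
}


def get_order_vulnerable(order_id: str) -> Order:
    # BOLA: the object is looked up by id with no check that the caller owns it.
    return ORDERS[order_id]


def get_order(caller: User, order_id: str) -> Order:
    """Look up an order and verify the caller is allowed to see it."""
    order = ORDERS.get(order_id)
    if order is None or (order.owner_id != caller.user_id and caller.role != "support"):
        # Same outcome for "not found" and "not yours", so callers cannot probe
        # which ids exist; the denial is logged for monitoring.
        log.warning("object access denied user=%s order=%s", caller.user_id, order_id)
        raise Forbidden(order_id)
    return order


def can_read_order(caller: User, order_id: str) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        get_order(caller, order_id)
        return True
    except Forbidden:
        return False
```

In a real service the ownership comparison would be a query filter (`WHERE id = ? AND owner_id = ?`) rather than a post-fetch check, but the principle is the same: the object is only ever returned after the caller's relationship to it has been established.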

Broken Authentication

Broken Authentication maintains its second position from the 2019 list. This vulnerability arises when an API's authentication mechanisms are improperly implemented, allowing attackers to impersonate legitimate users.

How to Prevent Broken Authentication:

  • Implement strong authentication mechanisms, like multi-factor authentication
  • Use secure password hashing algorithms
  • Implement proper session management
  • Set strong password policies
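As an added example (not code from the original post or from InstaSafe), here is a minimal credential and session handler that applies the second, third and fourth points: a memory-hard password hash with a per-user salt, constant-time comparison that also runs for unknown usernames, a high-entropy session token, and an expiring session. The in-memory stores, the 12-character minimum and the 15-minute session lifetime are assumptions for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores: username -> (salt, hash); token -> (username, expiry)
USERS: dict[str, tuple[bytes, bytes]] = {}
SESSIONS: dict[str, tuple[str, float]] = {}
SESSION_TTL = 900          # seconds; assumed policy value
MIN_PASSWORD_LEN = 12      # assumed policy value


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt is memory-hard; the cost parameters are illustrative and should
    # be tuned to the deployment's hardware.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def register(username: str, password: str) -> None:
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("password too short")
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, hash_password(password, salt))


def verify_password(username: str, password: str) -> bool:
    # Hash even for unknown users so response time does not reveal which
    # usernames exist; compare_digest avoids a timing leak on the hash itself.
    salt, stored = USERS.get(username, (b"\x00" * 16, b"\x00" * 32))
    candidate = hash_password(password, salt)
    return username in USERS and hmac.compare_digest(candidate, stored)


def login(username: str, password: str, now: float | None = None) -> str | None:
    """Return a fresh session token on success, None on failure."""
    if not verify_password(username, password):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, not a predictable id
    SESSIONS[token] = (username, now + SESSION_TTL)
    return token


def session_user(token: str, now: float | None = None) -> str | None:
    """Return the user for a session token, or None if missing or expired."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        del SESSIONS[token]
        return None
    return username


def logout(token: str) -> None:
    SESSIONS.pop(token, None)
```

The `now` parameter exists so the expiry logic can be exercised deterministically; production code would leave it at the default clock.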

Broken Object Property Level Authorisation

This is a new entry in the list, combining aspects of "Excessive Data Exposure" and "Mass Assignment" from the 2019 list. It happens when an API permits unauthorised access or modification of object properties.

How to Prevent Broken Object Property Level Authorisation:

  • Implement fine-grained access controls at the object property level
  • Validate user permissions before allowing any changes to object properties
  • Use a whitelist approach to specify which properties a user can modify
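Added example (not code from the original post or from InstaSafe) of the allow-list approach at the property level, covering both halves of this risk: a mass-assignment update that copies every client-supplied key beside one that accepts only the properties the caller's role may write, and a serialiser that returns only the properties the role may read. The user record, roles and per-role property sets are assumptions for the example.

```python
from copy import deepcopy

# Assumed policy for a hypothetical /users/{id} resource: which properties each
# role may write (mass-assignment defence) and read (data-exposure defence).
WRITABLE = {
    "customer": {"display_name", "email"},
    "admin": {"display_name", "email", "role", "credit_limit"},
}
READABLE = {
    "customer": {"id", "display_name", "email", "credit_limit"},
    "admin": {"id", "display_name", "email", "role", "credit_limit", "internal_notes"},
}


class PropertyNotAllowed(ValueError):
    """Raised when a request tries to write a property outside the allow list."""


def apply_update_vulnerable(record: dict, payload: dict) -> dict:
    # Mass assignment: every key in the request body is copied onto the object,
    # so a client can set "role": "admin" or raise its own credit_limit.
    updated = deepcopy(record)
    updated.update(payload)
    return updated


def apply_update(role: str, record: dict, payload: dict) -> dict:
    """Copy only allow-listed properties; reject the request on any other key."""
    allowed = WRITABLE.get(role, set())
    disallowed = set(payload) - allowed
    if disallowed:
        # Reject rather than silently drop, so the attempt is visible to the
        # client and to whoever reviews the error logs.
        raise PropertyNotAllowed(sorted(disallowed))
    updated = deepcopy(record)
    updated.update(payload)
    return updated


def serialize(role: str, record: dict) -> dict:
    """Return only the properties the caller's role is permitted to read."""
    return {k: v for k, v in record.items() if k in READABLE.get(role, set())}
```

Keeping the read and write sets as explicit data (rather than scattered `if` checks) makes the policy reviewable, and a property absent from both sets is denied by default.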

Unrestricted Resource Consumption

This vulnerability, previously known as "Lack of Resources & Rate Limiting" in the 2019 list, occurs when an API doesn't properly limit the amount or size of resources a client can request.

How to Prevent Unrestricted Resource Consumption:

  • Implement rate limiting on API endpoints
  • Set maximum limits on request size, number of requests per time period, and resource allocation
  • Use pagination for large data sets to limit the amount of data returned in a single request
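The three controls above, combined in one request handler as an added example (not code from the original post or from InstaSafe): a per-client token-bucket rate limiter, a request-body size cap checked before the body is read, and a clamped page size so a client cannot ask for an unbounded result set. The limits, the client identifier and the `handle_request` endpoint shape are assumptions for the example.

```python
from __future__ import annotations

import time

MAX_BODY_BYTES = 64 * 1024   # assumed request-size cap
MAX_PAGE_SIZE = 100          # assumed pagination cap
DEFAULT_PAGE_SIZE = 20


class TokenBucket:
    """Per-client token bucket: `rate` tokens per second, burst of `capacity`."""

    def __init__(self, rate: float, capacity: int, now: float | None = None):
        self.rate = rate
        self.capacity = capacity
        self.tokens = float(capacity)
        self.updated = time.monotonic() if now is None else now

    def allow(self, now: float | None = None) -> bool:
        now = time.monotonic() if now is None else now
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per client id (API key, user, or source address)."""

    def __init__(self, rate: float, capacity: int):
        self.rate, self.capacity = rate, capacity
        self.buckets: dict[str, TokenBucket] = {}

    def allow(self, client_id: str, now: float) -> bool:
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = TokenBucket(self.rate, self.capacity, now)
        return bucket.allow(now)


def check_body_size(content_length: int) -> bool:
    # Reject oversized bodies from the declared length before reading them; a
    # streaming parser must also enforce the cap while reading.
    return 0 <= content_length <= MAX_BODY_BYTES


def clamp_page(requested: int | None) -> int:
    """Never let the client choose an unbounded page size."""
    if requested is None or requested < 1:
        return DEFAULT_PAGE_SIZE
    return min(requested, MAX_PAGE_SIZE)


def handle_request(limiter: RateLimiter, client_id: str, content_length: int,
                   page_size: int | None, now: float) -> tuple[int, int]:
    """Return (http_status, effective_page_size) for a hypothetical list endpoint."""
    if not limiter.allow(client_id, now):
        return 429, 0
    if not check_body_size(content_length):
        return 413, 0
    return 200, clamp_page(page_size)
```

The rate check runs first so that a client already over its quota does not get to spend parser time on a large body; in a real deployment the buckets would live in shared storage so that every instance behind the load balancer sees the same counts.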

Broken Function Level Authorisation

Maintaining its fifth position from the 2019 OWASP API top 10, this vulnerability occurs when an API fails to restrict access to certain functions based on the user's role or permissions.

How to Prevent BFLA:

  • Implement role-based access control (RBAC) for all API functions
  • Regularly audit and test access controls
  • Use the principle of least privilege
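Added example (not code from the original post or from InstaSafe) of role-based access control enforced at the function level: an explicit permission matrix in which roles receive only what they need, a decorator that checks the permission on every call and records the decision for audit, and the unprotected variant of an administrative function for contrast. The roles, permission names and endpoint functions are assumptions for the example.

```python
import functools


class Forbidden(Exception):
    """Raised when the caller's role lacks the required permission."""


# Assumed permission matrix for a hypothetical service. Nothing is granted by
# default; a role not listed here can call nothing (least privilege).
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "user:manage"},
}

AUDIT_LOG: list[tuple[str, str, bool]] = []  # (user, permission, granted)


def has_permission(role: str, permission: str) -> bool:
    return permission in ROLE_PERMISSIONS.get(role, set())


def requires(permission: str):
    """Decorator enforcing a function-level permission on every call."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(caller: dict, *args, **kwargs):
            granted = has_permission(caller["role"], permission)
            AUDIT_LOG.append((caller["name"], permission, granted))
            if not granted:
                raise Forbidden(f"{caller['name']} lacks {permission}")
            return func(caller, *args, **kwargs)
        return wrapper
    return decorator


def delete_user_vulnerable(caller: dict, target: str) -> str:
    # BFLA: the administrative function is reachable by anyone who finds it;
    # hiding it from the UI is not an access control.
    return f"deleted {target}"


@requires("user:manage")
def delete_user(caller: dict, target: str) -> str:
    return f"deleted {target}"


@requires("report:read")
def read_report(caller: dict, report_id: int) -> dict:
    return {"id": report_id, "requested_by": caller["name"]}


def invoke(func, caller: dict, *args) -> int:
    """Run an endpoint and translate the outcome to an HTTP status for the caller."""
    try:
        func(caller, *args)
        return 200
    except Forbidden:
        return 403
```

Because the check lives in the decorator rather than in each handler, adding a new administrative function without `@requires(...)` is visible in code review, and the audit log gives the "regularly audit and test" point something concrete to inspect.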

Unrestricted Access to Sensitive Business Flows

This is a new entry in the list. It occurs when an API exposes sensitive business processes without proper restrictions, allowing attackers to abuse these processes through automation.

How to Prevent Unrestricted Access to Sensitive Business Flows:

  • Implement rate limiting and throttling on sensitive business flows
  • Use CAPTCHAs or other anti-automation techniques for critical processes
  • Monitor and alert on unusual patterns of API usage
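As an added example (not code from the original post or from InstaSafe) of the third point, here is a detection routine that scans access-log lines for a sensitive business flow (a checkout) and flags any account that drives it faster than a human plausibly would within a sliding window. The log format, the flow being watched, the window and the threshold are all assumptions; the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed access-log lines: timestamp, client ip, account, method, path.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.5 acct-1 POST /checkout
2024-05-01T10:00:01Z 203.0.113.5 acct-1 POST /checkout
2024-05-01T10:00:02Z 203.0.113.5 acct-1 POST /checkout
2024-05-01T10:00:03Z 203.0.113.5 acct-1 POST /checkout
2024-05-01T10:00:04Z 203.0.113.5 acct-1 POST /checkout
2024-05-01T10:00:05Z 203.0.113.5 acct-1 POST /checkout
2024-05-01T10:00:09Z 198.51.100.7 acct-2 POST /checkout
2024-05-01T10:02:00Z 198.51.100.7 acct-2 GET /orders
2024-05-01T10:30:00Z 198.51.100.7 acct-2 POST /checkout
"""

SENSITIVE_FLOWS = {("POST", "/checkout")}  # assumed: the flow worth protecting
WINDOW_SECONDS = 60                        # assumed sliding window
THRESHOLD = 5                              # assumed: more than this per window is suspicious


def parse_line(line: str):
    ts, ip, account, method, path = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, account, method, path


def find_abusive_accounts(log_text: str, window: int = WINDOW_SECONDS,
                          threshold: int = THRESHOLD) -> dict[str, int]:
    """Return accounts whose sensitive-flow count exceeded `threshold` within
    any `window` seconds, mapped to the peak count observed."""
    recent: dict[str, deque] = defaultdict(deque)   # per-account timestamps in window
    peaks: dict[str, int] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, ip, account, method, path = parse_line(line)
        if (method, path) not in SENSITIVE_FLOWS:
            continue
        q = recent[account]
        q.append(when)
        # Drop events that have fallen out of the window (lines are in time order).
        while (when - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > threshold:
            peaks[account] = max(peaks.get(account, 0), len(q))
    return peaks
```

The same routine keyed by client address instead of account would catch a script rotating through many accounts from one host; in practice both views are worth alerting on.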

Server Side Request Forgery (SSRF)

SSRF is another new addition to the list. This vulnerability occurs when an attacker can make the server send requests to unintended locations, potentially exposing sensitive internal resources.

How to Prevent SSRF:

  • Validate and sanitise all user-supplied URLs
  • Use a whitelist of allowed domains and IP ranges
  • Segment networks so that a server-side request cannot reach sensitive internal systems
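Added example (not code from the original post or from InstaSafe) of the first two points as a single outbound-URL validator: it accepts only HTTPS, rejects embedded credentials, requires the host to be on an allow list, and then resolves the host and refuses any address that is not publicly routable. The allow list, the stub resolver and its address table are assumptions for the example (the sample addresses are constructed).

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.partner.example", "images.example"}  # assumed allow list
ALLOWED_SCHEMES = {"https"}


def resolve_stub(host: str) -> list[str]:
    # Stand-in for DNS so the example runs offline. In production resolve with
    # socket.getaddrinfo, check every returned address, and connect to the
    # address you checked rather than re-resolving the name (DNS rebinding).
    table = {
        "api.partner.example": ["95.100.10.10"],           # constructed public address
        "images.example": ["95.100.10.20", "10.0.0.5"],    # one record points inside
    }
    return table.get(host, [])


def is_public_address(ip: str) -> bool:
    # is_global is False for private, loopback, link-local, reserved and
    # unspecified ranges, which covers cloud metadata and internal services.
    return ipaddress.ip_address(ip).is_global


def validate_outbound_url(url: str, resolve=resolve_stub) -> tuple[bool, str]:
    """Decide whether the server may fetch `url` on a client's behalf."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if host is None:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    addresses = resolve(host)
    if not addresses:
        return False, "unresolvable host"
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"resolves to non-public address {ip}"
    return True, "ok"
```

Note that the allow-list check alone is not enough: a permitted hostname whose DNS record points at an internal address (as `images.example` does here) would still let the server reach inside, which is why the resolved addresses are checked too.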

Security Misconfiguration

Security misconfiguration remains on the OWASP API top 10 list, moving from the seventh position in 2019 to the eighth. This risk encompasses a wide range of security issues resulting from improper configuration of API components.

How to Prevent Security Misconfiguration:

  • Use secure default configurations
  • Regularly audit and update API configurations
  • Disable unnecessary features and remove unused dependencies
  • Implement proper error handling to avoid exposing sensitive information
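The following is an added example (not code from the original post, from InstaSafe or from any real framework) that puts a weak configuration beside a corrected one, audits both for the settings named in the list above, and shows an error handler that keeps exception details in the server log while returning only an incident id to the client. The configuration keys and the feature names are assumptions made for the example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("api")

# Two hypothetical configurations for the same service. The keys are assumed
# for this example and are not any particular framework's settings.
WEAK_CONFIG = {
    "debug": True,
    "cors_allow_origin": "*",
    "tls_required": False,
    "expose_stack_traces": True,
    "enabled_features": ["graphql_introspection", "swagger_ui", "metrics"],
}
HARDENED_CONFIG = {
    "debug": False,
    "cors_allow_origin": "https://app.example",
    "tls_required": True,
    "expose_stack_traces": False,
    "enabled_features": ["metrics"],
}

# Assumed: useful in development, unnecessary in production.
RISKY_FEATURES = {"graphql_introspection", "swagger_ui"}


def audit_config(cfg: dict) -> list[str]:
    """Return findings for settings that should not reach production."""
    findings = []
    if cfg.get("debug"):
        findings.append("debug mode enabled")
    if cfg.get("cors_allow_origin") == "*":
        findings.append("CORS allows any origin")
    if not cfg.get("tls_required"):
        findings.append("plaintext HTTP permitted")
    if cfg.get("expose_stack_traces"):
        findings.append("stack traces returned to clients")
    for feat in cfg.get("enabled_features", []):
        if feat in RISKY_FEATURES:
            findings.append(f"unnecessary feature enabled: {feat}")
    return findings


def error_response(exc: Exception, cfg: dict) -> dict:
    """Build the body for a 500 response. Details stay in the server log,
    correlated to the client-visible incident id."""
    incident_id = uuid.uuid4().hex
    log.error("incident %s: %r\n%s", incident_id, exc, traceback.format_exc())
    body = {"error": "internal error", "incident_id": incident_id}
    if cfg.get("expose_stack_traces"):
        # Misconfiguration: leaks exception class, message and possibly paths.
        body["detail"] = repr(exc)
    return body
```

Running `audit_config` as a pipeline step against the deployed configuration turns the "regularly audit" point into an automated gate rather than a periodic manual review.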

Improper Inventory Management

Previously known as "Improper Assets Management" in 2019, this vulnerability occurs when organisations fail to maintain an up-to-date inventory of their APIs and associated documentation.

How to Prevent Improper Inventory Management:

  • Maintain an up-to-date inventory of all API versions and endpoints
  • Implement proper versioning for APIs
  • Regularly review and retire outdated or unnecessary APIs
  • Ensure all APIs are properly documented
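Added example (not code from the original post or from InstaSafe) of how an inventory can be checked against reality: the documented endpoints (as they might be extracted from a current API specification) are compared with the requests actually seen in access logs, and anything served that matches no documented route is reported as a shadow or legacy endpoint. The documented routes and the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed: the endpoints the team believes it exposes, as (method, path template).
DOCUMENTED = {
    ("GET", "/v2/users/{id}"),
    ("POST", "/v2/orders"),
    ("GET", "/v2/orders/{id}"),
}

# Constructed access-log lines: method, request path, response status.
SAMPLE_LOG = """\
GET /v2/users/42 200
POST /v2/orders 201
GET /v2/orders/9001 200
GET /v1/users/42 200
GET /v1/users/42/export 200
DELETE /v2/orders/9001 405
GET /internal/debug/config 200
"""


def template_to_regex(template: str) -> re.Pattern:
    # "/v2/users/{id}" -> ^/v2/users/[^/]+$
    pattern = re.sub(r"\{[^/}]+\}", r"[^/]+", template)
    return re.compile("^" + pattern + "$")


COMPILED = [(method, template_to_regex(tpl), tpl) for method, tpl in DOCUMENTED]


def classify(method: str, path: str):
    """Map an observed request to a documented template, or None if undocumented."""
    path = urlsplit(path).path  # drop any query string
    for m, rx, template in COMPILED:
        if m == method and rx.match(path):
            return template
    return None


def normalize(path: str) -> str:
    """Collapse numeric path segments so one undocumented route is counted once."""
    return "/".join("{id}" if seg.isdigit() else seg
                    for seg in urlsplit(path).path.split("/"))


def find_shadow_endpoints(log_text: str) -> dict[tuple[str, str], int]:
    """Count served requests that hit no documented endpoint."""
    shadow: dict[tuple[str, str], int] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, path, status = line.split()
        if status in ("404", "405"):
            continue  # rejected by the server; not an exposed surface
        if classify(method, path) is None:
            key = (method, normalize(path))
            shadow[key] = shadow.get(key, 0) + 1
    return shadow
```

Each reported route is either an old version that should have been retired, an undocumented endpoint that needs adding to the specification, or something that should never have been reachable; all three are the inventory failures the list above describes.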

Unsafe Consumption of APIs

This is a new OWASP API Security entry in the list, replacing "Insufficient Logging & Monitoring" from 2019. It refers to the risks associated with consuming external APIs without proper security measures.

How to Prevent Unsafe Consumption of APIs:

  • Always validate and sanitise data received from external APIs
  • Implement proper error handling for API consumption
  • Use secure communication protocols (HTTPS) when consuming APIs
  • Regularly audit and test the security of consumed APIs
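As an added example (not code from the original post or from InstaSafe) of the first and third points, here is a strict validator for a response received from a third-party API: it refuses a non-TLS upstream, caps the response size, parses the JSON, rejects unexpected fields, and checks each expected field's type, length and content before anything is passed on to the application's own logic. The partner "quote" schema and the size limit are assumptions for the example.

```python
import json

# Assumed schema for a hypothetical partner "quote" endpoint: field -> (type, max length).
# Anything outside it is rejected rather than passed through.
QUOTE_SCHEMA = {
    "quote_id": (str, 64),
    "currency": (str, 3),
    "amount_cents": (int, None),
    "merchant_name": (str, 120),
}
MAX_RESPONSE_BYTES = 16 * 1024  # assumed cap


class UntrustedResponse(ValueError):
    """Raised when an upstream response fails validation."""


def require_https(url: str) -> None:
    if not url.lower().startswith("https://"):
        raise UntrustedResponse(f"refusing non-TLS upstream: {url}")


def validate_quote(raw: bytes) -> dict:
    """Parse and strictly validate a partner response before using it."""
    if len(raw) > MAX_RESPONSE_BYTES:
        raise UntrustedResponse("response too large")
    try:
        data = json.loads(raw)
    except ValueError as exc:
        raise UntrustedResponse(f"malformed JSON: {exc}") from None
    if not isinstance(data, dict):
        raise UntrustedResponse("expected object")
    unexpected = set(data) - set(QUOTE_SCHEMA)
    if unexpected:
        raise UntrustedResponse(f"unexpected fields: {sorted(unexpected)}")
    clean = {}
    for field, (ftype, max_len) in QUOTE_SCHEMA.items():
        if field not in data:
            raise UntrustedResponse(f"missing field: {field}")
        value = data[field]
        # bool is a subclass of int in Python; never accept it where an int is expected.
        if not isinstance(value, ftype) or isinstance(value, bool):
            raise UntrustedResponse(f"bad type for {field}")
        if max_len is not None and len(value) > max_len:
            raise UntrustedResponse(f"{field} too long")
        if isinstance(value, str) and any(ch in value for ch in "\x00\r\n"):
            raise UntrustedResponse(f"control characters in {field}")
        clean[field] = value
    if clean["amount_cents"] < 0:
        raise UntrustedResponse("negative amount")
    return clean


def safe_validate(raw: bytes):
    """Return (clean_data, None) on success or (None, reason) on rejection."""
    try:
        return validate_quote(raw), None
    except UntrustedResponse as exc:
        return None, str(exc)
```

The validator returns a new dictionary built only from accepted fields, so downstream code can never see a value that was not checked, and a partner that starts returning extra or differently typed data fails closed instead of quietly reaching a database or a template.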

Key Changes from 2019 to 2023

The 2023 OWASP API Security Top 10 list reflects the changing landscape of API security threats. Here are the main changes from the 2019 list:

2019                                       2023

1. Broken Object Level Authorisation       1. Broken Object Level Authorisation
2. Broken User Authentication              2. Broken Authentication
3. Excessive Data Exposure                 3. Broken Object Property Level Authorisation
4. Lack of Resources & Rate Limiting       4. Unrestricted Resource Consumption
5. Broken Function Level Authorisation     5. Broken Function Level Authorisation
6. Mass Assignment                         6. Server Side Request Forgery
7. Security Misconfiguration               7. Security Misconfiguration
8. Injection                               8. Lack of Protection From Automated Threats
9. Improper Assets Management              9. Improper Asset Management
10. Insufficient Logging & Monitoring      10. Unsafe Consumption of APIs

Three Vulnerabilities Remained Unchanged: Broken Object Level Authorisation, Broken Function Level Authorisation, and Security Misconfiguration.

Two Were Updated:

  • "Lack of Resources & Rate Limiting" became "Unrestricted Resource Consumption"
  • "Injection" was replaced by "Lack of Protection From Automated Threats"

Three New Vulnerabilities Were Introduced:

  • Broken Object Property Level Authorisation (replacing Excessive Data Exposure)
  • Server Side Request Forgery (replacing Mass Assignment)
  • Unsafe Consumption of APIs (replacing Insufficient Logging & Monitoring)

"Broken User Authentication" was slightly renamed to "Broken Authentication".

These changes reflect the evolving nature of API security threats and highlight the importance of staying updated with the latest OWASP API security guidance.

Why the OWASP API Security Top 10 Matters

Understanding and addressing the OWASP API Security Top 10 is crucial for several reasons:

  • Growing Reliance on APIs: As businesses increasingly rely on APIs for their operations, the potential impact of API vulnerabilities grows. The OWASP API Top 10 helps organisations focus on the most critical risks.
  • Evolving Threat Landscape: The OWASP API Security Top 10 helps organisations stay up-to-date with the most critical and current API security threats, ensuring their defences remain effective.
  • Guide For Security Efforts: It provides a prioritised list of risks, helping organisations focus their API security efforts where they matter most.
  • Awareness and Education: The OWASP API Top 10 serves as an educational tool for developers, security professionals, and decision-makers about API security risks.
  • Compliance and Best Practices: Many industries and regulatory frameworks reference OWASP guidelines, including the API Security Top 10, as part of their security requirements.
  • Cost-Effective Security: By focusing on the most critical OWASP Top 10 API vulnerabilities, organisations can make the most efficient use of their security resources.
  • Improved API Design: Understanding the OWASP API Security Top 10 can lead to better API design practices, reducing vulnerabilities from the outset.

Implementing API Security Best Practices

To protect against the vulnerabilities listed in the OWASP API Security Top 10, organisations should consider implementing the following best practices:

  1. Implement Strong Authentication And Authorisation: Use robust authentication mechanisms and implement fine-grained access controls at both the function and object levels. This addresses several OWASP Top 10 API vulnerabilities, including BOLA and Broken Authentication.
  2. Input Validation And Sanitisation: Always validate and sanitise user inputs and data received from external sources, including other APIs. This helps prevent injection attacks and mitigates risks associated with unsafe API consumption.
  3. Rate Limiting and Resource Management: Implement rate limiting, throttling, and set appropriate resource quotas to prevent abuse and ensure fair usage of API resources. This directly addresses the Unrestricted Resource Consumption vulnerability in the OWASP API Security Top 10.
  4. Secure Configurations: Ensure all API components are securely configured, regularly updated and unnecessary features are disabled. This helps mitigate the Security Misconfiguration risk in the OWASP API Top 10.
  5. API Inventory and Lifecycle Management: Maintain an up-to-date inventory of all APIs, their versions, and associated documentation. Implement a proper API lifecycle management process. This addresses the Improper Inventory Management vulnerability.
  6. Monitoring and Logging: While no longer in the OWASP API Security Top 10, comprehensive logging and monitoring remain crucial for detecting and responding to security incidents across all API vulnerabilities.

Conclusion

With the world becoming more connected, the OWASP API Top 10 is an essential tool for companies trying to protect their APIs. By understanding these top risks and implementing appropriate security measures, organisations can significantly improve their API security posture.

At InstaSafe, we understand the critical importance of API security. Our Zero Trust Network Access (ZTNA) solution directly addresses many of the vulnerabilities outlined in the OWASP API Security Top 10, providing robust protection against unauthorised access, broken authentication and improper resource consumption across your API ecosystem. Secure your APIs with InstaSafe's ZTNA solution today!

Frequently Asked Questions (FAQs)

  1. Does the OWASP Top 10 change frequently?

The OWASP API Top 10 is typically updated every 3-4 years. This allows time for significant changes in the security landscape while ensuring the list remains relevant to current threats and vulnerabilities.

  2. What do developers use the OWASP Top 10 for?

Developers use the OWASP Top 10 as a crucial reference for prioritising security efforts. It helps them focus on the most critical vulnerabilities, guide security testing, and improve overall application security during the development process.

  3. Is OWASP a framework?

OWASP is not a framework. It's a non-profit foundation that works to improve software security. OWASP provides various resources, including guidelines, tools, and documentation, but it's not a structured framework for implementing security measures.

  4. What role does OWASP play in API security?

OWASP plays a vital role in API security by providing the API Security Top 10 list. This resource helps developers and security professionals identify and mitigate the most critical API security risks, promoting better security practices in API development.

  5. What is the difference between OWASP Top 10 and OWASP ASVS?

The OWASP Top 10 is an awareness document listing the most critical web application security risks. OWASP ASVS (Application Security Verification Standard) is a more comprehensive framework for testing web application technical security controls and defining security requirements.