background image


OWASP API Security Top 10


What is API Security?

An application programming interface (API) allows for communication between and connectivity among applications while sharing data and enabling the integration of application software and services. Web-based APIs ultimately make the development of applications and services easier and more innovative by streamlining the delivery of requests and responses but leave several potential entry points to the backend services susceptible to attack. Furthermore, with this transferring of data, some API endpoints may be vulnerable to exposing sensitive information such as personal, medical, and financial information, making them a great target for compromising data and systems.

With the fast-growing implementation of APIs, API Security is becoming more and more prevalent. This focuses on mitigating the risks associated with utilizing APIs and protecting the information being communicated.

What is the OWASP API Security Top 10?

The Open Web Application Security Project (OWASP) API Security Project is a generated list of the Top 10 vulnerabilities associated with APIs. See the following table for the identified vulnerabilities and a corresponding description.

  • API1 Broken Object Level Authorization: Though a legitimate API call may be made to view or access a data source, some may fail to validate whether the user requesting the resource has authorization to access it. Performing object-level authorization checks on each call that accesses data is a minimum requirement.

  • API2 Broken Authentication: This vulnerability can allow adversaries to bypass or take control of the authentication methods and compromise user accounts. Inadequate authentication can be mitigated by enforcing the use of access tokens and implementing lockout mechanisms, to name a few.

  • API3 Excessive Data Exposure: APIs may expose more data than required by the user, thus exposing potentially sensitive information. Applications should never rely on clients to perform data filtering before displaying it to the user.

  • API4 Lack of Resources & Rate Limiting: APIs often don’t enforce protection against excessive requests for resources or payload sizes. Attackers can exploit this for Denial of Service (DoS) attacks, hinder API server performance, and can lead to brute force attacks.

  • API5 Broken Function Level Authorization: Authorization flaws due to lack of separation of roles and functions can be exploited to view other users’ data and gain access to higher-privileged functions. It is important to ensure that operations are restricted based on the appropriate group or role.

  • API6 Mass Assignment: Attackers can attempt to modify data objects they aren’t permitted to by abusing lack of proper data filtering; for example, by guessing object properties and searching for other API endpoints. Define and whitelist parameters that are to be included within object properties.

  • API7 Security Misconfiguration: Insecure configurations, unpatched systems, missing CORS policy, error messages with excess/sensitive information disclosed, etc. provide more avenues of vulnerabilities to be exploited by attackers.

  • API8 Injection: Attackers can manipulate API calls that include SQL, OS, or other commands/queries that are sent to the backend and thus execute the untrusted data and malicious commands issued by the attacker.

  • API9 Improper Assets Management: Migrating to production-ready APIs and removing previously deployed, vulnerable API endpoints ensures attackers can’t attempt to exploit these pre-existing ones. This can be supported by providing sufficient documentation and monitoring of deprecated API versions.

  • API10 Insufficient Logging & Monitoring: Lack of proper logging and monitoring can allow for breaches to go undetected, especially if there are missing incident detection mechanisms. This can further permit attackers to maintain persistence within systems and extract critical company data.

How to Strengthen Your API Security

Since APIs are widely used, securing their implementation is critical to your overall security. There are multiple ways to help further strengthen your API security and mitigate some of the vulnerabilities that may exist in your application development, some of which have been mentioned above. However, the following are an overview of a few controls you can put in place to harden your API security:

  • Implement authorization tokens and enforce strict access controls as well as a strong authentication mechanism.

  • Filter data being transferred and ensure encryption is being employed.

  • Keep up to date on your overall security and stay informed about potential vulnerabilities within your business.

  • Make use of API gateways which help to organize and control data by establishing rules for traffic.

  • Limit the number and size of requests based on what is required.

If your company or business is interested in learning more about whether your applications are vulnerable, please contact us for more information.