OWASP Top 10 API Security Risks – 2023

1. Broken Object Level Authorization

  • Object level authorization, usually implemented in code to validate the requesting user, is a control mechanism that limits which objects that user may access.
  • Attack vectors: attackers target API endpoints by manipulating the object IDs sent in requests.
  • Security Risks: even when proper protocols are in place, developers may overlook the authorization check when a request accesses a sensitive object.

2. Broken Authentication

  • Authentication endpoints face risks such as brute force attacks, credential stuffing, weak encryption keys, and unauthenticated connections to other microservices.
  • Security Risks: OWASP identifies two specific issues related to endpoint authentication.

3. Broken Object Property Level Authorization

  • Accessing objects via an API requires user validation to ensure authority for specific object properties.
  • Security Risks: Despite developers validating user access to functions and objects.
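The two authorization risks above (object level in item 1, object property level in item 3) share the same fix pattern: look the object up, confirm the caller may touch it, then expose or accept only the properties that caller is entitled to. The following is an added example, not code from the original post or from OWASP; the `User`/`Account` types, the in-memory `ACCOUNTS` store and the role names are constructed for illustration.

```python
"""Object-level and property-level authorization on a toy API handler layer.

Added example (not from the original post). An in-memory dict stands in for
the database; `User`, `Account` and the "customer"/"admin" roles are assumed.
"""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "admin" (assumed role names)


@dataclass
class Account:
    account_id: int
    owner_id: int
    balance: float
    iban: str
    internal_risk_score: int  # server-side only; must never reach a client


# Constructed sample rows standing in for a database table.
ACCOUNTS = {
    1: Account(1, owner_id=100, balance=250.0, iban="DE00-SAMPLE-0001", internal_risk_score=7),
    2: Account(2, owner_id=200, balance=980.5, iban="DE00-SAMPLE-0002", internal_risk_score=2),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object or property."""


def get_account_vulnerable(caller: User, account_id: int) -> dict:
    """BOLA + BOPLA: the ID from the request is looked up with no ownership
    check, and every column is serialised straight into the response."""
    return asdict(ACCOUNTS[account_id])


# Property allow-lists: anything not listed is dropped (read) or rejected (write).
READABLE = {"account_id", "balance", "iban"}
WRITABLE = {"iban"}  # balance and owner_id deliberately absent


def authorize_object(caller: User, account: Account) -> None:
    """Object-level check: owners and admins only."""
    if caller.role != "admin" and account.owner_id != caller.user_id:
        raise Forbidden("not found or not permitted")


def _load(caller: User, account_id: int) -> Account:
    account = ACCOUNTS.get(account_id)
    if account is None:
        # Same error as for a forbidden object, so IDs cannot be enumerated
        # by telling "missing" apart from "exists but not yours".
        raise Forbidden("not found or not permitted")
    authorize_object(caller, account)
    return account


def get_account_secure(caller: User, account_id: int) -> dict:
    account = _load(caller, account_id)
    # Property-level check on the way out: only the readable subset leaves.
    return {k: v for k, v in asdict(account).items() if k in READABLE}


def update_account_secure(caller: User, account_id: int, patch: dict) -> dict:
    account = _load(caller, account_id)
    # Property-level check on the way in: reject, rather than silently ignore,
    # fields the caller may not write (mass-assignment protection).
    rejected = set(patch) - WRITABLE
    if rejected:
        raise Forbidden(f"fields not writable: {sorted(rejected)}")
    for key, value in patch.items():
        setattr(account, key, value)
    return get_account_secure(caller, account_id)


def is_denied(fn, *args) -> bool:
    """Demonstration helper: True when the call was refused with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

Note that the vulnerable handler answers any ID with the full row, including `internal_risk_score`, while the secure one refuses the same request and, for a permitted one, returns only the three readable fields.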

4. Unrestricted Resource Consumption

  • Unrestricted API requests allow attackers to flood resources, resulting in denial of service (DoS).
  • Security Risks: APIs frequently lack limitations on activities like execution timeouts and maximum memory.
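The usual first control for this item is a per-client limit on request rate together with hard caps on request parameters that drive resource use (page size, body size). The following is an added example, not code from the original post or from OWASP; the bucket size, refill rate, `client_id` keys and `MAX_PAGE_SIZE` are assumed values, and the clock is injected so the behaviour can be shown deterministically.

```python
"""Per-client token-bucket rate limiter plus a page-size cap.

Added example (not from the original post). Capacity, refill rate and the
MAX_PAGE_SIZE / MAX_BODY_BYTES values are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass
class Bucket:
    capacity: float
    refill_per_sec: float
    tokens: float
    last: float  # clock reading at the previous refill


class RateLimiter:
    def __init__(self, capacity: int, refill_per_sec: float, clock):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock  # injectable time source (time.monotonic in production)
        self.buckets: dict[str, Bucket] = {}

    def allow(self, client_id: str, cost: float = 1.0) -> bool:
        """Return True and consume `cost` tokens if the client still has budget."""
        now = self.clock()
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = Bucket(self.capacity, self.refill_per_sec, float(self.capacity), now)
            self.buckets[client_id] = bucket
        # Refill proportionally to elapsed time, never above capacity.
        bucket.tokens = min(bucket.capacity, bucket.tokens + (now - bucket.last) * bucket.refill_per_sec)
        bucket.last = now
        if bucket.tokens >= cost:
            bucket.tokens -= cost
            return True
        return False


class FakeClock:
    """Deterministic clock for demonstrations and tests."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


# Caps on client-controlled parameters that scale server work (assumed values).
MAX_PAGE_SIZE = 100
MAX_BODY_BYTES = 1_000_000


def clamp_page_size(requested: int) -> int:
    """Never let a client ask for more rows per page than the server budgets for."""
    if requested < 1:
        return 1
    return min(requested, MAX_PAGE_SIZE)


def body_size_ok(content_length: int) -> bool:
    """Reject oversized bodies before they are read into memory."""
    return 0 <= content_length <= MAX_BODY_BYTES


def simulate_burst(n: int, capacity: int = 5, refill_per_sec: float = 1.0) -> tuple[int, int]:
    """Send n back-to-back requests from one client; return (allowed, rejected)."""
    limiter = RateLimiter(capacity, refill_per_sec, FakeClock())
    allowed = sum(limiter.allow("client-a") for _ in range(n))
    return allowed, n - allowed
```

In a real deployment the limiter state lives in a shared store rather than a process-local dict, and the rejection maps to HTTP 429 with a Retry-After header; the arithmetic is the same.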

5. Broken Function Level Authorization

  • Function level authorization decides which users may call administrative endpoints that perform sensitive actions.
  • Security Risks: Modern applications with numerous roles, groups, and complex user hierarchies.

6. Unrestricted Access to Sensitive Business Flows

  • One of the major concerns with unrestricted access to sensitive business flows is that it allows attackers to automate their attacks.
  • Security Risks: The challenge lies in telling a legitimate request from an automated one, since each request looks valid on its own.

7. Server Side Request Forgery (SSRF)

  • Server side request forgery (SSRF) occurs when an API fetches a remote resource without validating the user-supplied URL.
  • Security Risks: Application development often involves accessing URIs provided by the client.
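The defence for this item is to treat the client-supplied URL as untrusted input and validate it against a positive policy (allowed scheme, allowed hosts, no credentials, no IP literals, expected port) before the server fetches anything. The following is an added example, not code from the original post or from OWASP; the `ALLOWED_HOSTS` entries are constructed placeholders. It validates the URL string only and does no DNS resolution, so it must be paired with a fetch layer that applies the same policy to the resolved address and to every redirect hop.

```python
"""Validate a client-supplied URL before the server fetches it (SSRF defence).

Added example (not from the original post). ALLOWED_HOSTS is a constructed
allow-list; the function checks the URL string only and does not resolve DNS.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list of partner hosts this API is permitted to call.
ALLOWED_HOSTS = {"images.example-partner.test", "api.example-partner.test"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}  # None means the scheme default


class UnsafeURL(ValueError):
    """The URL fails the outbound-fetch policy."""


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def validate_outbound_url(raw: str) -> str:
    """Return `raw` unchanged if it passes policy; raise UnsafeURL otherwise."""
    parts = urlsplit(raw)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL are not allowed")
    host = (parts.hostname or "").lower()  # hostname strips IPv6 brackets
    if not host:
        raise UnsafeURL("missing host")
    # IP literals bypass the host allow-list and are the usual way to reach
    # loopback or internal addresses, so they are refused outright.
    if _is_ip_literal(host):
        raise UnsafeURL("IP literal hosts are not allowed")
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not in allow-list: {host}")
    if parts.port not in ALLOWED_PORTS:  # .port raises ValueError on garbage
        raise UnsafeURL(f"port not allowed: {parts.port}")
    return raw


def is_safe(raw: str) -> bool:
    """Boolean form of validate_outbound_url for callers that just need a decision."""
    try:
        validate_outbound_url(raw)
    except ValueError:  # UnsafeURL and malformed-port errors alike
        return False
    return True
```

The allow-list is the load-bearing control; the scheme, credential, IP-literal and port checks close the ways a URL can satisfy a naive hostname comparison while still pointing somewhere the server should never connect to.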

8. Security Misconfiguration

  • Prioritizing security hardening for the API stack is crucial for developers.
  • Security Risks: Misconfigurations can occur at any level, from network to application.

9. Improper Inventory Management

  • APIs across applications can be complex and interwoven.
  • Security Risks: Inadequate inventory or asset management can lead to various problems.

10. Unsafe Consumption of APIs

  • When collaborating with established third parties and suppliers, there's a general reliance on received data.
  • Security Risks: Weak security models applied to API integrations often result in security vulnerabilities.

For more details, refer to the original OWASP Foundation page: https://owasp.org/API-Security/editions/2023/en/0x11-t10/

Beyond the Top 10

  • Injections
  • Insufficient Logging & Monitoring
  • Business Logic Flaws

Sienna Faleiro

IT Certification at TIBCO

1 year

Exciting news for F5 Certification aspirants! www.certfun.com/f5 offers top-tier online practice exams. #CertFun #F5 #TechSkills
