OWASP API Top 10 Explained with Real-World Examples

Avatar photo
Author
Updated: June 28th, 2024
13 mins read
OWASP API Top 10 Astra

It’s an API talking to the API world we’re living in. As per Postman, 500 million new APIs are expected to be created by 2025.  APIs are a lifesaver when it comes to automation or integration. But when it comes to the security of these APIs, things can get a little tricky. OWASP API Top 10 gives insights on top vulnerabilities exploited in APIs.

In a recent update, OWASP, a well-known security foundation built on open-source principles, has released an updated list of the top 10 API security risks. The list is known as the OWASP API Security Top 10 and identifies the most common security issues organizations face in using APIs. This list first came out in 2019, but so much has changed since then. 

Not only are there more cases of API attacks now, but they have also taken on new forms. While one can use API vulnerability scanning tools like Astra Pentest to uncover API vulnerabilities, nothing beats designing APIs securely by design. 

OWASP Top 10 for API Risks

When it comes to API security, you need to be aware of the highest possible risks that are likely to occur. The OWASP API Security Top 10 list is a great resource for understanding these risks and how they can impact your organization. Let’s examine each of these risks in depth.

OWASP API Top 10 Vulnerabilities

API1:2023 – Broken Object Level Authorization

An API’s failure to provide proper authorization checks at the object level can result in broken object-level authorization vulnerabilities. Attackers may exploit these flaws to gain access and change sensitive data that they are not supposed to have authority over. 

This will expose them to unauthorized viewing, modification, or deletion of resources, thereby compromising the confidentiality and integrity of the system.

To address this risk, granular access controls must be put in place, and user permissions for each requested object or resource must be verified. Consequently, developers have to ensure that the API checks whether a user can do something with any one element of information, such as read, write, or delete, among others, based on its privileges.

API2:2023 – Broken Authentication

Issues in authentication occur when authentication mechanisms used by an API are weakly constructed, misconfigured, or insecurely implemented. A malicious person can take undue advantage of these weaknesses to gain unauthorized access to user accounts, steal sensitive information, or make transactions on behalf of other users. 

Some common issues include weak password policies, lack of multi-factor authentication mechanisms, and inadequate protection against brute force attacks. Secure implementation is important in mitigating unauthorized access into systems. 

Strong passwords should be enforced, while secure protocols such as OAuth 2.0 and OpenID Connect should be used together with secondary layer security through the use of multi-factor authentication and proper session management involving secure session generation, expiration, and revocation by the API, respectively.

API3:2023 – Broken Object Property Level Authorization

When there are no access controls on specific properties or attributes within objects, an API has broken object property-level authorization. This vulnerability allows hackers who lack permission for certain properties to gain access to or change them, leaking data or making unauthorized alterations.

Developers can stop this vulnerability by putting in place fine-grained access controls at the property level. The API must check that users are allowed to view and modify each attribute of an object. Also, proper input validation and output encoding should also be used to prevent injection attacks and unauthorized data exposure. 

A malicious seller discovers that they can modify sensitive properties they shouldn’t have access to, such as the payment settings of competing stores or the order history of other sellers.

API4:2023 – Unrestricted Resource Consumption

Uncontrolled resource consumption vulnerabilities happen when there are no limits or controls on the amount of server resources an API can consume. With these flaws, it is possible for attackers to fill up the system with numerous requests or use a lot of resources leading to denial-of-service (DoS) attacks for instance. It affects both availability and performance of the API including its dependent services.

Mitigating this risk involves implementing proper rate-limiting and resource-throttling mechanisms. Limits should be set on how many transactions a user can perform within a particular time period through which only limited resources should be allocated per request respectively. Systems that monitor and raise alarms against uncharacteristic spikes in consumption exist alongside such measures.

shield

Why Astra is the best in pentesting?

  • We’re the only company that combines automated & manual pentest to create a one-of-a-kind pentest platform.
  • Vetted scans ensure zero false positives.
  • Our intelligent vulnerability scanner emulates hacker behavior & evolves with every pentest.
  • Astra’s scanner helps you shift left by integrating with your CI/CD.
  • Our platform helps you uncover, manage & fix vulnerabilities in one place.
  • Trusted by the brands you trust like Agora, Spicejet, Muthoot, Dream11, etc.
cto

API5:2023 – Broken Function Level Authorization

The inability of APIs to implement adequate access controls for individual functions or endpoints leads to broken function-level authorization vulnerabilities. It might have authentication and authorization components, but many lack granularity within the scope of individual functions. This flaw then results in attackers accessing or running functions for which they should not have any permission, leading to unauthorized actions or data exposure.

Developers must therefore put in place strict authorization checks for every API function/endpoint to mitigate this risk. The API should verify and authorize users based on their roles, groups or privileges which will ensure that a user only accesses and executes allowed functions. To prevent parameter tampering or injection attacks, proper input validation and parameter binding should be enforced as well.

Broken Function Level Authorization - OWASP API Top 10

API6:2023 – Unrestricted Access to Sensitive Business

Sensitive corporate information cannot be accessed freely when an API fails to secure it accordingly by restricting its access channels. Unauthorized persons can take advantage of this vulnerability to access financial statements, personal records on customers, and intellectual property, leading to data breaches that significantly impact business value.

To avoid this kind of situation from happening again, the APIs need strong access controls and mechanisms that guarantee secure data transmission over unsecured channels. On top of encrypting sensitive data at rest and in transit, it should also be protected using the least privilege approach, meaning that no one is supposed to access it unless with authority. In addition, there should be proper authentication and authorization checks for sensitive information that allow only authorized people or systems to gain entry into it. Moreover, we should build logging and monitoring mechanisms to warn against any suspicious activity, such as trespassing.

API7:2023 – Server-Side Request Forgery (SSRF)

Whenever an attacker manipulates an API server so that it sends requests to unintended domains or even those without prior permission, we call this Server-Side Request Forgery (SSRF). Hackers normally exploit this weakness by misleading the server to make requests for internal systems, external websites, or other APIs. As a result, sensitive data might be stolen, or unauthorized actions might also be taken.

To prevent SSRF attacks, one has to ensure that all user-supplied data used in constructing server-side requests is properly validated and sanitized. The API is supposed to ascertain the allowed destinations and protocols for outbound requests.

API8:2023 – Security Misconfiguration

A security misconfiguration vulnerability happens when an API is not properly configured or secured leaving it open to possible threats. It may include use of default/weak security settings, exposing confidential information/functionality without any reason or the lack of updating the API together with its dependencies with current security patches.

Secure configuration practices must be adopted throughout the API development lifecycle and deployment to mitigate security misconfigurations. As part of this practice, default accounts/passwords must be disabled, unnecessary features/endpoints removed, and necessary security settings such as encryption/authentication/authorization properly configured. 

Regular audits on security issues and vulnerability scans should then help detect misconfigurations that need addressing. Additionally, keeping the API and its dependencies up to date regarding the latest security patches prevents proven vulnerabilities from being exploited.

API9:2023 – Inadequate Inventory Control

Inadequate inventory control vulnerabilities occur when an organization fails to maintain a current and correct inventory of its APIs, including their versions, endpoints, and associated assets. This lack of transparency and oversight can result in security issues such as exposing deprecated or vulnerable APIs or failing to find vulnerabilities in good time.

To manage this risk, there should be a well laid down process for managing the API inventory. This entails having an all-inclusive list of all the APIs, versions, and endpoints, along with dependencies associated documentation. To ensure that the inventory is up to date and accurate, regular reviews and updates should be done. 

API10:2023 – Unsafe Consumption of APIs

Unsafe consumption of APIs happens when client applications or other consumers do not correctly handle or validate API data that is being sent by them. Consequently, this may lead to security vulnerabilities like injection attacks, data leakages, or unauthorized access if the client application blindly trusts API responses without validating them properly.

Both API providers and consumers are responsible for mitigating this risk. Developers need to include input validation routines into their code, which will sanitize any malicious inputs that might be entered by users before taking further action on any input received from clients. On the other hand, all data retrieved from this system should be properly validated before processing in any way. 

Using OWASP API Top 10 to Breach Dell – A Case Study

Recently, Dell was breached, leading to 49 million customer records being leaked. The hackers used multiple OWASP Top 10 API vulnerabilities to cause this breach. Here’s how the breach happened:

  1. Fake partner, real access: The hackers requested for a partner account on Dell’s partner portal. With limited to no checks, they got a partner account on the portal.
  2. Oh, those juicy APIs: The attacker found an API endpoint that returned customer details, including address, name, etc., upon receiving a Dell service tag. 
  3. Let’s hack at scale: Once hackers knew that the service tags were 7-character alphanumeric codes, the attacker created a script that generated and submitted these codes to the API at a rate of thousands of requests a minute.
  4. Rate limiting, what?:  The API had no rate limiting to prevent such excessive requests. This allowed the attacker to extract a massive 49 million customer records.
Dell Data Breach - OWASP API Top 10 2023

The hackers claimed that they contacted Dell to disclose the vulnerability, but they had allegedly dumped the data before reporting.

OWASP API Top 10 Vulnerabilities Exploited in The Process

  • API1:2023 – Broken Object Level Authorization
  • API2:2023 – Broken Authentication
  • API9:2023 – Improper Inventory Management

Astra’s Perspective on the OWASP API Top 10 Security

Astra Security recognizes the vital significance of OWASP API Top 10 in mitigating the most common security vulnerabilities in APIs. In line with this, Astra directs its services and products to these risk areas.

With regards to the OWASP API Top 10 risks, Astra’s API Vulnerability Scanner is a potent tool that helps companies identify and mitigate any risks involved. It conducts an all-around automated test on APIs following OWASP guidelines for various security checks. It identifies weaknesses such as broken object-level authorization, injection flaws, and broken authentication, offering insights into an API’s weak points.

In addition to automated API vulnerability scanning capabilities, Astra has a team of experienced security experts who provide enterprises with support in dealing with risks associated with the OWASP Top 10 API. They offer manual penetration testing that complements automated scans to thoroughly assess an API’s overall security posture.

At the same time, they maintain up-to-date knowledge of current threat landscapes while recommending best practices and remedial strategies.

Astra Pentest is built by the team of experts that helped secure Microsoft, Adobe, Facebook, and Buffer


character

To sum it up, Astra Security’s Scanner is an effective instrument for addressing potential issues accompanying OWASP API Security Top 10 by businesses. This way, organizations can identify, prioritize, and rectify vulnerabilities affecting their API Systems, making them more robust against breaches. 

Automated scanning capabilities, skilled assistance, and a holistic approach by Astra make it possible for companies to discover, prioritize, and address API vulnerabilities by empowering their overall security landscape.