The OWASP API Security Project is updating its Top 10 API Security Risks for 2023. Last updated in 2019, the new list acknowledges many of the same risks, adds a few new ones, and drops a couple off the list. For example, logging and monitoring, and injection no longer make the top 10 risks, although they are still significant factors. New to the list are server side request forgery (SSRF) and unsafe consumptions of APIs.
Currently, the list isn’t finalized, but it is available on the OWASP Github site for review and comment. As it stands, here are the items that made the 2023 list.
- Broken object level authorization
- Broken authentication
- Broken object property level authorization
- Unrestricted resource consumption
- Broken function level authorization
- Server side request forgery
- Security misconfiguration
- Lack of protection from automated threats
- Improper asset management
- Unsafe consumption of APIs
1. Broken object level authorization
Object level authorization, typically implemented at the code level for user validation, is a control method to restrict access to objects. When authorization at the object level is not properly enforced, it can expose systems. Such a vulnerability was uncovered at Uber by sending API requests including user phone numbers to get access to tokens and manipulating systems.
Attack vectors: Attacks exploit API endpoints by manipulating object IDs that are sent within a request. This issue is unfortunately fairly common in API-based applications when server-side components do not track the full client state but rely more on object IDs.
Security weakness: Authorization and access controls are complex. Even with proper protocols and configurations, developers sometimes forget to use authorization checks before accessing sensitive objects. These states do not play well with automatic testing.
2. Broken authentication
Authentication endpoints are vulnerable to a number of risks, including brute force attacks, credential stuffing, weak encryption keys, and connections to other microservices without requiring authentication.
Attack vectors: Because these endpoints may be accessible to people outside an organization, there are several potential threats. It’s easy to fail to fully protect the entire boundary for authentication or implement the proper security protocols.
Security weakness: OWASP points to two specific issues with endpoint authentication:
- A lack of protection mechanisms that include extra levels of protection
- Incorrect implementation of authentication mechanisms or using the wrong mechanism for applications
3. Broken object property level authorization
When accessing an object via an API, users must be validated to ensure they have the authority to access certain object properties. Broken authorization at the object property level can allow unauthorized users to access and change objects.
Attack vectors: Threat actors exploit vulnerable API endpoints to read, change, add, or delete object property values for objects that should not be available to attackers.
Security weakness: Even when developers provide validations for user access to functions and objects, they may not validate if users are allowed to access specific properties within objects.
4. Unrestricted resource consumption
Without restrictions on API requests, attackers sending multiple requests or flooding resources can implement denial of service (DoS) attacks and also cause financial damage for those using pay-per-request billing. Distributed denial of service (DDoS) attacks have grown significantly over the past two years, up as much as 60%.
Attack vectors: APIs can be exploited by sending multiple, concurrent requests to APIs that do not limit interactions.
Security weakness: APIs often do not limit activities such as execution timeouts, maximum allowable memory, the number of operations in client requests, or implementing third-party spending limits. Even with logging, it’s easy for malicious activity to go unnoticed in the early stages.
5. Broken function level authorization
When function level authorization allows users to access administrative endpoints, they can perform sensitive actions.
Attack vectors: Attackers can uncover API flaws because they are more structured and predictable in access methodology, and then they can send legitimate API calls to endpoints that they should not be able to access. In some cases, it can be as simple as guessing the endpoint URL and changing “users” to “admins” in strings.
Security weakness: Modern applications contain plenty of roles, groups, and complex user hierarchies. Users may have different roles for different areas or objects, so it can be challenging to monitor.
6. Server side request forgery
Server side request forgery (SSRF) can happen when an API fetches a remote resource without first validating the URL supplied by users. Servers can be used as proxies to hide malicious activity. Researchers recently found four such instances of SSRF vulnerabilities with Azure API management, which have since been patched.
Attack vectors: Attackers find an API endpoint that receives a universal resource identifier (URI) and force the application to send a request to an unexpected destination — even when destinations are protected via a firewall or VPN.
Security weakness: Application development often includes accessing URIs provided by the client, and server-side data retrieval generally is not logged or monitored.
7. Security misconfiguration
Hardening security for the API stack should be a top priority for developers, but permissions are often improperly, or inconsistently, applied across cloud services. In other cases, security patches and software are out of date. There have been several high-profile instances where companies failed to protect their cloud resources properly, such as the United States Army Intelligence and Security Command, and in that case the unprotected data included some files classified as top secret.
Attack vectors: Threat actors actively search for unpatched flaws and unprotected files or directories, and they attack common endpoints to map systems and gain unauthorized access. Discrepancies in the way requests are handled and processed leave attack vectors open.
Security weakness: Misconfigurations can happen at any level from network to application. Legacy options and unnecessary services can also create additional attack pathways.
8. Lack of protection from automated threats
Cybercriminals and other threat actors are increasingly evolving their tactics, and APIs are prime targets. Automation is cheap and widely available on the dark web. The APIs themselves may not have flaws or bugs, but the underlying business flow may be vulnerable to excessive activity.
Attack vectors: Attackers learn API models and business flows and then exploit them using automated tools. For example, the use of automated tools and botnets can bypass rate limiting by spreading requests over IP addresses.
Security weakness: The challenge here is that each request may appear legitimate, so it will not be identified as an attack. However, these automated attacks can flood systems and prevent legitimate users from access.
9. Improper inventory management
APIs across applications can be quite complex and interwoven. Connectivity with third parties increase threat exposure, and often multiple versions of APIs may be left running that are unmanaged. Outdated or missing documentation can make it challenging to keep track of everything.
Attack vectors: Attackers may access older API versions or endpoints that are unpatched. They may also gain access through third parties.
Security weakness: A lack of inventory or asset management can lead to a host of problems, including unpatched systems. API hosts may be exposed through microservices, which make applications independent in many cases. A lack of a systematic and documented way to deploy, manage, and retire APIs can lead to different security weaknesses.
10. Unsafe consumption of APIs
When working with well-known third parties and suppliers, you can generally trust the data you receive and might employ less stringent security standards. Yet, if threat actors can breach third parties, they may be able to cause damage through APIs that connect you. Today, as many as half of data breaches occur because of third-party connectivity.
Attack vectors: The exploitation of security flaws in APIs occurs when developers trust — but do not verify and fully protect — endpoints that interact with APIs. For example, they may not place appropriate limitations on resources, validate redirects, or validate/sanitize data requests from APIs before processing.
Security weakness: Security weaknesses often arise when weaker security models are applied to API integrations, especially in areas such as transport security, input validation, data validation, authentication, and authorization. This exposes organizations to unauthorized access and malicious injections.
OWASP accepting comments and feedback
The OWASP API Security Top 10 is designed to help organizations understand and think about the top risks and threats associated with their APIs and to provide guidance on how to increase security.
OWASP is currently seeking contributions and feedback on the list before its final release. You can review the list and provide comments through the issue tracker on the Github site.