What is OWASP API Security Top 10: A Deep Dive

Monolithic on-premise applications are giving way to microservices and distributed cloud-native applications. Alongside this dramatic change in architectural patterns and deployment strategies, API service offerings are exploding. They are being consumed and packaged to users in single-page applications, native mobile apps, voice services, and a diverse landscape of internet-of-things (IoT) connected devices like in-vehicle displays in rental cars.

Some seventy percent of enterprises have reported that their planning identifies APIs as crucial to their own digital transformations and new revenue opportunities. But many challenges exist for organizations in reorienting to an API-centric customer experience, first among them safeguarding their users' data and their own resources.

Why Is API Security Becoming More Important?

APIs are an attractive choice of attack vector for automated hacking tools. A long list of recent API security incidents shows that APIs are increasingly targeted for data theft due to security gaps like weak authentication or business logic errors. While tech companies were the most frequent target of successful API breaches (58%), regulated organizations and industries were frequent targets as well: government (10%), healthcare (4.5%), financial (6%), and telcos (3%) were common successful targets of data breach attacks. Given the frequency of these API breaches, enterprises need to be aware of what poses the biggest risks and how to mitigate them.

What is the OWASP API Top 10?

The Open Web Application Security Project (OWASP) is a nonprofit foundation and industry authority that works to improve software security. OWASP programming includes articles, methodologies, documentation, tools, and technologies to improve application security.

A flagship project of OWASP is their Top 10 Security Vulnerability report, compiled annually and incorporated in many prominent standards, including PCI DSS, the U.S. Defense Information Systems Agency, and the U.S. Federal Trade Commission.

Since 2003, the OWASP Top 10 project has been the authoritative list of web application vulnerabilities and mitigation strategies for them. The original Top 10 involved common web application security vulnerabilities, like cross-site scripting (XSS) attacks.

However, the rise of APIs has changed the landscape of vulnerabilities so fundamentally that a new approach was necessary. In 2019, OWASP added the API Security Top 10 list to the annual reports they maintain. The list serves as a standard awareness document that tells software developers which security issues they need to address.

| OWASP Designation | Description |
| --- | --- |
| API1: Broken Object Level Authorization | Broken request validation allows an attacker to perform an unauthorized action by reusing an access token |
| API2: Broken Authentication | Broken user authentication allows attackers to impersonate legitimate users |
| API3: Excessive Data Exposure | An API exposes more data than necessary, relying on client software to perform filtering |
| API4: Lack of Resources & Rate Limiting | By not implementing rate limiting policies, attackers can overwhelm the backend with denial-of-service attacks |
| API5: Broken Function Level Authorization | Broken request validation allows an attacker to execute functions they are unauthorized to access |
| API6: Mass Assignment | Unfiltered data allows attackers to guess object properties via requests |
| API7: Security Misconfiguration | Insecure configurations including misconfigured HTTP headers, unnecessary HTTP methods, permissive cross-origin resource sharing (CORS), and error messages containing sensitive information |
| API8: Injection | Untrusted injection of data resulting in the unintended execution of command or unauthorized data access via database engines, LDAP, and OS system commands |
| API9: Improper Assets Management | Insufficient environment management and segregation allowing attackers to access under-secured endpoints |
| API10: Insufficient Logging & Monitoring | Inadequate monitoring infrastructure allows attacks in progress to go undetected |

Drilling Down to the OWASP API Top 5

Why are we focusing on the top 5 OWASP API vulnerabilities? Because that’s where the breaches are.

Industry research shows that the most common incident root causes are related to authentication (51%), authorization (22%), and misconfiguration (6%). These categories of vulnerabilities are business logic flaws specific to a particular application and business domain. Business logic errors allow attackers to misuse the application by circumventing the business rules of the application in place.

Examples of application business logic at a high level include wire transfers, banking queries, customer purchase orders, and shopping carts. Lower-level business logic includes more specific rules such as what users are allowed to see or how much users are charged for various items. Attacks that exploit such trusted code are at the root of the largest data breaches over the past few years.

Here are the top 5 OWASP API Security risks:

OWASP API Security #1: Broken Object Level Authorization

This represents the single most common, and often most serious, vulnerability for APIs. Broken Object Level Authorization vulnerabilities exist when user A can access user B’s data due to errors in the business logic of the application.

Real-World Example: A large delivery provider built an API that allowed an authorized user to access all their shipments, delivery status, and account information. The problem was that even though this API required authentication, with minimal tweaks to the API requests it was possible to access other users' data and harvest that information.
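The difference between "authenticated" and "authorized for this object" is easiest to see side by side. The following Python sketch is an added example, not code from the delivery provider or from OWASP; the shipment records, user names and handler names are constructed for illustration.

```python
# Constructed sample data: shipment records keyed by ID, each with an owner.
SHIPMENTS = {
    "S-1001": {"owner": "alice", "status": "in transit", "address": "1 Example St"},
    "S-1002": {"owner": "bob", "status": "delivered", "address": "2 Sample Ave"},
}


class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def get_shipment_unchecked(session_user, shipment_id):
    """Flawed pattern: authentication only, so any logged-in user gets any record."""
    if session_user is None:
        raise ApiError(401, "authentication required")
    record = SHIPMENTS.get(shipment_id)
    if record is None:
        raise ApiError(404, "not found")
    return record


def get_shipment(session_user, shipment_id):
    """Hardened pattern: the object's owner is compared with the caller."""
    if session_user is None:
        raise ApiError(401, "authentication required")
    record = SHIPMENTS.get(shipment_id)
    # Same 404 for "missing" and "not yours" so responses do not confirm which IDs exist.
    if record is None or record["owner"] != session_user:
        raise ApiError(404, "not found")
    return record


def list_shipments(session_user):
    """Collection endpoints need the same filter, derived from the session."""
    if session_user is None:
        raise ApiError(401, "authentication required")
    return {sid: r for sid, r in SHIPMENTS.items() if r["owner"] == session_user}


def status_of(handler, user, shipment_id):
    """HTTP-style status a handler produces for a given caller and object ID."""
    try:
        handler(user, shipment_id)
        return 200
    except ApiError as exc:
        return exc.status
```

The owner comes from the server-side session, never from a parameter in the request, and the check is repeated on every endpoint that takes an object ID.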

OWASP API Security #2: Broken Authentication

API Authentication refers to the implementation of strong, effective, properly configured authentication to access data. Broken authentication may refer to a lack of authentication at the API layer or authentication methods that use weak password policies.

Real-World Example: A hacker found it was possible to request password resets from a fitness platform via APIs by supplying a phone number. The hacker iterated through several potential phone combinations until he found those that worked. Then, when the app sent a 4-digit password reset code, he brute-forced the codes, gaining access to different accounts.

OWASP API Security #3: Excessive Data Exposure

This vulnerability focuses on APIs that return more data, fields and information than the specific use requires. Many web and mobile apps rely on API calls that return more information from the user than necessary, which exposes unfiltered data in direct API calls.

Real-World Example: An electronic payment platform used an API that presented a list of real time transactions. A hacker discovered that it was possible to call that function directly without authentication and return full transaction details, which enabled her to harvest data from over 200 million transactions, including addresses, descriptions, and amounts.
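Filtering on the server means choosing the fields that go out, not the fields that stay in. The sketch below is an added example (not code from the payment platform); the record, field names and viewer names are constructed. It contrasts a denylist serializer with an allowlist chosen by the viewer's relationship to the record.

```python
# Constructed record, as a data layer might return it.
TRANSACTION = {
    "id": "T-42", "payer": "alice", "payee": "bob", "amount": "12.50",
    "description": "lunch", "payer_address": "1 Example St", "card_last4": "4242",
}

DENYLIST = {"card_last4"}
ALLOWLIST = {
    "participant": ("id", "payer", "payee", "amount", "description"),
    "public": ("id", "payer", "payee"),
}


def serialize_denylist(record):
    """Flawed pattern: every field goes out unless someone remembered to block it."""
    return {k: v for k, v in record.items() if k not in DENYLIST}


def serialize(record, viewer):
    """Allowlist pattern: only named fields leave the server, per kind of viewer."""
    is_party = viewer is not None and viewer in (record["payer"], record["payee"])
    view = "participant" if is_party else "public"
    return {k: record[k] for k in ALLOWLIST[view] if k in record}


def leaked_fields(serializer_output, view="participant"):
    """Fields present in a response that the allowlist for that view does not name."""
    return sorted(set(serializer_output) - set(ALLOWLIST[view]))
```

A column added to the record later is exposed immediately by the denylist version and stays hidden under the allowlist until someone decides it should be public.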

OWASP API Security #4: Lack of Resources and Rate Limiting

APIs are especially vulnerable to DDoS attacks coming from different IPs that target different API functionality and data. Without proper limits and restrictions on frequency and volume of API requests, cyber attackers can brute-force password requests and harvest user information.

Real-World Example: A major social media site allowed users to reset their password using a 6-digit code. The site required the code to be used within 10 minutes and limited guesses to 200 attempts per IP address. However, it did not limit how many different IPs could be used. A hacker found the API for submitting security codes and created a server farm on AWS that brute-forced the combinations in less than 10 minutes, allowing any account to be taken over.
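Both this incident and the 4-digit reset code case under Broken Authentication come down to where the failure counter lives. The following Python sketch is an added example, not the affected sites' code; the class name, the five-failure budget and the account identifiers are assumptions. It ties the attempt budget to the account's pending code, so the source address of a guess is irrelevant.

```python
import hmac
import secrets
import time


class ResetCodes:
    """Reset codes whose failure budget belongs to the account, not the source IP."""

    def __init__(self, ttl=600, max_failures=5, digits=6, clock=time.monotonic):
        self.ttl, self.max_failures, self.digits = ttl, max_failures, digits
        self.clock = clock
        self._pending = {}  # account -> [code, expires_at, failures]

    def issue(self, account):
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self._pending[account] = [code, self.clock() + self.ttl, 0]
        return code  # sent out of band (SMS, e-mail) in a real service

    def verify(self, account, submitted, source_ip=None):
        # source_ip would be logged; it plays no part in the decision.
        entry = self._pending.get(account)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self.clock() >= expires_at:
            del self._pending[account]
            return False
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[account]  # single use
            return True
        entry[2] += 1
        if entry[2] >= self.max_failures:
            del self._pending[account]  # budget spent: void for every client
        return False


def per_ip_coverage(digits, per_ip_limit, distinct_ips):
    """Share of the code space reachable when only per-IP limits apply."""
    return min(1.0, per_ip_limit * distinct_ips / 10 ** digits)
```

With the figures from the example above, `per_ip_coverage(6, 200, 5000)` is 1.0: a per-IP rule alone leaves the whole code space reachable once enough addresses are available, whereas the per-account budget caps the total number of guesses at five.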

OWASP API Security #5: Broken Function Level Authorization

Broken Function Level Authorization concerns which functional capabilities an API allows users to access and execute. Every API function, or endpoint, generally supports a range of methods, including PUT, POST, GET, DELETE and others. Organizations must carefully consider which specific endpoints and methods need to be enabled for users and third parties.

Real-World Example: A popular dating app enforced several user access and functionality restrictions within the app. However, since the app used a set of APIs to interact with the backend, it was possible for users to change account settings and permissions, enabling them to turn on premium features without paying and without volume restrictions.
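Restrictions enforced only in the app have to be restated on the server as a policy over method and endpoint pairs. The sketch below is an added example, not the dating app's code; the routes, role names and policy table are constructed. It denies by default and reports endpoints the server exposes that have no policy entry.

```python
# Constructed policy: which roles may call which (method, route) pair.
POLICY = {
    ("GET", "/profile"): {"user", "admin"},
    ("PUT", "/profile"): {"user", "admin"},
    ("GET", "/subscription"): {"user", "admin"},
    # Plan changes are made by the billing service, never by the client app.
    ("PUT", "/subscription"): {"billing", "admin"},
    ("DELETE", "/users/{id}"): {"admin"},
}

# Constructed list of what the web framework actually exposes.
REGISTERED = [
    ("GET", "/profile"), ("PUT", "/profile"),
    ("GET", "/subscription"), ("PUT", "/subscription"),
    ("DELETE", "/users/{id}"), ("PATCH", "/subscription"),
]


def is_allowed(role, method, route, policy=POLICY):
    """Deny by default: a pair with no policy entry is refused for every role."""
    return role in policy.get((method.upper(), route), set())


def unprotected_routes(registered, policy=POLICY):
    """Exposed (method, route) pairs with no policy entry, for review in CI."""
    return sorted(pair for pair in registered if pair not in policy)


def callable_by(role, registered, policy=POLICY):
    """Everything a role can invoke, for comparison with what the app UI offers."""
    return [pair for pair in registered if is_allowed(role, *pair, policy=policy)]
```

Running `unprotected_routes` against the framework's route table in a build step catches a newly added method, such as the PATCH above, before it ships without an authorization decision.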

Can Manual Testing Prevent OWASP Top 10 Attacks?

Business logic vulnerabilities are common and dangerous, and are often not tested for. Security experts have sought to address the problem with a two-pronged approach: adding automated code auditing tools to their continuous integration pipelines, and scheduling periodic manual penetration testing by experienced “white hat” security professionals.

Automated static code analysis tools identify narrow and specific flaws in an application. They can include linting standards for code formatting and checking dependencies for published vulnerabilities. They can also help measure the quality of a codebase against KPIs, such as the percentage of code covered by test cases. But static analysis doesn’t reach into the types of business logic errors responsible for most API breaches.

Manual pen testing complements other forms of security prevention, but has marked limitations as a complete solution to application security:

How APIsec Helps Improve DevSecOps

APIsec offers an automated API testing platform that builds on the expertise of security professionals carrying out manual pen tests. This enables comprehensive coverage of the entire breadth of a company’s API inventory and methods. The platform automatically creates an inventory of API assets and generates test cases for all endpoints and methods offered, usually numbering in the thousands to tens of thousands of individual tests.

We integrate with your continuous integration pipeline. Even with granular tests and comprehensive coverage of your entire API footprint, our scalable platform does its work quickly, running in minutes rather than adding hours or days to your integration and deployment workflow.

Issues can be fed to trouble ticketing systems, and pen-test reports suitable for submission to auditors and compliance officers can be generated automatically. An easy-to-use dashboard is also available for visualizing and managing changes to an API over time.

APIsec provides ten times the coverage of manual pen-testing at one-tenth the cost, leveraging the efficiencies inherent in a scalable and automated process. While traditional security techniques like code analysis, application firewalling, and manual penetration testing are valuable, they struggle to address the most common API attack vector: the business logic that powers APIs.

Learn more about how APIsec delivers continuous API security, with complete test coverage, that operates at CI/CD speed here.