
Understanding the Changes in the OWASP API Security Top 10 List


The Open Web Application Security Project (OWASP), a non-profit foundation dedicated to web application security, has recently released the 2023 OWASP API Security Top 10 list. This updated list aims to bring attention to the most common API security risks faced by organizations and provide guidance on how to defend against them.

The new list is an update to the original list published in 2019. It reflects the acceleration and evolution of API security threats since then. Salt, a company proud to have contributed to the creation of the initial list, has also played a key role in shaping the updated version.

The importance of understanding these vulnerabilities cannot be overstated. Recognizing the areas where organizations are most at risk of API attacks allows them to stay ahead of potential threats. The following are the key threats and vulnerabilities highlighted in the new list, along with their changes from the original version:

1. API1:2023 – Broken Object Level Authorization (BOLA)
Broken object level authorization occurs when API endpoints lack proper access controls, allowing unauthorized users to access and modify sensitive data. BOLA accounts for around 40% of all API attacks and remains the most common API security threat. It has retained its top spot on the OWASP list since 2019.
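The object-level check that BOLA is missing, as an added example that is not from the article or from OWASP: a hypothetical /orders/{id} handler shown first without an ownership check and then with one (the order data, user IDs and admin set are constructed for illustration).

```python
# Added example (not from the article): object-level authorization for a
# hypothetical /orders/{id} endpoint, shown vulnerable and then fixed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total_cents: int


# Constructed sample data: two customers (1 and 2), three orders, one admin (99).
ORDERS = {
    101: Order(101, owner_id=1, total_cents=4999),
    102: Order(102, owner_id=1, total_cents=1250),
    201: Order(201, owner_id=2, total_cents=89900),
}
ADMINS = {99}


class NotFound(Exception):
    """Raised for both 'missing' and 'not yours', so IDs cannot be enumerated."""


def get_order_vulnerable(requester_id: int, order_id: int) -> Order:
    # BOLA: the caller is authenticated (requester_id is trusted here), but the
    # handler never checks that the caller is allowed to see this particular
    # object, so any valid session can read any order by guessing its ID.
    return ORDERS[order_id]


def get_order(requester_id: int, order_id: int) -> Order:
    order = ORDERS.get(order_id)
    # Ownership is checked on every request, against the server-side record,
    # never against anything the client put in the body or query string.
    if order is None or (order.owner_id != requester_id and requester_id not in ADMINS):
        raise NotFound(order_id)
    return order


def can_read(requester_id: int, order_id: int) -> bool:
    """True if the hardened handler would serve this order to this caller."""
    try:
        get_order(requester_id, order_id)
        return True
    except NotFound:
        return False
```

Returning the same "not found" result for a missing object and for someone else's object keeps the hardened endpoint from confirming which IDs exist.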

2. API2:2023 – Broken Authentication
Broken authentication enables attackers to exploit stolen authentication tokens, engage in credential stuffing, or launch brute-force attacks to gain unauthorized access to applications. An example of broken authentication can be seen in the case of Booking.com, where improper social login functionality could have led to potential ATO (Account Takeover) attacks. This vulnerability has maintained its position as the second threat on the OWASP list since 2019.

3. API3:2023 – Broken Object Property Level Authorization
Broken Object Property Level Authorization combines attacks that involve gaining unauthorized access to sensitive information through excessive data exposure or mass assignment. Both techniques rely on manipulating API endpoints to access sensitive data.
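Both halves of this category, excessive data exposure on the response side and mass assignment on the request side, come down to the same fix: an explicit allowlist of properties. The following is an added example, not code from the article or from OWASP; the user record, field names and handler names are constructed for illustration.

```python
# Added example (not from the article): property-level authorization for a
# hypothetical /users/{id} endpoint, covering excessive data exposure (what the
# response may contain) and mass assignment (what a client may write).

# Constructed sample record, as stored server-side. Values are placeholders.
USERS = {
    7: {
        "id": 7,
        "email": "ana@example.com",
        "display_name": "Ana",
        "password_hash": "(constructed hash)",
        "mfa_secret": "(constructed secret)",
        "is_admin": False,
    },
}

# Explicit allowlists. A property not listed here is never copied into a
# response and never read from a request body, whatever the client sends.
READABLE_FIELDS = ("id", "email", "display_name", "is_admin")
CLIENT_WRITABLE_FIELDS = ("email", "display_name")


def serialize_user(user: dict) -> dict:
    """Excessive-data-exposure fix: build the response from an allowlist instead
    of returning the whole stored object and trusting the client to ignore extras."""
    return {k: user[k] for k in READABLE_FIELDS if k in user}


def update_user_vulnerable(user_id: int, body: dict) -> dict:
    # Mass assignment: every key in the JSON body is copied onto the record,
    # so a client can set is_admin or password_hash directly.
    USERS[user_id].update(body)
    return serialize_user(USERS[user_id])


def update_user(user_id: int, body: dict) -> dict:
    # Hardened: unexpected properties are rejected rather than silently dropped,
    # so attempts to write internal fields surface as 4xx responses in the logs.
    unexpected = set(body) - set(CLIENT_WRITABLE_FIELDS)
    if unexpected:
        raise PermissionError(f"properties not writable by clients: {sorted(unexpected)}")
    user = USERS[user_id]
    for key in CLIENT_WRITABLE_FIELDS:
        if key in body:
            user[key] = body[key]
    return serialize_user(user)
```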

4. API4:2023 – Unrestricted Resource Consumption
Unrestricted Resource Consumption refers to APIs that enforce inadequate limits on resource consumption, or none at all, making them highly susceptible to brute-force attacks. This vulnerability has replaced Lack of Resources and Rate Limiting as the fourth threat on the OWASP list, although the underlying risk remains largely similar.

5. API5:2023 – Broken Function Level Authorization
This threat occurs when API authorization is improperly implemented, allowing unauthorized users to execute API functions such as adding, updating, or deleting customer records or user roles. Broken Function Level Authorization has maintained its position as the fifth threat on the list since 2019.

6. API6:2023 – Unrestricted Access to Sensitive Business Flows
Replacing Mass Assignment as the sixth threat on the OWASP list, this vulnerability arises when an API exposes a business flow without considering potential harm caused by excessive use through automation. Attackers must understand the API’s business logic, identify sensitive business flows, and automate access to them to exploit this vulnerability.

7. API7:2023 – Server-Side Request Forgery (SSRF)
Server-Side Request Forgery occurs when a user-controlled URL is passed through an API and processed by the back-end server. If the server attempts to connect to the user-supplied URL, it introduces a risk for SSRF. This threat has taken the place of Mass Assignment in the seventh spot on the OWASP API Security Top 10 list.
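A validation step for the user-supplied URL described above, as an added example that is not from the article or from OWASP: the back end only fetches https URLs whose host is on an allowlist and whose resolved addresses are public. The allowlist, the resolver hook and the function names are assumptions made for the example.

```python
# Added example (not from the article): validating a caller-supplied URL before
# the back end makes an outbound request on the caller's behalf.
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only external hosts this API is meant to contact.
ALLOWED_HOSTS = {"images.example.com", "webhooks.partner.example"}


class UnsafeUrl(ValueError):
    pass


def _default_resolver(host):
    # Real DNS lookup; tests inject a fake resolver so the check runs offline.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, resolver=_default_resolver) -> str:
    """Return url unchanged if it is safe to fetch server-side, else raise UnsafeUrl."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host or parts.username or parts.password:
        raise UnsafeUrl("missing host or embedded credentials")
    if parts.port not in (None, 443):
        raise UnsafeUrl(f"port not allowed: {parts.port}")
    # Deny by default: only allowlisted names may be contacted, which also
    # rules out raw IP literals and internal hostnames.
    if host not in ALLOWED_HOSTS:
        raise UnsafeUrl(f"host not on allowlist: {host!r}")
    # The name must also resolve to public addresses, so that a DNS change
    # cannot redirect an allowlisted host to loopback, link-local or RFC 1918 space.
    for addr in resolver(host):
        if not ipaddress.ip_address(addr).is_global:
            raise UnsafeUrl(f"{host} resolves to non-public address {addr}")
    return url


def is_safe_url(url: str, resolver=_default_resolver) -> bool:
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:  # UnsafeUrl and malformed-port errors both end here
        return False
```

Resolving the name inside the check still leaves a window between validation and the actual connection; pinning the HTTP client to the validated addresses closes it.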

8. API8:2023 – Security Misconfigurations
Security Misconfigurations encompass a wide range of misconfigurations that impact API security and unintentionally introduce vulnerabilities. This threat has remained in the same position as number seven on the OWASP list since 2019.

9. API9:2023 – Improper Inventory Management
Improper Inventory Management arises from outdated or incomplete inventory systems, which can result in unknown gaps in the API attack surface, impeding the identification of outdated API versions that should be decommissioned. This vulnerability has replaced Improper Assets Management as the ninth threat on the OWASP list, but the underlying risk remains unchanged. An example of this vulnerability is the breach at Optus, Australia’s second-largest telecom company, where more than 11.2 million customer records with sensitive information were exposed due to a forgotten and exposed API.

10. API10:2023 – Unsafe Consumption of APIs
Unsafe Consumption of APIs occurs when API clients misuse APIs by bypassing authentication controls or manipulating API responses, leading to unauthorized access and data exposure. This vulnerability can be exploited through the consumption of API data itself or by abusing third-party integration issues. It has replaced Insufficient Logging and Monitoring as the tenth threat on the OWASP API Security Top 10 list. The Log4Shell attack serves as a notable example within this category.

APIs play a crucial role in connecting modern applications and driving business innovation. However, they have also become a prime target for attackers. Understanding the main issues that threaten APIs is essential for implementing robust and mature API security strategies.

By familiarizing themselves with the 2023 OWASP API Security Top 10 list, organizations can proactively address these vulnerabilities and protect their APIs from potential attacks. The continued collaboration and contributions from organizations like Salt ensure that the list remains up-to-date, reflecting the evolving nature of API security threats.
