OWASP TOP 10 API SECURITY RISKS
Written By
Deepraj
24/5/2024
January 31, 2020
API1:2023 - Broken Object Level Authorization
APIs often expose endpoints that take object identifiers, creating a wide attack surface. Always implement object-level authorization checks.
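As an added example (not code from the OWASP page), the following Python shows the BOLA pattern next to its fix for an endpoint such as GET /api/orders/{order_id}. The in-memory data store, the users and the order ids are constructed for illustration; the function names are assumptions.

```python
# Added example (not from the OWASP page): the BOLA pattern and its fix for an
# endpoint such as GET /api/orders/{order_id}. The data store, users and order
# ids are constructed in-memory for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total: float


# Constructed sample data: user 1 owns orders 101 and 103, user 2 owns 102.
ORDERS = {
    101: Order(101, owner_id=1, total=19.99),
    102: Order(102, owner_id=2, total=250.00),
    103: Order(103, owner_id=1, total=5.50),
}


class NotFound(Exception):
    """Raised for both missing and foreign objects (see get_order)."""


def get_order_vulnerable(requesting_user_id: int, order_id: int) -> Order:
    """Authenticated but never authorized: the caller is known, yet any
    logged-in user can read any order just by changing the id in the URL."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def can_access(requesting_user_id: int, order_id: int) -> bool:
    """Object-level authorization decision: does this caller own this object?"""
    order = ORDERS.get(order_id)
    return order is not None and order.owner_id == requesting_user_id


def get_order(requesting_user_id: int, order_id: int) -> Order:
    """Fixed version: the ownership check is part of the lookup, so a handler
    cannot fetch the object and forget to authorize it. Missing and foreign
    objects get the same error so the response does not reveal which ids exist."""
    if not can_access(requesting_user_id, order_id):
        raise NotFound(order_id)
    return ORDERS[order_id]


def list_orders(requesting_user_id: int) -> list[int]:
    """Collection endpoint scoped to the caller, not filtered client-side."""
    return sorted(o.order_id for o in ORDERS.values()
                  if o.owner_id == requesting_user_id)
```

The design point is that the authorization decision lives in one function (`can_access`) that every handler touching an order must pass through; the collection endpoint is scoped by owner in the query itself rather than relying on the client to hide other users' records.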
API2:2023 - Broken Authentication
Incorrectly implemented authentication mechanisms can let attackers compromise tokens or exploit flaws to assume other users' identities.
API3:2023 - Broken Object Property Level Authorization
Lack of or improper authorization at the object property level leads to data exposure or manipulation.
API4:2023 - Unrestricted Resource Consumption
API requests consume resources like bandwidth, CPU, and memory. Unrestricted access can lead to Denial of Service (DoS).
API5:2023 - Broken Function Level Authorization
Complex access control policies often lead to authorization flaws. Ensure a clear separation between administrative and regular functions.
API6:2023 - Unrestricted Access to Sensitive Business Flows
Vulnerable APIs expose business flows such as ticket purchasing or commenting without safeguards against automated use.
API7:2023 - Server Side Request Forgery
SSRF flaws occur when an API fetches a remote resource without validating the user-supplied URI. Attackers can make the API send requests to arbitrary destinations.
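As an added example (not code from the OWASP page), the following Python validates a user-supplied URI against an allowlist before the API fetches it, which is the server-side control this item calls for. The allowlisted hostnames and the function names are constructed assumptions.

```python
# Added example (not from the OWASP page): allowlist validation of a
# user-supplied fetch URL before the server makes the request.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
# Constructed allowlist: the only hosts this API is meant to fetch from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}


def validate_fetch_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return the URL if it may be fetched, otherwise raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname  # lowercased; IPv6 brackets already stripped
    if not host:
        raise ValueError("missing host")
    # The allowlist holds hostnames only, so any IP literal (loopback,
    # link-local, internal ranges, IPv6 forms) is rejected outright.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        raise ValueError("IP literal not allowed")
    if host not in allowed_hosts:
        raise ValueError(f"host not allowed: {host}")
    # parts.port raises ValueError itself on a malformed port string.
    if parts.port not in (None, 443):
        raise ValueError("non-standard port not allowed")
    return parts.geturl()


def is_safe_fetch_url(url: str) -> bool:
    """Boolean wrapper for callers that only need a yes/no decision."""
    try:
        validate_fetch_url(url)
        return True
    except ValueError:
        return False
```

Two caveats a practitioner would add: an allowlisted hostname can still resolve to an internal address, so the HTTP client should also check the resolved address at connection time and not follow redirects automatically, and the allowlist should be as narrow as the feature needs.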
API8:2023 - Security Misconfiguration
Complex API configurations can lead to security oversights. Ensure all configurations follow best practices to prevent various types of attacks.
API9:2023 - Improper Inventory Management
APIs expose more endpoints than traditional web apps, making documentation crucial. Maintain an up-to-date inventory of hosts and API versions.
API10:2023 - Unsafe Consumption of APIs
Developers often trust third-party API data more than user input, leading to weaker security standards.