This list of API-specific top 10 vulnerabilities released by the OWASP organization in 2019 is not brand new, but let’s take another look at it. Just as the OWASP Top 10 standardizes vulnerability information for developers across web application security, this specialized list represents a broad consensus about the most critical API security risks to web applications. Let’s take a look at each one and see why it poses a problem.
API1:2019 Broken Object-Level Authorization
Object-level authorization is an access control mechanism that is usually implemented at the code level to validate that a user can access only objects that they should have access to. Every API endpoint should implement object-level authorization checks to validate that the logged-in user is authorized to perform the requested action on the requested object.
API2:2019 Broken User Authentication
When authentication mechanisms are implemented incorrectly, they can allow attackers to assume other user’s identities. Authentication endpoints and flows are assets that need to be protected, including your forgot password / reset password systems. When password reset protocols are an afterthought, they form a rich attack surface for broken user authentication attacks.
API3:2019 Excessive Data Exposure
Developers tend to expose all object properties by default, relying on clients to perform data filtering before displaying to the user. Malicious actors take advantage of this weakness by sniffing the traffic to analyze the API responses, looking for sensitive data exposure that should not be returned to the user.
API4:2019 Lack of Resources and Rate Limiting
Too often APIs do not impose any restrictions on the size or number of resources that can be requested by the client or user. API requests consume resources such as network, CPU, memory, and storage. Not only can this impact the API server performance, leading to denial of service (DoS), but it also leaves the door open to authentication attacks such as brute force.
API5:2019 Broken Function-Level Authorization
Authorization flaws can be caused by overly complex access control policies with different hierarchies, groups, and roles, and by an unclear separation between administrative and regular functions. Malicious actors exploit this flaw by sending legitimate API calls to API endpoints to which they should not have access, in order to access unauthorized functionality. Administrative functions are key targets for this type of attack.
API6:2019 Mass Assignment
Modern frameworks encourage developers to use functions that automatically bind input from the client into code variables and internal objects. Since APIs expose the underlying implementation of the application along with property names, attackers can use this methodology to update or overwrite sensitive object properties that developers never intended to expose. Exploitation may lead to privilege escalation, data tampering, bypass of security mechanisms, and more.
API7:2019 Security Misconfiguration
Security misconfiguration can happen at any level of an API stack, from the network level to the application level. Attackers will often attempt to find unpatched flaws, common endpoints, or unprotected files and directories to gain unauthorized access or knowledge of the system. Security misconfigurations can expose sensitive user data as well as system details that may lead to full server compromise.
Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Injection can lead to information disclosure and data loss. It can also lead to DoS or complete host takeover. This is why injection is listed as the third-most-critical security issue in the general OWASP Top 10.
API9:2019 Improper Assets Management
Old API versions are usually unpatched. This makes them an easy way to compromise systems without having to fight state-of-the-art security mechanisms, which might be in place to protect the more-recent API versions. Attackers can gain access to sensitive data or even take over the server through old, unpatched API versions connected to the same database.
API10:2019 Insufficient Logging and Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, or extract or destroy data. Most breach studies demonstrate the time to detect a breach is over 200 days, and they are typically detected by external parties rather than internal processes or monitoring. Lack of visibility into ongoing malicious activities gives attackers have plenty of time to fully compromise systems. Read about our logging and monitoring best practices for more info.