OWASP Top 10 API Security Risks – 2023
Carlo De Micheli, Zoran Gorgiev
OWASP API Security Top 10 is a list of the most common and severe API security risks. The well-known cybersecurity authority published the first list of critical API vulnerabilities in 2019.
Sadly, not much has changed since then. Between 2019 and 2023, several API attacks on large companies, T-Mobile and LinkedIn among them, ended in large-scale data breaches. These highly publicized security incidents brought to light that:
- API security is still an afterthought in many business and software development environments.
- Improper care of your APIs can have dire financial, reputation, and business consequences.
This article discusses the OWASP API Security Top 10 – 2023, the latest list of security risks that come with the rapidly growing use of APIs (according to a recent report, the typical modern application relies on 26–50 APIs). You’ll discover how the OWASP API Top 10 relates to you and your organization and why you must take API security seriously.
OWASP API Security Top 10 – 2023
The Data
The OWASP team created the list of the top 10 API vulnerabilities based on public data collected from bug bounty platforms and news sources. This list, along with the OWASP guidelines, is our best resource on API security yet. The information is systematized and presented clearly to provide a primary API security reference point and a foundation for building your API security strategy.
The Risk Score
OWASP API Security Top 10 – 2023 followed the same Risk Rating Methodology as the 2019 API Top 10 to arrange the security risks by gravity.
To rate an API vulnerability, OWASP takes into account the following factors:
- Exploitability
- Prevalence
- Detectability
- Technical Impact
Each factor is scored from 1 to 3, and the four values combine into the risk score that determines where an individual API security vulnerability lands in the list. Note that this is a generic, technical rating: it does not weigh the threat actors or the business impact specific to your own application, which you still have to assess yourself.
The List
This list was created for developers and security professionals and applies to both internal and external APIs.
API1:2023 Broken Object Level Authorization (BOLA)
Description: BOLA means that user A can access user B’s data despite not being authorized to. Threat actors exploit this API weakness by substituting an object identifier in the request (a user ID, order number, or document ID, whether numeric or string) while presenting their own, perfectly valid access token; the API checks that the caller is authenticated but never checks that the caller owns the object.
Consequence: Data disclosure, data loss, data manipulation, and a complete account takeover.
Prevention: An authorization mechanism based on user policies and hierarchy that verifies, on every request that touches an object, whether the authenticated user may perform the requested action on that specific object; random and unpredictable ID values (such as GUIDs) so that identifiers cannot simply be enumerated; and tests that evaluate the authorization mechanism in place before deployment.
This is by far the most common API vulnerability exploited in the wild. It was number one on the top 10 API vulnerabilities list in 2019 and holds the same position in 2023.
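The contrast below is an added example, not code from the article or from the OWASP project: an order lookup modelled without a web framework, first as the BOLA-prone version that trusts the identifier in the path, then as the fixed version that compares the object’s owner with the authenticated subject. The order store, the user IDs and the exception types are constructed for the demonstration.

```python
# Added example (not the article's or OWASP's code): a BOLA-prone order lookup
# beside its fixed form. ORDERS and the user ids are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total_cents: int


# Constructed sample data: two users, one order each.
ORDERS = {
    1001: Order(1001, owner_id=7, total_cents=4_999),
    1002: Order(1002, owner_id=8, total_cents=12_000),
}


class NotFound(Exception):
    pass


def get_order_vulnerable(order_id: int) -> Order:
    """BOLA: trusts the client-supplied identifier and never asks who is calling.
    User 7 can fetch order 1002 simply by changing the number in the path."""
    if order_id not in ORDERS:
        raise NotFound()
    return ORDERS[order_id]


def get_order_fixed(authenticated_user_id: int, order_id: int) -> Order:
    """The decision is made from the authenticated subject (taken from the
    validated session or token, never from a request parameter) against the
    object's owner, on every call."""
    order = ORDERS.get(order_id)
    # Answer 'not found' for both 'missing' and 'not yours', so the endpoint
    # cannot be used to enumerate which order ids exist.
    if order is None or order.owner_id != authenticated_user_id:
        raise NotFound()
    return order


def can_read(user_id: int, order_id: int) -> bool:
    """Helper for tests and monitoring: True if the fixed handler returns the order."""
    try:
        get_order_fixed(user_id, order_id)
        return True
    except NotFound:
        return False
```

Random identifiers only raise the cost of guessing; the ownership check in `get_order_fixed` is what actually closes the hole, and it has to sit in the handler (or a shared authorization layer), not in the client.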
API2:2023 Broken Authentication
Description: This vulnerability covers authentication mechanisms that are missing, incomplete, or implemented incorrectly: no lockout or throttling on failed logins, weak password policies, credentials or tokens sent in URLs, tokens that are not validated (unsigned or weakly signed JWTs, expiration never checked), and passwords stored in plaintext or with weak hashing.
If authentication is this weak, your API can quickly become a cyberattack victim. Malicious actors can perform brute-forcing, credential stuffing, and dictionary attacks to acquire credentials, or forge and replay tokens, and then impersonate legitimate users.
Consequence: Full control of another account and access to a user’s personal information.
Prevention: Re-authentication for sensitive operations such as changing an account email address, multi-factor authentication, anti-brute-force mechanisms (throttling, lockout), strict validation of every token on every request, and API keys used only to identify API clients, never to authenticate users.
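As an added example, not code from the article or from OWASP, the block below validates an HS256 JWT with the three checks whose absence OWASP lists under API2: the algorithm is pinned server-side (so an `alg: none` or algorithm-switched token is refused), the signature is verified in constant time, and an expiry claim is mandatory and enforced. The signing key, the claims and the `mint_token` helper that produces good and deliberately bad tokens are constructed for the demonstration.

```python
# Added example (not the article's or OWASP's code): minimal HS256 JWT
# validation with the checks commonly missing in broken authentication.
# The signing key and the token payloads are constructed test data.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: in practice this is loaded from a secret store, never hard-coded.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Builds tokens for the demo, including the unsigned kind an attacker forges."""
    header = {"alg": alg, "typ": "JWT"}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if alg == "none":
        return f"{h}.{p}."  # empty signature: accepted by verifiers that trust the header
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Returns the payload or raises ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # 1. The server decides the algorithm. Honouring alg=none (or an RS256 to
    #    HS256 switch) taken from the header is how unsigned tokens get accepted.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    # 2. Constant-time comparison of the MAC.
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p_b64))
    # 3. Tokens without an expiry, or past it, are rejected.
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("missing or expired exp")
    return payload


def is_valid(token: str, key: bytes = SERVER_KEY, now: Optional[float] = None) -> bool:
    try:
        verify_token(token, key, now)
        return True
    except ValueError:  # JSON, base64 and our own errors all derive from ValueError
        return False
```

In a real service, use a maintained JWT library with the algorithm list passed explicitly; the point of writing the checks out is to show what that configuration has to guarantee.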
API3:2023 Broken Object Property Level Authorization (BOPLA)
Description: BOPLA refers to missing or inadequate authorization at the level of individual object properties. It shows up in two ways: the API returns every property of an object and relies on the client to filter out what it should not display (excessive data exposure), or it binds client-supplied input to internal object properties without checking which of them the user is allowed to change (mass assignment).
Either way, the API exposes or accepts more than necessary.
This vulnerability combines excessive data exposure and mass assignment from the 2019 API Security Top 10.
Consequence: Data disclosure, data loss, data corruption, privilege escalation, and account takeover.
Prevention: Avoidance of generic serialization methods such as to_json() and to_string() that dump every property, a schema-based response validation mechanism, returning the minimum data structure the client needs, and allowing changes only to the properties a client is supposed to update.
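The block below is an added example, not code from the article or from OWASP. It shows both halves of BOPLA on one user record: an update that binds whatever JSON the client sends (mass assignment) beside one with an explicit writable-property allowlist, and a generic serializer that dumps the whole object beside one that emits only the readable properties. The `User` type, the allowlists and the sample record are constructed for the demonstration.

```python
# Added example (not the article's or OWASP's code): the two halves of BOPLA.
# The record, the allowlists and the request bodies are constructed data.
from dataclasses import asdict, dataclass, replace


@dataclass
class User:
    id: int
    email: str
    display_name: str
    password_hash: str   # must never leave the server
    is_admin: bool       # must never be set by the user
    credit_cents: int    # must never be set by the user


# Constructed sample record.
ALICE = User(7, "alice@example.com", "Alice", "$argon2id$constructed", False, 0)


def update_user_vulnerable(user: User, body: dict) -> User:
    """Mass assignment: every key the client sends becomes an attribute."""
    return replace(user, **body)


def serialize_user_vulnerable(user: User) -> dict:
    """Excessive data exposure: a generic to-dict dump that trusts the client
    to hide what it should not show."""
    return asdict(user)


# Properties the caller may write, and properties a response may contain.
WRITABLE = {"email", "display_name"}
READABLE = {"id", "email", "display_name"}


class PropertyRejected(ValueError):
    pass


def update_user_fixed(user: User, body: dict) -> User:
    # Reject rather than silently drop: an unexpected property is worth logging.
    unexpected = set(body) - WRITABLE
    if unexpected:
        raise PropertyRejected(f"not writable: {sorted(unexpected)}")
    return replace(user, **body)


def serialize_user_fixed(user: User) -> dict:
    return {k: v for k, v in asdict(user).items() if k in READABLE}


def try_update(user: User, body: dict) -> bool:
    """Helper for checks: True if the fixed update accepted the body."""
    try:
        update_user_fixed(user, body)
        return True
    except PropertyRejected:
        return False
```

The allowlists are the schema the prevention bullet talks about; in a framework you would express them as request and response models rather than as sets, but the property-level decision is the same.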
API4:2023 Unrestricted Resource Consumption
Description: This vulnerability means that an API does not limit how much of a resource a single client can consume: no rate or request limiting, no caps on execution time, memory, payload size, upload size, or the number of records returned per page, and no limit on how often it calls paid third-party services. It allows attackers to perform a DoS attack, or simply to run up the bill.
Consequence: Denial of service and operational costs that result from, for instance, high CPU usage, cloud storage demands, or metered third-party API calls.
Prevention: Limits on processes and number of restarts; enforced maximum data and parameter size; rate limiting; spending limits for service providers and API integrations; and limited number of times for actions like OTP validation and password recovery.
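Two of the controls in that list, worked out as an added example that is not code from the article or from OWASP: a per-client token-bucket rate limiter with an injectable clock, and a clamp on the requested page size. The capacity, refill rate, client IDs and the `ManualClock` used to drive the demonstration offline are constructed assumptions.

```python
# Added example (not the article's or OWASP's code): a per-client token
# bucket plus a bounded page size. Limits, client ids and timings are
# constructed for the demonstration.
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

MAX_PAGE_SIZE = 100
DEFAULT_PAGE_SIZE = 20


def clamp_page_size(requested) -> int:
    """?limit=1000000 must not turn into a million-row query."""
    try:
        n = int(requested)
    except (TypeError, ValueError):
        return DEFAULT_PAGE_SIZE
    return max(1, min(n, MAX_PAGE_SIZE))


@dataclass
class _Bucket:
    tokens: float
    updated: float


@dataclass
class TokenBucketLimiter:
    capacity: int                 # burst a client may spend at once
    refill_per_sec: float         # sustained rate it earns back
    clock: Callable[[], float] = time.monotonic
    _buckets: Dict[str, _Bucket] = field(default_factory=dict)

    def allow(self, client_id: str) -> bool:
        """True if the request may proceed; False means respond 429."""
        now = self.clock()
        b = self._buckets.get(client_id)
        if b is None:
            b = _Bucket(tokens=float(self.capacity), updated=now)
            self._buckets[client_id] = b
        # Refill proportional to elapsed time, capped at capacity.
        b.tokens = min(self.capacity, b.tokens + (now - b.updated) * self.refill_per_sec)
        b.updated = now
        if b.tokens >= 1:
            b.tokens -= 1
            return True
        return False


class ManualClock:
    """Constructed clock so the demonstration runs deterministically offline."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def burst_outcome(limiter: TokenBucketLimiter, client_id: str, n: int) -> int:
    """How many of n back-to-back requests the limiter lets through right now."""
    return sum(limiter.allow(client_id) for _ in range(n))
```

Key the bucket on whatever identifies the principal you want to throttle (API key, user ID, or source address behind a trusted proxy header), and keep a separate, tighter bucket for the expensive flows named above, such as OTP validation and password recovery.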
API5:2023 Broken Function Level Authorization (BFLA)
Description: BFLA refers to missing authorization at the level of functions rather than objects: the API does not clearly separate what regular users, administrators, and other roles may call, so a regular user reaches an administrative or privileged function, often just by changing the HTTP method (GET to DELETE) or the path (/users/ to /admin/users/). The result is privilege escalation: an unauthorized user can add to, update, or delete another user’s record.
Consequence: Data disclosure, data loss, data corruption, and service disruption.
Prevention: Denied access by default, required explicit grants for function access, authorization based on user’s group and role, and only limited endpoints and methods allowed for users and third parties.
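The following is an added example, not code from the article or from OWASP: a deny-by-default function authorization table keyed on HTTP method and route pattern, which is the check BFLA is missing. Only explicit grants are listed, so a forgotten administrative route is unreachable for everyone, and changing GET to DELETE on a user-visible path does not help a regular user. The routes, roles and status codes are constructed for the demonstration.

```python
# Added example (not the article's or OWASP's code): deny-by-default
# function-level authorization. Routes and roles are constructed.
import re
from typing import Dict, FrozenSet, Tuple

# Explicit grants only: (method, path pattern) -> roles allowed to call it.
FUNCTION_GRANTS: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("GET",    r"^/users/\d+$"):            frozenset({"user", "admin"}),
    ("PATCH",  r"^/users/\d+$"):            frozenset({"user", "admin"}),
    ("DELETE", r"^/users/\d+$"):            frozenset({"admin"}),   # GET->DELETE must not work for users
    ("GET",    r"^/admin/users$"):          frozenset({"admin"}),
    ("POST",   r"^/admin/users/\d+/role$"): frozenset({"admin"}),
}
_COMPILED = [(m, re.compile(p), roles) for (m, p), roles in FUNCTION_GRANTS.items()]


def is_function_allowed(role: str, method: str, path: str) -> bool:
    """Function-level check: 'may this role call this operation at all?'
    It runs before, and does not replace, the object-level (BOLA) check."""
    method = method.upper()
    for m, pattern, roles in _COMPILED:
        if m == method and pattern.match(path):
            return role in roles
    return False  # deny by default: unlisted routes are closed to every role


def handle(role: str, method: str, path: str) -> int:
    """Toy dispatcher returning the HTTP status the API would answer with."""
    if not is_function_allowed(role, method, path):
        return 403
    return 200
```

The role comes from the validated session or token, exactly as the user ID does in the BOLA check; an endpoint that passes this table still has to verify that the object addressed by the path belongs to the caller.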
API6:2023 Unrestricted Access to Sensitive Business Flows
Description: This vulnerability directly relates to the business logic behind an API use. When attackers find sensitive business flows, such as a commenting feature within an app, they can overuse (through automation) or abuse it to cause damage to the business.
Consequence: Deny app access to regular users (so, say, they can’t post comments or buy tickets) or alter the usual function and flow of an app (for instance, change the typical way an online game is played).
Prevention: Device fingerprinting, captcha, biometric solutions, blocking Tor nodes and notorious proxies, and detecting non-human patterns.
API7:2023 Server-Side Request Forgery
Description: This vulnerability is present when an API fetches a remote resource from a user-supplied URL without validating it. An attacker who controls that URL can make the server connect to destinations it should never reach, such as internal services or a cloud metadata endpoint, even when those are shielded from the outside by a firewall.
Consequence: Service enumeration, DoS, information disclosure, bypassed firewalls, and use of a server as a proxy for malicious purposes.
Prevention: Allowlists of permitted destinations, isolation of the resource-fetching mechanism in its own network segment, disabled HTTP redirections, a single well-tested and maintained URL parser, validation and sanitization of user input, and no raw responses forwarded to clients.
API8:2023 Security Misconfiguration
Description: This vulnerability is intuitive to understand. It refers to API misconfiguration or complex configurations that sometimes offer customizability at the expense of security.
Misconfigured HTTP headers, unnecessary HTTP methods, default configuration, cross-origin resource sharing, and verbose error messages that reveal too much information all fall within this category.
Consequence: Server compromise as well as exposure of sensitive user data and system details.
Prevention: Encrypted communication channels between clients and servers, disabled unneeded HTTP verbs, proper CORS policy, restricted content types and data formats, and automated configuration assessment.
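As an added example that is not code from the article or from OWASP, the block below handles CORS two ways, a reflecting version that lets any site read authenticated responses and an exact-match allowlist version, and then audits a response header set for a few of the misconfigurations named above (wildcard origin with credentials, missing HSTS, a version-revealing Server header, TRACE left enabled). The allowed origins and the header sets are constructed for the demonstration.

```python
# Added example (not the article's or OWASP's code): CORS done two ways and a
# small response-header audit. Allowlist and header sets are constructed.
from typing import Dict, List, Optional

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_vulnerable(origin: str) -> Dict[str, str]:
    """Reflects any Origin and allows credentials: every site on the web can
    read authenticated responses from this API inside the victim's browser."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_fixed(origin: Optional[str]) -> Dict[str, str]:
    """Exact-match allowlist (no prefix, suffix or regex matching), credentials
    only for listed origins, and Vary so a cache never serves one origin's
    answer to another."""
    if origin not in ALLOWED_ORIGINS:
        return {}  # no CORS headers at all: the browser blocks the cross-site read
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Findings for one response's headers (header names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("CORS: wildcard origin combined with credentials")
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    if "server" in h and any(ch.isdigit() for ch in h["server"]):
        findings.append("Server header reveals a version string")
    allowed_methods = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    if "TRACE" in allowed_methods:
        findings.append("TRACE method enabled")
    return findings
```

Run the audit against every environment, not only production: staging and preview deployments are where default configurations and verbose errors tend to survive.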
API9:2023 Improper Inventory Management
Description: Improper Inventory Management refers to the lack of proper and up-to-date documentation, a missing or incomplete catalog of APIs, old and unpatched API versions still in service, staging and beta versions exposed, shadow APIs nobody tracks, and similar unwanted phenomena.
The problem becomes acute when APIs that should have been decommissioned or hidden still connect to the same data source as the current official API: an attacker who cannot get past the patched v2 simply asks v1.
This vulnerability is a clear example of human error and process gaps rather than a coding mistake.
Consequence: Server takeover and access to sensitive data.
Prevention: Appropriately documented inventory of each API host, appropriately documented inventory of integrated services, proper API documentation available only to authorized users/consumers, protection for all API versions, and forced use of only the latest API version if necessary.
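One practical way to keep the inventory honest, shown as an added example that is not code from the article or from OWASP: reconcile the paths declared in an OpenAPI document with the paths actually served, as seen in access logs, and flag shadow endpoints and traffic that still reaches retired versions. The spec fragment, the retired-version set and the log lines are constructed sample data.

```python
# Added example (not the article's or OWASP's code): spec-vs-traffic
# reconciliation. Spec paths and access log lines are constructed data.
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed OpenAPI 3 path list: what the team believes is deployed.
SPEC_PATHS = ["/api/v2/users/{id}", "/api/v2/orders", "/api/v2/orders/{id}"]
RETIRED_VERSIONS = {"v1"}

# Constructed access log lines: method, path, status.
ACCESS_LOG = """\
GET /api/v2/users/7 200
GET /api/v1/users/7 200
GET /api/v2/orders/1002 200
POST /api/v2/orders 201
GET /api/v2/internal/debug 200
GET /api/beta/users/7/export 200
GET /api/v2/users/8 200
"""


def _to_regex(template: str) -> "re.Pattern":
    # /api/v2/users/{id} -> ^/api/v2/users/[^/]+$
    return re.compile("^" + re.sub(r"\{[^}]+\}", "[^/]+", template) + "$")


_SPEC: List[Tuple[str, "re.Pattern"]] = [(p, _to_regex(p)) for p in SPEC_PATHS]


def classify_path(path: str) -> str:
    """'documented', 'retired-version' or 'shadow'."""
    m = re.match(r"^/api/(v\d+)/", path)
    if m and m.group(1) in RETIRED_VERSIONS:
        return "retired-version"
    if any(rx.match(path) for _, rx in _SPEC):
        return "documented"
    return "shadow"


def inventory_report(log_text: str) -> Dict[str, object]:
    """Request counts per class plus the concrete undocumented paths seen."""
    counts: Counter = Counter()
    unexpected = set()
    for line in log_text.splitlines():
        method, path, _status = line.split()
        cls = classify_path(path)
        counts[cls] += 1
        if cls != "documented":
            unexpected.add(f"{method} {path}")
    return {"counts": dict(counts), "unexpected": sorted(unexpected)}
```

A retired version that still answers 200 is the finding to chase first: it is reachable, undocumented, and almost certainly unpatched.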
API10:2023 Unsafe Consumption of APIs
Description: This vulnerability means an API integrates with third-party APIs and services that can endanger it. For instance, if developers use weaker security standards for third-party APIs, threat actors can get to the target API by compromising those other APIs first. Third-party services may allow them to bypass authentication and manipulate API responses.
Injection, a separate entry in the OWASP API Security Top 10 – 2019, was dropped from the 2023 list; injection through data received from integrated third-party services is now treated under this category.
Consequence: Sensitive information exposure, different types of injection attacks, and DoS.
Prevention: Assessment of the API security posture of third-party services, API interaction through secure channels, validation and sanitization of data from integrated services, and allowlists of locations that redirects lead to.
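The check below is an added example that is not code from the article or from OWASP, and it serves two of the prevention lists above: the SSRF controls under API7 (allowlist, no redirects, one URL parser, validated destination) and the redirect allowlist under API10. Every outbound URL, whether supplied by a user or received as a `Location` header from a third party, passes through it before the server fetches anything. The allowed hosts, the stub DNS answers and the test URLs are constructed for the demonstration.

```python
# Added example (not the article's or OWASP's code): outbound URL validation
# shared by the SSRF and the unsafe-consumption cases. The allowlist, the stub
# resolver answers and the URLs are constructed for the demonstration.
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

# Destinations this service is permitted to call (exact host match).
ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}


def _default_resolver(host: str) -> List[str]:
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def _is_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # Loopback, RFC 1918, link-local (169.254/16 includes cloud metadata), etc.
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url: str,
                       resolver: Callable[[str], List[str]] = _default_resolver) -> str:
    """Returns the normalised URL the fetcher may use, or raises ValueError.
    The fetcher must be configured not to follow redirects; each Location it
    receives goes back through this function."""
    parts = urlsplit(url)                 # one parser, used everywhere
    if parts.scheme != "https":
        raise ValueError("scheme not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL")   # https://allowed@evil/ tricks
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError("host not on allowlist")
    # Resolve and check every address: an allowlisted name can still point at
    # an internal range (DNS rebinding, or a compromised partner's DNS).
    for ip in resolver(host):
        if not _is_public(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return parts.geturl()


def stub_resolver(host: str) -> List[str]:
    """Constructed DNS answers so the demonstration runs offline; the public
    addresses are placeholders, not the real records of these names."""
    return {"api.partner.example": ["8.8.8.8"],
            "cdn.example": ["8.8.4.4", "10.0.0.5"]}.get(host, [])


def is_safe_destination(url: str, resolver=stub_resolver) -> bool:
    try:
        check_outbound_url(url, resolver)
        return True
    except ValueError:
        return False
```

The same function validates the response data path indirectly: because redirects are not followed automatically, a third party cannot bounce the server to an internal address, and because the raw response is never handed to the client, whatever the partner returns still goes through your own schema validation first.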
OWASP API Security Top 10 and Why You Should Care
By now, it’s apparent why you should care about API security and the OWASP API security project in particular. But to reinforce a point, we’ll look at some worrying statistics and examples of what happens when businesses fail to protect themselves from the most severe API security threats.
- A recent Salt Labs report detected a 400% upsurge in API attacks in just a few months at the end of 2022.
- The same research found that as many as 78% of API attacks came from what appeared to be legitimate, authenticated users, which highlights both how easy it is to abuse inadequate API authentication and how difficult it is to detect an ongoing API attack.
- In 2022, 94% of the companies surveyed by Salt Security said they had faced an API-related security problem in the previous 12 months.
- Insecure API use is estimated to cost businesses US$41–75 billion a year.
- Google, Facebook, Peloton, and Samsung have all suffered API attacks; in the first three cases, sensitive data leaked. Google even shut down the consumer version of Google+ because of an API vulnerability whose exploitation exposed personally identifiable information of its users.
Is API security a Subsection of Web Application Security?
If you compare the most current OWASP API Security Top 10 – 2023 and OWASP Top Ten – 2021 (web application security) lists, you can’t help but notice that the two overlap, at least to some extent. Also, organizations often rely on security safeguards like WAFs (web application firewalls), intrinsic to traditional web application security, to protect their APIs.
In addition, in our private and professional experience and understanding, modern web applications are almost impossible to imagine without APIs.
Then, can we safely infer that API security boils down to web application security? Is it simply an extension of, or even a footnote to, AppSec?
As early as 2016, security experts discussed and answered this question with an emphatic no. APIs bring unique security problems that can neither be explained by web application security nor remediated by mechanisms such as WAFs.
The same applies today. One of the most prominent contemporary API security experts, Alissa Knight, talks openly about the inefficiency of WAFs for API protection. She managed to hack 55 banks and cryptocurrency exchanges, in large part because her targets were “using WAFs to secure APIs.”
Much of the uniqueness of API security comes from the distinctive architecture of modern applications that extensively use APIs (not a few, but numerous APIs).
It also has to do with the considerably larger API attack surface compared to traditional apps, which springs from the sheer number and multiple types of clients accessing APIs, as well as the numerous endpoints. Besides that:
- APIs have unique authorization and authentication nuances that may lead to abuse.
- Cyberattacks can easily hide behind legitimate API requests.
- APIs can grow quickly, which creates a gap between the existing WAF configuration and the reality it needs to cover.
Our discussion, of course, is not exhaustive. Still, it suffices to show that API security is a distinct discipline that deserves separate attention. And budget.
What to Do?
API attacks are becoming more prevalent and subtle, and threat actors are more patient and skillful than ever. Besides, now they have automation, machine learning, and artificial intelligence at their disposal, which can make your life even harder.
Securing APIs is already tricky enough, so why make it even more difficult by letting attackers in through the cracks of different API vulnerabilities? Study the top 10 API vulnerabilities, try to implement the OWASP prevention suggestions, and put robust security mechanisms in place. You can avoid a disaster even if you can’t evade an attack.
Equixly is an automated API penetration testing tool that lets you find your application’s business logic vulnerabilities, locate edge cases, and unearth blind spots.
Test your APIs through and through, leave no stone unturned, and discover zero days.
Contact us to learn how.
Carlo De Micheli
Director of Product Marketing
Carlo is a versatile professional with extensive international experience. His enthusiasm for innovation extends across cybersecurity, automotive, and aerospace, where he actively engages in pioneering projects. Holding a technical background in aerospace engineering and supplementing it with independent studies in programming and security, Carlo has organized and presented at international conferences and established tech startups related to the sharing economy and fashion before embracing marketing and sales.
Zoran Gorgiev
Technical Content Specialist
Zoran is a technical content specialist with SEO mastery and practical cybersecurity and web technologies knowledge. He has rich international experience in content and product marketing, helping both small companies and large corporations implement effective content strategies and attain their marketing objectives. He applies his philosophical background to his writing to create intellectually stimulating content. Zoran is an avid learner who believes in continuous learning and never-ending skill polishing.