What Is OWASP<\/h2>\n<\/div>\n\n\n\n\n![\"\"](\"https:\/\/apimike.com\/wp-content\/uploads\/2022\/08\/owasp.png\")
<\/figure><\/div><\/div>\n<\/div>\n\n\n\nThe word OWASP<\/strong> is an acronym which means Open Web Application Security Project<\/strong>.
OWASP is a worldwide community responsible for web application protection. This organization is a non-profit that provides free resources on how to improve software security.<\/p>\n\n\n\n<\/a>What Is OWASP API Security Top 10<\/h2>\n\n\n\nThe OWASP API Security Top 10 is a document that the OWASP community updates with up-to-date attacks on APIs and workable solutions.<\/p>\n\n\n\n
Developers build most modern applications with microservices architecture.<\/p>\n\n\n\n
The microservices are loosely coupled so they integrate them with APIs. These APIs developers use to run these applications are in charge of data.<\/p>\n\n\n\n
Attackers would attack these APIs because of their vulnerability and have access to the full system.<\/p>\n\n\n\n
That was how OWASP API Security Top 10 came to be. The document highlights the top ten vulnerabilities that could breach the security of a program.<\/p>\n\n\n\n
<\/a>OWASP API Security Risks<\/h2>\n\n\n\nThis list was last updated on 2019, the top ten OWASP API security risks include:<\/p>\n\n\n\n
<\/a>1. Broken Object Level Authorization<\/h3>\n\n\n\nAPIs use object-level authorization to authorize legitimate users.<\/p>\n\n\n\n
When we leave the API endpoint exposed and unsecured, an attacker can gain access to it by changing the Ids.<\/p>\n\n\n\n
For example, when a consumer makes a request containing a userid<\/code> to an API, like;<\/p>\n\n\n\nhttps://docs.com\/document?userID=12\n<\/code><\/pre>\n\n\n\nIf the object level authorization is broken or not implemented. An attacker could gain unauthorized access by changing the userId to something like:<\/p>\n\n\n\n
https://docs.com\/document?userID=13\n<\/code><\/pre>\n\n\n\nIf the new userid<\/code> above guessed by the attacker is in the program.<\/p>\n\n\n\nThe attacker will gain unauthorized access to the consumers\u2019 data without undergoing authorization. Or the attacker will guess another number that will be in use in the program.<\/p>\n\n\n\n
<\/a>2. Broken User Authentication<\/h3>\n\n\n\nThere are so many authentication processes done in an application like resetting passwords, login authentication and so on.<\/p>\n\n\n\n
We do these normally using APIs. If developers fail to design these API endpoints differently from other API endpoints. Or they fail to implement the authentication correctly.<\/p>\n\n\n\n
Then, malicious agents can access the accounts of legitimate users in the application.<\/p>\n\n\n\n
Some examples where broken user authentication can occur include:<\/p>\n\n\n\n
\n- Weak passwords<\/li>\n\n\n\n
- Weak Encryption Keys<\/li>\n\n\n\n
- Non-encrypted or unhashed passwords<\/li>\n\n\n\n
- Unvalidated or insecure JWT tokens<\/li>\n\n\n\n
- Failure to limit the number of tries for a digit in authentication<\/li>\n<\/ul>\n\n\n\n
When the user authentication is broken in any of these cases, attackers can have access to a user\u2019s account.<\/p>\n\n\n\n
For example, an attacker might try to reset a password by sending a POST request to<\/p>\n\n\n\n
https://myapp.com\/api\/auth\/password_reset\n<\/code><\/pre>\n\n\n\nThe API would send some digits to the legitimate user for verification.<\/p>\n\n\n\n
The attackers can use an automated system to guess those digits and continue trying until they get the right guess.<\/p>\n\n\n\n
This happens so fast that it can take minutes to get the right guess. Here, the developers did not implement the API to limit the number of tries.<\/p>\n\n\n\n
Hence, there could be guesses of up to thousands or millions before they get the right digit.<\/p>\n\n\n\n
<\/a>3. Excessive Data Exposure<\/h3>\n\n\n\nAPIs return data to the frontend but some of this data returned could contain sensitive information.<\/p>\n\n\n\n
We expect developers to filter out sensitive data and send it to the frontend.<\/p>\n\n\n\n
Malicious users can call an API directly even if the developers had filtered it and they would still have direct access to the API.<\/p>\n\n\n\n
For example, if we made an application of user API endpoint to show the details of a user.<\/p>\n\n\n\n
https://myapp.com\/api\/users\/{userId}\n<\/code><\/pre>\n\n\n\nA malicious user can sniff through the user details and get access to too much information like;<\/p>\n\n\n\n
GET userId\n\n[ \n {\n \"Name\": syxxx, \n \"Id\": 0,\n \"Address\": \"xxxx, xxxxland\", \n \"Phone Number\": +1111111111,\n }\n ]\n<\/code><\/pre>\n\n\n\nThis data contains too much information like the users home address and phone digits.<\/p>\n\n\n\n
<\/a>4. Lack Of Resources $ Rate Limiting<\/h3>\n\n\n\nWhen some APIs cannot limit the number of requests, they can get from a particular client.<\/p>\n\n\n\n
An attacker can take advantage of this and make too many queries from the API.<\/p>\n\n\n\n
This will make the API exceed its performance and run down making it unresponsive to other users.<\/p>\n\n\n\n
For example, if we could set a certain API endpoint for users\u2019 info to a limit of only 20 entries per page.<\/p>\n\n\n\n
https://myapp.com\/api\/users_info?page=1&entries=20\n<\/code><\/pre>\n\n\n\nHackers can increase the entries if there is no limit on the API endpoint like:<\/p>\n\n\n\n
https://myapp.com\/api\/users_info?page=1&entries=2000\n<\/code><\/pre>\n\n\n\nThis will overwhelm the API server and cause it to be unresponsive to other users.<\/p>\n\n\n\n
Hackers can also use the absence of rate limiting to reset a user\u2019s password and have access to their info.<\/p>\n\n\n\n
<\/a>5. Broken Function Level Authorization<\/h3>\n\n\n\nThis happens when users have access to specific functions on the site or even admin functions.<\/p>\n\n\n\n
When we do not configure an API properly, it could give room for users to have unwanted access to other features.<\/p>\n\n\n\n
For example, A blog application has a feature that will allow its users to export their blog info.<\/p>\n\n\n\n
GET\n\nhttps://myapp.com\/api\/posts\/export_info\n<\/code><\/pre>\n\n\n\nIf there is a flaw in the API endpoint, then the user can export all the users blog info like this:<\/p>\n\n\n\n
GET\n\nhttps://myapp.com\/api\/posts\/export_info\/all\n<\/code><\/pre>\n\n\n\nIn another scenario,
An unauthorized user could register as an admin on a site and have access to all the users\u2019 information.<\/p>\n\n\n\n
<\/a>6. Mass Assignment<\/h3>\n\n\n\nMany frameworks of today have features like object-relational mapping. Where developers can bind input from users to variables.<\/p>\n\n\n\n
Some examples of such frameworks are Ruby on Rails, Java Play Framework, ASP.NET<\/a> MVC and so on.<\/p>\n\n\n\nThese features help to speed up development time but after they deploy the code to production.
Hackers can take advantage of these features to manipulate users\u2019 data.<\/p>\n\n\n\n
For example, in an e-commerce application, an authorized user might have access to details like user.addDiscount and use it.<\/p>\n\n\n\n
Another example, Hackers could make themselves the admin of a site by adding the code:<\/p>\n\n\n\n
PUT\n\n[ \n {\n \"is_admin\": true,\n \"is_sso: true, \n \"role\":\"admin\",\n \"Sso_type\":\"admin\",\n }\n ]\n\n<\/code><\/pre>\n\n\n\nIn this example, the hacker has manipulated the data by giving himself admin rights. So he can access the application and tamper with sensitive data.<\/p>\n\n\n\n
<\/a>7. Security Misconfiguration<\/h3>\n\n\n\nWhen there is a misconfiguration in an application infrastructure or an API. This can give attackers access to the application.<\/p>\n\n\n\n
When there is loose protection on an API, an attacker can take advantage and launch an attack.<\/p>\n\n\n\n
Some of these misconfigurations in an application are:<\/p>\n\n\n\n
\n- Unnecessary http methods<\/li>\n\n\n\n
- Use of default usernames and passwords<\/li>\n\n\n\n
- Use of default ports<\/li>\n\n\n\n
- Cross-origin site sharing<\/li>\n\n\n\n
- Directory traversal<\/li>\n\n\n\n
- Open cloud storage<\/li>\n<\/ul>\n\n\n\n
For example, an attacker might search through computers on a popular search engine directly connected to the internet. If they find a host using a default port with a default configuration and no authentication. They can easily access the host and have access to all the records in it.<\/p>\n\n\n\n
<\/a>8. Injection<\/h3>\n\n\n\nThis is when APIs receive data from consumers of that API but the data contains commands\/queries that are not trusted.<\/p>\n\n\n\n
For instance, SQL injection is a good example of an attack.<\/p>\n\n\n\n
In an SQL injection, they make a query to an API endpoint which could damage or alter the application.<\/p>\n\n\n\n
Example:<\/p>\n\n\n\n
In an application, we use an API to get userID<\/code>.<\/p>\n\n\n\nGET\n\napi\/info\/users?=12\n<\/code><\/pre>\n\n\n\nThe request above will return the user with the specified ID.<\/p>\n\n\n\n
But an attacker can inject SQL into the code<\/p>\n\n\n\n
GET\n\napi\/info\/users?=12; DROP USER\n<\/code><\/pre>\n\n\n\nHere, the program will retrieve user id <\/code> first and delete it afterwards.<\/p>\n\n\n\nIn a command injection, an attacker could make a command to an API endpoint that will tamper with the records.<\/p>\n\n\n\n
<\/a>9. Improper Asset Management<\/h3>\n\n\n\nWith rapid delivery cycles, most DevOps teams constantly push their code to production with their APIs.<\/p>\n\n\n\n
Sometimes the software deployed may be in the testing phase like beta and when in beta, the developers may fail to protect the APIs.<\/p>\n\n\n\n
Malicious agents could use those insecure APIs to have unauthorized access.<\/p>\n\n\n\n
For example,<\/p>\n\n\n\n
A game application pushed new APIs into production but left the old APIs for backward compatibility. Without updating the security features on the old APIs.<\/p>\n\n\n\n
A hacker found the new API<\/p>\n\n\n\n
api.games.com\/v2\n<\/code><\/pre>\n\n\n\nAnd changed it to;<\/p>\n\n\n\n
api.games.com\/v1\n<\/code><\/pre>\n\n\n\nThis gave the hacker access to all the records in the application.<\/p>\n\n\n\n
<\/a>10. Insufficient Logging $ Monitoring<\/h3>\n\n\n\nWhen APIs cannot log login attempts or password resets or any other activity going on in it.<\/p>\n\n\n\n
A malicious agent might take advantage of it and cause severe damage to the application.<\/p>\n\n\n\n
Developers should design APIs to watch and log activities. So it would be easier to detect malicious attacks and prevent them from further happening.<\/p>\n\n\n\n
For example,<\/p>\n\n\n\n
In a service application, an attacker tries to log in and gain access to an application and there are no logs of the activity.
The attacker continues to attempt undetected until they gain full access and tamper with the customer records.<\/p>\n\n\n\n
<\/figure><\/div><\/div>\n<\/div>\n\n\n\nThe word OWASP<\/strong> is an acronym which means Open Web Application Security Project<\/strong>. The OWASP API Security Top 10 is a document that the OWASP community updates with up-to-date attacks on APIs and workable solutions.<\/p>\n\n\n\n Developers build most modern applications with microservices architecture.<\/p>\n\n\n\n The microservices are loosely coupled so they integrate them with APIs. These APIs developers use to run these applications are in charge of data.<\/p>\n\n\n\n Attackers would attack these APIs because of their vulnerability and have access to the full system.<\/p>\n\n\n\n That was how OWASP API Security Top 10 came to be. The document highlights the top ten vulnerabilities that could breach the security of a program.<\/p>\n\n\n\n This list was last updated on 2019, the top ten OWASP API security risks include:<\/p>\n\n\n\n APIs use object-level authorization to authorize legitimate users.<\/p>\n\n\n\n When we leave the API endpoint exposed and unsecured, an attacker can gain access to it by changing the Ids.<\/p>\n\n\n\n For example, when a consumer makes a request containing a If the object level authorization is broken or not implemented. An attacker could gain unauthorized access by changing the userId to something like:<\/p>\n\n\n\n If the new The attacker will gain unauthorized access to the consumers\u2019 data without undergoing authorization. Or the attacker will guess another number that will be in use in the program.<\/p>\n\n\n\n There are so many authentication processes done in an application like resetting passwords, login authentication and so on.<\/p>\n\n\n\n We do these normally using APIs. If developers fail to design these API endpoints differently from other API endpoints. Or they fail to implement the authentication correctly.<\/p>\n\n\n\n Then, malicious agents can access the accounts of legitimate users in the application.<\/p>\n\n\n\n Some examples where broken user authentication can occur include:<\/p>\n\n\n\n When the user authentication is broken in any of these cases, attackers can have access to a user\u2019s account.<\/p>\n\n\n\n For example, an attacker might try to reset a password by sending a POST request to<\/p>\n\n\n\n The API would send some digits to the legitimate user for verification.<\/p>\n\n\n\n The attackers can use an automated system to guess those digits and continue trying until they get the right guess.<\/p>\n\n\n\n This happens so fast that it can take minutes to get the right guess. Here, the developers did not implement the API to limit the number of tries.<\/p>\n\n\n\n Hence, there could be guesses of up to thousands or millions before they get the right digit.<\/p>\n\n\n\n APIs return data to the frontend but some of this data returned could contain sensitive information.<\/p>\n\n\n\n We expect developers to filter out sensitive data and send it to the frontend.<\/p>\n\n\n\n Malicious users can call an API directly even if the developers had filtered it and they would still have direct access to the API.<\/p>\n\n\n\n For example, if we made an application of user API endpoint to show the details of a user.<\/p>\n\n\n\n A malicious user can sniff through the user details and get access to too much information like;<\/p>\n\n\n\n This data contains too much information like the users home address and phone digits.<\/p>\n\n\n\n When some APIs cannot limit the number of requests, they can get from a particular client.<\/p>\n\n\n\n An attacker can take advantage of this and make too many queries from the API.<\/p>\n\n\n\n This will make the API exceed its performance and run down making it unresponsive to other users.<\/p>\n\n\n\n For example, if we could set a certain API endpoint for users\u2019 info to a limit of only 20 entries per page.<\/p>\n\n\n\n Hackers can increase the entries if there is no limit on the API endpoint like:<\/p>\n\n\n\n This will overwhelm the API server and cause it to be unresponsive to other users.<\/p>\n\n\n\n Hackers can also use the absence of rate limiting to reset a user\u2019s password and have access to their info.<\/p>\n\n\n\n This happens when users have access to specific functions on the site or even admin functions.<\/p>\n\n\n\n When we do not configure an API properly, it could give room for users to have unwanted access to other features.<\/p>\n\n\n\n For example, A blog application has a feature that will allow its users to export their blog info.<\/p>\n\n\n\n If there is a flaw in the API endpoint, then the user can export all the users blog info like this:<\/p>\n\n\n\n In another scenario, Many frameworks of today have features like object-relational mapping. Where developers can bind input from users to variables.<\/p>\n\n\n\n Some examples of such frameworks are Ruby on Rails, Java Play Framework, ASP.NET<\/a> MVC and so on.<\/p>\n\n\n\n These features help to speed up development time but after they deploy the code to production. For example, in an e-commerce application, an authorized user might have access to details like user.addDiscount and use it.<\/p>\n\n\n\n Another example, Hackers could make themselves the admin of a site by adding the code:<\/p>\n\n\n\n In this example, the hacker has manipulated the data by giving himself admin rights. So he can access the application and tamper with sensitive data.<\/p>\n\n\n\n When there is a misconfiguration in an application infrastructure or an API. This can give attackers access to the application.<\/p>\n\n\n\n When there is loose protection on an API, an attacker can take advantage and launch an attack.<\/p>\n\n\n\n Some of these misconfigurations in an application are:<\/p>\n\n\n\n For example, an attacker might search through computers on a popular search engine directly connected to the internet. If they find a host using a default port with a default configuration and no authentication. They can easily access the host and have access to all the records in it.<\/p>\n\n\n\n This is when APIs receive data from consumers of that API but the data contains commands\/queries that are not trusted.<\/p>\n\n\n\n For instance, SQL injection is a good example of an attack.<\/p>\n\n\n\n In an SQL injection, they make a query to an API endpoint which could damage or alter the application.<\/p>\n\n\n\n Example:<\/p>\n\n\n\n In an application, we use an API to get The request above will return the user with the specified ID.<\/p>\n\n\n\n But an attacker can inject SQL into the code<\/p>\n\n\n\n Here, the program will retrieve In a command injection, an attacker could make a command to an API endpoint that will tamper with the records.<\/p>\n\n\n\n With rapid delivery cycles, most DevOps teams constantly push their code to production with their APIs.<\/p>\n\n\n\n Sometimes the software deployed may be in the testing phase like beta and when in beta, the developers may fail to protect the APIs.<\/p>\n\n\n\n Malicious agents could use those insecure APIs to have unauthorized access.<\/p>\n\n\n\n For example,<\/p>\n\n\n\n A game application pushed new APIs into production but left the old APIs for backward compatibility. Without updating the security features on the old APIs.<\/p>\n\n\n\n A hacker found the new API<\/p>\n\n\n\n And changed it to;<\/p>\n\n\n\n This gave the hacker access to all the records in the application.<\/p>\n\n\n\n When APIs cannot log login attempts or password resets or any other activity going on in it.<\/p>\n\n\n\n A malicious agent might take advantage of it and cause severe damage to the application.<\/p>\n\n\n\n Developers should design APIs to watch and log activities. So it would be easier to detect malicious attacks and prevent them from further happening.<\/p>\n\n\n\n For example,<\/p>\n\n\n\n In a service application, an attacker tries to log in and gain access to an application and there are no logs of the activity.
OWASP is a worldwide community responsible for web application protection. This organization is a non-profit that provides free resources on how to improve software security.<\/p>\n\n\n\n<\/a>What Is OWASP API Security Top 10<\/h2>\n\n\n\n
<\/a>OWASP API Security Risks<\/h2>\n\n\n\n
<\/a>1. Broken Object Level Authorization<\/h3>\n\n\n\n
userid<\/code> to an API, like;<\/p>\n\n\n\nhttps://docs.com\/document?userID=12\n<\/code><\/pre>\n\n\n\nhttps://docs.com\/document?userID=13\n<\/code><\/pre>\n\n\n\nuserid<\/code> above guessed by the attacker is in the program.<\/p>\n\n\n\n<\/a>2. Broken User Authentication<\/h3>\n\n\n\n
\n
https://myapp.com\/api\/auth\/password_reset\n<\/code><\/pre>\n\n\n\n<\/a>3. Excessive Data Exposure<\/h3>\n\n\n\n
https://myapp.com\/api\/users\/{userId}\n<\/code><\/pre>\n\n\n\nGET userId\n\n[ \n {\n \"Name\": syxxx, \n \"Id\": 0,\n \"Address\": \"xxxx, xxxxland\", \n \"Phone Number\": +1111111111,\n }\n ]\n<\/code><\/pre>\n\n\n\n<\/a>4. Lack Of Resources $ Rate Limiting<\/h3>\n\n\n\n
https://myapp.com\/api\/users_info?page=1&entries=20\n<\/code><\/pre>\n\n\n\nhttps://myapp.com\/api\/users_info?page=1&entries=2000\n<\/code><\/pre>\n\n\n\n<\/a>5. Broken Function Level Authorization<\/h3>\n\n\n\n
GET\n\nhttps://myapp.com\/api\/posts\/export_info\n<\/code><\/pre>\n\n\n\nGET\n\nhttps://myapp.com\/api\/posts\/export_info\/all\n<\/code><\/pre>\n\n\n\n
An unauthorized user could register as an admin on a site and have access to all the users\u2019 information.<\/p>\n\n\n\n<\/a>6. Mass Assignment<\/h3>\n\n\n\n
Hackers can take advantage of these features to manipulate users\u2019 data.<\/p>\n\n\n\nPUT\n\n[ \n {\n \"is_admin\": true,\n \"is_sso: true, \n \"role\":\"admin\",\n \"Sso_type\":\"admin\",\n }\n ]\n\n<\/code><\/pre>\n\n\n\n<\/a>7. Security Misconfiguration<\/h3>\n\n\n\n
\n
<\/a>8. Injection<\/h3>\n\n\n\n
userID<\/code>.<\/p>\n\n\n\nGET\n\napi\/info\/users?=12\n<\/code><\/pre>\n\n\n\nGET\n\napi\/info\/users?=12; DROP USER\n<\/code><\/pre>\n\n\n\nuser id <\/code> first and delete it afterwards.<\/p>\n\n\n\n<\/a>9. Improper Asset Management<\/h3>\n\n\n\n
api.games.com\/v2\n<\/code><\/pre>\n\n\n\napi.games.com\/v1\n<\/code><\/pre>\n\n\n\n<\/a>10. Insufficient Logging $ Monitoring<\/h3>\n\n\n\n
The attacker continues to attempt undetected until they gain full access and tamper with the customer records.<\/p>\n\n\n\n
![\"8](\"https:\/\/apimike.com\/wp-content\/uploads\/2021\/11\/8-API-attack-types_v2.webp\")
<\/figure>\n<\/div>\n\n\n\n