The Open Web Application Security Project (OWASP), a non-profit foundation devoted to web application security, recently released the 2023 OWASP API Security Top 10 list. The list aims to raise awareness about the most common API security risks plaguing organisations and how to defend against them.
The 2023 list provides an update to the original list, published in 2019. Since that time, API security threats have accelerated and evolved, which has been reflected in the new list. We at Salt were proud to help craft the first list, and we’ve also been a key contributor to the updated list.
Understanding these vulnerability classes helps companies stay ahead of growing API risk. Below are the key threats and vulnerabilities in the new list and how they have changed from the original list:
API1:2023 – Broken Object Level Authorisation (BOLA)
Broken object level authorisation stems from a lack of proper access controls on API endpoints, allowing unauthorised users to access and modify sensitive data. BOLA is represented in about 40% of all API attacks and is the most common API security threat. Broken object level authorisation vulnerabilities have been number one on the OWASP list since 2019 and have kept their top spot in the 2023 version.
API2:2023 – Broken Authentication
Broken authentication enables attackers to use stolen authentication tokens, credential stuffing and brute-force attacks to gain unauthorised access to applications. Improper social login functionality in Booking.com (now remediated) provides a good example of broken authentication, which could have led to account takeover (ATO) attacks. This API authentication vulnerability has kept its number two spot on the OWASP list since 2019.
API3:2023 – Broken Object Property Level Authorisation
Broken Object Property Level Authorisation merges two categories from the 2019 list: Excessive Data Exposure (previously number 3) and Mass Assignment (previously number 6). Both techniques rely on manipulating API endpoints to read or write sensitive object properties without authorisation.
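The two halves of this category, Excessive Data Exposure and Mass Assignment, beside the allowlist fix that closes both. This is an added example, not code from the OWASP project or from Salt; the `User` fields and handler names are constructed for illustration.

```python
"""Added example (not from the OWASP list or Salt Security): property-level
authorisation on a constructed user-profile API. Field names are illustrative."""
from dataclasses import dataclass, asdict


@dataclass
class User:
    id: str
    email: str
    display_name: str
    is_admin: bool = False
    password_hash: str = "<constructed placeholder>"

# Excessive Data Exposure: serialise the whole object and trust the client
# to hide what it should not show.
def profile_vulnerable(user: User) -> dict:
    return asdict(user)

# Mass Assignment: every key the client sends is written onto the object,
# so a body containing {"is_admin": true} escalates privileges.
def update_profile_vulnerable(user: User, body: dict) -> User:
    for key, value in body.items():
        setattr(user, key, value)
    return user

# Fix: explicit per-direction allowlists. Properties not listed are never
# returned and never written, whatever the client sends.
READABLE = ("id", "email", "display_name")
WRITABLE = ("email", "display_name")

def profile(user: User) -> dict:
    return {k: getattr(user, k) for k in READABLE}

def update_profile(user: User, body: dict) -> User:
    rejected = sorted(set(body) - set(WRITABLE))
    if rejected:
        # Reject rather than silently drop, so tampering shows up in logs.
        raise ValueError(f"properties not writable: {rejected}")
    for key in WRITABLE:
        if key in body:
            setattr(user, key, body[key])
    return user

def try_update(user: User, body: dict) -> bool:
    """True if the hardened handler accepted the body, False if it refused."""
    try:
        update_profile(user, body)
        return True
    except ValueError:
        return False
```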
API4:2023 – Unrestricted Resource Consumption
This vulnerability originates in APIs that improperly implement, or neglect to implement, limits on resource consumption, leaving them highly susceptible to brute-force attacks. Unrestricted Resource Consumption has replaced the previous number 4 in the OWASP API Security Top 10, Lack of Resources and Rate Limiting. While the name changed, the vulnerability itself remains the same overall.
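Two server-side limits of the kind this category expects, a per-client token bucket and a bound on requested page size, as an added example that is not code from the OWASP project or from Salt. The capacities, rates and page limits are constructed values; the clock is passed in so the decisions are deterministic.

```python
"""Added example (not from the OWASP list or Salt Security): per-client token
bucket plus a server-side page-size bound. All limits are constructed."""
from dataclasses import dataclass, field


@dataclass
class Bucket:
    tokens: float  # budget currently available
    last: float    # time of last refill, in seconds

@dataclass
class RateLimiter:
    capacity: float = 5.0        # burst allowed per client
    refill_per_sec: float = 1.0  # sustained request rate per client
    buckets: dict = field(default_factory=dict)

    def allow(self, client: str, now: float) -> bool:
        """True if the request at time `now` fits the client's budget.
        `now` is injected rather than read from the clock so decisions
        are deterministic and testable."""
        b = self.buckets.get(client)
        if b is None:
            b = Bucket(self.capacity, now)
            self.buckets[client] = b
        # Refill in proportion to elapsed time, never beyond capacity.
        b.tokens = min(self.capacity, b.tokens + (now - b.last) * self.refill_per_sec)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False  # the caller maps this to HTTP 429

def simulate(limiter: RateLimiter, client: str, times: list) -> list:
    """Decide each request in `times` (seconds); one bool per request."""
    return [limiter.allow(client, t) for t in times]

MAX_PAGE_SIZE = 100
DEFAULT_PAGE_SIZE = 20

def clamp_page_size(requested) -> int:
    """Bound list sizes on the server so a client cannot ask for everything."""
    try:
        n = int(requested)
    except (TypeError, ValueError):
        return DEFAULT_PAGE_SIZE
    return max(1, min(n, MAX_PAGE_SIZE))
```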
API5:2023 – Broken Function Level Authorisation
This threat takes shape when function-level authorisation is not properly implemented, leading to unauthorised users being able to execute API functions such as adding, updating or deleting a customer record or a user role. Broken Function Level Authorisation (BFLA) has kept its fifth spot on the list since 2019.
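The object-level defect from API1 and the function-level defect from API5 side by side with their fixes, in one added example covering both sections (not code from the OWASP project or from Salt). The in-memory records, user ids and roles are constructed; `Caller` stands in for whatever the server derived from a verified session.

```python
"""Added example (not from the OWASP list or Salt Security): a minimal in-memory
records API showing BOLA (API1) and BFLA (API5) beside their fixes.
Users, roles and records are constructed."""
from dataclasses import dataclass


@dataclass
class Caller:
    user_id: str
    role: str  # "user" or "admin"; from the verified session, never the request

# Constructed sample data: record id -> owner and payload.
RECORDS = {
    "1001": {"owner": "alice", "balance": 120},
    "1002": {"owner": "bob", "balance": 980},
}

# BOLA: the object id comes straight from the request and the handler never
# checks that the caller may access that particular object.
def get_record_vulnerable(caller: Caller, record_id: str) -> dict:
    return RECORDS[record_id]

# Fix: authorise the object, not just the caller, and answer "not found"
# so the response does not confirm which foreign ids exist.
def get_record(caller: Caller, record_id: str) -> dict:
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != caller.user_id:
        raise PermissionError("record not found")
    return rec

# BFLA: a privileged function is reachable by any authenticated user
# because the endpoint enforces no role check.
def delete_record_vulnerable(caller: Caller, record_id: str) -> bool:
    return RECORDS.pop(record_id, None) is not None

# Fix: enforce the function-level rule server-side before acting, and keep
# the object-level rule for non-admin callers.
def delete_record(caller: Caller, record_id: str) -> bool:
    rec = RECORDS.get(record_id)
    if rec is None:
        raise PermissionError("record not found")
    if caller.role != "admin" and rec["owner"] != caller.user_id:
        raise PermissionError("not allowed")
    del RECORDS[record_id]
    return True

def allowed(handler, caller: Caller, record_id: str) -> bool:
    """True if the handler performed the call, False if it refused."""
    try:
        handler(caller, record_id)
        return True
    except PermissionError:
        return False
```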
API6:2023 – Unrestricted Access to Sensitive Business Flows
This new threat, which has replaced Mass Assignment as number 6 on the OWASP API Security Top 10, manifests when an API exposes a business flow without compensating for the harm that functionality could cause if used excessively through automation. To exploit this vulnerability, an attacker needs to understand the business logic behind the API in question, find the sensitive business flows and automate access to them in order to harm the business.
API7:2023 – Server-Side Request Forgery (SSRF)
Server-Side Request Forgery can occur when a user-controlled URL is passed to an API and is honoured and processed by the back-end server. The risk materialises when the back-end server tries to connect to the user-supplied URL, which opens the door for SSRF. This threat has replaced Mass Assignment as number 6 on the OWASP API Security Top 10 list.
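A deny-by-default check the back end can run on a client-supplied URL before fetching it, as an added example that is not code from the OWASP project or from Salt. The scheme and host allowlists are constructed; it assumes the fetch happens only when `check_outbound_url` returns ok, and that the deployment also pins the resolved IP at connect time, since a validated name can still resolve to an internal address.

```python
"""Added example (not from the OWASP list or Salt Security): deny-by-default
validation of a client-supplied URL before the back end fetches it.
The allowlists are constructed."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}  # constructed


def is_internal_address(host: str) -> bool:
    """True if `host` is an IP literal that points inside the network."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # a name, not a literal; the allowlist decides
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_outbound_url(url: str) -> tuple:
    """Return (ok, reason). Only an allowlisted https host on the default
    port, with no embedded credentials, is accepted."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    if is_internal_address(host):
        return False, "internal address"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, "port not allowed"
    return True, "ok"
```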
API8:2023 – Security Misconfiguration
Security misconfiguration is a catch-all for a wide range of configuration weaknesses that degrade API security as a whole and inadvertently introduce API vulnerabilities. This threat has been number 7 on the OWASP API Security Top 10 list released in 2019 and it has remained in the same position in 2023.
API9:2023 – Improper Inventory Management
This threat is the result of an outdated or incomplete inventory, which creates unknown gaps in the API attack surface and makes it difficult to identify older API versions that should be decommissioned. Improper Inventory Management has replaced Improper Assets Management as number 9 in the OWASP API Security Top 10 and, while the name has been changed to emphasise the importance of an accurate and up-to-date API inventory, the threat remains the same. The Optus breach is a perfect example of this vulnerability. Optus, the second largest telecom company in Australia, exposed more than 11.2 million customer records with dozens of PII fields due to a “forgotten” API exposed to the public.
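One way to surface a "forgotten" API of the kind described above: reconcile the routes actually being served (for example, normalised paths harvested from gateway access logs) against the documented inventory. This is an added example, not code from the OWASP project or from Salt; the route sets and the `/api/v<N>/` versioning scheme are constructed.

```python
"""Added example (not from the OWASP list or Salt Security): reconcile served
endpoints against the documented inventory to flag undocumented routes and
superseded versions that are still live. All route data is constructed."""
import re
from collections import defaultdict

# Constructed: what the documentation / OpenAPI inventory says exists.
DOCUMENTED = {
    "/api/v2/customers/{id}",
    "/api/v2/orders",
}
# Constructed: normalised paths observed in production access logs.
OBSERVED = [
    "/api/v2/customers/{id}",
    "/api/v2/orders",
    "/api/v1/customers/{id}",   # old version still answering
    "/api/internal/export",     # never documented
]

VERSION_RE = re.compile(r"^/api/v(\d+)/(.*)$")


def audit_inventory(documented, observed) -> dict:
    """Return routes served but not documented, and live older versions of
    resources that also exist in a newer version."""
    observed_set = set(observed)
    undocumented = sorted(observed_set - set(documented))
    # Group routes by resource so v1 and v2 of the same path can be compared.
    by_resource = defaultdict(set)
    for path in set(documented) | observed_set:
        m = VERSION_RE.match(path)
        if m:
            by_resource[m.group(2)].add(int(m.group(1)))
    stale = []
    for resource, versions in by_resource.items():
        newest = max(versions)
        for v in versions:
            path = f"/api/v{v}/{resource}"
            if v < newest and path in observed_set:
                stale.append(path)
    return {"undocumented": undocumented, "stale_versions": sorted(stale)}
```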
API10:2023 – Unsafe Consumption of APIs
The Unsafe Consumption of APIs vulnerability stems from improper usage of APIs by API clients, such as bypassing API authentication controls or manipulating API responses, which can lead to unauthorised access and data exposure. This vulnerability can be exploited via the consumption of API data itself or by abusing third-party integration issues. Unsafe Consumption of APIs has replaced Insufficient Logging and Monitoring as number 10 in the OWASP API Security Top 10. The most relevant example for this category would be the notorious Log4Shell attack.
APIs are the glue that connects today’s modern applications and powers business innovation. But they have also become a primary target for attackers. Understanding the main issues that threaten your APIs means you will be better equipped to put a robust and mature API security strategy in place.