OWASP API Security Top 10 2023 RC Published
Why API Security?
APIs have become an integral part of modern software development. APIs allow different software systems to communicate and exchange data, enabling developers to create complex applications by combining existing software components. However, the increasing use of APIs has also brought new security challenges for organizations.
API security has become more important as APIs have become the primary way that attackers gain access to sensitive data and systems. Hackers can use APIs to bypass traditional security measures and directly access databases, servers, and other resources. Furthermore, APIs often serve as gateways to entire ecosystems of applications and services, which means that a single API vulnerability can have far-reaching consequences.
The OWASP API Security Top 10 List
API security has become increasingly crucial for organizations due to the growing number of APIs and their associated security risks. The increasing use of APIs has opened up new avenues for cyberattacks and vulnerabilities. These risks led to the original creation of the OWASP API Security Top 10 list by OWASP (the Open Web Application Security Project) organization. The list provides guidance on the most critical API security issues that organizations must address.
The OWASP API Security Top 10 list is intended to help organizations identify the most critical vulnerabilities and risks associated with their APIs, allowing them to take proactive measures to protect their systems and data. The list includes ten categories of vulnerabilities that organizations must be aware of when developing and deploying APIs and is an essential tool for organizations that use APIs.
2023 List Update
The OWASP organization has just published the release candidate for the OWASP API Security Top 10 2023 – the next iteration of the list of the most common API threats.
The first version of the list, published in 2019, was due for an update since API usage and API Security have been changing quite a lot in recent years. The project’s leadership has been analyzing recent trends, public breaches, and bug bounty reports, and has composed a release candidate for the updated list, which represents today’s current and actual threats to APIs.
The new list is currently open to the community for review and comment and a final version, incorporating the community’s suggestions and changes, is expected to be released in March 2023.
Some of the key 2023 Changes
Looking at the new release candidate list, we can find well-thought-out changes that align with our efforts to build a comprehensive API Security solution.
Authorization is the biggest challenge of API Security
There are few things that engineers agree about. But there is one consensus among pen-testers, bug bounty hunters, and hackers when it comes to API Security – Authorization is the most significant risk.
An average API exposes thousands of access points to sensitive data that can be easily consumed by different types of users. By design, some users have access to the data of other users – driven by the business’s need to create highly connected and integrated applications that encourage interaction between users.
It is extremely challenging to design and create an API that enforces strict authorization policies. It is so challenging that sometimes the engineering team working on the API doesn’t even fully understand the complexity of the authorization policies they need to implement.
On the new list, among the known BOLA and BFLA vulnerabilities, we can find a new type of Authorization problem – BOPLA (Broken Object Property Level Authorization). The creators of the list decided it made sense to combine two items from the previous list:
- Excessive Data Exposure – a scenario where a user is able to read a piece of information (“property”) of an object they are not supposed to read.
- Mass Assignment – a scenario where a user is able to set/update a property of an object they are not supposed to be able to modify.
SSRF – Server-Side Request Forgery
Aligned with the OWASP Top Ten 2021, SSRF found its place on the API 2023 list. Using an SSRF vulnerability, an attacker can manipulate the API and make it access internal/external resources, on behalf of the attacker. Attackers often use it to bypass firewalls and gather information about the internal network of the company.
This vulnerability has become more and more common because of concepts in modern application development, such as webhooks and the import of files from URLs (instead of manually uploading them). These concepts encourage developers to fetch a resource based on a URI, which opens the door to SSRF.
Bots (Automated threats) got their place on the list
It’s not a secret that bots have become more and more dangerous over the last few years. Botnet operators are leveraging the low cost and anonymous nature of spinning up virtual machines in cloud environments, together with the new capabilities to get around “anti-bot” mechanisms (e.g, captcha) using AI.
They have found ways to make their botnets more profitable. Some common examples are scalping – buying all the stock of a high-demand item (such as masks during covid, or PS5 on the release date) at once, and reselling it for a much higher price, and account takeover – performing credential stuffing and selling stolen accounts on the darknet.
We can see that a lot of hard work has been put into the release candidate for the next version of this list. Congratulations to the OWASP API Security Project Leadership for reaching this milestone, and thank you for continuing to conduct research and pushing forward the field of API Security
We also want to acknowledge the efforts of other thought leaders in the API Security industry who helped to review and shaped the release candidate:
- Corey Ball – Author of Hacking APIs
- Isabelle Mauny – 42crunch
- Zavodchik Maxim – Akamai
- Yaniv Balmas – Salt Security
- Ivan Novikov – Wallarm
- Alissa Knight – Knight Group
The Traceable team is proud to also be a contributor to the updated list and a project sponsor, as we feel it is important for the industry to understand what threats it needs to protect itself from. We are humbled to be part of this great community working together to help organizations secure their applications and APIs.
Traceable is the industry’s leading API security platform that identifies APIs, evaluates API risk posture, stops API attacks, and provides deep analytics for threat hunting and forensic research. With visual depictions of API paths at the core of its technology, its platform applies the power of distributed tracing and machine learning models for API security across the entire software development lifecycle. Book a demo today.