Top 10 API Bugs and Where to Find Them
Application Programming Interfaces, better known as APIs, are a type of interface that makes interactivity between different applications a possibility. APIs define what type of information is passed from one application to another and how; they typically do so over a local network or the internet. Examples of APIs that are commonly used every day around the world include searching for deals on traveling or looking for someone on social media via the search function. When you have the option of signing in to a website such as Etsy using the “Login with Facebook/LinkedIn/Twitter” button, you are dealing with an API. In all of these instances, APIs serve as a middle entity, between you, the user, and a web application.
The 2019 edition of this list, which is the most recent, features these 10 security issues, in order: broken object-level authorization, broken user authentication, excessive data exposure, lack of resources and rate-limiting, broken function level authorizations, mass assignment, security misconfiguration, injection, improper assets management, and insufficient logging and monitoring.
Each API vulnerability is ranked on its exploitability, prevalence, detectability, and technical impact on a scale of 1 to 3, with 1 meaning difficult or minor, and 3 meaning easy or severe. They also discuss the business impacts of each vulnerability. We’ll discuss each of these API security issues, considering what they are, what they mean for users and companies, and OWASP’s chief recommendations to address these issues so that malicious actors’ attacks are thwarted.