Introduction to the OWASP API Top Ten

The OWASP Project

The Open Web Application Security Project (OWASP) is best known for its Top Ten list of web application security risks. The list is updated every few years and is designed to highlight the most common and most impactful classes of vulnerability seen in production web applications.

However, the main OWASP Top Ten list is not the only OWASP project in existence. The OWASP umbrella also covers projects for learning about common vulnerabilities, like the deliberately vulnerable Mutillidae and Juice Shop web applications.

OWASP has also expanded its collection of lists to cover specific domains, such as mobile applications and automated threats against web applications. In 2019, OWASP published a separate top ten list dedicated to web API security.

The 2019 OWASP API top ten list

The creation of an API-specific top ten list was driven by the growing use of APIs and the growing number of vulnerabilities being found in them. In 2019, 485 new API vulnerabilities were discovered, a 17% increase over the previous year. Since APIs are powerful and are often exposed directly to the public internet, educating developers and defenders about the threats they face is extremely important.

  1. Broken object level authorization 

    APIs commonly identify the object a request refers to, such as a user account, with an ID embedded in the request (in the URL path, a query parameter or the body). That ID is convenient for routing the request to the right record, but it is attacker-controlled and must not be treated as proof that the caller is allowed to see that record. If the API looks up the object by the supplied ID without checking, against its own server-side session or account data, that the authenticated caller is entitled to that object, an attacker can simply substitute another user's ID in the request and read or modify that user's data. This vulnerability is widespread and, according to OWASP, is the most common and most impactful attack against APIs, which is why it heads the list.

  2. Broken authentication

    APIs are designed to provide access to sensitive data or protected functionality. If (Read more...)
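The ID-substitution attack described under item 1 above, as an added example that is not part of the original post. It models a hypothetical endpoint `GET /users/{id}` twice: a vulnerable handler that authenticates the caller but trusts the object ID in the request, and a hardened handler that resolves the caller from the session token and runs every object access through an authorization check. The session table, user records and the owner-or-admin policy are constructed for the demo and are not from any real API.

```python
"""Added example (not from the original post): broken object level
authorization (BOLA) on a hypothetical GET /users/{id} endpoint.

Two handlers for the same request:
  - get_user_vulnerable: checks that the caller is logged in, then
    returns whatever record the request's user_id points at.
  - get_user_secure: derives the caller from the server-side session
    and checks an object-level policy before touching the record.
All data below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample data: server-side session tokens and user records.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}
USERS = {
    1001: {"name": "alice", "email": "alice@example.com"},
    1002: {"name": "bob", "email": "bob@example.com"},
}
ADMINS = {1000}  # assumed role table for the demo; no admin session exists


@dataclass
class Request:
    token: str     # bearer token from the Authorization header
    user_id: int   # object ID taken from the URL, e.g. /users/1002


def get_user_vulnerable(req):
    """Vulnerable: the caller is authenticated, but nothing verifies that
    the caller may read the object referenced by req.user_id."""
    if req.token not in SESSIONS:
        return 401, {"error": "unauthenticated"}
    record = USERS.get(req.user_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def is_authorized(caller_id, object_owner_id):
    """Object-level authorization policy: the owner or an admin."""
    return caller_id == object_owner_id or caller_id in ADMINS


def get_user_secure(req):
    """Hardened: caller identity comes only from server-side session
    state, and every object access goes through the policy check."""
    caller_id = SESSIONS.get(req.token)
    if caller_id is None:
        return 401, {"error": "unauthenticated"}
    if not is_authorized(caller_id, req.user_id):
        # Same status as a missing record, so a denied request does not
        # confirm which IDs exist (limits ID enumeration).
        return 404, {"error": "not found"}
    record = USERS.get(req.user_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


if __name__ == "__main__":
    # Alice's valid token combined with Bob's ID: the substitution attack.
    attack = Request(token="tok-alice", user_id=1002)
    print("vulnerable:", get_user_vulnerable(attack))   # 200, Bob's record
    print("hardened:  ", get_user_secure(attack))       # 404, denied
```

The hardened handler returns 404 rather than 403 on a policy failure; that is a design choice to avoid confirming which object IDs exist, and a 403 is equally acceptable where the IDs are not secret. The point that generalises beyond this toy is that the authorization check is keyed on the caller identity the server already holds, never on an identity claim carried in the request.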

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/pSXpKIl3kv4/