API Security Academy

OWASP API Top 10

OWASP compiled a top 10 API security issues list to bring awareness to the most common attack vectors that attackers can use to compromise information or bring down the API. They have made this list available to the public so that you can learn about what to be wary of and how to increase the security around your API.

OWASP API TOP 10 / LESSON 1:12
Introduction
Top 10 API bugs and where to find them

OWASP API TOP 10 / LESSON 2:12
Broken Object Level Authorization
Broken object-level authorization (BOLA) generally refers to an insecure direct object reference (IDOR).

OWASP API TOP 10 / LESSON 3:12
Broken User Authentication
Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently.

OWASP API TOP 10 / LESSON 4:12
Excessive Data Exposure
Aiming for generic implementations, developers tend to expose all object properties without considering their sensitivity, relying on clients to filter the data before displaying it to the user.

OWASP API TOP 10 / LESSON 5:12
Lack of Resources & Rate Limiting
Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user.

OWASP API TOP 10 / LESSON 6:12
Broken Function Level Authorization
Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws.

OWASP API TOP 10 / LESSON 7:12
Mass Assignment
Binding client-provided data (e.g., JSON) to data models without proper property filtering based on a whitelist usually leads to mass assignment.

OWASP API TOP 10 / LESSON 8:12
Security Misconfiguration
Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers…

OWASP API TOP 10 / LESSON 9:12
Injection
Injection flaws, such as SQL, NoSQL, Command Injection, etc., occur when untrusted data is sent to an interpreter as part of a command or query.

OWASP API TOP 10 / LESSON 10:12
Improper Assets Management
APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important.

OWASP API TOP 10 / LESSON 11:12
Insufficient Logging & Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, extract, or destroy data.

OWASP API TOP 10 / LESSON 12:12
Final Words
Top 10 API bugs and where to find them

API Security 101

Application security is the discipline of applying sound security principles to protect the confidentiality, integrity, and availability of software applications and their data. There are several types of software applications, such as web, mobile, native clients (e.g., Windows Store apps), and command line. Each type of application has a different threat model and must apply different principles and tactics to secure it.

coming soon…