API Security Academy
OWASP API Top 10
OWASP compiled a top 10 API security issues list to bring awareness to the most common attack vectors that attackers can use to compromise information or bring down the API. They have made this list available to the public so that you can learn about what to be wary of and how to increase the security around your API.
OWASP API TOP 10 / LESSON 2:12
Broken Object Level Authorization
Broken object-level authorization (BOLA) generally refers to insecure direct object references (IDOR).
OWASP API TOP 10 / LESSON 3:12
Broken User Authentication
Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently.
OWASP API TOP 10 / LESSON 4:12
Excessive Data Exposure
Relying on generic implementations, developers tend to expose all object properties without considering their sensitivity, leaving it to clients to filter the data before displaying it to the user.
OWASP API TOP 10 / LESSON 5:12
Lack of Resources & Rate Limiting
Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user.
OWASP API TOP 10 / LESSON 6:12
Broken Function Level Authorization
Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws.
OWASP API TOP 10 / LESSON 7:12
Mass Assignment
Binding client-provided data (e.g., JSON) to data models without proper property filtering based on a whitelist usually leads to Mass Assignment.
OWASP API TOP 10 / LESSON 8:12
Security Misconfiguration
Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers…
OWASP API TOP 10 / LESSON 9:12
Injection
Injection flaws, such as SQL, NoSQL, Command Injection, etc., occur when untrusted data is sent to an interpreter as part of a command or query.
OWASP API TOP 10 / LESSON 10:12
Improper Assets Management
APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important.
OWASP API TOP 10 / LESSON 11:12
Insufficient Logging & Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data.
API Security 101
Application security is the discipline of applying sound security principles to protect the confidentiality, integrity, and availability of software applications and their data. There are several types of software applications, such as web, mobile, native clients (e.g., Windows Store apps), and command line. Each type of application has a different threat model and requires different principles and tactics to secure it.