API Security Masterclass Recap: Your Guide to the OWASP API Top 10
The API masterclass is back with this month’s live class. Last time we covered API discovery and reconnaissance; now it is finally time to actually hunt for vulnerabilities. So what kinds of bugs are in APIs, and how do we look for them? Thankfully we don’t need to figure that out ourselves: we can use the OWASP API Top 10. The OWASP API Top 10 is a project hosted by the OWASP API group that defines the top API security risks, and it was last updated in 2023.
The list was created by API experts, from hackers to developers, and went through multiple revisions, discussions and changes. It is important to know from the start that this isn’t strictly a list of security vulnerabilities: the OWASP API Top 10 is about API risk, so it includes some issues that you wouldn’t always consider a vulnerability in the narrow sense. Traceable ASPEN researcher Inon also contributed to the OWASP API Top 10, and you can find out more here.
While you can go through the OWASP API Top 10 one by one from 1 to 10, it can be helpful to think in terms of categories and themes. There are four key themes that the OWASP API Top 10 covers. The first two themes are general: they exist in pretty much every web application, regardless of whether or not it uses any kind of API in the backend. The other two are API-specific issues that only affect APIs because of the unique ways APIs work.
Access Control
The access control theme holds the three best-known API vulnerabilities: broken object level authorization (BOLA), broken object property level authorization (BOPLA) and broken function level authorization (BFLA). All three describe being able to do something you shouldn’t be able to do. With broken object level authorization you can do something to somebody else’s account. With broken function level authorization you can do something as an admin user even though you are a regular user without any admin powers. Finally, with broken object property level authorization, which is new to the OWASP API Top 10 this year but is actually a combination of two previous entries, mass assignment and information disclosure, you are able to do something at the property level even though you shouldn’t be able to, for example read a secret field of another user’s account. It can be difficult to tell these three apart, particularly in a black-box situation, but they all have slightly different mitigations, which we’ll talk about in a future webinar.
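To make the three checks concrete, here is an added example (not code from the webinar or from Traceable) of a minimal in-memory account API that enforces each of them in a different place: an object-ownership check (BOLA), a property allow-list on read and write (BOPLA), and a role check on a privileged function (BFLA). The data, function names and status codes are constructed for the example.

```python
# Added example: one handler per access-control check from the OWASP API Top 10.
# ACCOUNTS, READABLE_BY_OWNER, WRITABLE_BY_OWNER and the handler names are assumptions.

# Constructed sample data: two regular users and one admin.
ACCOUNTS = {
    1: {"id": 1, "owner": "alice", "email": "alice@example.com", "role": "user", "balance": 100},
    2: {"id": 2, "owner": "bob", "email": "bob@example.com", "role": "user", "balance": 50},
    3: {"id": 3, "owner": "carol", "email": "carol@example.com", "role": "admin", "balance": 0},
}

# BOPLA mitigation: explicit allow-lists instead of returning or assigning the raw record.
READABLE_BY_OWNER = {"id", "owner", "email", "balance"}
WRITABLE_BY_OWNER = {"email"}  # role and balance are never client-writable


def _caller(username):
    """Look up the authenticated principal (authentication is assumed to have happened)."""
    return next(a for a in ACCOUNTS.values() if a["owner"] == username)


def get_account(caller, account_id):
    """BOLA check: the requested object must belong to the caller, unless caller is admin."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return 404, None
    if _caller(caller)["role"] != "admin" and acct["owner"] != caller:
        return 403, None  # valid object id, wrong principal: the classic BOLA case
    # BOPLA: project onto the readable properties so 'role' is never exposed
    return 200, {k: v for k, v in acct.items() if k in READABLE_BY_OWNER}


def patch_account(caller, account_id, body):
    """BOLA + BOPLA: owner only, and only allow-listed properties may be assigned."""
    status, _ = get_account(caller, account_id)
    if status != 200:
        return status
    if set(body) - WRITABLE_BY_OWNER:
        return 400  # e.g. {"role": "admin"} is refused outright, not silently merged
    ACCOUNTS[account_id].update(body)
    return 200


def delete_account(caller, account_id):
    """BFLA check: the function itself is admin-only, independent of which object is targeted."""
    if _caller(caller)["role"] != "admin":
        return 403
    return 204 if ACCOUNTS.pop(account_id, None) is not None else 404
```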
Identity and Authentication
Identity describes who you are to an application, so flaws in identity and authentication allow you to log in as another user, or to perform some action without being logged in at all. Common examples include being able to generate a token, such as a JWT, for any user account, and missing authentication entirely. Alongside broken authentication you can also place security misconfiguration in this category. Security misconfiguration is very broad, and there are many different ways to misconfigure APIs, which leaves this flaw sitting between API Management and Identity.
Upstream / Downstream
APIs never exist on their own; they always sit upstream or downstream of something else, whether that is an API feeding into a business flow or into another API. Think about an e-commerce website that calls a payment provider like PayPal’s API, which handles the payment and then sends the result back. These flaws cover issues that appear on either side of that boundary: sometimes it is overly trusting API input, as in prompt injection, and sometimes it is more about abusing the business logic of the API.
API Management and Deployment
These vulnerabilities cover all the ways an API can be deployed that cause security issues. This includes things like unrestricted resource consumption, improper inventory management (leaving old, vulnerable APIs up and running), as well as more typical web security vulnerabilities like server side request forgery.
During the session we walked through a few different scenarios and covered where each would sit under the OWASP API Top 10. But regardless of the vulnerability, once you know what to look for, the challenge is actually finding it in the wild, and that is the topic of next month’s webinar. Join us for episode 4 of the API security masterclass as we actually start hacking and finding these vulnerabilities. Bring your API with you and hack along with us to find API bugs. If you missed this session you can catch up, or we’ll see you next time for the next entry in the API masterclass!
About Traceable
Traceable is the industry’s leading API Security company helping organizations achieve API protection in a cloud-first, API-driven world. Traceable is the only contextually-informed solution that powers complete API security – API discovery and posture management, API security testing, attack detection and threat hunting, and attack protection anywhere your APIs live. Traceable enables organizations to minimize risk and maximize the value that APIs bring to their customers. To learn more about how API security can help your business, visit https://www.traceable.ai/.