OWASP API Top 10

Top 10 API Bugs and Where to Find Them

Dr. Katie Paxton-Fear

Lecturer in Cyber Security, Speaker & Ethical Hacker, Manchester, England

Application Programming Interfaces, better known as APIs, are a type of interface that makes interactivity between different applications a possibility. APIs define what type of information is passed from one application to another and how; they typically do so over a local network or the internet. Examples of APIs that are commonly used every day around the world include searching for deals on traveling or looking for someone on social media via the search function. When you have the option of signing in to a website such as Etsy using the “Login with Facebook/LinkedIn/Twitter” button, you are dealing with an API. In all of these instances, APIs serve as a middle entity, between you, the user, and a web application.

Due to their ubiquity, securing APIs is a top priority. The number of users and companies whose data or reputation can be leaked, damaged, or destroyed is extremely significant. OWASP compiled a top 10 API security issues list to bring awareness to the most common attack vectors that attackers can use to compromise information or bring down the API. They have made this list available to the public so that you can learn about what to be wary of and how to increase the security around your API.

The 2019 edition of this list, which is the most recent, features these 10 security issues, in order: broken object-level authorization, broken user authentication, excessive data exposure, lack of resources and rate-limiting, broken function level authorizations, mass assignment, security misconfiguration, injection, improper assets management, and insufficient logging and monitoring.

Each API vulnerability is ranked on its exploitability, prevalence, detectability, and technical impact on a scale of 1 to 3, with 1 meaning difficult or minor, and 3 meaning easy or severe. They also discuss the business impacts of each vulnerability. We’ll discuss each of these API security issues, considering what they are, what they mean for users and companies, and OWASP’s chief recommendations to address these issues so that malicious actors’ attacks are thwarted.