As more organizations rely on the automation and scale that web applications and connected services provide, application programming interface (API) security has become imperative. In just the last year alone, unique attackers targeting customer APIs grew by 400%, proving that organizations must take a proactive approach to secure these increasingly valuable services.

But considering the rapidly evolving nature of API technology and the growing number of threats, knowing where and how to start securing APIs can be overwhelming. Fortunately, organizations like the Open Web Application Security Project (OWASP) have been working hard to identify the most common and dangerous API security risks that businesses should prioritize.

What are the OWASP top 10?

Recognized for its comprehensiveness and accuracy, the Open Web Application Security Project (OWASP) Top 10 is a detailed list, updated every one to two years, highlighting critical web application security risks businesses should know. The OWASP is a non-profit community of tens of thousands of contributors committed to promoting software security through various measures like creating frameworks, tools and education programs.

As each year passes by, digital threats evolve constantly. As a result, the OWASP list receives timely updates based on data trends specific to API security that helps prioritize countermeasures by developers and security professionals. Most recently, in 2023, OWASP released its updated list of the top 10 API security risks to watch out for.

Starting from the bottom of the list, these are the OWASP Top 10 API security risks that organizations need to be aware of in 2023 and specific measures that can be taken to mitigate them.

Explore IBM Application Security Services

10. Unsafe consumption of APIs

Unsafe consumption of APIs occurs when an application fails to validate, filter or sanitize the data it receives from external APIs. This can lead to security vulnerabilities like injection attacks or data leakage. As organizations increasingly rely on third-party APIs to provide critical functionality, ensuring safe consumption becomes even more crucial to prevent attackers from exploiting these integrations.

Mitigation Strategies:

  • Validate and sanitize all data received from external APIs before processing or storing it. This helps ensure that only valid and safe data is used within your application.
  • Implement input validation using allow-lists and strict data type constraints to prevent your application from processing potentially harmful data.
  • Use a secure API gateway to filter and monitor incoming API requests, adding a layer of protection against malicious traffic targeting your APIs.

9. Improper inventory management

Improper inventory management pertains to the absence of sufficient control over the APIs utilized by an organization. This may result in unauthorized access and increased attack surfaces, exposing sensitive data to malicious parties. As the volume of APIs that organizations use continues to rise, it’s paramount to keep track of their function, endpoints and accessibility directives to maintain overall protection for your API ecosystem.

Mitigation Strategies:

  • Maintain an up-to-date inventory of all APIs within your organization, including their purpose, endpoints and access controls. This helps you identify potential security gaps and ensure all APIs are adequately secured.
  • Regularly review and update API documentation to ensure that it accurately reflects the current state of your APIs. Clear and accurate documentation is essential for developers and security professionals to understand and secure your APIs effectively.
  • Decommission unused or deprecated APIs to minimize the attack surface. Removing unnecessary APIs reduces the likelihood of attackers discovering and exploiting vulnerable endpoints.

8. Security misconfiguration

Security misconfiguration occurs when an API is not securely configured, exposing it to various security risks. Examples of security misconfigurations include using default credentials, failing to turn off unnecessary features or neglecting to apply security patches promptly.

Mitigation Strategies:

  • Set up your APIs with secure configurations at the early stages of development.
  • Regularly review and update API configurations to ensure they continuously apply best security practices.
  • Employ automated tools to detect and remediate security misconfiguration through continuous monitoring.

7. Server-side request forgery (SSRF)

Server-side request forgery (SSRF) is a vulnerability that allows an attacker to manipulate server-side requests, potentially leading to unauthorized access to internal resources or remote code execution. This can result in the exposure of sensitive data, disruption of critical systems or even complete system compromise.

Mitigation Strategies:

  • Validate and sanitize user-supplied input used in server-side requests. This helps ensure that only legitimate requests are processed by your application and reduces the risk of SSRF attacks.
  • Restrict the types of requests and resources that the API can access. Implementing strict access controls can help prevent unauthorized actions and limit the potential impact of SSRF attacks.
  • Implement network segmentation and firewall rules to limit access to internal systems. You can reduce the likelihood of successful SSRF attacks by isolating sensitive resources from public-facing APIs.

6. Unrestricted access to sensitive business flows

Unrestricted access to sensitive business flows occurs when an API fails to implement proper access controls, allowing unauthorized users to perform sensitive operations or access confidential data.

Mitigation Strategies:

  • Implement strong authentication and authorization mechanisms for all API endpoints.
  • Apply the principle of least privilege, granting users the minimum necessary permissions to perform their tasks.
  • Regularly audit and monitor API access logs to detect and respond to potential security incidents.

5. Broken function level authorization

A broken function-level authorization essentially refers to a situation in which a regular user can perform tasks that should be reserved for administrators due to an Insecure Direct Object Reference (IDOR) issue. This occurs when the user’s hierarchical permission system is incomplete or malfunctioning.

Mitigation Strategies:

  • Implement strong authorization checks on all API endpoints.
  • Use role-based access control (RBAC) to manage user permissions.
  • Regularly review and update access control policies.

4. Unrestricted resource consumption

Unrestricted resource consumption, or denial of service (DoS) attacks, happens when an attacker exploits an API vulnerability to consume excessive amounts of system resources, such as memory, CPU or network bandwidth. This can lead to the degradation or complete unavailability of the affected service.

Mitigation Strategies:

  • Monitor and limit resource usage.
  • Implement rate limiting to control the number of requests from clients.
  • Use caching to reduce the load on backend systems.

3. Broken object property level authorization

Broken object property level authorization is a security risk that occurs when an attacker can access or modify properties of an object that they should not have access to. This can happen if an API does not correctly validate user permissions before granting access to object properties.

Mitigation Strategies:

  • Implement proper access control checks for all object properties.
  • Validate user permissions before granting access to object properties.
  • Use attribute-based access control (ABAC) to define granular access rules.

2. Broken authentication

Security issues arise when authentication protocols are not strong enough or properly executed. This results in open doors for attackers to breach an API undetected. Authentication weaknesses can manifest themselves in several ways, including but not limited to poor password creation best practices, compromised password storage systems and vulnerabilities within the token-based authentication framework.

Mitigation Strategies:

  • Enforce strong password policies.
  • Use secure password storage methods, such as bcrypt or Argon2.
  • Implement multi-factor authentication (MFA) where possible.

1. Broken object-level authorization

Broken object-level authorization (BOLA) vulnerabilities occur when a user can access other users’ data due to the flaws in authorization controls validating access to data objects. BOLA vulnerabilities are often caused by insecure coding practices, such as failing to properly validate user input or check permissions before granting access to an object. This happens when an API uses overly permissive access controls or when API resources are not adequately protected.

Mitigation Strategies:

  • Employ random, universally unique identifiers (UUIDs).
  • Establish strong authorization protocols.
  • Adopt the zero trust security framework.

Keep your APIs secure

Securing APIs requires a holistic approach that covers everything from authentication and authorization to access control and resource management. By taking the necessary steps to ensure your API and adopting best security practices, you can protect your applications and data from potential attacks while benefiting from the advantages of a robust API-driven architecture.

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today