July 17, 2023 By Josh Nadeau 5 min read

As more organizations rely on the automation and scale that web applications and connected services provide, application programming interface (API) security has become imperative. In just the last year alone, unique attackers targeting customer APIs grew by 400%, proving that organizations must take a proactive approach to secure these increasingly valuable services.

But considering the rapidly evolving nature of API technology and the growing number of threats, knowing where and how to start securing APIs can be overwhelming. Fortunately, organizations like the Open Web Application Security Project (OWASP) have been working hard to identify the most common and dangerous API security risks that businesses should prioritize.

What are the OWASP top 10?

Recognized for its comprehensiveness and accuracy, the Open Web Application Security Project (OWASP) Top 10 is a detailed list, updated every one to two years, highlighting critical web application security risks businesses should know. The OWASP is a non-profit community of tens of thousands of contributors committed to promoting software security through various measures like creating frameworks, tools and education programs.

As each year passes by, digital threats evolve constantly. As a result, the OWASP list receives timely updates based on data trends specific to API security that helps prioritize countermeasures by developers and security professionals. Most recently, in 2023, OWASP released its updated list of the top 10 API security risks to watch out for.

Starting from the bottom of the list, these are the OWASP Top 10 API security risks that organizations need to be aware of in 2023 and specific measures that can be taken to mitigate them.

Explore IBM Application Security Services

10. Unsafe consumption of APIs

Unsafe consumption of APIs occurs when an application fails to validate, filter or sanitize the data it receives from external APIs. This can lead to security vulnerabilities like injection attacks or data leakage. As organizations increasingly rely on third-party APIs to provide critical functionality, ensuring safe consumption becomes even more crucial to prevent attackers from exploiting these integrations.

Mitigation Strategies:

  • Validate and sanitize all data received from external APIs before processing or storing it. This helps ensure that only valid and safe data is used within your application.
  • Implement input validation using allow-lists and strict data type constraints to prevent your application from processing potentially harmful data.
  • Use a secure API gateway to filter and monitor incoming API requests, adding a layer of protection against malicious traffic targeting your APIs.

9. Improper inventory management

Improper inventory management pertains to the absence of sufficient control over the APIs utilized by an organization. This may result in unauthorized access and increased attack surfaces, exposing sensitive data to malicious parties. As the volume of APIs that organizations use continues to rise, it’s paramount to keep track of their function, endpoints and accessibility directives to maintain overall protection for your API ecosystem.

Mitigation Strategies:

  • Maintain an up-to-date inventory of all APIs within your organization, including their purpose, endpoints and access controls. This helps you identify potential security gaps and ensure all APIs are adequately secured.
  • Regularly review and update API documentation to ensure that it accurately reflects the current state of your APIs. Clear and accurate documentation is essential for developers and security professionals to understand and secure your APIs effectively.
  • Decommission unused or deprecated APIs to minimize the attack surface. Removing unnecessary APIs reduces the likelihood of attackers discovering and exploiting vulnerable endpoints.

8. Security misconfiguration

Security misconfiguration occurs when an API is not securely configured, exposing it to various security risks. Examples of security misconfigurations include using default credentials, failing to turn off unnecessary features or neglecting to apply security patches promptly.

Mitigation Strategies:

  • Set up your APIs with secure configurations at the early stages of development.
  • Regularly review and update API configurations to ensure they continuously apply best security practices.
  • Employ automated tools to detect and remediate security misconfiguration through continuous monitoring.

7. Server-side request forgery (SSRF)

Server-side request forgery (SSRF) is a vulnerability that allows an attacker to manipulate server-side requests, potentially leading to unauthorized access to internal resources or remote code execution. This can result in the exposure of sensitive data, disruption of critical systems or even complete system compromise.

Mitigation Strategies:

  • Validate and sanitize user-supplied input used in server-side requests. This helps ensure that only legitimate requests are processed by your application and reduces the risk of SSRF attacks.
  • Restrict the types of requests and resources that the API can access. Implementing strict access controls can help prevent unauthorized actions and limit the potential impact of SSRF attacks.
  • Implement network segmentation and firewall rules to limit access to internal systems. You can reduce the likelihood of successful SSRF attacks by isolating sensitive resources from public-facing APIs.

6. Unrestricted access to sensitive business flows

Unrestricted access to sensitive business flows occurs when an API fails to implement proper access controls, allowing unauthorized users to perform sensitive operations or access confidential data.

Mitigation Strategies:

  • Implement strong authentication and authorization mechanisms for all API endpoints.
  • Apply the principle of least privilege, granting users the minimum necessary permissions to perform their tasks.
  • Regularly audit and monitor API access logs to detect and respond to potential security incidents.

5. Broken function level authorization

A broken function-level authorization essentially refers to a situation in which a regular user can perform tasks that should be reserved for administrators due to an Insecure Direct Object Reference (IDOR) issue. This occurs when the user’s hierarchical permission system is incomplete or malfunctioning.

Mitigation Strategies:

  • Implement strong authorization checks on all API endpoints.
  • Use role-based access control (RBAC) to manage user permissions.
  • Regularly review and update access control policies.

4. Unrestricted resource consumption

Unrestricted resource consumption, or denial of service (DoS) attacks, happens when an attacker exploits an API vulnerability to consume excessive amounts of system resources, such as memory, CPU or network bandwidth. This can lead to the degradation or complete unavailability of the affected service.

Mitigation Strategies:

  • Monitor and limit resource usage.
  • Implement rate limiting to control the number of requests from clients.
  • Use caching to reduce the load on backend systems.

3. Broken object property level authorization

Broken object property level authorization is a security risk that occurs when an attacker can access or modify properties of an object that they should not have access to. This can happen if an API does not correctly validate user permissions before granting access to object properties.

Mitigation Strategies:

  • Implement proper access control checks for all object properties.
  • Validate user permissions before granting access to object properties.
  • Use attribute-based access control (ABAC) to define granular access rules.

2. Broken authentication

Security issues arise when authentication protocols are not strong enough or properly executed. This results in open doors for attackers to breach an API undetected. Authentication weaknesses can manifest themselves in several ways, including but not limited to poor password creation best practices, compromised password storage systems and vulnerabilities within the token-based authentication framework.

Mitigation Strategies:

  • Enforce strong password policies.
  • Use secure password storage methods, such as bcrypt or Argon2.
  • Implement multi-factor authentication (MFA) where possible.

1. Broken object-level authorization

Broken object-level authorization (BOLA) vulnerabilities occur when a user can access other users’ data due to the flaws in authorization controls validating access to data objects. BOLA vulnerabilities are often caused by insecure coding practices, such as failing to properly validate user input or check permissions before granting access to an object. This happens when an API uses overly permissive access controls or when API resources are not adequately protected.

Mitigation Strategies:

  • Employ random, universally unique identifiers (UUIDs).
  • Establish strong authorization protocols.
  • Adopt the zero trust security framework.

Keep your APIs secure

Securing APIs requires a holistic approach that covers everything from authentication and authorization to access control and resource management. By taking the necessary steps to ensure your API and adopting best security practices, you can protect your applications and data from potential attacks while benefiting from the advantages of a robust API-driven architecture.

More from Application Security

Critically close to zero(day): Exploiting Microsoft Kernel streaming service

10 min read - Last month Microsoft patched a vulnerability in the Microsoft Kernel Streaming Server, a Windows kernel component used in the virtualization and sharing of camera devices. The vulnerability, CVE-2023-36802, allows a local attacker to escalate privileges to SYSTEM. This blog post details my process of exploring a new attack surface in the Windows kernel, finding a 0-day vulnerability, exploring an interesting bug class, and building a stable exploit. This post doesn’t require any specialized Windows kernel knowledge to follow along, though…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

Vulnerability management, its impact and threat modeling methodologies

7 min read - Vulnerability management is a security practice designed to avoid events that could potentially harm an organization. It is a regular ongoing process that identifies, assesses, and manages vulnerabilities across all the components of an IT ecosystem. Cybersecurity is one of the major priorities many organizations struggle to stay on top of. There is a huge increase in the number of cyberattacks carried out by cybercriminals to steal valuable information from businesses. Hence to encounter these attacks, organizations are now focusing…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today