A Look at the OWASP API Security Top 10 2023


The API Security Top 10 is an invaluable resource for application security professionals, providing a comprehensive list of the most common API security risks and how to mitigate them. It’s maintained by the Open Web Application Security Project (OWASP) and recently got a major update.

This blog post looks at the latest OWASP API Security Top 10 list from 2023 and then compares it to the original list from 2019. We’ll explore what has changed and what has stayed the same and take a look at how API security has evolved over the past years.

Overview of OWASP API Security Top 10

OWASP’s top ten list for APIs collects the most common risks that APIs face, as identified by the OWASP community. This list is designed to help organizations prioritize their efforts to secure APIs and provide guidance on addressing these risks. The list is regularly updated to reflect the changing landscape of API security threats.

In 2023, OWASP released an updated version of their API Security Top 10, which aimed to address new and emerging threats to API security. Below is the updated 2023 version.

API1:2023 – Broken Object Level Authorization

This new addition highlights the need for object-level access control, which means ensuring that every function that accesses a data source using an ID from the user has the necessary authorization checks. Without this level of control, APIs can expose a broad attack surface riddled with object-level access control issues.

API2:2023 – Broken Authentication

This security risk has been around for a while but remains just as critical in 2023. Authentication mechanisms are still being implemented incorrectly, allowing attackers to compromise authentication tokens or exploit implementation flaws to assume other users’ identities temporarily or permanently.

API3:2023 – Broken Object Property Level Authorization

This new addition focuses on the tendency of APIs to expose endpoints that return all of an object’s properties. This can be particularly problematic for REST APIs. Although it may require more effort, identifying these additional properties that can be manipulated is essential. Luckily, there are automated tools available to assist in this task.
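To make the property-level point concrete, here is an added example (not OWASP’s or this post’s own code) of a user resource served two ways: the exposure pattern the category warns about, where the whole record is returned, and a hardened read/write path that allowlists properties per caller relationship. The user records, the roles `self`/`other`/`admin`, and the field lists are constructed for illustration.

```python
# Added example (not OWASP's or the post's own code): property-level
# authorization for a user resource. Records, roles and field lists are
# constructed for illustration.

# Constructed sample user store, keyed by user id.
USERS = {
    1: {"id": 1, "name": "alice", "email": "alice@example.com",
        "password_hash": "<hash placeholder>", "is_admin": False, "credit": 120},
    2: {"id": 2, "name": "bob", "email": "bob@example.com",
        "password_hash": "<hash placeholder>", "is_admin": False, "credit": 40},
}

# Allowlists per caller relationship. A property that appears in neither map
# is never serialized and never accepted from a client (deny by default).
READABLE = {
    "self":  {"id", "name", "email", "credit"},
    "other": {"id", "name"},
    "admin": {"id", "name", "email", "credit", "is_admin"},
}
WRITABLE = {
    "self":  {"name", "email"},
    "other": set(),
    "admin": {"name", "email", "credit", "is_admin"},
}


def role_for(caller_id, target_id, caller_is_admin=False):
    """Relationship between the caller and the object being accessed."""
    if caller_is_admin:
        return "admin"
    return "self" if caller_id == target_id else "other"


def serialize_user_vulnerable(user):
    """The exposure pattern API3 describes: the whole record goes out,
    password hash and admin flag included, and the client is trusted to
    ignore what it should not see."""
    return dict(user)


def serialize_user(user, role):
    """Hardened: only the properties this relationship may read."""
    return {k: v for k, v in user.items() if k in READABLE[role]}


def update_user(user, patch, role):
    """Hardened write path. A property outside the caller's allowlist
    (for example a client adding "is_admin": true to a profile edit) is
    rejected outright rather than silently dropped, so the attempt is
    visible in error logs."""
    forbidden = set(patch) - WRITABLE[role]
    if forbidden:
        raise PermissionError(f"not allowed to modify: {sorted(forbidden)}")
    user.update(patch)
    return user


def update_allowed(user, patch, role):
    """True if update_user would apply the patch, False if it would reject
    it. Does not modify the record."""
    return not (set(patch) - WRITABLE[role])


if __name__ == "__main__":
    role = role_for(caller_id=2, target_id=1)
    print(serialize_user(USERS[1], role))                       # {'id': 1, 'name': 'alice'}
    print(update_allowed(USERS[1], {"is_admin": True}, "self"))  # False
```

The same allowlists drive both directions: what a response may contain and what a request may change. Keeping them as data next to the handler makes a review of "who can see or set which property" a matter of reading two small tables instead of tracing serializer code.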

API4:2023 – Unrestricted Resource Consumption

This risk highlights the importance of monitoring resource usage and preventing unauthorized access to resources. If attackers can exhaust system resources such as network bandwidth, CPU, memory, and storage, it can result in a Denial-of-Service attack or an increase in operational costs. It’s essential to ensure that APIs are designed to use resources efficiently and have measures to detect and prevent resource abuse.
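The detection and prevention measures above are usually a handful of cheap checks that run before the handler does any real work. The following added example (not OWASP’s or this post’s own code) shows three of them in one place: a per-client token bucket for request rate, a cap on request body size, and a cap on page size so a single call cannot demand an unbounded result set. The limits, the client key and the in-process bucket state are constructed for illustration.

```python
# Added example (not OWASP's or the post's own code): cheap guards against
# unrestricted resource consumption, applied before any expensive work.
# Limits and client keys are constructed; bucket state lives in-process.
import time

MAX_BODY_BYTES = 64 * 1024   # refuse oversized payloads before parsing them
MAX_PAGE_SIZE = 100          # cap how many records one call may return


class TokenBucket:
    """Per-client token bucket.

    Each client may burst up to `capacity` requests and then sustain
    `refill_per_sec` requests per second. `clock` is injectable so the
    behaviour can be checked without sleeping."""

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self._state = {}   # client key -> (tokens, time of last update)

    def allow(self, key, cost=1):
        now = self.clock()
        tokens, last = self._state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        if tokens >= cost:
            self._state[key] = (tokens - cost, now)
            return True
        self._state[key] = (tokens, now)   # keep the refill, deny the request
        return False


def check_request(bucket, client_key, body_len, page_size):
    """Return (HTTP status, reason) for a request before it reaches the
    handler. Cheapest checks run first; the bucket is consulted last."""
    if body_len > MAX_BODY_BYTES:
        return 413, "payload too large"
    if page_size < 1 or page_size > MAX_PAGE_SIZE:
        return 400, f"page_size must be between 1 and {MAX_PAGE_SIZE}"
    if not bucket.allow(client_key):
        return 429, "rate limit exceeded"
    return 200, "ok"


def replay(capacity, refill_per_sec, timestamps, key="client"):
    """Feed a sequence of request times through a fresh bucket with a
    controlled clock and return the allow/deny decision for each."""
    current = [0.0]
    bucket = TokenBucket(capacity, refill_per_sec, clock=lambda: current[0])
    decisions = []
    for t in timestamps:
        current[0] = t
        decisions.append(bucket.allow(key))
    return decisions


if __name__ == "__main__":
    # Burst of four at t=0 with capacity 3, then two more one second later.
    print(replay(3, 1.0, [0, 0, 0, 0, 1.0, 1.0]))  # [True, True, True, False, True, False]
    print(check_request(TokenBucket(3, 1.0), "client-a", 100_000, 20))  # (413, 'payload too large')
```

An in-memory bucket protects one process only; behind a load balancer the counters need a shared store, or the limit has to be enforced at the gateway. Whatever the placement, the key should identify the principal (API key or user), not just the source IP, or one tenant behind a NAT can exhaust the quota for everyone else.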

API5:2023 – Broken Function Level Authorization

This risk focuses on the access control policies of an API and highlights the need for proper separation between administrative and regular functions. When access control policies are complex and not well defined, attackers can exploit vulnerabilities to gain access to sensitive resources. Developers need to carefully consider the access control policies of an API and ensure that authorization flaws are prevented.
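The two authorization categories, API1 (object level) and API5 (function level), are easiest to tell apart side by side in code. The following added example (not OWASP’s or this post’s own code) uses a small invoice resource: a lookup that trusts the id from the URL next to one scoped to the caller, and an administrative delete guarded by a role check at the handler rather than by hiding the route. The `Caller` type, the invoice store and the `admin` role name are constructed for illustration.

```python
# Added example (not OWASP's or the post's own code) covering API1 (object
# level) and API5 (function level) authorization on one "invoices" resource.
# The Caller type, the invoice store and the role name are constructed.
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class Caller:
    user_id: int
    roles: frozenset = frozenset()


# Constructed sample data: invoice id -> record with its owning user.
INVOICES = {
    101: {"owner": 1, "total": 50},
    102: {"owner": 2, "total": 75},
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(caller, invoice_id):
    """API1 pattern: the id from the URL is trusted as-is, so any
    authenticated user can read every invoice by changing the number."""
    return INVOICES[invoice_id]


def get_invoice(caller, invoice_id):
    """Hardened: the lookup is scoped to the caller. A foreign object and a
    missing one raise the same NotFound, so the response does not reveal
    which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(f"invoice {invoice_id}")
    if invoice["owner"] != caller.user_id and "admin" not in caller.roles:
        raise NotFound(f"invoice {invoice_id}")
    return invoice


def require_role(role):
    """API5: function-level check enforced at the handler. It runs before
    the handler body sees any input, for every route it decorates."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(caller, *args, **kwargs):
            if role not in caller.roles:
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(caller, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def delete_invoice(caller, invoice_id):
    """Administrative function: delete any invoice. Returns the deleted id."""
    if invoice_id not in INVOICES:
        raise NotFound(f"invoice {invoice_id}")
    del INVOICES[invoice_id]
    return invoice_id


def raises(exc, fn, *args):
    """True if fn(*args) raises exc; used for the checks below."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    alice = Caller(1)
    print(raises(NotFound, get_invoice, alice, 102))       # True: not her invoice
    print(raises(Forbidden, delete_invoice, alice, 101))   # True: not an admin
```

The object-level check belongs in the data access path, not in the controller, so that every route reaching the same table gets it; the role check belongs on the route, because it is about which function may be called at all. Missing either one is a separate category in the list because they are found, and fixed, in different places.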

API6:2023 – Unrestricted Access to Sensitive Business Flows

This risk highlights the need to carefully consider how business flows are exposed through APIs. APIs vulnerable to this risk expose a business flow — such as buying a ticket or posting a comment — without considering the potential impact on the business if the function is used excessively or abused. This risk doesn’t necessarily come from implementation bugs, so it’s important to carefully consider the design of APIs and ensure that they are not exposing sensitive business flows unnecessarily.

API7:2023 – Server Side Request Forgery

Server-side request forgery (SSRF) is a flaw in which the API fetches a remote resource without validating the user-supplied URI. This flaw can allow an attacker to coerce the application to send a crafted request to an unexpected destination, even if it is protected by a firewall or a VPN. This type of vulnerability can result in serious data breaches and requires robust security measures to prevent.
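The "validating the user-supplied URI" step is where most SSRF defences live. The following added example (not OWASP’s or this post’s own code) validates a URL before the server fetches it: scheme and host allowlists, no embedded credentials, a fixed port, and a check that every address the host resolves to is a public one, so loopback, RFC 1918, link-local and multicast destinations are refused. The allowlisted hosts are constructed; the resolver is injectable so the check can be exercised offline.

```python
# Added example (not OWASP's or the post's own code): validating a
# user-supplied URL before the server fetches it. ALLOWED_HOSTS is a
# constructed allowlist; `resolve` is injectable for offline checks.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}   # constructed


def resolve_with_dns(host):
    """Default resolver: every address the hostname currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_outbound_url(url, resolve=resolve_with_dns):
    """Return the URL if the server may fetch it, otherwise raise ValueError.

    Checks, in order: scheme, embedded credentials (which also catches
    "https://allowed-host@other-host/"), host allowlist, port, and finally
    that every resolved address is public. Link-local covers the
    169.254.0.0/16 range used by cloud metadata services."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    if parts.port not in (None, 443):      # raises ValueError itself on a bad port
        raise ValueError(f"port not allowed: {parts.port}")
    addresses = resolve(host)
    if not addresses:
        raise ValueError(f"{host} did not resolve")
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global or ip.is_multicast:
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return parts.geturl()


def is_safe_url(url, resolve=resolve_with_dns):
    """Boolean wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url, resolve)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed resolver answers so the demo needs no network.
    public = lambda host: {"8.8.8.8"}
    internal = lambda host: {"10.0.0.5"}
    print(is_safe_url("https://images.example.com/a.png", resolve=public))    # True
    print(is_safe_url("https://images.example.com/a.png", resolve=internal))  # False
    print(is_safe_url("http://images.example.com/a.png", resolve=public))     # False
```

One caveat a practitioner should know: resolving here and connecting later leaves a window in which the name can be re-pointed at an internal address (DNS rebinding). To close it, the HTTP client should connect to the address that was validated, or the outbound call should go through an egress proxy that enforces the same policy at connection time. Redirects need the same treatment, since a permitted host can redirect to a forbidden one; disable automatic redirect following or validate each hop.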

API8:2023 – Security Misconfiguration

APIs and the systems supporting them typically contain complex configurations, which can be overlooked or fail to follow security best practices, leaving them open to different types of attacks. Security misconfigurations range from leaving debugging endpoints open to failing to implement basic authentication measures. Configuring APIs properly is essential to prevent such attacks.

API9:2023 – Improper Inventory Management

APIs tend to expose more endpoints than traditional web applications, meaning proper and updated documentation is highly important. Maintaining an inventory of hosts and deployed API versions is important to mitigate issues such as deprecated API versions and exposed debug endpoints. If an attacker can identify which API versions are outdated or insecure, they can exploit those weaknesses to access sensitive information.

API10:2023 – Unsafe Consumption of APIs

Developers usually rely on data received from third-party APIs more than user input, leading them to adopt weaker security standards for these integrations. To compromise APIs, attackers could target integrated third-party services instead of trying to compromise the target API directly. This issue can be addressed by stressing the importance of keeping track of third-party APIs, conducting regular audits, and implementing strong security measures when consuming APIs.
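"Strong security measures when consuming APIs" in practice means treating a partner’s response with the same suspicion as user input. The following added example (not OWASP’s or this post’s own code) validates a third-party reply before any field is used: HTTP status, media type, body size, strict JSON shape with no unknown keys, value ranges and string format. The "shipment status" payload, its field names and the limits are constructed for illustration.

```python
# Added example (not OWASP's or the post's own code): validating a
# third-party API response before trusting any of it. The payload shape,
# field names, limits and sample body are constructed for illustration.
import json

MAX_RESPONSE_BYTES = 256 * 1024     # never buffer an unbounded upstream body
SCHEMA = {"tracking_id": str, "status": str, "eta_days": int}   # constructed
ALLOWED_STATUS = {"pending", "in_transit", "delivered"}
MAX_TRACKING_ID_LEN = 32

# Constructed sample of a well-formed partner reply, used by the demo below.
SAMPLE_OK_BODY = b'{"tracking_id": "ABC123", "status": "in_transit", "eta_days": 3}'


class BadUpstreamResponse(Exception):
    """Raised whenever the partner's reply is not exactly what we expect."""


def parse_partner_response(status, content_type, body):
    """Validate status, media type, size and shape, then return a clean dict.

    Unknown keys, wrong types (a bool masquerading as an int included),
    values outside the expected set and over-long strings are all rejected.
    Data is trusted because it passed every check, not because of where
    it came from."""
    if status != 200:
        raise BadUpstreamResponse(f"unexpected HTTP status {status}")
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/json":
        raise BadUpstreamResponse(f"unexpected content type {content_type!r}")
    if len(body) > MAX_RESPONSE_BYTES:
        raise BadUpstreamResponse("response body too large")
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise BadUpstreamResponse("body is not valid JSON") from exc
    if not isinstance(data, dict):
        raise BadUpstreamResponse("top-level JSON value must be an object")
    unexpected = set(data) - set(SCHEMA)
    if unexpected:
        raise BadUpstreamResponse(f"unexpected fields: {sorted(unexpected)}")
    clean = {}
    for key, expected_type in SCHEMA.items():
        value = data.get(key)
        if not isinstance(value, expected_type) or isinstance(value, bool):
            raise BadUpstreamResponse(f"field {key!r} missing or wrong type")
        clean[key] = value
    if clean["status"] not in ALLOWED_STATUS:
        raise BadUpstreamResponse(f"unknown status {clean['status']!r}")
    if not 0 <= clean["eta_days"] <= 365:
        raise BadUpstreamResponse("eta_days out of range")
    tracking_id = clean["tracking_id"]
    if not tracking_id.isalnum() or len(tracking_id) > MAX_TRACKING_ID_LEN:
        raise BadUpstreamResponse("tracking_id has unexpected format")
    return clean


def is_valid_partner_response(status, content_type, body):
    """Boolean wrapper around parse_partner_response."""
    try:
        parse_partner_response(status, content_type, body)
        return True
    except BadUpstreamResponse:
        return False


if __name__ == "__main__":
    print(parse_partner_response(200, "application/json; charset=utf-8", SAMPLE_OK_BODY))
    # {'tracking_id': 'ABC123', 'status': 'in_transit', 'eta_days': 3}
    print(is_valid_partner_response(200, "application/json",
                                    b'{"tracking_id": "ABC123", "status": "shipped", "eta_days": 3}'))  # False
```

The checks that happen before the body arrives matter just as much: the client call should carry a timeout and should not follow redirects automatically (with the `requests` library, `timeout=` and `allow_redirects=False` on the call), so a slow or redirecting partner cannot turn into a resource-exhaustion or SSRF problem on your side. Rejecting unknown fields may look strict, but it is what keeps a partner’s schema change from silently flowing into your own database.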

New API Risks

The updated list reflects many of the latest trends and vulnerabilities organizations face in their API security programs. While OWASP API Security Top 10 2019 focused on common threats such as injection and insufficient logging and monitoring, the 2023 version introduces new categories that have emerged as serious threats in recent years.

Firstly, API7:2023 – Server Side Request Forgery has been added as a risk. SSRF refers to an attack where a malicious user can trick the server into sending requests on behalf of the attacker, which could lead to unauthorized access and data breaches.

Secondly, the new risk API6:2023 – Unrestricted Access to Sensitive Business Flows highlights the risks associated with allowing too much access to sensitive business logic. This can lead to unintended consequences that impact business operations and create vulnerabilities in the system.

Another new addition is API10:2023 – Unsafe Consumption of APIs. This refers to the use of APIs without proper validation and authentication, leading to unauthorized access to sensitive information.

Other Changes

There were also some changes and renaming of pre-existing risks. For instance, API2:2019 Broken User Authentication has been renamed to API2:2023 – Broken Authentication, reflecting a broader scope of vulnerabilities arising from poor authentication mechanisms.

API3:2019 Excessive Data Exposure is now part of API3:2023 Broken Object Property Level Authorization, which focuses on how attackers can exploit poorly designed object-level authorization schemes to access sensitive information.

API4:2019 Lack of Resources & Rate Limiting is now API4:2023 Unrestricted Resource Consumption, highlighting the risks of APIs being consumed without proper resource allocation and usage limitations.

API9:2023 Improper Inventory Management, a category that already existed in the 2019 list, has been updated to cover the risks of maintaining an inventory of APIs, such as outdated and unsecured APIs.

Finally, two categories, API10:2019 Insufficient Logging & Monitoring, and API8:2019 Injection, have been removed from the list.

Limited information is available regarding the reasons behind removing Insufficient Logging & Monitoring. However, one GitHub thread mentioned that the team excluded the other, Injection, because they believe it is not exclusively specific to APIs. Even though injection is a significant and well-known attack vector, the philosophy behind the decision is to include only those risks in the top 10 that are uniquely associated with APIs.

What Lies Ahead for Developers?

As the field of API development continues to grow, so does the importance of API security. With each passing year, new security threats arise, and developers must stay on top of the latest trends and best practices to keep their systems safe.

Education and awareness are key factors in writing secure software. Developers must understand the common vulnerabilities that can arise in APIs and how to prevent them. It’s also essential to stay up to date on the latest security technologies and trends.

In addition to education, repeatable security processes and standard security controls are necessary to achieve the goal of secure APIs. This means implementing policies and procedures for authentication, access control, encryption, and monitoring.

Fortunately, many resources are available to help developers stay on top of the latest security trends. The OWASP organization, in particular, provides numerous free and open resources to help address security in all stages of the development process. From tools to best practices to guidelines and training, OWASP is a valuable resource for any developer looking to improve their security knowledge and skills.

Final Words

API security remains a critical concern for developers and DevSecOps professionals alike. As new technologies and trends continue to emerge, the threat landscape is constantly evolving, making it necessary for security standards to keep pace with the changing times. The updated OWASP API Security Top 10 list is a significant step towards providing developers with the knowledge and tools to safeguard their APIs against common vulnerabilities and attacks.

It is crucial that organizations incorporate API security into their overall security strategies and ensure that their development teams are equipped with the necessary training and resources to build secure APIs. By taking a proactive approach to API security, organizations can protect their customers’ sensitive data, safeguard their brand reputation, and minimize the risk of costly security breaches.