What is the OWASP API Security Top 10?

The Open Web Application Security Project (OWASP) puts together a list of the biggest security risks for application programming interfaces (APIs).

Learning Objectives

After reading this article you will be able to:

  • Summarize the OWASP API Security Top 10
  • Compare this list with the OWASP Top 10

The Open Web Application Security Project (OWASP) is a non-profit organization whose goal is to promote web application security. OWASP offers many free resources for building a more secure web application.

One of the organization’s most widely referenced resources is the OWASP Top 10, which lists the 10 biggest security concerns for web applications. OWASP also maintains a separate, similar list for application programming interfaces (APIs), which are crucial for powering most web and mobile experiences.

APIs can fuel competitive advantages for businesses by providing business intelligence, facilitating cloud deployments, and enabling integration of AI capabilities. But at the same time, APIs can introduce new risks by allowing outside parties to access applications, share data, and run potentially sensitive workflows.

The OWASP API Security Top 10, most recently published in 2023, highlights key issues that organizations should address to better protect their APIs, applications, and data. The list includes:

  1. Broken object-level authorization: Attackers might try to exploit API endpoints vulnerable to broken object-level authorization. They could manipulate object identifiers within a request to gain unauthorized access to sensitive data.
  2. Broken authentication: If authentication is implemented incorrectly, attackers could impersonate API users and gain access to confidential data.
  3. Broken object property-level authorization: A lack of authorization or improper authorization validation at the object property level could leave information exposed or vulnerable to manipulation by unauthorized people.
  4. Unrestricted resource consumption: Many APIs do not limit client interactions or resource consumption. Attackers might generate a high volume of API requests, which can increase operational costs and lead to a denial of service.
  5. Broken function-level authorization: Attackers might send legitimate API calls to an endpoint that they should not be able to access. They might gain access to the resources or administrative functions of other users.
  6. Unrestricted access to sensitive business flows: APIs might expose a business flow (such as posting a comment on a website, purchasing a product, or making a reservation), enabling attackers to execute that flow excessively.
  7. Server-side request forgery: An API might fetch a remote resource without validating the user-supplied URL. For example, a user might provide a URL to upload an image to a social media platform. That URL might then initiate a port scan within an internal network.
  8. Security misconfiguration: APIs and the systems that support them often have complex configurations. Missing security hardening, unnecessary features left enabled, or overly detailed error messages can expose the API to attack.
  9. Improper inventory management: APIs can expose more endpoints than traditional web applications. If organizations do not inventory hosts and deployed API versions, they might leave deprecated API versions and endpoints vulnerable.
  10. Unsafe consumption of APIs: Attackers might target third-party services that interact with APIs rather than targeting an API directly, because developers often trust data from third-party APIs more than they trust user input.

To learn more about these 10 security risks, see OWASP's official page.
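Items 1 and 3 above are easiest to see side by side. The following Python is an added example (not code from the article or from Cloudflare): a vulnerable order handler that trusts the client-supplied object id and echoes or writes every property, beside a hardened version that checks ownership and filters properties. The `ORDERS` data, the `READABLE`/`WRITABLE` property sets and the caller names are constructed for the example.

```python
# Constructed sample data: two users, each owning one order.
ORDERS = {
    101: {"id": 101, "owner": "alice", "total": 42.0, "is_refunded": False, "card_last4": "4242"},
    102: {"id": 102, "owner": "bob", "total": 17.5, "is_refunded": False, "card_last4": "0005"},
}

class Forbidden(Exception):
    """Raised when the caller may not read or change the requested object."""

# Vulnerable read (items 1 and 3): the client-supplied id is looked up with no
# ownership check, and every stored property, card_last4 included, is returned.
def get_order_vulnerable(caller: str, order_id: int) -> dict:
    return ORDERS[order_id]

# Vulnerable update (item 3, "mass assignment"): every property in the request
# body is written to the object, so a client can set is_refunded on its own order.
def update_order_vulnerable(caller: str, order_id: int, body: dict) -> dict:
    ORDERS[order_id].update(body)
    return ORDERS[order_id]

READABLE = ("id", "total", "is_refunded")  # properties a client may see
WRITABLE = ("total",)                      # hypothetical: only total is client-editable

def load_owned_order(caller: str, order_id: int) -> dict:
    """Object-level check: the id must exist and belong to the caller."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != caller:
        # one response for "missing" and "not yours", so ids cannot be enumerated
        raise Forbidden("order not found")
    return order

def get_order(caller: str, order_id: int) -> dict:
    order = load_owned_order(caller, order_id)
    return {k: order[k] for k in READABLE}          # property-level filtering

def update_order(caller: str, order_id: int, body: dict) -> dict:
    order = load_owned_order(caller, order_id)
    rejected = sorted(set(body) - set(WRITABLE))
    if rejected:
        raise Forbidden(f"read-only properties: {rejected}")
    order.update({k: body[k] for k in WRITABLE if k in body})
    return {k: order[k] for k in READABLE}
```

In a real service the ownership check belongs in one shared loader used by every endpoint that takes an object id, not in each handler separately.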

There is some crossover between the OWASP Top 10 list (full list here) and the OWASP API Security Top 10 list. For example, broken access control is the first issue on the OWASP Top 10 list, and there are various forms of broken authentication and authorization among the first five security issues on the API list. In addition, security misconfiguration and server-side request forgery appear on both lists.

However, APIs do present several distinct risks compared to web applications. Developers should take both lists into account.
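Server-side request forgery (item 7 above, and on both lists) comes down to fetching a URL the client chose. The Python below is an added example, not code from the article or from Cloudflare, of the pre-fetch check an API can run before retrieving such a URL: an assumed allowlist of schemes and hosts, plus a check that the host resolves only to public addresses. The `resolver` parameter is an assumption that lets DNS resolution be stubbed for offline testing.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical policy for this service: only HTTPS, only these hosts.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}

def _is_public(addr) -> bool:
    """Reject loopback, RFC 1918, link-local (cloud metadata ranges), and similar."""
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def resolves_only_to_public(host: str, resolver=socket.getaddrinfo) -> bool:
    """True only if every address the host resolves to is public unicast."""
    try:
        infos = resolver(host, None)   # same tuple shape as socket.getaddrinfo
    except OSError:
        return False
    addrs = {ipaddress.ip_address(info[4][0]) for info in infos}
    return bool(addrs) and all(_is_public(a) for a in addrs)

def validate_fetch_url(url: str, resolver=socket.getaddrinfo) -> tuple:
    """Return (allowed, reason); cheap syntactic checks run before DNS."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parsed.username or parsed.password:
        return False, "credentials in URL"   # "host@real-host" confusion
    host = parsed.hostname
    if not host:
        return False, "no host"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    if not resolves_only_to_public(host, resolver):
        return False, "host resolves to a non-public address"
    return True, "ok"
```

Resolving here and then letting the HTTP client resolve again leaves a DNS rebinding window; in production, connect to the vetted address directly or route outbound fetches through an egress proxy that enforces the same policy.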

How does Cloudflare help address API security risks?

Cloudflare API Shield helps keep APIs secure and working as they should through API discovery capabilities, centralized API management and monitoring, and innovative, layered defenses. API Shield is part of Cloudflare’s application security portfolio, which offers additional capabilities for stopping bots, DDoS attacks, and application attacks while monitoring for supply chain attacks.

Learn how Cloudflare capabilities address the specific risks detailed in the OWASP API Security Top 10. And explore more of Cloudflare’s API security solutions.

FAQs

What is the OWASP (Open Web Application Security Project)?

OWASP is a non-profit organization that promotes web application security by providing free resources, such as security best practices and risk lists, to help organizations secure their applications.

What is the OWASP API Security Top 10?

The OWASP API Security Top 10 is a list of the most critical security risks facing APIs. It helps organizations understand and address common vulnerabilities in API design and implementation.

What does "broken authorization" mean in API security?

"Broken authorization" can refer to a number of OWASP risks for APIs: broken object-level authorization, broken object property-level authorization, and broken function-level authorization. All three of these vulnerabilities can allow attackers to expose or manipulate sensitive data.

What are some examples of API security risks?

Key API risks include unrestricted resource consumption, server-side request forgery (SSRF), and poor API inventory management, all of which can lead to data exposure or service disruption.

What are authentication vulnerabilities in APIs?

Authentication vulnerabilities occur when APIs do not properly verify users, enabling attackers to impersonate legitimate users and gain unauthorized access to sensitive data.

What are third-party API risks?

Third-party API risks can arise when an API interacts with external services. Attackers may target those external services rather than targeting the API directly, especially when the API tends to trust data from those third-party services.

What is Cloudflare API Shield?

Cloudflare API Shield is a solution that helps organizations secure their APIs by providing API discovery, centralized management, monitoring, and layered security defenses.

How does the OWASP API Security Top 10 relate to the OWASP Top 10 for web apps?

Both of these lists categorize common security risks. The OWASP API Security Top 10 is specific to APIs, while the OWASP Top 10 applies to web applications in general. APIs are almost always crucial pieces of a web application's infrastructure, so both lists should be taken into account by security-minded web app developers. There is some overlap in terms of the types of security risks APIs and web apps face, such as issues with broken access control and server-side request forgery, but the implementation of solutions for these risks will be slightly different for APIs and web apps.

What is business flow exploitation in APIs?

Business flow exploitation occurs when attackers abuse legitimate API workflows, such as making excessive purchases or reservations, to disrupt business operations.