What is the OWASP API Security Top 10?

What is the OWASP API Security Top 10?

The Open Web Application Security Project (OWASP) is a non-profit organization whose goal is to promote web application security. OWASP offers many free resources to anyone who wants to build a secure web application.

One of their most widely referenced resources is the OWASP Top 10, which lists the 10 biggest security concerns for web applications.

OWASP also maintains a separate, similar list for application programming interfaces (APIs), which are a crucial building block for most web applications. This list is the OWASP API Security Top 10.

As of 2019*, the OWASP API Security Top 10 includes:

1. Broken Object Level Authorization: This refers to manipulation of object identifiers within a request to gain unauthorized access to sensitive data. Attackers access objects (data) they should not have access to, by merely changing the identifiers.
2. Broken User Authentication: If authentication is implemented incorrectly, attackers may be able to impersonate API users, enabling them to access confidential data.
3. Excessive Data Exposure: Many APIs err on the side of exposing data and count on the API user to filter the data properly. This could allow unauthorized persons to view the data.
4. Lack of Resources & Rate Limiting: By default, many APIs do not limit the number or size of requests they can receive at a given time. This leaves them open to denial-of-service (DoS) attacks.
5. Broken Function Level Authorization: This risk has to do with authorization. API users may be authorized to do too much, leading to data exposure.
6. Mass Assignment: The API automatically applies user inputs to multiple properties. An attacker could use this vulnerability to, for example, change themselves to an admin while updating some other innocuous property of their user profile.
7. Security Misconfiguration: This covers a variety of mistakes in setting up the API, including misconfigured HTTP headers, unnecessary HTTP methods, and what OWASP calls "verbose error messages containing sensitive information."
8. Injection: In an injection attack, the attacker sends specialized commands to the API that trick it into revealing data or executing some other unexpected action. Learn about SQL injection.
9. Improper Assets Management: This occurs when there is no tracking of both current, production APIs and those that have been deprecated, leading to shadow APIs. APIs are vulnerable to this risk because they tend to make so many endpoints available.
10. Insufficient Logging & Monitoring: OWASP notes that studies show it typically takes over 200 days to detect a breach. Detailed event logging and close monitoring may enable API developers to detect and stop breaches far earlier.

*As of December 2021, the list had not been updated since 2019.

To read about these 10 security risks in more depth, see OWASP's official page.

There is some crossover between the OWASP Top 10 list (full list here) and the OWASP API security top 10 list. For instance, injection, broken authentication, and insufficient logging and monitoring appear in both. However, APIs present slightly different risks compared to web applications. Developers should take both lists into account.

How does Cloudflare API Shield help combat these 10 security risks?

Cloudflare API Shield uses layered API defenses to protect against a variety of API-directed attacks. Among the features included are data loss prevention (counteracts risks Nos. 1 and 3), mutual TLS (risk No. 2), and rate limiting (risk No. 4). See the full list of features on the Cloudflare API Shield page.

To learn more about API security, read What is API security?