
OWASP top 10 API security risks for 2023: what we learned

OWASP has updated its list of API security risks. Here's what we can take away from the OWASP top 10 API risks for 2023.

Yair Divinsky | July 03, 2023

The Open Web Application Security Project (OWASP) is a nonprofit organization that provides information about application security. In 2019, OWASP released its Top 10 API Security Risks. The OWASP API Security Top 10 is a guide created to help organizations understand the risks and threats associated with their APIs and how to secure them. In a similar vein to the OWASP Top 10 Vulnerabilities of 2022 and the OWASP Top 10 LLM Risks, this list identifies the most critical security risks that organizations need to be aware of when developing and managing APIs.

The OWASP Top 10 API Security Risks for 2023 has been updated to reflect the changing landscape of API security. The new list includes several new risks, such as server-side request forgery (SSRF) and unsafe consumption of APIs. It also drops a couple of risks from the 2019 list, such as logging and monitoring and injection. 

Each of these risks can have a significant impact on the security of an API. Organizations should carefully consider these risks when developing and managing their APIs. 

The OWASP top 10 API security risks for 2023

API1:2023 Broken Object Level Authorization

Broken Object Level Authorization is a consequence of insufficient access restrictions on API endpoints. This deficiency permits unauthenticated users to both access and alter critical data. BOLA incidents constitute approximately 40% of all API security breaches, making it the most frequent API security risk. Since 2019, Broken Object Level Authorization API weaknesses have topped the OWASP list, and they continue to hold the leading position in the 2023 edition.

API2:2023 Broken Authentication

Broken Authentication is a security vulnerability that allows intruders to gain unauthorized access to applications through methods such as using stolen authentication tokens, credential stuffing, or brute-force attacks. This API authentication vulnerability has consistently held the second position on the OWASP list since 2019.

API3:2023 Broken Object Property Level Authorization

Broken Object Property Level Authorization combines attack techniques that involve unauthorized access to confidential data through either Excessive Data Exposure or Mass Assignment. The former was ranked third and the latter sixth on the 2019 OWASP API Security Top 10 list. Both these methods revolve around manipulating API endpoints to gain access to sensitive information.

API4:2023 Unrestricted Resource Consumption

This particular vulnerability arises from APIs that inadequately enforce or entirely overlook restrictions on resource usage, making them a prime target for brute-force attacks. Unrestricted Resource Consumption has taken over the fourth spot in the OWASP API Security Top 10, previously held by Lack of Resources and Rate Limiting. Despite the change in terminology, the essence of this vulnerability remains largely unchanged.
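The two controls this passage implies are a bound on how many requests a client may make per unit of time and a bound on how much any single request may cost the server. The following is an added example, not code from the article or from OWASP, showing both as a token-bucket limiter keyed per client plus size caps checked before the budget is spent. Client keys, limits, status codes and the replayed traffic are all constructed; the clock is injectable so the behaviour is deterministic.

```python
"""Token-bucket rate limiting plus per-request cost caps (added example)."""
import time

MAX_BODY_BYTES = 64 * 1024   # constructed cap on request body size
MAX_PAGE_SIZE = 100          # constructed cap on items returned per page


class RateLimiter:
    """One token bucket per client key: `capacity` is the burst allowance,
    `refill_per_sec` the sustained rate."""

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill_per_sec = float(refill_per_sec)
        self.clock = clock
        self._buckets = {}  # client key -> (tokens, last_refill_time)

    def allow(self, client_key, cost=1.0):
        """Spend `cost` tokens if available; return False (throttle) if not."""
        now = self.clock()
        tokens, last = self._buckets.get(client_key, (self.capacity, now))
        # Refill in proportion to elapsed time, never above the burst capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        if tokens >= cost:
            self._buckets[client_key] = (tokens - cost, now)
            return True
        self._buckets[client_key] = (tokens, now)
        return False


def check_request(limiter, client_key, body, page_size):
    """Gate a request; returns (status, reason) with constructed status codes.

    Size and page checks run before the rate check so that oversized requests
    are cheap to reject and do not consume the client's budget.
    """
    if len(body) > MAX_BODY_BYTES:
        return 413, "payload too large"
    if page_size < 1 or page_size > MAX_PAGE_SIZE:
        return 400, f"page_size must be between 1 and {MAX_PAGE_SIZE}"
    if not limiter.allow(client_key):
        return 429, "rate limit exceeded"
    return 200, "ok"


class FakeClock:
    """Manually advanced clock used to replay constructed traffic offline."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def replay(limiter, clock, events):
    """Replay constructed (delay_seconds, client_key) events; return the decisions."""
    decisions = []
    for delay, client_key in events:
        clock.advance(delay)
        decisions.append(limiter.allow(client_key))
    return decisions
```

With a capacity of 3 and a refill of one token per second, a client that sends four requests at once gets three accepted and one throttled, regains two requests after a two-second pause, and a second client is unaffected because buckets are per key. Which key to use (API key, authenticated user, source address) is a design decision; limits keyed only on the source address are easy to spread across many addresses, so keying on the authenticated identity where one exists is the stronger choice.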

API5:2023 Broken Function Level Authorization (BFLA)

This threat materializes when authorization is inadequately implemented, resulting in unauthenticated users having the ability to perform API functions. These functions could include actions like adding, updating, or deleting customer records or user roles. Known as BFLA, this vulnerability has consistently maintained its fifth position on the OWASP list since 2019.
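The three authorization risks above (API1, object level; API3, property level; API5, function level) are easiest to reason about when all three checks sit behind one deny-by-default gate that every handler calls. The following is an added example, not code from the article or from OWASP: a tiny in-memory "customer records" API whose handlers pass through `authorize()`, which enforces object ownership, the properties each role may read or write, and the functions each role may call. Roles, field names and records are constructed for illustration.

```python
"""Object-, property- and function-level authorization in one gate (added example)."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when any of the three authorization checks fails."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str  # constructed roles: "customer" or "admin"


# Constructed sample data: record id -> record. owner_id is the object-level key.
RECORDS = {
    "rec-1": {"id": "rec-1", "owner_id": "alice", "email": "alice@example.com",
              "balance": 120.0, "is_verified": False},
    "rec-2": {"id": "rec-2", "owner_id": "bob", "email": "bob@example.com",
              "balance": 15.5, "is_verified": True},
}

# API5: functions each role may invoke; anything not listed is denied.
FUNCTION_ALLOWLIST = {
    "customer": {"get_record", "update_record"},
    "admin": {"get_record", "update_record", "delete_record"},
}

# API3: properties each role may read and write; unknown keys are rejected.
READABLE = {
    "customer": {"id", "email", "balance", "is_verified"},
    "admin": {"id", "owner_id", "email", "balance", "is_verified"},
}
WRITABLE = {
    "customer": {"email"},
    "admin": {"email", "balance", "is_verified"},
}


def authorize(principal, function, record_id):
    """Deny-by-default gate used by every handler.

    The function check runs first because it needs no data access. Ownership is
    checked next and fails with the same error as a missing record, so a caller
    cannot learn which object ids exist.
    """
    if function not in FUNCTION_ALLOWLIST.get(principal.role, set()):
        raise Forbidden(f"role {principal.role!r} may not call {function}")
    record = RECORDS.get(record_id)
    if record is None or (principal.role != "admin"
                          and record["owner_id"] != principal.user_id):
        raise Forbidden("no such record")
    return record


def get_record(principal, record_id):
    """Return only the properties the caller's role may read (API3, read side)."""
    record = authorize(principal, "get_record", record_id)
    return {k: v for k, v in record.items() if k in READABLE[principal.role]}


def update_record(principal, record_id, patch):
    """Apply a patch, rejecting properties the role may not write (API3, write side).

    Rejecting rather than silently dropping unexpected keys is what stops a
    mass-assignment payload such as {"is_verified": true} from taking effect.
    """
    record = authorize(principal, "update_record", record_id)
    disallowed = set(patch) - WRITABLE[principal.role]
    if disallowed:
        raise Forbidden(f"cannot write {sorted(disallowed)}")
    record.update(patch)
    return get_record(principal, record_id)


def delete_record(principal, record_id):
    """Admin-only function (API5); customers are refused before any lookup."""
    authorize(principal, "delete_record", record_id)
    del RECORDS[record_id]
    return True
```

The point of the layout is that the API's own record id, the body of a PATCH request and the name of the operation are each checked against a per-role allowlist on the server; a client that sends an id it does not own, a property it may not set, or a function its role lacks is refused, regardless of what the client-side UI offers.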

API6:2023 Unrestricted Access to Sensitive Business Flows

This new threat, which has taken over the sixth spot on the OWASP API Security Top 10 list from Mass Assignment, becomes apparent when an API exposes a business process without considering the potential damage if the function is excessively automated. To leverage this vulnerability, an attacker must comprehend the business logic behind the relevant API, identify sensitive business processes, and automate access to these processes with the intention of inflicting harm on the business.

API7:2023 Server Side Request Forgery (SSRF)

Server-Side Request Forgery, or SSRF, can happen when an API accepts a user-controlled URL and the back-end server processes it. The API security vulnerabilities arise if the back-end server attempts to connect to this user-provided URL, thereby creating an opportunity for SSRF. This threat has displaced Mass Assignment to claim the sixth position on the OWASP API Security Top 10 list.
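The mitigation implied by this passage is to treat the caller-supplied URL as untrusted and validate it before the server connects anywhere. The following is an added example, not code from the article or from OWASP: a deny-by-default URL validator. The scheme and host allowlists, the blocked address classes and the fake DNS table are constructed; the resolver is passed in so the check runs offline and so the decision is made on the resolved address rather than on the hostname string alone.

```python
"""Validate a user-supplied URL before the back end fetches it (added example)."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}  # constructed allowlist

# Constructed DNS table standing in for real resolution. cdn.example points into
# a private range: the case a hostname-only check would miss.
FAKE_DNS = {
    "api.partner.example": "8.8.8.8",   # stand-in for a public address
    "cdn.example": "10.0.0.5",
}


class UnsafeURL(ValueError):
    """The URL must not be fetched by the server."""


def is_public_address(ip_text):
    """True only for a globally routable unicast address.

    IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped first so a private IPv4
    address cannot pass by being written in IPv6 notation.
    """
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def fake_resolver(host):
    """Offline stand-in for DNS; a real deployment would resolve here."""
    return FAKE_DNS[host]


def validate_fetch_url(url, resolver=fake_resolver, allowed_hosts=ALLOWED_HOSTS):
    """Return (host, resolved_ip) if the URL may be fetched; raise UnsafeURL otherwise.

    Each refusal is explicit so logs say why a fetch was blocked; checks run
    from cheapest (string inspection) to the DNS lookup.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        # "https://allowed-host@other-host/" would otherwise fool a naive host check.
        raise UnsafeURL("userinfo in URL not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise UnsafeURL("missing host")
    try:
        port = parts.port
    except ValueError:
        raise UnsafeURL("malformed port") from None
    if port not in (None, 443):
        raise UnsafeURL(f"port {port} not allowed")
    if host not in allowed_hosts:
        raise UnsafeURL(f"host {host!r} not in allowlist")
    ip_text = resolver(host)
    if not is_public_address(ip_text):
        raise UnsafeURL(f"{host} resolves to non-public address {ip_text}")
    return host, ip_text


def is_fetchable(url, resolver=fake_resolver):
    """Boolean convenience wrapper around validate_fetch_url."""
    try:
        validate_fetch_url(url, resolver)
        return True
    except UnsafeURL:
        return False
```

Two practical notes for a real deployment: the connection should be made to the address that was validated (rather than resolving the hostname a second time, which could return a different answer), and any redirect the remote server returns must go through the same validator before it is followed.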

API8:2023 Security Misconfiguration

Security Misconfiguration serves as an umbrella term encompassing a broad array of security setup errors that typically harm API security overall and unintentionally introduce API vulnerabilities. This threat was ranked seventh on the OWASP API Security Top 10 list released in 2019 and it has sustained the same ranking in the 2023 edition.

API9:2023 Improper Inventory Management

This threat emerges from an antiquated or incomplete inventory that can lead to unidentified blind spots in the API attack surface. This makes it challenging to detect older API versions that need to be retired. Improper Inventory Management has taken over the ninth spot from Improper Assets Management in the OWASP API Security Top 10 list. While the name has been updated to underscore the significance of maintaining a precise and current API inventory, the nature of the threat continues to be the same.

API10:2023 Unsafe Consumption of APIs

The Unsafe Consumption of APIs vulnerability originates from incorrect utilization of APIs by API clients. This can include actions like evading API authentication security measures or altering API responses, potentially leading to unauthorized access and data leaks. This API vulnerability can be exploited either through the consumption of API data itself or by taking advantage of issues in third-party integrations. Unsafe Consumption of APIs has superseded Insufficient Logging and Monitoring to claim the tenth spot in the OWASP API Security Top 10 list.
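The defensive reading of this risk is that data coming back from another API deserves the same validation as data arriving from a user. The following is an added example, not code from the article or from OWASP: a strict validator run on a partner API's JSON before any of it reaches our own storage or templates. The schema, the field names and the sample responses are constructed.

```python
"""Treat a third-party API response as untrusted input (added example)."""
import json

MAX_RESPONSE_BYTES = 16 * 1024  # constructed size cap; refuse to parse beyond it

# Constructed schema: field -> (required Python type, value check)
ORDER_SCHEMA = {
    "order_id": (str, lambda v: v.isalnum() and 1 <= len(v) <= 32),
    "amount_cents": (int, lambda v: 0 <= v <= 10_000_000),
    "currency": (str, lambda v: v in {"USD", "EUR", "GBP"}),
    "status": (str, lambda v: v in {"pending", "paid", "refunded"}),
}


class InvalidUpstreamResponse(ValueError):
    """The partner's response did not match what we are willing to consume."""


def validate_order(raw_body):
    """Parse and validate one order response; return only the vetted fields."""
    if len(raw_body) > MAX_RESPONSE_BYTES:
        raise InvalidUpstreamResponse("response too large")
    try:
        data = json.loads(raw_body)
    except ValueError as exc:
        raise InvalidUpstreamResponse(f"not JSON: {exc}") from None
    if not isinstance(data, dict):
        raise InvalidUpstreamResponse("expected a JSON object")
    unexpected = set(data) - set(ORDER_SCHEMA)
    if unexpected:
        # Unknown fields are rejected, not passed through: a compromised or buggy
        # partner should not be able to push data we never asked for into our system.
        raise InvalidUpstreamResponse(f"unexpected fields {sorted(unexpected)}")
    missing = set(ORDER_SCHEMA) - set(data)
    if missing:
        raise InvalidUpstreamResponse(f"missing fields {sorted(missing)}")
    clean = {}
    for key, (typ, check) in ORDER_SCHEMA.items():
        value = data[key]
        # bool is a subclass of int in Python; refuse it for integer fields.
        if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
            raise InvalidUpstreamResponse(f"{key}: wrong type")
        if not check(value):
            raise InvalidUpstreamResponse(f"{key}: value not acceptable")
        clean[key] = value
    return clean


# Constructed sample responses as they might arrive from the partner.
SAMPLE_RESPONSES = {
    "well_formed": '{"order_id": "A1B2C3", "amount_cents": 1999, "currency": "EUR", "status": "paid"}',
    "extra_field": '{"order_id": "A1B2C3", "amount_cents": 1999, "currency": "EUR", "status": "paid", "note": "free text we never asked for"}',
    "negative_amount": '{"order_id": "A1B2C3", "amount_cents": -500, "currency": "EUR", "status": "paid"}',
    "string_amount": '{"order_id": "A1B2C3", "amount_cents": "1999", "currency": "EUR", "status": "paid"}',
    "not_an_object": '[{"order_id": "A1B2C3"}]',
}


def triage(samples):
    """Run every sample through the validator; map name -> 'accepted' or the reason."""
    results = {}
    for name, body in samples.items():
        try:
            validate_order(body)
            results[name] = "accepted"
        except InvalidUpstreamResponse as exc:
            results[name] = str(exc)
    return results
```

The same discipline applies to the transport side of consuming an API: set timeouts, cap response sizes before parsing (as above), and do not follow redirects from a partner to arbitrary hosts without validating them.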

Next steps 

Balancing security against tight deadlines can be challenging, especially in today’s fast-paced development environments. The OWASP Top 10 2022 is an invaluable resource of known and possible vulnerabilities for development teams looking to create secure web applications. It’s important to prioritize application vulnerabilities against business impact in addition to other aspects of the overall threat profile.

To assist security teams with exactly this, Vulcan Cyber® can help you identify and prioritize security risks across your entire IT estate, including APIs. The Vulcan Cyber risk management platform provides a comprehensive view of all security risks, including those associated with APIs, and helps you to make informed decisions about how to prioritize and remediate those risks. Get a demo today.  
