In the previous blog posts on API security, we introduced the 10 most critical API risks based on the 2019 edition of the OWASP Top 10 API Security Risks. Then we explained the most critical risk—Broken Object Level Authorization (BOLA)—in detail. Now, after almost 4 years, the new OWASP Top 10 API Security Risks 2023 has been released. In this blog post, we will discuss what has stayed the same and what has changed compared to the last API Security Top 10 of 2019.
The New OWASP Top 10 API Security Risks 2023
Before we discuss the similarities and differences with the OWASP API Security Top 10 of 2019 in the following sections, let's briefly introduce the Top 10 risks. Similar to a previous blog post introducing the OWASP API Security Top 10 of 2019, we've created a table introducing the newly released OWASP API Security Top 10 2023:
| Rank | Title | Description |
| --- | --- | --- |
| 1 | Broken Object Level Authorization | The API doesn’t check whether a user is authorized to access a specific resource (usually referenced by an ID). Thus, an attacker can replace their ID to access a resource of another user. For a detailed description, take a look at our blog post about this most critical risk. |
| 2 | Broken Authentication | The API’s authentication isn’t sufficiently secured. This includes various examples, such as not validating the authenticity of tokens or using weak signatures. |
| 3 | Broken Object Property Level Authorization | The API returns more data than necessary or allows more data to be stored than intended. This may lead to information exposure or data manipulation. |
| 4 | Unrestricted Resource Consumption | The API is not protected against an unusual amount of traffic: it doesn’t restrict the number of a user’s API calls, or it allows parameters to be modified in ways that cause performance issues. Thus, an attacker can flood the API with arbitrary calls in order to overload it, leading to a denial of service (DoS). Further, the attacker can increase operational costs by having the API send large volumes of SMS or consume other resources provided by third-party service providers. |
| 5 | Broken Function Level Authorization | The API isn’t sufficiently secured against unauthorized calls. For example, an attacker can invoke admin APIs with a non-privileged user account. |
| 6 | Unrestricted Access to Sensitive Business Flows | A business-sensitive API endpoint does not restrict excessive access. The consequences depend on the respective business flow. An example would be that all tickets of an event are reserved in an automated way, without a normal user having the chance to reserve one. |
| 7 | Server Side Request Forgery (SSRF) | The API uses an unvalidated user-supplied URL to fetch remote resources. This allows an attacker to send requests to local services, which are not directly accessible, by supplying the API with local IP addresses. |
| 8 | Security Misconfiguration | The API itself or a system the API depends on is configured in an insecure manner. One example is a misconfigured web cache, which can lead to a vulnerability called “web cache poisoning”. We wrote a detailed blog post about this vulnerability and created a CLI tool called Web Cache Vulnerability Scanner to scan for it. |
| 9 | Improper Inventory Management | An attacker is able to call non-productive or old versions of APIs. These APIs often contain known vulnerabilities which don’t get fixed, because the APIs weren’t meant to be used publicly. Non-productive APIs might also provide debugging information and omit sufficient security checks. |
| 10 | Unsafe Consumption of APIs | The API trusts data from third-party APIs and thus neglects data validation and sanitization. Thereby, an attacker might exploit a trusted third-party API in order to send malicious data to the credulous API, similar to a supply chain attack. |
The new OWASP Top 10 API Security Risks 2023. (Table 1)
What Has Remained (Largely) The Same?
Many things have stayed the same in the new version of the API Security Top 10, or have just been adjusted slightly. For example, “Broken Object Level Authorization” remains the most critical risk, while “Broken User Authentication” remains number two, but has been renamed “Broken Authentication”. This makes Broken Authentication more inclusive, rather than focusing solely on users.
“API3:2019 Excessive Data Exposure” is still #3, but has been combined with “API6:2019 Mass Assignment” and renamed “Broken Object Property Level Authorization”.
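As an added illustration of row 3 of Table 1 (example code written for this post, not code from the original post or from OWASP), the following Python handler shows the two halves now combined under Broken Object Property Level Authorization: the excessive-exposure read and the mass-assignment write, each beside a hardened version that enforces an explicit property allow-list. The record, its field names and the in-memory store are assumptions constructed for the example.

```python
# Added example (not code from the original post): a minimal user-profile
# handler showing both halves of API3:2023 Broken Object Property Level
# Authorization beside a hardened version. Record fields are constructed.
import copy

# Constructed record: password_hash must never be readable by a client,
# is_admin and balance must never be writable by the profile owner.
SEED_USER = {
    "id": 42, "name": "alice", "email": "alice@example.com",
    "password_hash": "$2b$12$constructed-hash-value",
    "is_admin": False, "balance": 100,
}

READABLE = {"id", "name", "email"}   # properties the owner may read
WRITABLE = {"name", "email"}         # properties the owner may change


def fresh_db():
    """Return a new in-memory store so each scenario starts clean."""
    return {42: copy.deepcopy(SEED_USER)}


def get_profile_vulnerable(db, user_id):
    # Excessive data exposure: the whole record is serialized, leaving
    # it to the client to "filter out" password_hash and is_admin.
    return dict(db[user_id])


def update_profile_vulnerable(db, user_id, payload):
    # Mass assignment: every key in the request body is written through,
    # so {"is_admin": true} in the JSON body escalates privileges.
    db[user_id].update(payload)
    return dict(db[user_id])


def get_profile_secure(db, user_id):
    # Only explicitly allow-listed properties leave the server.
    record = db[user_id]
    return {k: record[k] for k in READABLE if k in record}


def update_profile_secure(db, user_id, payload):
    # Reject, rather than silently drop, properties the caller may not
    # set: the attempt then shows up in logs and in the error response.
    forbidden = set(payload) - WRITABLE
    if forbidden:
        raise PermissionError(f"not writable: {sorted(forbidden)}")
    db[user_id].update({k: payload[k] for k in WRITABLE if k in payload})
    return get_profile_secure(db, user_id)
```

The same allow-list approach applies to nested objects and list elements; a schema validator that rejects unknown properties gives the same effect declaratively.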
“API4:2019 Lack of Resources & Rate Limiting” also remains in the same place and has only been renamed “Unrestricted Resource Consumption”.
“Broken Function Level Authorization” remains unchanged at #5.
While “Security Misconfiguration” has not been renamed, it has moved down one place and is now #8. “Improper Asset Management” remains in the same place, like most of the others, but has been renamed “Improper Inventory Management”.
What Are the Major Changes?
While much has remained largely the same, there have also been some significant changes. For example, the two risks “Injection” and “Insufficient Logging & Monitoring” no longer appear in the API Security Top 10 of 2023. The reason for the omission of injection is that the list is intended to represent API-specific security risks and injection is a generic security risk for all applications [1]. This does not mean that protecting against injections has become less important for APIs in recent years.
Another significant change is the addition of three new risks: “Unrestricted Access to Sensitive Business Flows”, “Server-Side Request Forgery (SSRF)”, and “Unsafe Consumption of APIs”.
Conclusion
The OWASP API Security Top 10 is an important contribution to secure APIs. It is used by security professionals during penetration tests and by API developers during development. Hence, we appreciate that the OWASP Top 10 API Security Risks have been updated. For example, we missed server-side request forgery in the Top 10 list of 2019. However, it is less understandable why injection is excluded from the Top 10 list of 2023. Both injection and SSRF are also listed on the more general OWASP Top 10 Web Application Security Risks. SSRF is ranked #10 on that list, while injection is ranked #3. This inconsistency could lead to misunderstandings regarding the risk injection poses to APIs.
In Figure 1, we have visualized the changes and differences between the API Security Top 10 versions of 2019 and 2023.
Comparison of the OWASP API top 10 2019 and 2023. (Figure 1)
[1] https://owasp.org/API-Security/editions/2023/en/0xd0-about-data/
Your Contact for OAuth and secure APIs
Dr. Christian Mainka
christian.mainka@hackmanit.de