
OWASP API Security Top 10

From Microservices Security in Action by Prabath Siriwardena

OWASP API security top 10

  1. Broken Object Level Authorization
  2. Broken authentication
  3. Excessive data exposure
  4. Lack of resources and rate limiting
  5. Broken Function Level Authorization
  6. Mass assignment
  7. Security misconfiguration
  8. Injection
  9. Improper asset management
  10. Insufficient logging and monitoring

Broken Object Level Authorization

Both requests below carry the same access token. The first names an arbitrary user by id in the path; the second refers to the caller itself. If the API only checks that the token is valid, and not that the token's owner is entitled to read the object identified by {user-id}, any authenticated caller can read other users' records simply by changing the id.

> curl -i -X GET "https://graph.facebook.com/{user-id}?fields=id,name&access_token={your-user-access-token}"
> curl -i -X GET "https://graph.facebook.com/me?fields=id,name&access_token={your-user-access-token}"
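The check that is missing in a Broken Object Level Authorization bug, shown as an added example (this is not code from the book or from the Graph API): a handler for a "/users/{id}" resource where "me" is an alias for the caller. The user records, ids and the administrative scope name users:read_all are constructed for illustration.

```python
# Added example, not code from the book: object-level authorization for a
# "/users/{id}" resource. Records, ids and the scope name are constructed.
from dataclasses import dataclass

# Constructed sample store, keyed by the id a client puts in the path.
USERS = {
    "1001": {"id": "1001", "name": "Alice", "email": "alice@example.test"},
    "1002": {"id": "1002", "name": "Bob", "email": "bob@example.test"},
}


@dataclass(frozen=True)
class Principal:
    """What an already-validated access token tells the handler."""
    subject: str          # user id the token was issued to
    scopes: frozenset     # scopes bound to the token


class NotFound(Exception):
    """Raised for both 'does not exist' and 'not yours', so a caller cannot
    enumerate which ids exist by comparing the two error responses."""


def get_user_vulnerable(principal: Principal, user_id: str) -> dict:
    """Broken Object Level Authorization: the caller was authenticated, but
    nothing checks that *this* caller may read *this* record, so changing
    the id in the path returns someone else's data."""
    if user_id == "me":
        user_id = principal.subject
    return USERS[user_id]


def get_user(principal: Principal, user_id: str) -> dict:
    """Hardened handler: resolve 'me', then require that the record belongs
    to the token's subject unless the token carries the (assumed)
    administrative scope 'users:read_all'."""
    if user_id == "me":
        user_id = principal.subject
    is_owner = user_id == principal.subject
    if not is_owner and "users:read_all" not in principal.scopes:
        raise NotFound(user_id)
    record = USERS.get(user_id)
    if record is None:
        raise NotFound(user_id)
    return dict(record)


def can_read(principal: Principal, user_id: str) -> bool:
    """True if get_user() would serve the record; used by the demo."""
    try:
        get_user(principal, user_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    alice = Principal("1001", frozenset({"profile:read"}))
    support = Principal("2000", frozenset({"users:read_all"}))
    print(get_user_vulnerable(alice, "1002")["name"])   # Bob: the BOLA bug
    print(get_user(alice, "me")["name"])                 # Alice
    print(can_read(alice, "1002"))                       # False
    print(can_read(support, "1002"))                     # True
```

The ownership decision is made inside the handler, next to the data access, rather than in a gateway that only sees the URL: the gateway cannot know who owns record 1002 without consulting the same store.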

Broken authentication

  • The issuer of the token is trusted (signature verified).
  • The audience of the token is correct.
  • The token isn’t expired.
  • The scopes bound to the token permit it to access the requested resource.
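The four checks above carried out on an HS256-signed JWT, as an added example written with only the Python standard library (this is not code from the book). The signing key, issuer name, audience and scope strings are constructed for illustration; a real deployment would normally verify an asymmetric (RS256/ES256) signature against the issuer's published keys rather than a shared secret, but the order and meaning of the checks are the same.

```python
# Added example, not code from the book: issuer/signature, audience, expiry
# and scope checks on an HS256 JWT. Key, issuer, audience, scopes: constructed.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenError(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Issuer side, included only so the demo is self-contained."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_token(token: str, *, keys_by_issuer: dict, audience: str,
                   required_scopes: set, now: Optional[float] = None) -> dict:
    """Return the claims only if all four checks pass; raise TokenError otherwise."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:          # covers base64, JSON and split errors
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")

    # 1. Trusted issuer, verified signature. The algorithm is pinned rather
    #    than taken from the header, and 'iss' is used only to pick the key;
    #    no other claim is trusted before the MAC has been checked.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    key = keys_by_issuer.get(claims.get("iss"))
    if key is None:
        raise TokenError("untrusted issuer")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")

    # 2. Audience: the token was minted for this API, not some other one.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        raise TokenError("wrong audience")

    # 3. Expiry: 'exp' is seconds since the epoch.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("expired")

    # 4. Scopes: space-separated string, the usual OAuth 2.0 convention.
    granted = set(str(claims.get("scope", "")).split())
    if not set(required_scopes) <= granted:
        raise TokenError("insufficient scope")
    return claims


def is_accepted(token: str, **checks) -> bool:
    """True if validate_token() accepts the token under the given checks."""
    try:
        validate_token(token, **checks)
        return True
    except TokenError:
        return False


# Constructed demo material (not a real key or issuer).
KEYS = {"https://sts.example.test": b"constructed-demo-key-not-for-real-use"}
NOW = 1_700_000_000
GOOD = {"iss": "https://sts.example.test", "sub": "1001", "aud": "orders-api",
        "exp": NOW + 300, "scope": "orders:read orders:write"}
CHECKS = dict(keys_by_issuer=KEYS, audience="orders-api",
              required_scopes={"orders:read"}, now=NOW)

if __name__ == "__main__":
    key = KEYS["https://sts.example.test"]
    print(is_accepted(mint_token(GOOD, key), **CHECKS))                          # True
    print(is_accepted(mint_token({**GOOD, "aud": "other-api"}, key), **CHECKS))  # False
    print(is_accepted(mint_token({**GOOD, "exp": NOW - 1}, key), **CHECKS))      # False
    print(is_accepted(mint_token(GOOD, b"wrong-key"), **CHECKS))                 # False
```

Note that the checks fail closed: a token with no exp, no aud or an unknown iss is rejected, and the alg value is never taken from the token itself, which is what defeats the classic "alg": "none" bypass.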

Excessive data exposure

Lack of resources and rate limiting

https://findusers.com/api/v2?limit=10000000
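Two controls that together defuse the request above, as an added example (not code from the book): a hard cap on the page size a client may ask for, and a per-client sliding-window rate limit checked before anything else is parsed. The limits, window length, client identifiers and the handler's return shape are constructed for illustration.

```python
# Added example, not code from the book: page-size clamping plus a
# sliding-window rate limiter for a "find users" endpoint. All numbers and
# identifiers are constructed.
import time
from collections import deque
from typing import Optional

DEFAULT_PAGE_SIZE = 20
MAX_PAGE_SIZE = 100


class BadRequest(Exception):
    pass


def parse_limit(raw: Optional[str], default: int = DEFAULT_PAGE_SIZE,
                maximum: int = MAX_PAGE_SIZE) -> int:
    """Turn the ?limit= parameter into a page size the backend can afford.
    Oversized values are clamped rather than rejected, so a client asking
    for 10000000 rows simply gets the maximum."""
    if raw is None or raw == "":
        return default
    try:
        value = int(raw)
    except ValueError as exc:
        raise BadRequest("limit must be an integer") from exc
    if value < 1:
        raise BadRequest("limit must be at least 1")
    return min(value, maximum)


class SlidingWindowLimiter:
    """Allow at most max_requests per client in any window_seconds span."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits: dict = {}   # client id -> deque of request timestamps

    def allow(self, client_id: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits.setdefault(client_id, deque())
        while hits and hits[0] <= now - self.window:   # drop expired entries
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def handle_find_users(client_id: str, query: dict, limiter: SlidingWindowLimiter,
                      now: Optional[float] = None) -> tuple:
    """Request handler returning (status, body). The rate limit is checked
    before any parsing, so a flood of malformed requests stays cheap."""
    if not limiter.allow(client_id, now):
        return 429, {"error": "rate limit exceeded", "retry_after": limiter.window}
    try:
        limit = parse_limit(query.get("limit"))
    except BadRequest as exc:
        return 400, {"error": str(exc)}
    # A real handler would now run the bounded query; the chosen page size
    # is returned so the effect of the clamp is visible.
    return 200, {"limit": limit, "users": []}


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(max_requests=5, window_seconds=60)
    for i in range(6):
        print(handle_find_users("client-a", {"limit": "10000000"}, limiter, now=1000 + i))
```

The in-memory deque is fine for a single process; with several API replicas the counters have to live in a shared store, or the limit is enforced at the gateway in front of them, otherwise each replica grants the full budget independently.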

Broken Function Level Authorization

Mass assignment

{
  "user": {
    "id": "18u-7uy-9j3",
    "username": "robert",
    "fullname": "Robert Smith",
    "roles": ["admin", "employee"]
  }
}
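How a server should treat the request body above, as an added example (not code from the book): the vulnerable version binds every key in the JSON onto the stored record, so the client can promote itself by sending roles; the hardened version takes only an explicit allow-list of fields. The stored record, the allow-list and the error type are constructed for illustration.

```python
# Added example, not code from the book: mass assignment versus an explicit
# allow-list of writable fields. Stored record and allow-list are constructed.
import json


class BadRequest(Exception):
    pass


# Fields a user may change about their own account. Everything else in the
# record (id, roles, ...) is set by the system or by an administrator.
USER_WRITABLE_FIELDS = {"username", "fullname"}

# Constructed stored record for the user making the request.
STORED_USER = {
    "id": "18u-7uy-9j3",
    "username": "robert",
    "fullname": "Robert Smith",
    "roles": ["employee"],
}

# The request body from the text, as the client would send it.
REQUEST_BODY = json.dumps({
    "user": {
        "id": "18u-7uy-9j3",
        "username": "robert",
        "fullname": "Robert Smith",
        "roles": ["admin", "employee"],
    }
})


def update_user_vulnerable(stored: dict, body: str) -> dict:
    """Mass assignment: every key in the JSON is bound straight onto the
    record, so the client can grant itself 'admin' by sending 'roles'."""
    updated = dict(stored)
    updated.update(json.loads(body)["user"])
    return updated


def update_user(stored: dict, body: str,
                writable: set = USER_WRITABLE_FIELDS) -> dict:
    """Hardened: only allow-listed fields are taken from the request, and a
    request naming any other field is rejected rather than silently
    trimmed, so the attempt shows up as a 400 in the logs."""
    try:
        payload = json.loads(body)["user"]
    except (ValueError, KeyError, TypeError) as exc:
        raise BadRequest("body must be {'user': {...}}") from exc
    if not isinstance(payload, dict):
        raise BadRequest("'user' must be an object")
    forbidden = set(payload) - writable
    if forbidden:
        raise BadRequest(f"fields not writable by the caller: {sorted(forbidden)}")
    for field, value in payload.items():
        if not isinstance(value, str):
            raise BadRequest(f"{field} must be a string")
    updated = dict(stored)
    updated.update(payload)
    return updated


def is_rejected(stored: dict, body: str) -> bool:
    """True if update_user() refuses the body; used by the demo."""
    try:
        update_user(stored, body)
        return False
    except BadRequest:
        return True


if __name__ == "__main__":
    print(update_user_vulnerable(STORED_USER, REQUEST_BODY)["roles"])   # ['admin', 'employee']
    print(is_rejected(STORED_USER, REQUEST_BODY))                        # True
    print(update_user(STORED_USER, json.dumps({"user": {"fullname": "Rob Smith"}})))
```

The same rule applies to frameworks that bind JSON to objects automatically: the binding target should be a dedicated request type that only has the writable fields, never the persistence entity itself.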

Security misconfiguration

  • Not disabling HTTP when allowing only HTTPS on your APIs
  • Allowing unnecessary HTTP methods on API resources (for example, allowing POST on a resource when only a GET is required)
  • Including stack traces on error messages that reveal the internals of a system
  • Permissive Cross-Origin Resource Sharing (CORS) that allows access to APIs from unnecessary domains

Injection

GET /search/users?name=robert
SELECT * FROM USERS WHERE NAME = 'robert';

GET /search/users?name=robert'; DELETE FROM USERS WHERE ID = 1; SELECT '
SELECT * FROM USERS WHERE NAME = 'robert'; DELETE FROM USERS WHERE ID = 1; SELECT '';

If the handler builds the statement by concatenating the name parameter into the SQL text, the second value closes the string literal the handler opened, appends a DELETE, and opens a new literal to absorb the handler's closing quote, so the database receives three well-formed statements and runs all of them.
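The query above run both ways against an in-memory SQLite database, as an added example (not code from the book): string concatenation lets the stacked DELETE through, a parameterised query does not. The table contents and the injected parameter value are constructed for illustration.

```python
# Added example, not code from the book: SQL injection via concatenation
# versus a parameterised query, on a constructed SQLite table.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table matching the SQL in the text."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE USERS (ID INTEGER PRIMARY KEY, NAME TEXT NOT NULL);
        INSERT INTO USERS (ID, NAME) VALUES (1, 'alice'), (2, 'robert');
    """)
    return conn


def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM USERS").fetchone()[0]


def search_users_vulnerable(conn: sqlite3.Connection, name: str) -> None:
    """Splices the request parameter into the SQL text. executescript() is
    used because, like many drivers and database servers, it runs every
    ';'-separated statement in the string, which is what lets the stacked
    DELETE through. It returns no rows, so the demo observes the damage
    with user_count() instead."""
    conn.executescript(f"SELECT * FROM USERS WHERE NAME = '{name}';")


def search_users(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the value is bound by the driver and can never
    be parsed as SQL, whatever quotes or semicolons it contains."""
    return conn.execute("SELECT ID, NAME FROM USERS WHERE NAME = ?",
                        (name,)).fetchall()


# The name parameter from the second request in the text: closes the string
# literal, appends a DELETE, and opens a new literal to absorb the closing quote.
INJECTED_NAME = "robert'; DELETE FROM USERS WHERE ID = 1; SELECT '"


def demo_vulnerable() -> tuple:
    """(rows before, rows after) when the injected name reaches the vulnerable code."""
    conn = make_db()
    before = user_count(conn)
    search_users_vulnerable(conn, INJECTED_NAME)
    return before, user_count(conn)


def demo_hardened() -> tuple:
    """(result rows, rows after) when the same name reaches the hardened code."""
    conn = make_db()
    rows = search_users(conn, INJECTED_NAME)
    return rows, user_count(conn)


if __name__ == "__main__":
    print(demo_vulnerable())                   # (2, 1): user 1 was deleted
    print(demo_hardened())                     # ([], 2): nothing matched, nothing deleted
    print(search_users(make_db(), "robert"))   # [(2, 'robert')]
```

Escaping the quote characters by hand is not an alternative to binding parameters: the escaping rules differ between databases and encodings, whereas a bound parameter is never tokenised as SQL at all.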

Improper asset management

Insufficient logging and monitoring
