Reviewing the 2023 OWASP API Top 10

Bassel Kablawi
Author: Bassel Kablawi, CISM, CDPSE, COBIT Foundation, ITIL v3
Date Published: 1 August 2023

In the age of digital transformation, many organizations rely on application programming interfaces (APIs), which enable different applications to communicate with each other. APIs empower developers to quickly and easily integrate new services into their applications, allowing them to create new offerings for customers. API calls represent 54% of the total requests of Cloudflare itself,1 confirming a 2019 finding that more than 80% of all web traffic is API communication.2

The Open Web Application Security Project (OWASP) has become the standard for helping developers and security teams understand the types of risk associated with their web applications. If an API is not secure, malicious cyberactors can use it to gain access to sensitive data relatively easily. In 2019, the OWASP group determined that with the increased adoption of APIs, there was a need for an API-specific Top 10 list of vulnerabilities.3 In 2023, a new edition of the OWASP API Top 10 was released (figure 1).4 To ensure that enterprises are not subjected to the nightmare that is an API security breach, the updated OWASP API Top 10 list is worth examining.

Figure 1—OWASP

API1:2023 Broken Object Level Authorization
This is the most common and damaging API vulnerability because the server component often does not comprehensively track the client's state. Instead, it relies on parameters such as object IDs sent from the client to decide which objects to access.

Attackers can exploit API endpoints that are vulnerable to broken object-level authorization (BOLA) by manipulating the identification (ID) of an object that is sent within the request to impersonate other users and gain unauthorized access to the data.

Impact
BOLA exploitation allows malicious cyberactors to gain unauthorized access to confidential information such as financial data and other sensitive personal data. It can also lead to a loss of integrity if attackers perform actions they are not authorized to perform (e.g., deleting data, changing settings).

Example
The attacker authenticates themselves as user A and retrieves and/or changes the data of user B.

Root Causes and Prevention
There are several root causes that may be to blame for causing the vulnerability, including:

  • Failing to enforce access controls at the object level
  • Lack of proper input validation or sanitization

Possible prevention techniques include:

  • Defining data access policies and implement associated controls
  • Enforcing data access controls at the application logic layer
  • Implementing automated testing to find broken object-level authorization flaws

API2:2023 Broken Authentication
The authentication mechanism can be an easy target for attackers in cases of a lack of password management maturity. Weak or poor authentication creates vulnerabilities through a lack of security controls or poorly implemented controls.

Weak or poor authentication creates vulnerabilities through a lack of security controls or poorly implemented controls.

Impact
This vulnerability allows attackers to gain control of users, which can result in data being stolen and unauthorized transactions being performed. When attackers gain access to many accounts in a short period of time (via credential stuffing or brute force attacks), it can lead to widespread data exposure affecting millions of users. This can result in organizations being subjected to reputational damage or legal consequences.

Examples
Attackers can exploit stolen or leaked credentials from other services to try to gain unauthorized access to an API. They could also gain access to the API’s database in cases of improper secure password storage or handling.

Root Causes and Prevention
Potential root causes of the vulnerability may include:

  • Weak password requirements
  • Use of IDs/passwords commonly victimized by brute force attacks (e.g., credential stuffing)
  • No Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) rate-limiting lockout
  • Authentication information included in Uniform Resource Locators (URLs) (e.g., token, password)
  • Changing passwords without identity verification
  • Nonvalidation of token authenticity
  • Insecure password storage

A recommended prevention tactic is to define authentication policies and standards, which may be based on existing controls such as the US National Institute of Technology (NIST) Special Publication (SP) 800-535 control AC-16–Access Management, the NIST SP 800-53 control AC-3–Access Enforcement, or the International Organization for Standardization (ISO) control ISO 27001:2022 Annex A Control 5.17–Authentication Information.6 Referring to such controls helps enterprises form effective authentication and password policies.

API3:2023 Broken Object Property Level Authorization
This vulnerability occurs when a user without validated access permissions exploits the endpoint by reading and/or modifying the value of objects. The ability to update object elements allows for mass assignment, which is an input and authorization validation flaw that allows attackers to manipulate client-provided data for advanced exploits. Excessive data exposure may occur if nonessential data are revealed.

Impact
Sensitive data may be disclosed to unauthorized parties, lost or manipulated to achieve access privilege escalation. If an attacker exploits this vulnerability, it could result in the permanent loss of personal information and cause significant financial distribution and losses.

Examples
An example of this vulnerability is if a user is able to change a subscription plan from a base plan to a business plan with more advanced features by setting “account-type=business,” or if the user’s search returns excessive personally identifiable information (PII) (e.g., name, address, ID, email).

Root Causes and Prevention
Some common root causes of API3:2023 include:

  • Failure to properly enforce authorization on object properties
  • Outdated or insecure authorization mechanisms
  • Improper or incomplete security testing during the development life cycle

To prevent this vulnerability from becoming a reality, organizations can take several steps, including:

  • Ensuring that the user can only access legitimate, permitted fields
  • Returning only the minimum amount of data required for the use case

API4:2023 Unrestricted Resource Consumption
API requests consume resources such as network bandwidth, computing power, memory and storage space. The volume of resources required to satisfy a request greatly depends on the user input and endpoint business logic. A lack of resource limiting can cause inadequate traffic control, which allows for mass data retrieval and a risk of operation interruption.

Impact
Excessive use of API resources allows an attacker to send a high volume of requests that can cause distributed denial of service (DDoS), slowing the response of API services or shutting services down entirely. Data harvesting is another possible impact of this vulnerability, since if the API is slow or down, attackers can download large quantities of data to steal personal information.

Examples
This vulnerability can be observed in several examples, including:

  • An API that allows users to request a list of all available products in a database without limiting the number of products that can be requested in a single query
  • An API that allows users to upload files, but does not restrict the size or number of files that can be uploaded

Root Causes and Prevention
There are various root causes that may be causing the vulnerability, including:

  • Missing or inadequate volume controls
  • Execution timeout that indicates the maximum number of seconds for which a request is allowed to execute
  • Maximum allocatable memory is reached
  • Maximum number of file descriptors is reached
  • Maximum file upload size is reached
  • Excessive records are returned in a single request

Traffic controls should be implemented to ensure that the risk of the vulnerability is not realized. Controls such as NIST SP 800-53 control AC-20–User of External Systems or ISO 27001:2022 control A.8.20–Network Security can be used to help establish requirements for securing and hardening network-connected devices and systems by specifying a maximum percentage for network bandwidth and the maximum number of requests by a single source.

API5:2023 Broken Function Level Authorization
This involves using APU functionality to modify, create, update and/or delete the resources of another user.

Other attributes include:

  • Often involves replacing passive actions (e.g., GET) with active ones (e.g., PUT, DELETE)
  • Can be used to escalate privilege

Impact
Administrative functions are key targets for this type of vulnerability, wherein attackers perform malicious activity such as creating, modifying or deleting data. Such data could be used to illegally assume the identity of other users and access their confidential information.

Examples
There are several examples that illustrate this vulnerability, including:

  • Replacing GET with PUT
  • Modifying URL parameters (i.e., “role=admin,” account-type=“business”)
  • Deleting an invoice
  • Resetting an account balance to zero dollars

Root Causes and Prevention
This vulnerability can be attributed to several possible causes, including:

  • Failure of an API to properly enforce authorization at the function or operation level
  • The use of inadequate or incomplete role-based access control (RBAC) mechanisms
  • Improper or incomplete security testing during the development life cycle

Options for prevention techniques include:

  • Identify functions that expose high-sensitivity capability and develop access policies and rules to limit unauthorized access.
  • Implement continuous release testing to ensure proper behavior.

API6:2023 Server-Side Resource Forgery (SSRF)
SSRF involves inserting a URL into an API request to make a request to a third-party server. This vulnerability occurs when the API fails to properly validate user inputs and constructs a URL based on untrustworthy input.

Impact
This vulnerability creates a channel for malicious requests, data access or other fraudulent activities such as port scanning, information disclosure, and bypassing firewalls or other security mechanisms. It also introduces the potential for data leaks if sensitive data are retrieved. Additional security issues may occur if attacks are launched on other systems or services.

Example
An example of this vulnerability would be if an endpoint’s access URL input is submitted by an attacker and malware is downloaded from the malicious URL.

Root Causes and Prevention
Possible root causes of this vulnerability include:

  • Lack of proper input validation
  • Weak or outdated access control
  • Failure to properly secure APIs during development
  • Inadequate security testing and a lack of proper security controls, such as encryption and tokenization

This vulnerability can be avoided by validating and sanitizing all user-supplied information, including URL parameters. Organizations can also ensure that communication is only permitted for trusted resources.

API7:2023 Security Misconfiguration
Attackers use bots to scan, detect and exploit misconfiguration of unpatched systems or unprotected files and directories to gain unauthorized access to a system.

Attackers use bots to scan, detect and exploit misconfiguration of unpatched systems or unprotected files and directories to gain unauthorized access to a system.

Impact
This vulnerability can result in the exposure of sensitive data or create potential for complete server compromise.

Examples
For example, if the database server is misconfigured and default login credentials have not been changed, an attacker could easily gain access to the database and steal sensitive data. Alternatively, if the API is not properly configured to use a secure communication protocol (e.g., Hypertext Transfer Protocol Secure [HTTPS]), attackers could intercept the communication and steal sensitive data.

Root Causes and Prevention
Potential underlying causes of this vulnerability may include:

  • Lack of security hardening
  • Improperly configured permissions
  • Missing security patches
  • Unnecessary features enabled
  • Missing Transport Layer Security (TLS)
  • Cross-Origin Resource Sharing (CORS) policy missing or ineffective

To prevent this vulnerability from occurring, organizations should consider:

  • Implementing hardening procedures
  • Routinely reviewing configurations
  • Implementing automated, continuous security testing

API8:2023 Lack of Protection from Automated Threats
Exploitation of this vulnerability often involves an attacker targeting an API’s legitimate business workflow with excessive automated use. Attackers can identify sensitive business flows and leverage automated access to these flows to cause harm to the enterprise.

Impact
API8:2023 can result in a loss of critical business activity if a legitimate user is prevented from purchasing a product. Exploitation of this vulnerability can also allow an attacker to spread misinformation to customers, stakeholders or the general public through business communication channels.

Example
Mass automated ticket purchasing or high-volume referral bonuses are examples of this vulnerability in action. Attackers may also send fake promotions to an enterprise’s email or text message subscribers.

Root Causes and Prevention
Root causes of this vulnerability may include:

  • A lack of bot detection
  • An absence of rate limiting
  • Poorly implemented authentication procedures
  • Inadequate CAPTCHA protocols

To avoid this vulnerability, enterprises should be proactive in identifying critical business workflows, implementing fraudulent traffic detection mechanisms and controls, and organizing automated testing of control mechanisms.

API9:2023 Improper Inventory Management
This vulnerability occurs when there is unauthorized API access via an outdated, unused version of API or through a trusted third party.

Impact
API9:2023 can result in data theft if attackers gain access through an older, unpatched version of an API that is connected to a database.

Examples
This vulnerability may take shape in several ways, including:

  • Improper inventory management can lead to the creation of duplicate endpoints, resulting in confusion and potential security vulnerabilities.
  • If the API lacks proper inventory management protocols, deprecated endpoints may still be available for use, making the API vulnerable to attacks.
  • APIs may use external resources such as libraries, frameworks or databases. These resources may not be properly tracked or maintained and could be outdated or potentially vulnerable.

Root Causes and Prevention
Possible underlying causes of this vulnerability may include:

  • An outdated version of an API
  • Unpatched endpoints
  • Endpoint with weak security requirements
  • API access through a third party
  • Outdated documentation
  • Unnecessarily exposed endpoints

Preventative measures organizations can consider include:

  • Strengthening asset management
  • Enforcing a strict policy for applying all APIs (in a gateway)
  • Implementing rules and processes for API versioning and retirement
  • Periodically auditing third-party API access to ensure satisfactory protections

API10:2023 Unsafe Consumption of APIs
Exposure can occur via the use of third-party APIs, which are generally trusted but can be exploited. If exploited, third parties can be used to attack any APIs relying on them.

Impact
Unsafe consumption of APIs can result in data breach or theft, or an account takeover resulting in data privacy issues, especially if the API is used to transfer sensitive information between systems.

Example
An attacker compromises a third-party API, causing it to respond with a redirect to a malicious site, after which the client blindly follows the redirect without validation.

Root Causes and Prevention
The vulnerability may be present due to a number of root causes, including:

  • Insufficient validation that leads to structured query language (SQL) injection or cross-site scripting (XSS)
  • Poor error handling
  • Inadequate authentication and authorization

Recommended prevention techniques include:

  • Evaluating the security controls of the third-party API
  • Validating data returned by the third-party API
  • Encrypting all API communication
  • Maintaining an approved list of known locations to which integrated API may be redirected

Conclusion

The attack surface is growing larger day by day. At the same time, the majority of Internet traffic is driven through API communication. Hence, securing APIs is critical to protecting sensitive data from cyberattacks.

It is important to understand the top 10 API security risk factors identified by OWASP in 2023, supplied with some examples and root causes, in addition to possible prevention methods and controls established by NIST SP 800-53 and ISO 27001:2022 for information security management systems (ISMS). Implementing robust security controls and regularly assessing APIs for vulnerabilities minimizes the risk associated with APIs and helps prevent potential data breaches.

Attackers keep themselves up to date by searching for and identifying new ways to exploit vulnerabilities. Staying current with the latest security trends and regulations is crucial for organizations to ensure the continued protection of sensitive data and systems.

Endnotes

1 Moltene, D.; "Landscape of API Traffic,” The Cloudflare Blog, 26 January 2022
2 Akamiai, “Akamai State of the Internet Security Report: Retailers Most Common Credential Stuffing Attack Victim; Points to Dramatic Rise in API Traffic as Key Trend,” 26 February 2019
3 OWASP, “OWASP API Security Project"
4 OWASP, “OWASP API Security Top 10 2023RC
5 National Institute of Standards and Technology, NIST Special Publication (SP) 800-53, Revision 5, Initial Public Draft, Security and Privacy Controls for Information Systems and Organizations, USA, 2020
6 International Organization for Standardization, International Electrotechnical Commission, ISO/IEC 27001—Information security management systems, Switzerland, 2022

Bassel Kablawi, CISM, CDPSE, COBIT Foundation, ITIL v3

Is an information security and data privacy consultant with more than 10 years of experience delivering network and security management and support services across diverse industries and technologies in the telecom, fintech and nongovernmental organization (NGO) domains. Kablawi facilitates information security and data privacy, advises senior leadership on security direction and resource investments, and designs appropriate policies to manage information security and data privacy programs utilizing industry-recognized frameworks and standards.