OWASP API Security Top 10 Overview and Best Practices

The goal of the OWASP (Open Worldwide Application Security Project) list of the Top 10 API Security Risks is to educate those involved in API development and maintenance and increasing awareness of common API security weaknesses. APIs have increasingly become a target for attackers and OWASP’s API security project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks associated with APIs.

What Are APIs?

APIs (Application Programming Interfaces) are fundamental to the development of modern
applications, as they facilitate the ability of applications to communicate and exchange data
with other applications, services, or platforms.

APIs are a key part of an app modernization strategy and are the foundation of mobile apps. They enable businesses to easily integrate with external platforms and third-party services and build comprehensive solutions by connecting various components. This promotes a modular approach to app development that enables developers to leverage existing services and functionality, promote code reuse, accelerate development cycles, and enhance productivity.

APIs also expand the risk surface and specifically introduce unforeseen risk due to the
nature of their interdependencies across multi-cloud architectures. Like web apps, APIs
are susceptible to vulnerability exploits, abuse from automated threats, denial of service,
misconfiguration, and attacks that bypass authentication and authorization controls.

By their nature, APIs expose critical business logic and sensitive information, such as user
data, authentication credentials, and financial transactions, and have increasingly become a
target for attackers; in particular, the login, create account, add to cart, and money transfer
functions. APIs can become entry points for attackers seeking to exploit vulnerabilities or
weaknesses, or to expose underlying infrastructure and resources.

What Are API Security Best Practices?

Robust API security measures are necessary to protect data from unauthorized access,
manipulation, or exposure to ensure privacy and maintain the trust of users and stakeholders, as well as ensure the confidentiality, integrity, and availability of APIs. Best practices for API security include the following:

OWASP API Security Top 10 — 2023

The OWASP API Security Top 10 – 2023 was formulated to increase awareness of common
API security weaknesses and to help developers, designers, architects, managers, and others
involved in API development and maintenance maintain a proactive approach to API security.
The OWASP API Security Top 10 risks for 2023 are:

Broken object level authorization. This security vulnerability occurs when an
application fails to properly enforce access controls at the object or data level, allowing
an attacker to manipulate or bypass authorization checks and grant unauthorized
access to specific objects or data within an application. This can happen due to
improper implementation of authorization checks, lack of proper validation, or
bypassing of access controls. Every API endpoint that receives an ID of an object, and
performs any action on the object, should implement object-level authorization checks
to validate that the logged-in user has permissions to perform the requested action on
the requested object.

Broken authentication. Authentication mechanisms in an API are often implemented
incorrectly, allowing attackers to gain unauthorized access to user accounts or
sensitive data, or perform unauthorized actions. It typically arises due to improper
implementation or configuration of authentication processes, weak password policies,
session management flaws, or other weaknesses in the authentication workflow.

Broken object property level authorization. This threat occurs when an API fails to
properly enforce access controls and authorization checks at the object property level.
An API endpoint is vulnerable to these attacks if it exposes properties of an object that
are considered sensitive and should not be read by the user, an exploit sometimes
referred to as excessive data exposure. An API endpoint is also vulnerable to these
attacks if it allows a user to change, add, or delete the value of a sensitive object’s
property, an exploit sometimes called mass assignment.

Unrestricted resource consumption. This attack, also called resource exhaustion,
involves exploiting weaknesses in the API implementation to intentionally consume
an excessive amount of resources, such as CPU, memory, bandwidth, or other system
resources. This denial of service (DoS) degrades the performance or availability of the
API or the underlying system and can lead to downtime.

Broken function level authorization. This threat occurs when an API fails to properly
enforce authorization checks at the function or operation level, allowing attackers to
access unauthorized functionality. Implementing proper authorization checks can be
confusing since modern applications can define many types of functional roles and
groups and involve complex user hierarchies, which attackers can manipulate.

Unrestricted access to sensitive business flows. This attack occurs when an API lacks proper access controls or authorization checks, allowing attackers to automate access to sensitive business flows backed by the API. These business flows might support mass purchasing of high-value, low-inventory products such as tickets or sneakers, which can be resold at a mark-up on secondary markets. Attackers often retool their attacks using sophisticated automation toolkits and may pivot to target business logic behind APIs if the target’s web apps are adequately protected by anti-automation defenses.

Server-side request forgery (SSRF). This vulnerability results when an attacker
identifies a vulnerable API endpoint that accepts user-supplied URLs or performs
server-side requests to external resources. The attacker crafts malicious requests
that specify URLs of internal resources or systems that the attacker wishes to target.
Unaware of the malicious intent, the server performs the server-side request to the
specified URL, potentially exposing sensitive information or services.

Security misconfiguration. Attackers attempt to find unpatched flaws, common
endpoints, services running with insecure default configurations, or unprotected files
and directories to gain unauthorized access to the API. This vulnerability can result
when appropriate security hardening is missing across any level of the API stack, from
the network to the application level, or if there are improperly configured permissions
on cloud services. Misconfiguration impacts web apps and APIs, and is an increasing
risk as architecture continues to decentralize and become distributed across multicloud environments.

Improper inventory management. APIs are subject to changes and updates over time,
but outdated or insecure API versions may remain in production, or older endpoints
may be left running unpatched or using weaker security requirements, increasing the
risk of security breaches. A lack of proper inventory management makes it difficult to
track which versions are in use, which ones are outdated or deprecated, and which
vulnerabilities have been addressed. Shadow and Zombie APIs pose significant risks,
underscoring the importance of continuous discovery and automated protections.

Unsafe consumption of APIs. Developers tend to trust data received from third-party
APIs, particularly from APIs offered by well-known companies, and adopt weaker
security requirements for this data in terms of input validation and sanitization or
transport security. Unsafe consumption can also occur when APIs are accessed over
insecure protocols or when proper encryption mechanisms are not used, leading to
eavesdropping, data interception, and unauthorized access to sensitive information.

The Case for Integrated Security Controls

F5 ADDRESSES OWASP SECURITY RISKS

F5 supports the OWASP Foundation and its dedication to improving software security and
raising awareness of web application security risks and vulnerabilities at multiple levels.
Indeed, there are security risks common to both apps and APIs that bear consideration
when implementing security solutions. For example:

• Weak authentication/authorization controls
• Misconfiguration
• Business logic abuse (credential stuffing, account takeover)
• Server-side request forgery (SSRF

F5 addresses the risks identified in the OWASP API Security Top 10 with solutions
that protect the growing attack surface and emerging threats as apps evolve and API
deployments increase. F5 Web Application and API Protection (WAAP) solutions defend
the entirety of the modern app attack surface with comprehensive protections that include
WAF, API Security, L3-L7 DDoS mitigation, and bot defense against automated threats and
fraud. The distributed platform makes it simple to deploy consistent policies and scale
security across your entire estate of apps and APIs regardless of where they’re hosted,
and integrate protections into the API lifecycle and broader security ecosystems.

F5 provides hybrid security architectures that consistently and continuously protect apps
and APIs from core to cloud to edge. F5 solutions dynamically discover and automatically
protect critical business logic behind APIs using threat intelligence, ML-based security, and
zero trust principles, providing the resilience and agility necessary to compete in the APIdriven digital economy

F5 Web Application Firewall solutions also block and mitigate a broad spectrum of risks
identified by OWASP Top 10, a widely recognized list of the most critical web application
security risks. APIs, like web apps, are susceptible to misconfiguration and automated
threats, and can be targeted by vulnerability exploits, SSRF, and attacks that attempt to
bypass authentication and authorization controls. F5 WAF solutions combines signature
and behavioral protections, including threat intelligence from F5 Labs and ML-based
security, to keep pace with emerging threats; they can also be integrated with specialized
bot defense controls.

These solutions ease the burden and complexity of consistently securing applications
across clouds, on-premises, and edge environments, while simplifying management via
a centralized SaaS infrastructure. F5 WAFs also streamline app security by integrating
protections into development frameworks and CI/CD pipelines with core security
functionality, centralized orchestration, and oversight via a single dashboard with a
360-degree view of app performance and security events across distributed applications.

F5 also offers solutions to address the risks outlined in OWASP’s Automated Threats to
Web Applications Project. F5 Distributed Cloud Bot Defense prevents fraud and abuse
that can bypass existing bot management solutions and provides real-time monitoring
and intelligence as well as ML-based retrospective analysis to protect organizations from
automated attacks, without inserting user friction or disrupting the customer experience.
Distributed Cloud Bot Defense maintains effectiveness regardless of how attackers retool,
whether the attacks pivot from web apps to APIs or attempt to bypass anti-automation
defenses by spoofing telemetry or using human CAPTCHA solvers

F5 also offers multi-tiered DDoS protection for advanced online security as a managed,
cloud-delivered mitigation service that detects and mitigates large-scale network, protocol,
and application-targeted attacks in real time; the same protections are available as on-premises hardware, software, and hybrid solutions as well. F5 Distributed Cloud DDoS
Mitigation defends against volumetric and application-specific layer 3-4 and advanced layer
7 attacks before they reach your network infrastructure and applications.

For more information, visit https://activedgetechnologies.com/
or contact [ [email protected]] to schedule a demo