OWASP API Security Top 10: A Framework for Improving Your API Security Efforts

December 24, 2020

During a recent API Security conversation with a customer, I asked if they had seen the OWASP API Security Top 10 list. They had not heard about it yet, a response that is consistent with other customers as well as from industry analysts including Gartner, Forrester and the Aite Group. Like the preceding Web App Security Top 10 list, the OWASP API Security Top 10 is a great addition to your API programs and initiatives, acting as a set of guidelines for both security and development teams alike.

APIs have long been the vehicle of choice for automated bots – it’s far easier to target the API for a shopping cart, a login or registration endpoint than it is to script a web form fill. However, a long list of API security incidents in 2020 shows that APIs are increasingly targeted for data theft due to security gaps like weak authentication or verbose error messages. Clearly, the explosive use of APIs has exposed security gaps within both the development and security teams, as highlighted in our API Security Risks webinar with the Aite Group.

Improving your API security posture is best done using a combination of documented best practices and technology to monitor and enforce policies. To that end, we recently held an educational webinar, Demystifying the OWASP API Security Top 10, where we took a threat actor (Jason Kent, our Hacker in Residence) vs. protector (Subbu Iyer, VP of Products) approach of defining each of the attacks on the list, discussing the ways threat actors will use the security weakness, prevention tips, and how the Cequence Application Security Platform can augment your API coding best practices. You can see the webinar here, and a summary is shown in the table below.

OWASP API Security Top 10 Laymen’s Description Prevention Tips How Cequence Can Help
API1:2019 Broken object level authorization Insufficient validation of an object access request allows an attacker to perform an unauthorized action by reusing an access token.
  • App dev and security collaborate to create an API specification that includes authorization requirements that are consistent with business requirements.
  • Use API function-level, security specific test cases, beyond scalability and pen-testing to ensure APIs are secure.
  • API Sentinel: Detect usage of all endpoints and paths at runtime including volume of traffic, IP addresses, organizations and countries
  • Bot Defense: Detect and block automated bot attacks, such as endpoint enumeration and token reuse.
API2:2019 Broken user authentication Poorly implemented user authentication allows attackers to impersonate legitimate users by exploiting implementation flaws in authentication mechanisms.
  • App dev, security and business groups collaborate to fully understand API authentication workflow.
  • Ensure ALL authentication endpoints (e.g., login, reset, etc.) are identified; protect them with the same standards-based, multi-factor where possible, authentication mechanisms.
  • API Sentinel: Detect and flag unauthenticated endpoints as high risk;
  • Detect and block* requests to endpoints that require authentication but are missing required auth tokens.
  • Bot Defense: Detect and block malicious automated attacks attempting ATO attacks on login APIs.
API3:2019 Excessive data exposure A published API might expose more data than necessary, relying on the client app to perform the necessary filtering.
  • App dev collaborates with business groups to fully understand who uses/consumes the data
  • App dev should ensure the API never relies on client-side filtering.
  • Use a layered approach to schema validation and avoid using generic methods.
  • API Sentinel: Detect and block* requests to endpoints that are leaking proprietary/sensitive data in cleartext, deviating from published schemas.
  • Bot Defense: Detect automated exploitation and attacks of endpoints vulnerable to excessive data exposure.
API4:2019 Lack of resources & rate limiting By not implementing rate limiting policies, attackers can overwhelm the backend with denial-of-service attacks. API definition and test plans should include:

  • Rate limits for API calls and client notifications (e.g., resets, lockout, etc.).
  • Resource consumption limits and server-side validation for response size (e.g., # of records, etc.).
  • API Sentinel: Identify and alert on endpoints experiencing large spikes in usage. Identify IP and geographic sources of traffic spikes.
  • Bot Defense: Detect and block suspicious volumetric spikes in usage, based on custom & pre-defined checks separating bad requests from good requests.
API5:2019 Broken function level authorization This threat is a variation on API1 and is also an authorization vulnerability. With this threat, an attacker is able to perform actions by sending requests to functions they are unauthorized to access. Define, document and implement a strong and consistent access control/authorization mechanism that defaults to positive security model – deny all, except those you want to allow.
  • API Sentinel: Detect usage of all endpoints and methods from runtime usage, including sources such as IP addresses, organizations and countries.
  • Bot Defense: Detect and block automated attacks, such as reuse and enumeration of session keys/tokens across functions.
API6:2019 Mass assignment Unfiltered data provided via APIs to client apps allows attackers to guess object properties via requests.
  • App dev and security define, agree on and enforce adherence to published API schema.
  • Whitelist client-updatable properties; blacklist those that are restricted.
  • Identify exposed privileged endpoints and shadow APIs.
  • API Sentinel: Identify endpoints deviating from schema definitions. Detect and block*API requests or responses containing specific non-conformant headers or query params.
  • Bot Defense: Detect automated exploitation and attacks of endpoints vulnerable to such attacks.
API7:2019 Security misconfiguration Commonly a result of insecure default configurations, incomplete or ad-hoc configurations, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information.
  • App dev, business groups and security define and adhere to an API schema that includes encryption, authentication, and resource configuration requirements.
  • Define repeatable process for hardening, patching and functional security testing.
  • API Sentinel: Identify endpoints that use non-conformant headers, query params or verbose error messages leaking sensitive data. Detect and block* endpoints that are not supposed to be used, (e.g., hidden methods or endpoint paths).
  • Bot Defense: Detect and block automated exploitation attempts of hidden methods or endpoints, automatically separating good vs bad requests.
API8:2019 Injection Untrusted injection of data, such as SQL, NoSQL, XML Parsers, ORM, LDAP, OS Commands, and JavaScript, into API requests can result in the execution of unintended commands or unauthorized data access.
  • Define and enforce data types, parameter patterns and limit the number of records returned.
  • Test validation and filtering of data from client and external integrated systems.
  • Combine OWASP Web App Top 10 protection with API Security Top 10.
  • API Sentinel: Flag requests containing anomalous values indicating potential Injection attacks*.
  • App Firewall: detect and block injection attempts, such as SQLi or system commands in API request parameters.
API9:2019 Improper assets management Insufficient environment management and environment segregation allows attackers to access under-secured API endpoints.
  • Document and follow an API publication process, adopted by security, app dev, operations and all other related groups.
  • Visibility and monitoring to enforce adherence to process; discover shadow, newly released, out-of-spec APIs and take necessary actions.
  • API Sentinel: Detect and block*shadow APIs and hidden endpoints with real usage not conformant to API specifications.
  • Bot Defense: Detect and block anomalous and suspicious usage of hidden and shadow APIs originating from non-legitimate sources.
API10:2019 Insufficient logging & monitoring Insufficient logging, monitoring, and alerts allows attacks in progress to go undetected.
  • App dec, business groups, security should define and enforce monitoring and logging requirements for all APIs.
  • Implement runtime visibility and monitoring tools to discover anomalous traffic patterns.
  • API Sentinel: Continuous API visibility & usage analysis, incl. hidden endpoints and those not listed in OpenAPI schemas.
  • Bot Defense: Export data about suspicious, non-legitimate and blocked traffic detected to external SIEM systems for analysis by fraud and SecOps teams.

Items shown in Italics* = Roadmap

Tags

API Securitybest practicesOWASP

About the Author

Matt Keil

Matt Keil

Director of Product Marketing

22 December 2020

Predictions 2021: Getting an Edge Against the Bots

Read More
8 December 2020

The Open Banking API Security Imperative

Read More
25 November 2020

The Cequence Security Blog – Top 5 Posts of 2020

Read More
4 November 2020

Tales from the Front Lines: How Third-Party APIs Simplify Enumeration Attacks

Read More
22 October 2020

How the HR System Enabled my Promotion to CEO

Read More

Subscribe to our blog