The Open Web Application Security Project (OWASP) works to improve the security of software worldwide. OWASP’s well-known Top 10 lists increase awareness about the most critical security risks to web applications.
As the foundation for today’s app-driven economy, APIs have risen to the very top of those risks. API usage has exploded and has become ubiquitous across both external-facing and internal applications. To understand and mitigate unique API vulnerabilities and the growing threats against them, OWASP published its inaugural OWASP API Security Top 10.
The list provides companies with a good starting point for learning about the common weaknesses and security flaws that can exist within APIs. Of these, the most common are:
BOLA (Broken Object Level Authorisation)
Broken User Authentication
Excessive Data Exposure
Security Misconfiguration
BOLA
Accounting for about 40% of all API attacks, broken object level authorisation – or BOLA – represents the most prevalent API threat. Attackers can easily exploit API endpoints that are vulnerable to BOLA by manipulating the ID of an object sent within an API request. Because the server component typically does not fully track the client’s state, these vulnerabilities are extremely common in API-based applications.
BOLA authorization flaws can lead to data exfiltration as well as unauthorised viewing, modification, or destruction of data. BOLA can also lead to full account takeover (ATO).
Automatic static or dynamic testing cannot easily detect BOLA authorisation flaws. Traditional security controls, such as WAFs and API gateways, also miss these types of attacks because they cannot understand API context and so cannot baseline normal API behaviour.
Broken User Authentication
Broken user auth ..
Support the originator by clicking the read the rest link below.
