OWASP API Security

Understanding the OWASP API Security Top 10 (2023)

APIs form the backbone of modern applications—facilitating communication between mobile apps, microservices, partner systems, and cloud platforms. However, their growing adoption has also expanded the attack surface for malicious actors. The OWASP API Security Top 10 (2023) outlines the most critical security risks facing APIs today.

This guide explains how REST APIs function, the common API workflow, and how each of the OWASP top 10 risks manifests in real-world scenarios—with practical mitigation strategies.

---

How REST APIs Work

REST APIs expose application functionality over HTTP(S), allowing clients to interact with backend systems. A typical API request might look like this:

POST /api/v1/orders HTTP/1.1  
Host: api.store.com  
Authorization: Bearer <access_token>  
Content-Type: application/json  

{
  "productId": "12345",
  "quantity": 2
}

Here’s how the request is processed:

1. Authentication – Validating the access token.

2. Authorization – Ensuring the user has permission to perform the action.

3. Input Validation – Checking the request payload for format or malicious content.

4. Business Logic Execution – Processing the request, such as creating an order or sending a notification.

5. Resource Usage – Accessing databases, cloud services, or third-party APIs.

6. Response Generation – Returning a success or error response to the client.

Any weakness in these steps can lead to serious vulnerabilities. The OWASP API Security Top 10 categorizes the most common and critical of these.

---

OWASP API Security Top 10 – 2023

1. Broken Object Level Authorization (BOLA)

Issue: APIs expose object identifiers like userId=123, which attackers manipulate to access unauthorized data.

Example:

GET /api/users/12345/profile → attacker changes to /12346

The attacker retrieves someone else’s profile.

Mitigation:
Always enforce object-level checks at the API or service layer, such as comparing the userId in the request with the one in the access token.

---

2. API2:2023 – Broken Authentication

Issue: Weak authentication mechanisms allow attackers to impersonate legitimate users.

Example:

• JWT tokens are not properly validated.

• Tokens do not expire, leading to perpetual access.

Mitigation:
Use industry standards like OAuth2 and OIDC. Implement multi-factor authentication (MFA), rotate secrets, and validate token signatures and expiry.

---

3. Broken Object Property Level Authorization

Issue: Users can view or modify fields they should not have access to.

Example:

{
  "username": "amit",
  "role": "admin"
}

An attacker includes "role": "admin" in an update request and elevates privileges.

Mitigation:
Implement field-level access control. Only expose and accept properties appropriate for the user’s role.

---

4. Unrestricted Resource Consumption

Issue: Absence of limits on API usage or payloads can exhaust system resources or inflate costs.

Example:

• Uploading excessively large files.

• Bots triggering 10,000 SMS requests in an hour.

Mitigation:
Set limits on timeouts, memory, upload sizes, and concurrent requests. Apply rate limiting per user, IP, or endpoint, and enforce quotas for high-cost operations.

---

5. Broken Function Level Authorization

Issue: Attackers bypass UI controls to access unauthorized endpoints.

Example:

DELETE /api/users/56789

A regular user accesses a delete operation intended only for administrators.

Mitigation:
Use role-based or attribute-based access control (RBAC/ABAC) to enforce authorization checks on all endpoints, regardless of how they’re exposed.

---

6. Unrestricted Access to Sensitive Business Flows

Issue: APIs allow sensitive workflows (like checkout or account creation) to be abused at scale.

Example:
An attacker automates the checkout API to purchase limited-stock items before legitimate users can.

Mitigation:
Implement abuse detection, rate limits for business-critical operations, and bot mitigation techniques such as CAPTCHA or behavioral analysis.

---

7. Server Side Request Forgery (SSRF)

Issue: APIs that fetch external URLs allow attackers to target internal systems.

Example:

{ "url": "http://169.254.169.254/latest/meta-data" }

The request exposes internal AWS instance metadata.

Mitigation:
Block requests to internal IP ranges and use allow-lists to validate external URLs. Reject requests to [file://](file://), gopher://, or localhost endpoints.

---

8. Security Misconfiguration

Issue: Default, weak, or inconsistent configurations expose systems to attackers.

Example:

• Swagger docs are publicly accessible in production.

• CORS policy is set to allow all origins.

Mitigation:
Harden production environments by disabling debug modes and verbose error messages. Enforce secure headers such as CORS, CSP, and HSTS. Regularly review and test configurations.

---

9. Improper Inventory Management

Issue: Untracked or deprecated APIs are accessible and vulnerable.

Example:
A forgotten endpoint /api/v1/exportAll is still accessible without authentication.

Mitigation:
Maintain a comprehensive inventory of all APIs. Use API gateways or scanning tools to detect and monitor endpoints. Implement clear versioning and formally deprecate unused APIs.

---

10. Unsafe Consumption of APIs

Issue: Trusting external APIs without proper validation can lead to data poisoning or injection attacks.

Example:
An application consumes data from a partner API without schema validation, leading to security vulnerabilities.

Mitigation:
Validate all third-party API responses using schema validators. Apply strict input sanitization, enforce timeouts, and handle errors gracefully to prevent downstream impacts.

---

Extending Security with API Threat Modeling

While OWASP helps prioritize known API flaws, threat modeling helps discover flaws early—before code is written. It's a proactive security design exercise for understanding how your API can be attacked and defended.

What Is API Threat Modeling?

API threat modeling identifies:

• What could go wrong?

• Who might attack?

• How can those attacks be prevented?

---

Step-by-Step Threat Modeling for APIs

1. Define API Assets and Scope:

• Public/private endpoints

• Authentication methods

• Sensitive data types (PII, tokens)

2. Map the API Workflow:

[Client] → [API Gateway] → [App Logic] → [Database/External APIs]

Mark trust boundaries (e.g., internet → internal network).

3. Apply STRIDE to Each Component:

4. Identify Mitigations:

• Schema validation for inputs

• RBAC enforcement on every method

• Rate limits on high-cost operations

• Strict URL allow-lists

• Logging and anomaly detection

---

Tools and Practices

• Threat Modeling Tools: OWASP Threat Dragon, Microsoft Threat Modeling Tool

• Testing: Burp Suite, ZAP, Postman Security Fuzzers

---

Conclusion

APIs are the interface to your application’s core logic and data. As they grow in complexity and exposure, so do the associated risks.

The OWASP API Security Top 10 provides a structured approach to understanding and mitigating the most critical vulnerabilities.

By integrating secure design principles, enforcing proper access controls, validating inputs and outputs, and monitoring API usage, organizations can significantly reduce their risk surface and protect both users and infrastructure.

---

Reference resource: official owasp guidelines