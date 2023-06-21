Both OWASP and Akamai continue to see major risks on the object level, which explains why BOLA remains the first and most critical API security risk to be aware of.

However, diving one level deeper and looking at the object property level, there is additional risk of oversharing information or allowing for specific properties that can be modified or deleted when that should not be the case.

Being covered for BOLA doesn’t mean you are covered for BOPLA, and combining Mass Assignment and Excessive Data Exposure into a single category emphasizes the attention required by API developers for properties in an object.

This distinction is important for those who are choosing an API security product because they need to make sure that the product covers both types of attack.

IN | API6:2023 | Server Side Request Forgery

OWASP lowered the Injection security risk and, in doing so, removed it from the top 10 and paved the way for Server-Side Request Forgery (SSRF) to be added.

SSRF is a type of attack that exploits a vulnerability in a web application or API that allows an attacker to make unauthorized requests from the server to other internal or external systems.

Here are some potential reasons why OWASP chose to make this change:

APIs are more vulnerable to SSRF attacks because they rely on modern technologies, such as Kubernetes and Docker, which rely on HTTPS API-based communication protocols.

With technologies such as Webhooks, SSO integrations, and URL file fetching/redirects through API endpoints, there is an opportunity for threat actors to apply SSRF.

A deeper dive

For a deeper dive into SSRF attacks, read Mike Elissen’s article Your APIs Are Enabling Server-Side Request Forgery (SSRF) Attacks.

OUT | API8:2019 | Injection

Removing Injection attacks from the list was a bold and contentious move within the API security community, but there is a reduced threat from Injection attacks on API endpoints.

Injection is now is essentially part of API8:2023 | Security Misconfiguration. Proper security configuration should include web application and API protection mechanisms, which should scan and prevent injections by default.

GraphQL is growing as an API technology. It is, at its core, a querying language that could re-open the door to a rise in Injection attacks, so API developers who rely on GraphQL should continue to stay vigilant.

NEW | API4:2023 | Unrestricted Resource Consumption

The original list focused specifically on understanding the risk of resource consumption that leads to API endpoints becoming overwhelmed (and potentially unavailable) harming user experience.

API endpoints these days need to be available — but just being available isn't everything. Implementing API gateway, load balancing, or rate limiting controls is a step in the right direction.

In recent years, we are seeing a huge shift in the “economics of API usage.” This updated category takes aim at creating awareness of this aspect, which will continue to grow with third-party API integrations.

NEW | API6:2023 | Unrestricted Access to Sensitive Business Flows

Another new addition is API6:2023 Unrestricted Access to Sensitive Business Flows. This category has finally codified what makes security so special: to think more like a threat actor and see where potential gains can be.

The technology (the API) is just a way to execute the business logic, and having ways of bypassing or altering this business logic through the technology is unwanted and could lead to complications.

OWASP shared specific examples of how these complications can be prevented, but this security risk is very specific to the business logic that your API endpoints are supporting.

API developers: Example

Recently, Mike Elissen had a conversation with API developers at a streaming service. To attract a new audience, this streaming service offered a free 30-day trial for new users who shared their credit card information.

However, the business logic was only looking at unique email addresses for new sign-ups. A new email address could easily access a new trial using the same credit card information, which could lead to users who create new accounts each month, using the service for free indefinitely.

NEW | API10:2023 | Unsafe Consumption of APIs

As third-party API consumption is growing rapidly, APIs often have to integrate and communicate with different internal and external (third-party) services, sending and receiving data.

It is important to follow the “basic” rules of security in those cases, too, and it can be complicated for security products to detect vulnerabilities and proactively defend in this space.

OWASP includes a range of suggestions in their document, both general and API-specific, such as:

Follow redirections carefully. Build this oversight into the business logic as well as add security solutions that are continuously monitoring and inspecting the traffic flows.

Do not simply trust third-party APIs, even if they have a good reputation. Build defenses and limits into your application and API endpoints.

Congratulations and thank you, OWASP!

Creating security awareness takes a huge effort from the community, and we appreciate OWASP for heading up this project. Special thanks to Erez Yallon, Inon Shkedy, and Paulo Silva for all their great work on the 2023 edition.

We also want to thank all the contributors, specifically Akamai’s Maxim Zavodchik and Mike Elissen for participating in this project and educating the larger developer community on API security.

