Application Programming Interfaces (APIs) power the modern web and mobile experience by letting different services talk to each other. They make everything from online shopping to bank transfers convenient. However, when APIs are designed or configured poorly, they create openings that attackers can exploit. The OWASP API Security Top 10 for 2023 highlights the most common and critical issues that lead to breaches.
API1: Broken Object Level Authorization – Many API endpoints include user‑controlled identifiers that point to objects such as accounts or orders. If the server does not check whether the requester is authorized to access that specific object, an attacker can change the identifier to retrieve or modify someone else’s data. This is like changing a number in a web address to view another person’s order details.
API2: Broken Authentication – APIs rely on tokens or credentials to know who is making a request. If authentication is implemented incorrectly or session tokens are poorly managed, attackers can impersonate legitimate users or take over their sessions. That means they can perform actions on behalf of victims.
API3: Broken Object Property Level Authorization – An API might enforce access to an object but fail to restrict which properties of that object a user can view or update. Without granular checks on each field, sensitive information can leak or be modified by unauthorized users.
API4: Unrestricted Resource Consumption – Some API calls trigger expensive operations or return large amounts of data. If there are no limits on how often or how much a client can request, malicious actors can overwhelm the server’s CPU, memory or bandwidth. This can lead to denial‑of‑service conditions that affect all users.
API5: Broken Function Level Authorization – APIs often expose multiple functions, some of which should only be available to admins or specific roles. Attackers can enumerate endpoints and call privileged functions if there are no proper checks on the user’s role. That might allow them to perform management operations they shouldn’t access.
API6: Unrestricted Access to Sensitive Business Flows – Business‑critical operations such as checkout processes or account upgrades are sometimes exposed without safeguards like captchas or rate limiting. Attackers can automate these flows to abuse promotions or disrupt normal operations.
API7: Server Side Request Forgery (SSRF) – When an API fetches resources on behalf of a client, attackers may be able to manipulate URLs to make the server request internal services not meant to be exposed. This can reveal internal system information or be used as a pivot for further attacks.
API8: Security Misconfiguration – Default settings, verbose error messages or inconsistent TLS enforcement are examples of misconfigurations that can weaken an API’s security posture. Attackers will probe for these mistakes to gather information or bypass protections.
API9: Improper Inventory Management – Organizations sometimes leave old or undocumented API versions running. Without an up‑to‑date inventory of all endpoints, it’s easy to miss vulnerable or unnecessary services. Attackers can discover and exploit these forgotten APIs.
API10: Unsafe Consumption of APIs – APIs often consume other services. If they blindly trust external or third‑party APIs and fail to validate responses, they can propagate malicious data or rely on insecure dependencies. Cascading failures can result.
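The object-level check behind API1 and the property-level allowlisting behind API3, shown side by side in a small Python example added here (not part of the original article or of any product it mentions): the roles, order fields and sample orders are constructed assumptions, and the same pattern applies to any object a client can address by identifier.

```python
from dataclasses import dataclass, asdict
@dataclass
class User:
    id: int
    role: str  # "customer" or "admin"

@dataclass
class Order:
    id: int
    owner_id: int
    shipping_address: str
    total: float         # a customer must never be able to rewrite this
    internal_notes: str  # staff-only field

# Constructed sample data for this example; not from any real system.
ORDERS = {
    1001: Order(1001, owner_id=1, shipping_address="1 Main St", total=19.99, internal_notes="fraud check passed"),
    1002: Order(1002, owner_id=2, shipping_address="9 Elm Rd", total=45.00, internal_notes="expedite"),
}
class Forbidden(Exception): pass

# Per-role allowlist of which order fields may be read and written (API3).
READABLE = {"customer": {"id", "shipping_address", "total"},
            "admin": {"id", "owner_id", "shipping_address", "total", "internal_notes"}}
WRITABLE = {"customer": {"shipping_address"},
            "admin": {"shipping_address", "total", "internal_notes"}}

def get_order_vulnerable(order_id: int) -> dict:
    # API1: no ownership check on the client-supplied id; API3: every field is serialised, so internal_notes leaks.
    return asdict(ORDERS[order_id])

def _authorize(requester: User, order_id: int) -> Order:
    order = ORDERS.get(order_id)
    # Same error for "does not exist" and "not yours": no oracle for valid ids.
    if order is None or (requester.role != "admin" and order.owner_id != requester.id):
        raise Forbidden("order not found")
    return order

def get_order(requester: User, order_id: int) -> dict:
    order = _authorize(requester, order_id)  # API1: object-level check
    return {k: v for k, v in asdict(order).items() if k in READABLE[requester.role]}

def update_order(requester: User, order_id: int, changes: dict) -> dict:
    order = _authorize(requester, order_id)  # API1: object-level check
    rejected = set(changes) - WRITABLE[requester.role]  # API3: block mass assignment
    if rejected:
        raise Forbidden(f"cannot modify: {sorted(rejected)}")
    for k, v in changes.items():
        setattr(order, k, v)
    return get_order(requester, order_id)
```

Note that the hardened path rejects unknown and foreign identifiers with the same error, so a caller cannot tell a missing order from someone else's, and that writable fields are an allowlist rather than a list of blocked names.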
By understanding these risks and building APIs with security in mind, organizations can reduce their attack surface. Following the OWASP guidelines, implementing proper authentication and authorization, enforcing rate limits and monitoring for unusual activity are key steps. Zerberos offers penetration testing services for API endpoints based on the OWASP standard to help identify and address these vulnerabilities.