Region

Login

Support

OWASP Top 10 for API

Get Trained and Stay Ahead of Cybersecurity Threats with Our Vast Library of Application Security Training Content.

Backend course icon

Broken Function Level Authorization

Broken Function Level Authorization relates to the security issues arising due to improper validation of the authorization level of the user of an API and the function that it is intended to perform. This security issue is common with modern applications implementing improper checks due to the prevalence of several types of roles, scopes, and/or groups leading to a complex user access hierarchy.

Broken Object Level Authorization

Broken Object Level Authorization is a type of security vulnerability allowing attackers to exploit API endpoints by manipulating the ID of an object that is sent within the request. This may lead to unauthorized access to sensitive data. This issue is extremely common in API-based applications because the server component usually does not fully track the client’s state, and instead, relies more on parameters like object IDs, that are sent from the client to decide which objects to access.

Broken User Authentication

Broken User Authentication refers to a class of vulnerabilities, which allow attackers to assume other users’ identities due to a poorly implemented API authentication.

Excessive Data Exposure

Excessive Data Exposure issues are a class of vulnerabilities that arise when an API returns excessive amounts of data to the client, which may be used by a potential attacker to gain access to sensitive information.

Improper Assets Management

Improper Assets Management is a common type of security problem arising from inadequate access control restriction and/or the failure to properly implement security controls against undocumented or old versions of application API endpoints, source code repositories, or access to application development environments e.g. development, production, or staging environments.

Insufficient Logging & Monitoring

Insufficient logging and monitoring is a common issue when developing and deploying web applications and can result in sensitive information being accessed or stolen by malicious or unauthorized parties, without having the relevant audit trail data to identify or trace the source of the problem.

Lack of Resources & Rate Limiting

Lack of Resources & Rate Limiting refers to a vulnerability whereby the published APIs lack insufficient resources or limits on the rate of access per user or per client application, resulting in poor performance of the application and further making it susceptible to Denial of Service (DoS) or brute-force attacks or user enumeration attacks depending on the API’s implementation.

Mass Assignment

Mass assignment is a class of vulnerabilities whereby an active record or ORM pattern in a web application is modified by an attacker that should otherwise be protected from modification e.g. objects that may contain sensitive fields such as administrator status flags, permission flags, etc.

Security Misconfiguration - Part 1

Cross-origin resource sharing (CORS) is a browser mechanism that enables controlled access to resources located outside of a given domain. Further, many modern web applications use CORS to allow access from subdomains and trusted third parties. However, since CORS is an access control mechanism, it can be misconfigured, thereby enabling an attacker to bypass it and make the client browser act as a proxy between a malicious website and the target web application.

Security Misconfiguration - Part 2

Cross-origin resource sharing (CORS) is a browser mechanism that enables controlled access to resources located outside of a given domain. Further, many modern web applications use CORS to allow access from subdomains and trusted third parties. However, since CORS is an access control mechanism, it can be misconfigured, thereby enabling an attacker to bypass it and make the client browser act as a proxy between a malicious website and the target web application.

SQL Injection

SQL Injection is a type of code injection vulnerability that allows an attacker to interfere with the queries an application makes to its database. By injecting malicious SQL code, an attacker can read database content and thus gain access to sensitive information, modify or delete data, and in some cases execute administrative operations on the backed SQL server.

XXE Injection

XML External Entity (XXE) Injection is an attack targeting applications that transmit data between browser and server in XML format. By intercepting and modifying the data, an attacker can exploit potentially dangerous features of standard XML libraries, such as the parsing and loading of external entities, in order to gain access to the server’s filesystem or to interact with backend systems that the application has access to.

Ready to get started?

Experience the full Kontra platform and see what it can do for you and your team.

Get Your Free Trial

Almost There.

Are you ready to gain hands-on experience with the IT industry’s top tools, 
techniques, and technologies?

Take the first step and download the syllabus.

Name
Address
By clicking "Request Info," I consent to be contacted by ThriveDX, including by email, calls, and text messages, (including by autodialer or prerecorded messages) about my educational interests. I understand that my consent to be contacted is not required to enroll. Msg. and data rates may apply.

Contact (212) 448-4485 for more information. I also agree to the Terms of Use and Privacy Policy.

Download Syllabus

Let’s Talk

Download Syllabus

Apprenticeship Program

Apprenticeship Program

Let’s Talk

Access our Free OWASP Top 10 for Web

Enter your information below to join our referral program and gain FREE access for 14 days

Follow the steps below to get FREE access to our OWASP top 10 for Web course for 14 days

  1. Simply copy the LinkedIn message below
  2. Post the message on your LinkedIn profile
  3. We will contact you as soon as possible on LinkedIn and send you an invite to access our OWASP Top 10 for Web course

IMPORTANT!

Make sure you confirm the tag @ThriveDX Enterprise after pasting the text below in your LinkedIn to avoid delays in getting access to the course.
tagging ThriveDX Enterprise on LinkedIn

Ready to Share?

Take me to now >

Contact ThriveDX Partnerships

[forminator_form id=”10629″]
Skip to content