OWASP Top 10 for API

Get Trained and Stay Ahead of Cybersecurity Threats with Our Vast Library of Application Security Training Content.


Broken Function Level Authorization

Broken Function Level Authorization covers the security issues that arise when an API does not properly check whether the calling user is authorized to invoke the function (endpoint, method or operation) being requested. It is common in modern applications because the mix of roles, scopes and groups produces a complex access hierarchy, so administrative or otherwise privileged functions end up reachable by any authenticated user who knows the URL or HTTP method.

Broken Object Level Authorization

Broken Object Level Authorization is a vulnerability that lets an attacker exploit API endpoints by manipulating the ID of an object sent in the request, leading to unauthorized access to other users' data. It is extremely common in API-based applications because the server usually does not fully track the client's state and instead relies on parameters such as object IDs sent by the client to decide which objects to access; if the server never confirms that the authenticated user is allowed to access that specific object, any valid ID works.
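The two authorization failures described above (function-level in the previous module, object-level here) are easiest to see side by side. The following is an added example written for this page, not code from the Kontra course or from any real product: it models a hypothetical invoice API with an in-memory table, a role policy per endpoint, and an ownership check per object. All names, roles and invoice data are constructed.

```python
"""Object-level (BOLA) and function-level (BFLA) authorization checks for an API.

Added example with a hypothetical invoice API; names, roles and data are constructed.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """The caller is authenticated but not allowed to do this (HTTP 403)."""


@dataclass(frozen=True)
class Principal:
    user_id: int
    roles: frozenset  # e.g. frozenset({"user"}) or frozenset({"user", "admin"})


@dataclass
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed stand-in for the database.
INVOICES = {
    101: Invoice(101, owner_id=1, amount=40.0),
    102: Invoice(102, owner_id=2, amount=950.0),
}

# Function-level policy: which roles may call which endpoint. Unlisted endpoints are denied.
FUNCTION_POLICY = {
    "get_invoice": frozenset({"user", "admin"}),
    "delete_invoice": frozenset({"admin"}),
}


def require_function(caller: Principal, function_name: str) -> None:
    """Function-level check: may this role call this endpoint at all?"""
    if not caller.roles & FUNCTION_POLICY.get(function_name, frozenset()):
        raise Forbidden(f"{function_name} not permitted for roles {sorted(caller.roles)}")


def require_owner(caller: Principal, invoice: Invoice) -> None:
    """Object-level check: does this particular object belong to the caller (or is the caller an admin)?"""
    if invoice.owner_id != caller.user_id and "admin" not in caller.roles:
        raise Forbidden(f"invoice {invoice.invoice_id} is not owned by user {caller.user_id}")


def get_invoice_vulnerable(caller: Principal, invoice_id: int) -> Invoice:
    """BOLA: the caller is authenticated, but the client-supplied ID is trusted for the lookup."""
    return INVOICES[invoice_id]


def get_invoice(caller: Principal, invoice_id: int) -> Invoice:
    """Hardened: function-level check, then object-level check on the loaded object."""
    require_function(caller, "get_invoice")
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise KeyError(invoice_id)
    require_owner(caller, invoice)
    return invoice


def delete_invoice(caller: Principal, invoice_id: int) -> int:
    """Admin-only endpoint. Dropping require_function here would be BFLA: the endpoint
    would be reachable by any user who guesses the URL or HTTP method."""
    require_function(caller, "delete_invoice")
    invoice = INVOICES.pop(invoice_id)
    return invoice.invoice_id


def can(caller: Principal, action, *args) -> bool:
    """True if action(caller, *args) is permitted, False if it raises Forbidden."""
    try:
        action(caller, *args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice = Principal(1, frozenset({"user"}))
    admin = Principal(9, frozenset({"user", "admin"}))
    print(get_invoice_vulnerable(alice, 102))  # Bob's invoice leaks to Alice
    print(can(alice, get_invoice, 102))         # False: object-level denial
    print(can(alice, delete_invoice, 101))      # False: function-level denial
    print(can(admin, delete_invoice, 101))      # True
```

In a real handler the "not found" and "not yours" branches should produce the same response (typically 404) so that the error code does not let a caller enumerate which IDs exist; they are kept distinct above only to make the two checks visible.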

Broken User Authentication

Broken User Authentication refers to a class of vulnerabilities that allow attackers to assume other users' identities because the API's authentication is poorly implemented.

Excessive Data Exposure

Excessive Data Exposure is a class of vulnerabilities that arise when an API returns more data than the client needs, typically by serialising whole objects and relying on the client to filter what it displays. An attacker reading the raw response obtains the sensitive fields the user interface never shows.

Improper Assets Management

Improper Assets Management is a common problem arising from inadequate access control over, or a failure to apply security controls to, undocumented or outdated versions of API endpoints, source code repositories, and application environments such as development, staging, and production.

Insufficient Logging & Monitoring

Insufficient logging and monitoring is a common issue when developing and deploying web applications. It allows sensitive information to be accessed or stolen by malicious or unauthorized parties without the audit trail needed to detect the activity or trace its source.
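What an adequate audit trail looks like, and what can be detected from it, is best shown concretely. The following is an added example, not code from the Kontra course: it writes one structured JSON line per security-relevant request (who, from where, which action, which object, outcome) and runs two detections over a constructed log, one for password guessing against the login endpoint and one for an object-ID sweep of the kind a BOLA attacker performs. The event fields, IP addresses and actors are assumptions made for the example.

```python
"""Structured audit logging for an API, plus two detections run over the log.

Added example; the event format, actors and IP addresses are constructed.
"""
import json
from collections import defaultdict, deque


def audit_event(ts, actor, source_ip, action, target, outcome, request_id) -> str:
    """One JSON line per security-relevant request: who, from where, did what, to which
    object, with what result. Never put credentials, tokens or request bodies in here."""
    return json.dumps({"ts": ts, "actor": actor, "source_ip": source_ip, "action": action,
                       "target": target, "outcome": outcome, "request_id": request_id},
                      sort_keys=True)


def build_sample_log() -> str:
    """Constructed log: a password-guessing burst from one address, a normal user who
    mistypes once, and that same user probing other people's invoices by ID."""
    lines = []
    for i in range(6):  # six failed logins in six seconds from one address
        lines.append(audit_event(1000 + i, "user:alice", "203.0.113.9", "login", None, "failure", f"r{i}"))
    lines.append(audit_event(1002, "user:bob", "198.51.100.4", "login", None, "failure", "r10"))
    lines.append(audit_event(1003, "user:bob", "198.51.100.4", "login", None, "success", "r11"))
    for i, inv in enumerate(range(200, 208)):  # bob requests invoices that are not his
        lines.append(audit_event(1010 + i, "user:bob", "198.51.100.4", "get_invoice",
                                 f"invoice:{inv}", "denied", f"r2{i}"))
    return "\n".join(lines)


def parse_log(log_text: str) -> list:
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect_login_bruteforce(log_text: str, threshold: int = 5, window: int = 60) -> dict:
    """Source IPs with at least `threshold` failed logins inside `window` seconds,
    mapped to the timestamp of the event that crossed the threshold."""
    recent = defaultdict(deque)  # per-IP sliding window of failure timestamps
    flagged = {}
    for ev in parse_log(log_text):
        if ev["action"] != "login" or ev["outcome"] != "failure":
            continue
        q = recent[ev["source_ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["source_ip"] not in flagged:
            flagged[ev["source_ip"]] = ev["ts"]
    return flagged


def detect_object_enumeration(log_text: str, threshold: int = 5) -> dict:
    """Actors denied access to at least `threshold` distinct objects: the signature of
    someone walking through IDs looking for an authorization gap."""
    denied_targets = defaultdict(set)
    for ev in parse_log(log_text):
        if ev["outcome"] == "denied" and ev["target"]:
            denied_targets[ev["actor"]].add(ev["target"])
    return {actor: len(t) for actor, t in denied_targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    log = build_sample_log()
    print(detect_login_bruteforce(log))     # {'203.0.113.9': 1004}
    print(detect_object_enumeration(log))   # {'user:bob': 8}
```

Both detections depend on fields that are easy to omit when logging is an afterthought: the authenticated actor, the client address, the target object and the authorization outcome. Without the "denied" outcome per object, the second sweep is invisible, and without the source address the first one cannot be attributed.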

Lack of Resources & Rate Limiting

Lack of Resources & Rate Limiting refers to APIs that impose no limits on resource consumption (request size, page size, execution time) or on the rate of requests per user or per client application. The result is poor performance and, depending on the API's implementation, susceptibility to Denial of Service (DoS), brute-force, or user enumeration attacks.
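A per-client token bucket is the usual way to put the missing rate limit in place, and a clamped page size covers the resource side. The following is an added example, not code from the Kontra course: the limiter takes an injectable clock so its behaviour can be checked without sleeping, and the password-guessing simulation shows how many of an attacker's attempts actually reach the login handler. Client identifiers, capacities and the page-size limits are assumptions made for the example.

```python
"""Per-client token-bucket rate limiting and a page-size cap for an API.

Added example; client identifiers and limits are constructed.
"""
import time
from dataclasses import dataclass


@dataclass
class _Bucket:
    tokens: float
    last_refill: float


class TokenBucketLimiter:
    """Allow a burst of `capacity` requests per client, then `rate` requests per second."""

    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock  # injectable so tests do not have to sleep
        self._buckets = {}  # client_id -> _Bucket

    def allow(self, client_id: str) -> bool:
        """True if the request may proceed; False means answer HTTP 429 (with Retry-After)."""
        now = self.clock()
        bucket = self._buckets.get(client_id)
        if bucket is None:
            bucket = self._buckets[client_id] = _Bucket(tokens=float(self.capacity), last_refill=now)
        else:
            elapsed = now - bucket.last_refill
            bucket.tokens = min(float(self.capacity), bucket.tokens + elapsed * self.rate)
            bucket.last_refill = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


class FakeClock:
    """Manual clock for deterministic tests."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


DEFAULT_PAGE_SIZE = 20
MAX_PAGE_SIZE = 100


def clamp_page_size(requested) -> int:
    """Resource limit: never let ?limit= pull an unbounded number of records."""
    try:
        n = int(requested)
    except (TypeError, ValueError):
        return DEFAULT_PAGE_SIZE
    return max(1, min(n, MAX_PAGE_SIZE))


def attempts_admitted(limiter: TokenBucketLimiter, client_id: str, attempts: int) -> int:
    """How many of `attempts` back-to-back requests (e.g. password guesses) get through."""
    return sum(1 for _ in range(attempts) if limiter.allow(client_id))


if __name__ == "__main__":
    clock = FakeClock()
    limiter = TokenBucketLimiter(capacity=5, rate=1.0, clock=clock)
    print(attempts_admitted(limiter, "203.0.113.9", 100))  # 5 of 100 guesses reach the handler
    clock.advance(2.0)
    print(attempts_admitted(limiter, "203.0.113.9", 10))   # 2 more after two seconds
    print(clamp_page_size("1000000"))                      # 100
```

Keying the bucket on the authenticated client or API key rather than only on the source IP stops one attacker behind a shared address from exhausting everyone else's quota, and a separate, tighter bucket on the login endpoint is what actually blunts credential guessing.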

Mass Assignment

Mass Assignment is a class of vulnerabilities in which an attacker sets model attributes that should be protected, because the application binds request parameters directly to an Active Record or ORM object without an allowlist. Objects with sensitive fields such as administrator status flags or permission flags are the typical targets.
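Mass Assignment and Excessive Data Exposure (described earlier on this page) are the same mistake in opposite directions: binding or serialising a whole model instead of an explicit list of fields. The following is an added example, not code from the Kontra course, that shows both failures and their fixes on one hypothetical User model. The field names, the password hash placeholder and the viewer rule are assumptions made for the example.

```python
"""Field allowlists in both directions: what a client may set (mass assignment) and what
the API may return (excessive data exposure).

Added example; the User model and its sample record are constructed.
"""
from dataclasses import asdict, dataclass


@dataclass
class User:
    id: int
    email: str
    display_name: str
    password_hash: str
    is_admin: bool = False


# Fields a user may change on their own record; everything else is server-controlled.
WRITABLE_FIELDS = frozenset({"email", "display_name"})
# Fields anyone may see, and the extra ones only the record's owner may see.
PUBLIC_FIELDS = frozenset({"id", "display_name"})
OWNER_FIELDS = PUBLIC_FIELDS | {"email"}


def update_user_vulnerable(user: User, payload: dict) -> User:
    """Binds every key of the JSON body to the model: {"is_admin": true} is honoured."""
    for key, value in payload.items():
        setattr(user, key, value)
    return user


def update_user(user: User, payload: dict) -> User:
    """Rejects any field outside the allowlist. Answering HTTP 400 rather than silently
    dropping the field keeps tampering attempts visible in the logs."""
    rejected = set(payload) - WRITABLE_FIELDS
    if rejected:
        raise ValueError(f"fields not writable: {sorted(rejected)}")
    for key, value in payload.items():
        setattr(user, key, value)
    return user


def serialize_user_vulnerable(user: User) -> dict:
    """Dumps the whole model; the UI only renders the name, but the hash is in the response."""
    return asdict(user)


def serialize_user(user: User, viewer_id: int) -> dict:
    """Response allowlist chosen by the relationship between viewer and record."""
    allowed = OWNER_FIELDS if viewer_id == user.id else PUBLIC_FIELDS
    return {k: v for k, v in asdict(user).items() if k in allowed}


def sample_user() -> User:
    return User(id=7, email="alice@example.com", display_name="alice",
                password_hash="$argon2id$constructed-placeholder", is_admin=False)


def try_update(user: User, payload: dict) -> bool:
    """True if the hardened update accepted the payload, False if it was rejected."""
    try:
        update_user(user, payload)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    u = sample_user()
    print(update_user_vulnerable(u, {"display_name": "alice", "is_admin": True}).is_admin)  # True
    u = sample_user()
    print(try_update(u, {"display_name": "alice", "is_admin": True}))  # False
    print(serialize_user(u, viewer_id=8))  # {'id': 7, 'display_name': 'alice'}
```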

Security Misconfiguration - Part 1 and Part 2

Cross-origin resource sharing (CORS) is a browser mechanism that enables controlled access to resources served from a different origin than the requesting page. Many modern web applications use CORS to allow access from subdomains and trusted third parties. However, since CORS is an access control mechanism, it can be misconfigured, for example by reflecting any Origin header or by matching trusted domains loosely, enabling an attacker to bypass it and make the victim's browser act as a proxy between a malicious website and the target web application.
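The two CORS misconfigurations most often found in API backends are origin reflection (any Origin is echoed back, with credentials allowed) and a loose suffix match intended to cover subdomains. The following is an added example, not code from the Kontra course, showing both beside a strict check that compares the parsed host; the allowlist, the trusted parent domain and the test origins are assumptions made for the example.

```python
"""Computing CORS response headers: two common misconfigurations beside a strict allowlist.

Added example; the allowlist, parent domain and sample origins are constructed.
"""
from urllib.parse import urlsplit

ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})
TRUSTED_PARENT = "example.com"  # https subdomains of this zone are trusted too


def _allow(origin: str) -> dict:
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # shared caches must not serve one origin's ACAO to another
    }


def cors_headers_reflecting(origin) -> dict:
    """Misconfiguration 1: echo whatever Origin the browser sent, with credentials.
    Any site can now make the victim's browser call the API and read the
    cookie-authenticated response."""
    return _allow(origin) if origin else {}


def cors_headers_suffix_match(origin) -> dict:
    """Misconfiguration 2: 'ends with example.com' also matches https://attackerexample.com."""
    return _allow(origin) if origin and origin.endswith(TRUSTED_PARENT) else {}


def origin_is_trusted(origin) -> bool:
    """Exact allowlist, or an https origin whose parsed host is the parent or a subdomain of it."""
    if not origin or origin == "null":  # 'null' is what sandboxed iframes and file:// pages send
        return False
    if origin in ALLOWED_ORIGINS:
        return True
    parts = urlsplit(origin)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return False
    return host == TRUSTED_PARENT or host.endswith("." + TRUSTED_PARENT)


def cors_headers(origin) -> dict:
    """Hardened: emit the headers only for a trusted origin; otherwise send none at all,
    and the browser refuses the cross-origin read."""
    return _allow(origin) if origin_is_trusted(origin) else {}


if __name__ == "__main__":
    for o in ["https://evil.example", "https://attackerexample.com",
              "https://app.example.com.evil.example", "null", "https://reports.example.com"]:
        print(o, "reflecting:", bool(cors_headers_reflecting(o)),
              "suffix:", bool(cors_headers_suffix_match(o)),
              "strict:", bool(cors_headers(o)))
```

Parsing the origin with urlsplit rather than doing string comparison is what defeats the `https://app.example.com@evil.example` and `https://app.example.com.evil.example` variants: in both cases the parsed host is the attacker's, not the trusted zone.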

SQL Injection

SQL Injection is a code injection vulnerability that allows an attacker to interfere with the queries an application makes to its database. By injecting SQL syntax through untrusted input, an attacker can read database content and so obtain sensitive information, modify or delete data, and in some cases execute administrative operations on the backend database server.

XXE Injection

XML External Entity (XXE) Injection is an attack on applications that accept XML input. By submitting crafted XML, an attacker can exploit potentially dangerous features of standard XML libraries, such as the parsing and loading of external entities, to read files from the server's filesystem or to interact with backend systems that the application can reach.
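Untrusted XML never legitimately needs a DOCTYPE or entity declarations, so the simplest robust defence is to refuse them outright rather than to rely on each parser's defaults. The following is an added example, not code from the Kontra course: it runs the standard-library expat parser over the document with handlers that abort on any DOCTYPE, entity declaration or external entity reference, and only then builds the tree. Python's expat does not fetch external entities unless the application registers a handler for them, but parsers in other stacks (and lxml with entity resolution left on) do, which is why the policy is made explicit here. The documents below are constructed for the example.

```python
"""Refusing DTD and entity constructs before parsing untrusted XML.

Added example; the sample documents are constructed.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """The document uses a DOCTYPE or entity declaration, which untrusted input never needs."""


def assert_no_dtd(xml_text: str) -> None:
    """Parse with expat configured to raise on any DTD-related construct."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject(*_args):
        raise UnsafeXML("DOCTYPE and entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = reject   # <!DOCTYPE ...>, internal or external subset
    parser.EntityDeclHandler = reject         # <!ENTITY ...>, SYSTEM, PUBLIC or internal
    parser.ExternalEntityRefHandler = reject  # would fire if an external entity were loaded
    parser.Parse(xml_text, True)


def parse_untrusted(xml_text: str) -> ET.Element:
    """Gate the document, then parse it normally."""
    assert_no_dtd(xml_text)
    return ET.fromstring(xml_text)


def is_accepted(xml_text: str) -> bool:
    """True if the document passes the gate and parses; False if it is rejected or malformed."""
    try:
        parse_untrusted(xml_text)
        return True
    except (UnsafeXML, expat.ExpatError, ET.ParseError):
        return False


# Constructed inputs: a normal order, a classic file-read XXE, and an entity-expansion bomb.
SAFE_DOC = '<?xml version="1.0"?><order id="42"><item sku="A1" qty="2"/></order>'
XXE_DOC = ('<?xml version="1.0"?>'
           '<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           '<order id="42"><item sku="&xxe;"/></order>')
LAUGHS_DOC = ('<?xml version="1.0"?>'
              '<!DOCTYPE lol [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">]>'
              '<order>&b;</order>')


if __name__ == "__main__":
    print(parse_untrusted(SAFE_DOC).attrib)  # {'id': '42'}
    print(is_accepted(XXE_DOC))              # False
    print(is_accepted(LAUGHS_DOC))           # False
```

Rejecting the DOCTYPE also shuts down the internal-entity expansion ("billion laughs") denial of service, which has nothing to do with external entities and which an external-entity-only setting leaves open.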

Ready to get started?

Experience the full Kontra platform and see what it can do for you and your team.

Get Your Free Trial
