OWASP Top 10 API Security Risks

The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation dedicated to improving the security of software. OWASP provides free and open resources, including tools, methodologies, and documentation, to help organizations secure their web applications. One of OWASP’s most well-known contributions is the list of Top 10 API Security Risks, highlighting the most critical risks to API security. An update in 2023 reflected the growing importance and unique challenges of securing application programming interfaces (APIs) and web applications.

APIs are sets of rules and protocols that allow different software applications to communicate with each other. A key function of APIs is to facilitate an efficient exchange of data between technologies. As a foundational technology for modern application architecture, APIs enable one application to request information and leverage functionality from other apps and services, rather than having to replicate that data or build those services from scratch. APIs are at the center of our digital world, connecting applications, systems, and data.

Eighty-four percent of organizations have experienced API security incidents within the previous 12 months, according to 1,200+ IT and security professionals who participated in the 2024 API Security Impact Study. With the rapid rise of APIs in modern application architecture, cybercriminals have become increasingly drawn to APIs as an attack vector for several reasons.

• Widespread adoption: APIs are ubiquitous in modern software development, powering web and mobile applications, IoT devices, and integrations between various platforms. This widespread adoption creates many new potential targets for attackers and enlarges an organization’s attack surface.
• Access to sensitive data: APIs often handle sensitive data, including personal information, financial details, and proprietary business data. By exploiting APIs, attackers can gain access to valuable and confidential information that can be used for identity theft, financial fraud, or corporate espionage.
• Direct access to back-end systems: APIs provide direct access to back-end systems and databases, often bypassing traditional user interfaces. This direct access can be exploited to retrieve, modify, or delete data without going through the usual security checks and balances of front-end applications.
• Complexity and misconfigurations: APIs can be complex, with many endpoints and versions, each requiring proper configuration and security. Misconfigurations and security lapses are common, making the odds of success in an API attack fairly high.
• Automation and scalability of attacks: APIs can be targeted using automated tools and scripts, making it easier for attackers to scale their attacks. Automated attacks can rapidly exploit API vulnerabilities such as weak authentication mechanisms and other security flaws.
• Third-party integrations: APIs often facilitate integrations with third-party services, which can introduce additional security risks. If a third-party service is compromised, it can provide an entry point for attackers to exploit the primary API.
• Insufficient logging and monitoring: Many organizations lack proper logging and monitoring for their APIs, making it difficult to detect and respond to suspicious activities in real time. This allows attackers to exploit security vulnerabilities without being detected for extended periods.

To understand the specific threats in the OWASP Top 10 API Security Risks, it’s helpful to review some key concepts and terms related to APIs.

• API endpoints: API endpoints are specific URLs or paths where an API can be accessed by a client. Each endpoint provides access to different functions or resources such as submitting a form, updating a database entry, or retrieving user information.
• Calls and requests: An API call or request is a message sent by a client to an API endpoint to request data or perform an action. An API call or request generates a response from the API endpoint.
• Objects: Objects are data structures that represent real-life entities like users, products, or orders. Objects can have attributes/properties and methods/functions. In a social media API, for example, an object may be a user profile with attributes like name, profile picture, and email, and methods like sending a friend request and updating the profile.
• Data binding: Data binding is the process of mapping input data from API requests to objects.
• Authentication: Authentication is the process of verifying the identity of a user or system making an API request. The purpose of entity authentication or user authentication is to determine that the entity is who or what it claims to be.
• Authorization: Authorization determines what level of access permissions an authenticated user or system is allowed.

The OWASP Top 10 API Security Risks highlight the most critical security risks to APIs.

• API1:2023 – Broken Object Level Authorization: This threat occurs when an API does not properly restrict access to certain objects based on user permissions. This means unauthorized users can access or modify data they shouldn’t be able to, potentially exposing sensitive information or allowing malicious actions.
• API2:2023 – Broken Authentication: Broken authentication happens when the methods used to verify the identity of users are flawed. This can allow attackers to take over user accounts, gain unauthorized access, and perform actions as if they were legitimate users.
• API3:2023 – Broken Object Property Level Authorization: This issue happens when APIs do not properly check permissions at the property level within objects. It may allow attackers to gain unauthorized access or to modify specific data fields within an object, exposing sensitive data or enabling malicious actions.
• API4:2023 – Unrestricted Resource Consumption: APIs need resources like network bandwidth, CPU, memory, and storage to function. When APIs don’t have adequate limits on resource consumption, attackers can overwhelm the API by making excessive requests, leading to denial of service or increased operational costs.
• API5:2023 – Broken Function Level Authorization: Broken function level authorization means that the API does not properly restrict access to certain functions or actions based on user roles. This allows users to perform actions they shouldn’t be able to, such as accessing administrative functions.
• API6:2023 – Unrestricted Access to Sensitive Business Flows: APIs may expose business processes, such as purchasing items or posting comments, without adequately controlling how these functions can be abused. Attackers may automate misuse of these functionalities to harm the business.
• API7:2023 – Server Side Request Forgery (SSRF): SSRF occurs when an API fetches resources from another server without properly validating the user-provided URL. Attackers can exploit this to make the API server send requests to unintended locations, bypassing firewalls or accessing internal systems.
• API8:2023 – Security Misconfiguration: Security misconfiguration involves having incorrect or incomplete settings in an API, making it vulnerable to attacks. This can happen due to default settings, missing patches, or misconfigured security controls that lead to potential exploits.
• API9:2023 – Improper Inventory Management: This risk occurs when APIs expose more endpoints than necessary or lack proper documentation and version management. Attackers can exploit outdated, deprecated, or unsecured endpoints and API versions that developers might have forgotten about.
• API10:2023 – Unsafe Consumption of APIs: Developers may trust data from third-party APIs too much and not apply the same security standards they use for user inputs. Attackers can exploit vulnerabilities in these third-party services to compromise the API indirectly.

An earlier version of the OWASP API security project included several additional types of attacks and vulnerabilities that still pose great threat to organizations:

• Excessive Data Exposure: Excessive data exposure occurs when APIs provide more data than necessary in their responses. This can unintentionally reveal sensitive information to attackers, even if the information is not directly requested by the user.
• Lack of Rate Limiting: This threat involves APIs not limiting the number of requests a user can make in a given period. Without rate limiting, attackers can overload the API with too many requests, causing a denial of service or exploiting resource-intensive operations.
• Mass Assignment: Mass assignment happens when APIs automatically bind input from requests to program objects, allowing attackers to modify or set unintended data fields. This can lead to unauthorized changes to data or configurations that the user should not be able to control.
• Injection: Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. Examples include SQL, NoSQL, and command injections, which can lead to data theft, loss, or corruption by tricking the API into executing unintended commands.
• Insufficient Logging & Monitoring: When administrators don’t properly record logs and monitor APIs, suspicious activities may go unnoticed, delaying the detection of breaches and making it difficult to respond to security incidents effectively.
• Improper Assets Management: Improper assets management refers to not properly maintaining and monitoring an API’s endpoints and versions. This can lead to exposure of old, deprecated, or insecure endpoints that attackers can exploit.

To protect their APIs against the OWASP Top 10 API Security Risks and other threats, IT and security teams should deploy a multilayered strategy for API security.

At the core of this approach: deploying a complete API security solution that provides four key functions: API discovery, API security posture management, runtime protection, and API security testing. 

This comprehensive approach works as an important complement to an organization’s existing tools for managing and securing APIs, such as API gateways and web application firewalls (WAFs).

API discovery: Most organizations have little to no visibility into a large percentage of their API traffic, often because they assume all of their APIs are routed through an API gateway. But that is not the case. Many of a typical organization’s APIs are unmanaged (e.g., dormant APIs that are forgotten about, but still running and still in contact with sensitive data). Your enterprise is exposed to a range of risks without a complete and accurate inventory. Core capabilities needed: 

• Locating and inventorying all of your APIs, regardless of configuration or type
• Detecting dormant, legacy, and zombie APIs
• Identifying forgotten, neglected, or otherwise unknown shadow domains
• Eliminating blind spots and uncovering potential attack paths 

API posture management: With a complete API inventory in place, it’s critical to understand what types of data flow through your APIs and how that affects your ability to comply with regulatory requirements. API posture management provides a comprehensive view of traffic, code, and configurations to assess your organization’s API security posture. Core capabilities needed:

• Automatically scanning infrastructure to uncover misconfigurations and hidden risks
• Creating custom workflows to notify key stakeholders of vulnerabilities
• Identifying which APIs and internal users are able to access sensitive data
• Assigning severity rankings to detected issues to prioritize remediation

API runtime security: You’re no doubt familiar with the concept of “assume breach.” API-specific breaches and attacks are reaching that same degree of inevitability. For all of your APIs that are live in production, you need to be able to detect and block attacks in real time. Core capabilities needed:

• Monitoring for data tampering and leakage, policy violations, suspicious behavior, and API attacks
• Analyzing API traffic without additional network changes or difficult-to-install agents
• Integrating with existing workflows (ticketing, SIEM, etc.) to alert security/ operations teams
• Preventing attacks and misuse in real time with partially or fully automated remediation 

API security testing: API development teams are under pressure to work as quickly as possible. Speed is essential for every application developed, making it easier for a vulnerability or design flaw to happen and subsequently go undetected. Testing APIs in development before they are released into production greatly reduces both risk and the cost of fixing a vulnerable API. Core capabilities needed:

• Running a wide range of automated tests that simulate malicious traffic
• Discovering vulnerabilities before APIs enter production, reducing the risk of successful attacks
• Inspecting your API specifications against established governance policies and rules
• Running API-focused security tests that run on demand or as part of a CI/CD pipeline

Note: In addition to API security solutions, organizations can explore the capabilities of web application and API protection (WAAP). Designed to quickly identify and mitigate threats from multiple attack vectors, WAAP extends the traditional protections of a WAF. An API security solution — working in tandem with WAF and WAAP — extends protections even further beyond the firewall to create the strongest defense possible.

Organizations seeking to strengthen their API security approaches can also use the following techniques and technologies.

Authentication and authorization

• Implement fine-grained authorization: Ensure that every API request checks the user’s permissions for accessing specific objects. Use role-based access control (RBAC) or attribute-based access control (ABAC) to enforce these rules.
• Use strong authentication mechanisms: Implement multi-factor authentication (MFA) and use secure protocols like OAuth 2.0 and OpenID Connect to verify user identities.
• Enforce strong password policies: Require complex passwords and enforce password rotation policies to enhance security.

Access control

• Property-level access control: Apply access controls at the property level within objects to ensure that users can only access or modify properties they have permissions for.
• Function-level access control: Ensure that access to each API function is restricted based on user roles and permissions. Use least-privilege principles to minimize access.

Rate limiting, throttling, and resource monitoring

• Implement rate limiting and throttling: Set limits on the number of API requests a user can make in a given period to prevent resource exhaustion.
• Resource monitoring and scaling: Continuously monitor resource usage and scale infrastructure dynamically to handle legitimate traffic spikes without compromising availability.

Validation and sanitization

• Validate and sanitize user inputs: Ensure that URLs or other inputs in server-side requests are properly validated and sanitized to prevent malicious requests.
• Validate and sanitize API responses: Treat data from third-party APIs with the same scrutiny as user inputs by validating and sanitizing it before use.

Segmentation

• Network segmentation: Restrict server-side requests to only necessary internal services and use network segmentation to limit the impact of potential SSRF attacks.

Configuration and inventory

• Harden configuration settings: Regularly review and update API configuration settings to follow security best practices. Disable unnecessary features and services.
• Automate security configuration management: Use automated tools to manage and enforce security configurations consistently across all environments.

Testing and audits

• Continuous security testing: Regularly test API endpoints for vulnerabilities and fix any issues promptly.
• Regular audits: Conduct regular security audits to identify and fix authorization flaws.

Inventory, documentation, and reviews

• Maintain an API inventory: Keep an up-to-date inventory of all API endpoints, including their versions and usage. Ensure deprecated endpoints are properly decommissioned.
• Document and monitor APIs: Document API functionality and monitor their usage to detect and mitigate security risks associated with improper management.
• Monitor for abnormal activity: Implement continuous monitoring to detect and respond to unusual patterns of API usage that may indicate an attempt to exploit business flows.
• Regular security reviews: Periodically review and update access control policies to ensure they remain effective.
• Use secure libraries and frameworks: Ensure that the libraries and frameworks used to interact with third-party APIs are secure and regularly updated.

Encryption

Encrypt data in transit: Use Transport Layer Security (TLS) to encrypt data in transit to protect sensitive information from being intercepted by attackers.

Firewalls and gateways

• Implement web application firewalls (WAFs): Web application firewalls protect APIs from common web-based attacks, such as SQL injection and cross-site scripting (XSS), by blocking malicious requests.
• Use an API gateway: API gateways serve as an entry point for all API requests and perform security tasks like authenticating clients, implementing rate limiting, managing traffic, and preventing DDoS attacks in real time.

Patching and updating

• Patch management: Regularly apply patches, updates, and security fixes to address known vulnerabilities. Establish a test environment to ensure that patches do not introduce any compatibility issues or unintended consequences.

Zero Trust

• Adopt a Zero Trust approach: A Zero Trust framework assumes that no user, device, or application inside or outside an IT environment can be inherently trusted. By requiring every client that requests access to APIs to be continuously authenticated and validated, a Zero Trust approach prevents unauthorized access and limits the damage of successful attacks.