OWASP Top 10 API Security 2019
The OWASP Top 10 API Security 2019 was released in 2019. The project lists the ten most critical security risks in APIs.
A01:2019 - Broken Object Level Authorization
An attacker substitutes the ID of their own resource in an API call with the ID of a resource belonging to another user. Because the API lacks proper authorization checks, the access succeeds. This attack is also known as IDOR (Insecure Direct Object Reference).
Mitigation
- Implement authorization checks with user policies and hierarchy
- Don’t rely on IDs sent from the client; use IDs stored in the session object instead.
- Check authorization each time a client request accesses the database
- Use random non-guessable IDs (UUIDs)
A02:2019 - Broken Authentication
Poorly implemented API authentication allows attackers to assume other users’ identities.
Mitigation
- Check all possible ways to authenticate to all APIs
- Password reset APIs and one-time links also allow users to get authenticated and should be protected just as seriously
- Use standard authentication, token generation, password storage and multi-factor authentication
- Use short-lived access tokens
- Authenticate your apps (so you know who is talking to you)
- Use stricter rate-limiting for authentication, implement lockout policies and weak password checks
A03:2019 - Excessive Data Exposure
The API returns far more data than the client legitimately needs and relies on the client to filter it. An attacker calls the API directly and receives all of it.
Mitigation
- Never rely on the client to filter data
- Review all responses and adapt responses to what the API consumers really need
- Define schemas of all the API responses
- Don’t forget about error responses
- Identify all the sensitive or PII info and justify its use
- Enforce response checks to prevent accidental data and exception leaks
A04:2019 - Lack of Resources & Rate Limiting
The API is not protected against an excessive number of calls or oversized payloads. Attackers use this for DoS and brute-force attacks.
Mitigation
- Rate limiting
- Payload size limits
- Rate limits specific to API methods, clients, addresses
- Checks on compression ratios
- Limits on container resources
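An added example, not from the OWASP document, covering the lockout and stricter authentication limits of A02 together with the per-method, per-client rate limits and payload size limits of A04. The budgets, lockout thresholds and body limit are constructed values; the clock is injectable so the behaviour can be checked without waiting.

```python
import time
from collections import defaultdict, deque

# Constructed policy: each API method gets its own (max calls, window seconds)
# budget, with a much stricter one for the login method.
LIMITS = {"POST /login": (5, 60), "GET /orders": (100, 60)}
MAX_BODY_BYTES = 64 * 1024
LOCKOUT_FAILURES, LOCKOUT_SECONDS = 10, 900

class RateLimiter:
    """Sliding-window limiter keyed by (client, method), plus a lockout after
    repeated authentication failures from one client."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.calls = defaultdict(deque)      # (client, method) -> call timestamps
        self.failures = defaultdict(deque)   # client -> auth-failure timestamps
        self.locked_until = {}               # client -> time the lockout ends

    @staticmethod
    def _prune(q, now, window):
        while q and now - q[0] >= window:
            q.popleft()

    def allow(self, client, method, body_len=0):
        """Return (allowed, reason); cheap checks run before any backend work."""
        now = self.clock()
        if body_len > MAX_BODY_BYTES:
            return False, "payload too large"
        if self.locked_until.get(client, 0) > now:
            return False, "locked out"
        limit, window = LIMITS.get(method, (30, 60))   # default budget for unlisted methods
        q = self.calls[(client, method)]
        self._prune(q, now, window)
        if len(q) >= limit:
            return False, "rate limited"
        q.append(now)
        return True, "ok"

    def record_auth_failure(self, client):
        """Called by the login handler on a failed attempt; once a client reaches
        LOCKOUT_FAILURES failures inside LOCKOUT_SECONDS it is locked out."""
        now = self.clock()
        q = self.failures[client]
        q.append(now)
        self._prune(q, now, LOCKOUT_SECONDS)
        if len(q) >= LOCKOUT_FAILURES:
            self.locked_until[client] = now + LOCKOUT_SECONDS
```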
A05:2019 - Broken Function Level Authorization
The API relies on the client to call only the user-level or admin-level methods appropriate for it. An attacker discovers the “hidden” admin API methods and invokes them directly.
Mitigation
- Don’t rely on the client app to enforce admin access
- Deny all access by default
- Grant access based on specific roles
- Properly design and test authorization
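An added example (not from the OWASP document) showing the two authorization layers from A01 and A05 in one small Python service: an object-level ownership check against the user stored in the session, and a function-level role check that denies by default. The in-memory store, the UUID order IDs and the role table are constructed.

```python
# Constructed in-memory store; order IDs are random UUIDs, not sequential integers.
ORDERS = {
    "7c9e6679-7425-40de-944b-e07fc1f90ae7": {"owner": "alice", "total": 42},
    "16fd2706-8baf-433b-82eb-8c7fada847da": {"owner": "bob", "total": 99},
}
# Function-level policy: an operation must be listed with the roles allowed to
# call it; anything not listed is denied (deny by default).
OPERATION_ROLES = {"get_order": {"user", "admin"}, "delete_order": {"admin"}}

class Forbidden(Exception):
    pass

def get_order_vulnerable(session, order_id):
    """BOLA: the caller is authenticated, but the client-supplied ID is trusted."""
    if "user" not in session:
        raise Forbidden("not authenticated")
    return ORDERS[order_id]

def authorize_operation(session, operation):
    """Function-level check: the role in the session must be allowed for this operation."""
    allowed = OPERATION_ROLES.get(operation, set())
    if session.get("role") not in allowed:
        raise Forbidden(f"operation not permitted: {operation}")

def get_order(session, order_id):
    """Object-level check: the order must belong to the session user (admins may
    read any order). Missing and foreign IDs get the same error so the response
    does not reveal which IDs exist."""
    authorize_operation(session, "get_order")
    order = ORDERS.get(order_id)
    if order is None or (session["role"] != "admin" and order["owner"] != session.get("user")):
        raise Forbidden("order not found")
    return order

def delete_order(session, order_id):
    """Admin-only operation: the role check decides, not an obscure URL."""
    authorize_operation(session, "delete_order")
    return ORDERS.pop(order_id, None) is not None

def list_my_orders(session):
    """Never take the user ID from the client: derive it from the session."""
    authorize_operation(session, "get_order")
    return sorted(oid for oid, o in ORDERS.items() if o["owner"] == session["user"])
```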
A06:2019 - Mass Assignment
Binding client-provided data (e.g., JSON) to data models without filtering properties against an allow-list usually leads to Mass Assignment.
Mitigation
- Don’t automatically bind incoming data to internal objects
- Explicitly define all the parameters and payloads you are expecting
- For object schemas, set readOnly to true for all properties that can be retrieved via the API but should never be modified
- Precisely define at design time the schemas, types, patterns you will accept in requests and enforce them at runtime
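An added example, not from the OWASP document, serving both A03 and A06: one declared object schema with readOnly properties drives allow-list binding of request payloads (unknown, readOnly, mistyped or malformed properties are rejected) and server-side filtering of responses (only declared properties are emitted). The schema, the stored record and its placeholder hash are constructed.

```python
import re

# Constructed schema for a "user" object, in the style of an OpenAPI object
# schema: readOnly properties may appear in responses but are never accepted
# from the client. Anything not declared here is neither accepted nor returned.
USER_SCHEMA = {
    "id":       {"type": str, "readOnly": True},
    "role":     {"type": str, "readOnly": True},
    "balance":  {"type": int, "readOnly": True},
    "email":    {"type": str, "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+"},
    "nickname": {"type": str, "pattern": r"[A-Za-z0-9_]{1,32}"},
}

# Constructed stored record; password_hash is internal and must never be exposed.
USER_RECORD = {"id": "u-17", "role": "user", "balance": 10, "email": "alice@example.com",
               "nickname": "alice", "password_hash": "<hash-placeholder>"}

class ValidationError(ValueError):
    pass

def bind_request(payload, schema=USER_SCHEMA):
    """Allow-list binding: only declared, writable properties of the right type
    and pattern are copied into the object; everything else is rejected outright
    (rejecting rather than silently dropping makes client bugs visible)."""
    clean = {}
    for name, value in payload.items():
        spec = schema.get(name)
        if spec is None or spec.get("readOnly"):
            raise ValidationError(f"property not writable: {name}")
        if type(value) is not spec["type"]:          # exact type: bool is not accepted as int
            raise ValidationError(f"wrong type for {name}")
        if "pattern" in spec and not re.fullmatch(spec["pattern"], value):
            raise ValidationError(f"bad format for {name}")
        clean[name] = value
    return clean

def serialize_response(record, schema=USER_SCHEMA):
    """Response filtering on the server: emit only declared properties, so
    internal fields never reach the client no matter what the record holds."""
    return {name: record[name] for name in schema if name in record}

def update_user(record, payload):
    """PATCH-style handler: validate, merge, then return the filtered view."""
    updated = dict(record)
    updated.update(bind_request(payload))
    return serialize_response(updated)
```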
A07:2019 - Security Misconfiguration
Poor configuration of the API servers allows attackers to exploit them.
Mitigation
- Repeatable hardening and patching processes
- Automated process to locate configuration flaws
- Disable unnecessary features
- Restrict administrative access
- Define and enforce all outputs including errors
A08:2019 - Injection
Attacker constructs API calls that include SQL-, NoSQL-, LDAP-, OS- and other commands that the API or backend behind it blindly executes.
Mitigation
- Never trust your API consumers, even if internal
- Strictly define all input data: schemas, types, string patterns — and enforce them at runtime
- Validate, filter, sanitize all incoming data
- Define, limit, and enforce API outputs to prevent data leaks
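An added example, not from the OWASP document, of the A08 mitigations applied to a search endpoint backed by SQLite: the vulnerable handler concatenates client input into the SQL text, the hardened one enforces a declared string pattern and binds the value as a query parameter. The database contents and the name pattern are constructed.

```python
import re
import sqlite3

def make_db():
    """Constructed sample database with two customers, one name containing a quote."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO customers (name, email) VALUES (?, ?)",
                   [("Alice Smith", "alice@example.com"), ("Tom O'Brien", "tom@example.com")])
    return db

def search_vulnerable(db, name):
    """Client input is concatenated into the SQL text, so any quote in the value
    becomes part of the statement instead of the data: a legitimate name with an
    apostrophe already breaks the query, and crafted input can change its meaning."""
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

# Declared input pattern for the 'name' parameter (constructed): letters, spaces,
# hyphens and apostrophes, at most 64 characters.
NAME_PATTERN = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")

def search_hardened(db, name):
    """Enforce the declared type and pattern first, then bind the value as a
    parameter so the database engine never parses it as SQL."""
    if not isinstance(name, str) or not NAME_PATTERN.fullmatch(name):
        raise ValueError("name does not match the allowed pattern")
    return db.execute("SELECT id, name FROM customers WHERE name = ?", (name,)).fetchall()
```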
A09:2019 - Improper Assets Management
An attacker finds non-production versions of the API (staging, testing, beta or earlier versions) that are not as well protected, and uses those to launch the attack.
Mitigation
- Inventory all API hosts
- Limit access to anything that should not be public
- Limit access to production data. Segregate access to production and non-production data.
- Implement additional external controls such as API firewalls
- Properly retire old versions or backport security fixes
- Implement strict authentication, redirects, CORS, etc.
A10:2019 - Insufficient Logging & Monitoring
Lack of proper logging, monitoring, and alerting lets attacks go unnoticed.
Mitigation
- Log failed attempts, denied access, input validation failures, any failures in security policy checks
- Ensure that logs are formatted to be consumable by other tools
- Protect logs as highly sensitive
- Include enough detail to identify attackers
- Avoid having sensitive data in logs; if you need the information for debugging purposes, redact it partially.
- Integrate with SIEMs and other dashboards, monitoring, alerting tools
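An added example, not from the OWASP document, of the A10 mitigations: security events are emitted as JSON lines that a SIEM can consume, with client address, user and request ID for attribution, sensitive fields partially redacted, and a small monitor that raises an alert when one client accumulates denials. The field names, event names and alert thresholds are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Field names whose values are partially redacted before they reach the log.
SENSITIVE_FIELDS = {"email", "token", "password"}

def redact(value):
    """Keep the first and last two characters for correlation, hide the rest."""
    s = str(value)
    if len(s) <= 4:
        return "*" * len(s)
    return s[:2] + "*" * (len(s) - 4) + s[-2:]

def security_event(event, client_ip, user, request_id, ts=None, **details):
    """One JSON line per security-relevant event (auth failure, denied access,
    validation failure) carrying the fields needed to attribute it."""
    record = {
        "ts": (ts or datetime.now(timezone.utc)).isoformat(),
        "event": event,
        "client_ip": client_ip,
        "user": user,
        "request_id": request_id,
    }
    for key, value in details.items():
        record[key] = redact(value) if key in SENSITIVE_FIELDS else value
    return json.dumps(record, sort_keys=True)

class DenialMonitor:
    """Alert when one client accumulates `threshold` denial events within
    `window` seconds; a SIEM correlation rule would express the same logic."""
    ALERT_EVENTS = {"auth_failure", "access_denied", "validation_failure"}

    def __init__(self, threshold=5, window=60):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)    # client_ip -> timestamps of denial events

    def observe(self, line):
        """Consume one log line; return an alert string or None."""
        rec = json.loads(line)
        if rec["event"] not in self.ALERT_EVENTS:
            return None
        ts = datetime.fromisoformat(rec["ts"]).timestamp()
        q = self.seen[rec["client_ip"]]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            return f"{len(q)} {rec['event']} events from {rec['client_ip']} in {self.window}s"
        return None
```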