2023 Candidate List

  1. Broken Object Level Authorization
  2. Broken Authentication
  3. Broken Object Property Level Authorization
  4. Unrestricted Resource Consumption
  5. Broken Function Level Authorization
  6. Server Side Request Forgery
  7. Security Misconfiguration
  8. Lack of Protection From Automated Threats
  9. Improper Assets Management
  10. Unsafe Consumption of APIs

 

Broken Authentication and Authorization

Broken authentication and authorization continue to be major concerns in API security. BOLA (Broken Object Level Authorization), also known as IDOR (Insecure Direct Object Reference), remains a widespread issue because endpoints take an object identifier from the client and never check that the caller is allowed to access that particular object. Broken authentication, on the other hand, arises from two key factors:

  1. Lack of protection mechanisms for authentication endpoints.
  2. Misimplementation of authentication mechanisms.

This often results from the complexity of applications or a misunderstanding of the threats.
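As an added illustration of the BOLA pattern (this is example code written for this edit, not code from the original post), the lookup below shows the vulnerable shape of a GET /orders/{id} handler beside the fixed one. The sqlite table, the two customers and their orders are constructed sample data; the point is that the fix scopes the query by the authenticated owner rather than trusting the client-supplied id:

```python
"""BOLA / IDOR: vulnerable order lookup beside the fixed one.

Added example, not code from the original post. The schema, the two
customers and their orders are constructed sample data."""
import sqlite3


class NotFound(Exception):
    pass


def build_db() -> sqlite3.Connection:
    """Constructed sample data: user 1 owns order 1001, user 2 owns 1002."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, total REAL NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1001, 1, 49.99), (1002, 2, 1250.00)],
    )
    return conn


def get_order_vulnerable(conn, current_user_id: int, order_id: int) -> dict:
    """GET /orders/{id} as it is often written: the caller is authenticated
    (current_user_id comes from the session), but the query is keyed on the
    client-supplied id only, so any logged-in user can read any order."""
    row = conn.execute(
        "SELECT id, owner_id, total FROM orders WHERE id = ?", (order_id,)
    ).fetchone()
    if row is None:
        raise NotFound(order_id)
    return {"id": row[0], "owner_id": row[1], "total": row[2]}


def get_order_fixed(conn, current_user_id: int, order_id: int) -> dict:
    """Object-level authorization: the owner is part of the lookup, so a row
    the caller does not own is indistinguishable from one that does not
    exist. Answering 404 for both also stops id enumeration via 403-vs-404."""
    row = conn.execute(
        "SELECT id, owner_id, total FROM orders WHERE id = ? AND owner_id = ?",
        (order_id, current_user_id),
    ).fetchone()
    if row is None:
        raise NotFound(order_id)
    return {"id": row[0], "owner_id": row[1], "total": row[2]}


def readable_ids(handler, conn, current_user_id: int, candidate_ids) -> list:
    """What an attacker's id-walking loop learns: the ids the handler serves
    to this user."""
    found = []
    for order_id in candidate_ids:
        try:
            handler(conn, current_user_id, order_id)
            found.append(order_id)
        except NotFound:
            pass
    return found


if __name__ == "__main__":
    db = build_db()
    ids = range(1000, 1005)
    print("vulnerable:", readable_ids(get_order_vulnerable, db, 1, ids))  # [1001, 1002]
    print("fixed:     ", readable_ids(get_order_fixed, db, 1, ids))       # [1001]
```

Switching to unguessable identifiers (UUIDs) narrows the attacker's search space but is not authorization; the ownership check has to exist in every handler, or better, in a shared data-access layer so it cannot be forgotten.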

 

Broken Object Property Level Authorization (BOPLA)

Moving down the list we see Broken Object Property Level Authorization (BOPLA). Excessive Data Exposure and Mass Assignment, both separate categories in the 2019 list, are now merged into this one. It covers how attackers can read or modify individual object properties without proper authorization. The issue occurs when an application validates the caller's access to the function and to the object, but fails to validate access to specific properties within that object.

If you want more details on Mass Assignment, which is part of this category, you can check out our previous post here.
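To make both halves of BOPLA concrete, the following is an added example (written for this edit, not taken from the original post or the earlier Mass Assignment post). The user record is constructed sample data and the password hash is a placeholder; the vulnerable profile update binds every JSON key onto the object, the vulnerable serializer dumps the whole object, and the fixed versions use explicit property-level allow-lists for writes and for reads:

```python
"""BOPLA: mass assignment and excessive data exposure, each beside its fix.

Added example, not code from the original post. The user record below is
constructed sample data and the hash is a placeholder."""
import copy
import json


class PropertyNotWritable(ValueError):
    pass


def sample_user() -> dict:
    """Constructed stored record. Only display_name and email are meant to be
    editable by the user; the rest is internal state."""
    return {
        "id": 7,
        "email": "dana@example.com",
        "display_name": "Dana",
        "password_hash": "<placeholder, not a real hash>",
        "is_admin": False,
        "credit_balance": 0,
    }


# --- vulnerable ------------------------------------------------------------

def update_profile_vulnerable(user: dict, body: dict) -> dict:
    """Mass assignment: binds every key of the JSON body onto the object.
    A body of {"display_name": "Dana", "is_admin": true} escalates privilege
    because nothing asks whether the caller may write is_admin."""
    updated = copy.deepcopy(user)
    updated.update(body)
    return updated


def serialize_vulnerable(user: dict) -> str:
    """Excessive data exposure: serializes the whole object and relies on the
    client to hide password_hash and is_admin."""
    return json.dumps(user)


# --- fixed -----------------------------------------------------------------

WRITABLE = frozenset({"display_name", "email"})               # allow-list for writes
READABLE = ("id", "email", "display_name", "credit_balance")  # allow-list for reads


def update_profile_fixed(user: dict, body: dict) -> dict:
    """Reject, rather than silently drop, properties outside the allow-list:
    a client sending is_admin is either broken or attacking, and either way
    you want it in the logs."""
    rejected = set(body) - WRITABLE
    if rejected:
        raise PropertyNotWritable(sorted(rejected))
    updated = copy.deepcopy(user)
    for key in WRITABLE & set(body):
        updated[key] = body[key]
    return updated


def serialize_fixed(user: dict) -> str:
    """Explicit response shape: the object's fields are not the API's fields."""
    return json.dumps({key: user[key] for key in READABLE})


def exposed_keys(serialized: str) -> set:
    """Keys a client actually receives from a serialized response."""
    return set(json.loads(serialized))


def write_accepted(handler, user: dict, body: dict) -> bool:
    """True if the handler accepts the body, False if it rejects a property."""
    try:
        handler(user, body)
        return True
    except PropertyNotWritable:
        return False
```

The same allow-lists belong in the API schema (OpenAPI `readOnly`/`writeOnly` or separate request and response models) so that the contract, the validation and the serializer cannot drift apart.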

 

Server-Side Request Forgery (SSRF)

SSRF has appeared here just as it did in the OWASP Top 10 2021 for web applications. This is a clear indication of the growing use of unvalidated user-supplied URLs. But why is this an increasing issue?

  1. Webhooks and file fetching from URLs require developers to access external resources based on user input.
  2. Modern technologies like cloud providers, Kubernetes, and Docker expose management and control channels over HTTP on predictable paths (the cloud instance metadata service at 169.254.169.254, for example), making them targets for SSRF.
  3. The connected nature of modern applications makes it challenging to limit outbound traffic.
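The following validator for a webhook or fetch-by-URL feature is an added example (written for this edit, not code from the original post). It enforces scheme and port, refuses embedded credentials, resolves the host once, rejects any address that is loopback, private, link-local (which covers the metadata service), multicast, reserved or unspecified, unwraps IPv4-mapped IPv6 literals, and returns a pinned IP for the caller to connect to. The hostnames and the fake resolver table are constructed so the example runs offline:

```python
"""Outbound URL validation for a webhook/fetch-by-URL feature.

Added example, not code from the original post; the hostnames and the fake
resolver table are constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})
ALLOWED_PORTS = frozenset({80, 443})


class UnsafeURL(ValueError):
    pass


def default_resolver(host: str) -> list:
    """All addresses the host resolves to (A and AAAA)."""
    infos = socket.getaddrinfo(host, None)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_public(ip) -> bool:
    """Reject loopback, RFC 1918, link-local (where cloud metadata lives at
    169.254.169.254), multicast, reserved and unspecified addresses.
    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str, resolver=default_resolver) -> tuple:
    """Return (host, pinned_ip) for a URL the server may fetch, or raise UnsafeURL.

    The caller must connect to pinned_ip (sending Host: host) rather than
    resolving again at connect time; otherwise a DNS-rebinding host can answer
    the check with a public address and the fetch with an internal one.
    Redirect targets must be passed through this function again."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL")
    host = parts.hostname
    if not host:
        raise UnsafeURL("no host")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:
        raise UnsafeURL("bad port") from exc
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")
    try:
        addresses = [ipaddress.ip_address(host)]   # literal IP in the URL
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise UnsafeURL(f"unresolvable host: {host}")
    for ip in addresses:
        if not is_public(ip):
            raise UnsafeURL(f"{host} resolves to non-public address {ip}")
    return host, str(addresses[0])


# Constructed resolver table so the example runs offline. 93.184.216.34 is
# used only as "some public address"; the hostnames are made up.
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],   # public + internal
    "metadata.internal": ["169.254.169.254"],
}


def fake_resolver(host: str) -> list:
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]


def is_safe(url: str, resolver=fake_resolver) -> bool:
    try:
        validate_outbound_url(url, resolver)
        return True
    except UnsafeURL:
        return False
```

Two caveats a pentester will probe: an HTTP client that follows redirects will happily land on 169.254.169.254 after a 302, so either disable redirects or re-validate each hop, and an egress allow-list (a proxy or network policy) should back the code check, since the list of "internal" ranges is never complete.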

 

Lack of Protection from Automated Threats

Lack of protection from automated threats in APIs is a growing concern. These attacks are difficult to identify because each individual request looks legitimate, and traditional protections like rate limiting and CAPTCHAs become less effective over time as attackers adapt to them.

Often, vulnerable APIs expose sensitive functionality without considering the potential harm caused by excessive automated access. Identifying which business flows are sensitive can be tricky, but with proper design and threat modeling the exposure can be reduced. An interesting example can be found below: this person had an entire section of the stadium to himself. It wasn't exactly automated, but it highlights the issue well.

Osaka man arrested

https://japantoday.com/category/crime/osaka-man-arrested-after-reserving-and-canceling-1-873-seats-at-2-baseball-games-to-get-more-space
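Since every reserve and cancel call in that story was individually valid, the abuse only shows up when you look at the business flow per account over time. The detector below is an added example (written for this edit, not code from the original post or from any ticketing system): it runs a sliding-window count of cancellations per user over constructed log lines in the form "timestamp user action seat", and the window and threshold are illustrative starting points rather than recommended values:

```python
"""Reserve/cancel churn detection over API access logs.

Added example, not code from the original post. The log lines are
constructed, and the thresholds are illustrative starting points."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def constructed_sample_log() -> list:
    """Constructed log in the form 'ISO-timestamp user action seat':
    - u-100 reserves and cancels the same seat eight times in two minutes
    - u-200 reserves two seats and cancels one (ordinary behaviour)
    - u-300 cancels six seats, but half an hour apart each time"""
    t0 = datetime(2023, 4, 1, 10, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(8):
        t = t0 + timedelta(seconds=15 * i)
        lines.append(f"{t.isoformat()} u-100 reserve S12-R3-07")
        lines.append(f"{(t + timedelta(seconds=5)).isoformat()} u-100 cancel S12-R3-07")
    lines.append(f"{(t0 + timedelta(minutes=1)).isoformat()} u-200 reserve S04-R1-01")
    lines.append(f"{(t0 + timedelta(minutes=1, seconds=2)).isoformat()} u-200 reserve S04-R1-02")
    lines.append(f"{(t0 + timedelta(minutes=3)).isoformat()} u-200 cancel S04-R1-02")
    for i in range(6):
        t = t0 + timedelta(minutes=30 * i)
        lines.append(f"{t.isoformat()} u-300 cancel S20-R9-{i:02d}")
    return lines


def parse_line(line: str) -> tuple:
    ts, user, action, seat = line.split()
    return datetime.fromisoformat(ts), user, action, seat


def detect_cancel_churn(lines, window_minutes: int = 10, max_cancels: int = 5) -> list:
    """Flag users with max_cancels or more cancellations inside any sliding
    window of window_minutes. Each request alone is legitimate; only the
    per-account rate over the business flow reveals the abuse.
    Returns [(user, cancels_in_window, timestamp_when_flagged)]."""
    window = timedelta(minutes=window_minutes)
    events = sorted(map(parse_line, lines), key=lambda e: e[0])
    recent = defaultdict(deque)   # per-user cancel timestamps inside the window
    flagged = {}
    for ts, user, action, _seat in events:
        if action != "cancel":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_cancels and user not in flagged:
            flagged[user] = (len(q), ts)
    return [(user, n, ts) for user, (n, ts) in flagged.items()]


def flagged_users(lines, **kwargs) -> list:
    return sorted(user for user, _n, _ts in detect_cancel_churn(lines, **kwargs))


if __name__ == "__main__":
    for user, n, ts in detect_cancel_churn(constructed_sample_log()):
        print(f"{user}: {n} cancellations by {ts.isoformat()}")   # u-100: 5 cancellations ...
```

Widening the window to a few hours also catches u-300, which is the design decision the threat model has to settle: how many reversals of a flow a real customer performs in what period. Per-user counting also assumes the attacker uses one account; the same logic keyed on IP, device fingerprint or payment instrument covers the multi-account variant.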

Where is Injection?

It’s interesting to see the shift in the application security landscape: injection was once at the top of everyone’s checklist, and now it no longer has a category of its own (it was API8 in the 2019 list). Unsafe Consumption of APIs does reference injection attacks, but it is really about APIs interacting with one another.

Another interesting point for this category is that it is essentially a trust issue. Data coming from another API should be treated the same as data coming from a user. In previous training, I’ve also told teams that they should treat other teams within the same organization as a third party. Just because you are following the guidelines and best practices does not mean they are; this is of particular importance in larger enterprises.
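What "treat it like user input" looks like in code, as an added example (written for this edit, not code from the original post): a response from a partner shipping API is size-limited, strictly typed, checked against an allow-listed key set, bounded and enumerated before use, and the free-text field is stored with a parameterized query so that SQL arriving from the partner is data, not a statement. The partner schema, the payloads and the sqlite table are all constructed:

```python
"""Treating another API's response as untrusted input.

Added example, not code from the original post. The partner 'shipment'
schema, the payloads and the sqlite table are constructed."""
import json
import re
import sqlite3

MAX_BODY_BYTES = 64 * 1024
SHIPMENT_ID_RE = re.compile(r"^[A-Z0-9]{8,16}$")
STATUSES = frozenset({"created", "in_transit", "delivered"})
MAX_NOTE_LEN = 200
EXPECTED_KEYS = frozenset({"shipment_id", "status", "weight_kg", "note"})


class UntrustedResponse(ValueError):
    pass


def parse_partner_response(raw: bytes) -> dict:
    """Decode and validate a partner response before anything else touches it.
    Same rules as for a browser client: size limit, strict types, allow-listed
    keys, bounded lengths, enumerated values. Unknown keys are an error, not
    something to pass through to the next layer."""
    if len(raw) > MAX_BODY_BYTES:
        raise UntrustedResponse("body too large")
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise UntrustedResponse(f"not valid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise UntrustedResponse("top level must be an object")
    if set(data) != EXPECTED_KEYS:
        raise UntrustedResponse(f"unexpected key set: {sorted(set(data) ^ EXPECTED_KEYS)}")
    sid, status, weight, note = data["shipment_id"], data["status"], data["weight_kg"], data["note"]
    if not (isinstance(sid, str) and SHIPMENT_ID_RE.match(sid)):
        raise UntrustedResponse("bad shipment_id")
    if status not in STATUSES:
        raise UntrustedResponse("bad status")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(weight, bool) or not isinstance(weight, (int, float)) or not 0 < weight <= 1000:
        raise UntrustedResponse("bad weight_kg")
    if not isinstance(note, str) or len(note) > MAX_NOTE_LEN:
        raise UntrustedResponse("bad note")
    return {"shipment_id": sid, "status": status, "weight_kg": float(weight), "note": note}


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE shipments (shipment_id TEXT PRIMARY KEY, status TEXT, weight_kg REAL, note TEXT)"
    )
    return conn


def store_shipment(conn, shipment: dict) -> None:
    """Parameterized insert: the note is free text from the partner and may
    contain anything, including SQL; it is bound as data, never concatenated."""
    conn.execute(
        "INSERT INTO shipments VALUES (?, ?, ?, ?)",
        (shipment["shipment_id"], shipment["status"], shipment["weight_kg"], shipment["note"]),
    )


def ingest(conn, raw: bytes) -> bool:
    """Full path: validate, then store. Returns False and stores nothing on rejection."""
    try:
        shipment = parse_partner_response(raw)
    except UntrustedResponse:
        return False
    store_shipment(conn, shipment)
    return True


def stored_notes(conn) -> list:
    return [row[0] for row in conn.execute("SELECT note FROM shipments ORDER BY shipment_id")]


def ingest_all(raws) -> tuple:
    """Ingest several responses into a fresh table; returns (accepted flags, stored notes)."""
    conn = build_db()
    accepted = [ingest(conn, raw) for raw in raws]
    return accepted, stored_notes(conn)


# Constructed payloads: one honest, one honest-but-hostile-looking note, and
# three that a compromised or sloppy partner might send.
GOOD = b'{"shipment_id": "SHP20230401AB", "status": "in_transit", "weight_kg": 12.5, "note": "Leave at door"}'
SQL_IN_NOTE = b'{"shipment_id": "SHP20230401AC", "status": "created", "weight_kg": 3, "note": "x\'); DROP TABLE shipments;--"}'
EXTRA_KEY = b'{"shipment_id": "SHP20230401AD", "status": "created", "weight_kg": 3, "note": "", "discount_pct": 100}'
BAD_STATUS = b'{"shipment_id": "SHP20230401AE", "status": "delivered OR 1=1", "weight_kg": 3, "note": ""}'
BAD_TYPE = b'{"shipment_id": 12345, "status": "created", "weight_kg": "3", "note": ""}'
```

The same discipline applies on the transport side: a timeout on the upstream call, TLS certificate verification left on, and no blind following of redirects to wherever the partner points, since a compromised partner is indistinguishable from a hostile one.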

If you want to find out more about hacking APIs, head over to https://academy.tcm-sec.com/p/hacking-apis.


About the Author: Alex Olsen

Alex is a Web Application Security specialist with experience working across multiple sectors, from single-developer applications all the way up to enterprise web apps with tens of millions of users. He enjoys building applications almost as much as breaking them and has spent many years supporting the shift-left movement by teaching developers, infrastructure engineers, architects, and anyone who would listen about cybersecurity. He created many of the web hacking courses in TCM Security Academy, as well as the PJWT and PWPT certifications.

Alex holds a Master’s Degree in Computing, as well as the PNPT, CEH, and OSCP certifications.

About TCM Security

TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.

Pentest Services: https://tcmdev.tcmsecurity.com/our-services/
Follow Us: Blog | LinkedIn | YouTube | Twitter | Facebook | Instagram
Contact Us: sales@tcm-sec.com

See How We Can Secure Your Assets

Let’s talk about how TCM Security can solve your cybersecurity needs. Give us a call, send us an e-mail, or fill out the contact form below to get started.

 

tel: (877) 771-8911 | email: info@tcm-sec.com