API security threats – TSH’s work with the OWASP top 10

Cybersecurity is not only about securing web applications; mobile applications and APIs need the same protection. Why the API? While you polish styling, UX, and performance, you can’t forget about the API – the component that communicates with your backend. The security of that backend determines how safe your app is, whether it works, and whether your users’ sensitive data stays protected. An attacker will not stop at the clients (web app, mobile app, sensors, etc.) but will probe deeper for vulnerabilities in what sits behind them.

SQL injection, a very common vulnerability, comes down to manipulating the data in a database through untrusted input. It is a preventable vulnerability.

An example is the broken API authorization vulnerability found, and responsibly disclosed, by Omkar Bhagwat (th3_hidd3n_mist). It made it possible to delete, take over or read the sensitive data of thousands of subdomains without any user interaction.

Now that you know you want and need this in your project, let’s take a look at API security tests (an API being the application that other applications and devices communicate with on the backend). It’s worth noting that in 2019 the OWASP (Open Web Application Security Project) organization prepared a ranking of the 10 most common API vulnerabilities, the API Security Top 10 2019.

The project updates its data every few years, and so will we – once OWASP publishes again, probably sometime in 2023.

API security and types of projects

Ensuring API security matters because an API rarely serves a single device: it may connect to many, e.g. sensors, phones, web applications, cars, and TVs.

A ton of vulnerabilities are easy to check for, so covering them should always be part of your project plan. I am a fan of the OWASP organization, and I based my examples of fighting vulnerabilities on their research.

API Security Top 10, similar to the OWASP Top 10 report for web applications, lists the 10 most common vulnerabilities:

  • Broken Object Level Authorization,
  • Broken User Authentication,
  • Excessive Data Exposure,
  • Lack of Resources & Rate Limiting,
  • Broken Function Level Authorization,
  • Mass Assignment,
  • Security Misconfiguration,
  • Injection,
  • Improper Assets Management,
  • Insufficient Logging & Monitoring.

An interesting fact is that 6 out of the 10 API vulnerabilities are identical to known web application vulnerabilities.

It is worth noting that:

  • A1. Broken Object Level Authorization is the same as the web-based Insecure Direct Object Reference,
  • A2. Broken User Authentication corresponds to the web-based Broken Authentication and Session Management,
  • A3. Excessive Data Exposure corresponds to the web-based Sensitive Data Exposure.
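Because A1 is the API form of the familiar IDOR, and the subdomain takeover case above is exactly this class of bug, here is an added example (not code from the article, from TSH, or from the disclosed vulnerability) of what the missing check looks like and how to add it. The invoice store, the user ids and the `Forbidden` exception are all constructed for the demonstration; the caller's identity is assumed to come from an already-verified session or token.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when an authenticated caller asks for an object they do not own."""


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample store (not from the article). The ids are sequential, so a
# caller who owns invoice 1001 can trivially guess that 1002 exists.
INVOICES = {
    1001: Invoice(invoice_id=1001, owner_id=7, amount=120.0),
    1002: Invoice(invoice_id=1002, owner_id=8, amount=9.99),
}


def get_invoice_vulnerable(caller_id, invoice_id):
    # The caller is authenticated (assumed to have happened upstream) but the
    # handler never asks whether this particular object belongs to them. Any
    # logged-in user can read any invoice: the BOLA / IDOR shape.
    return INVOICES[invoice_id]


def get_invoice_safe(caller_id, invoice_id):
    # Object-level authorization: load the object, then compare its owner with
    # the identity from the session or token, never with a value the client
    # supplied in the request body or query string.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != caller_id:
        # One response for "does not exist" and "not yours", so the API does not
        # become an oracle for which ids are valid.
        raise Forbidden(f"invoice {invoice_id} is not accessible to user {caller_id}")
    return invoice


def is_accessible(caller_id, invoice_id):
    """True if the hardened handler lets caller_id read invoice_id."""
    try:
        get_invoice_safe(caller_id, invoice_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # User 7 owns 1001 only; the vulnerable handler still hands over 1002.
    print(get_invoice_vulnerable(7, 1002))   # Invoice(invoice_id=1002, owner_id=8, ...)
    print(get_invoice_safe(7, 1001))         # the caller's own invoice
    print(is_accessible(7, 1002))            # False
```

The check belongs in every handler that takes an object id, not just in the one that first looked suspicious; a test suite that calls each endpoint with a valid session and another user's id catches this class of bug cheaply.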