© 2023 Prancer, Inc.

Blog

Developers guide to OWASP top 10 API Security vulnerabilities and MITRE Attack framework relation

Prancer
January 13, 2023

Introduction to OWASP top 10 API Security

The OWASP API Security Top 10 is a list of the most common and critical risks that organizations face when developing and exposing APIs (Application Programming Interfaces). APIs allow different systems and applications to communicate with each other, and are often used to expose data and functionality to external parties. However, exposing APIs can also introduce a variety of security risks if not properly secured. The OWASP API Security Top 10 aims to provide guidance on the most important security risks to consider when developing and exposing APIs.

1. Broken Object Level Authorization: This refers to the risk of improper authorization controls, where APIs may allow unauthorized access to sensitive data or functionality.

2. Broken Authentication: This refers to the risk of weak or inadequate authentication controls, which can allow attackers to gain unauthorized access to APIs.

3. Excessive Data Exposure: This refers to the risk of exposing sensitive data through APIs, either intentionally or unintentionally.

4. Lack of Resources and Rate Limiting: This refers to the risk of APIs being overwhelmed or exhausted by excessive requests, which can lead to denial of service attacks.

5. Broken Function Level Authorization: This refers to the risk of improper authorization controls at the function level, where APIs may allow unauthorized access to sensitive functionality.

6. Mass Assignment: This refers to the risk of allowing untrusted parties to set values for sensitive fields, which can lead to unauthorized access or manipulation of data.

7. Security Misconfiguration: This refers to the risk of APIs being improperly configured, which can lead to vulnerabilities being exposed.

8. Injection: This refers to the risk of injecting malicious code into APIs, which can lead to unauthorized access or manipulation of data.

9. Improper Asset Management: This refers to the risk of failing to properly manage APIs and the data and functionality they expose, which can lead to vulnerabilities being introduced.

10. Insufficient Logging and Monitoring: This refers to the risk of failing to properly log and monitor API activity, which can make it difficult to detect and respond to security incidents.

MITRE ATT&CK framework relation

Cross-referencing these API Security issues with the MITRE ATT&CK framework, the OWASP API Security Top 10 can be mapped to the following tactics and techniques:

1. Broken Object Level Authorization:

  • Tactic: Privilege Escalation
  • Techniques: Exploitation of Uncontrolled Linkage to a Third-party Domain, Uncontrolled Search Path Element

2. Broken Authentication:

  • Tactic: Initial Access
  • Techniques: Brute Force, Credential Dumping

3. Excessive Data Exposure:

  • Tactic: Discovery
  • Techniques: Data from Information Repositories

4. Lack of Resources and Rate Limiting:

  • Tactic: Denial of Service
  • Techniques: Flooding

5. Broken Function Level Authorization:

  • Tactic: Privilege Escalation
  • Techniques: Exploitation of Uncontrolled Linkage to a Third-party Domain, Uncontrolled Search Path Element

6. Mass Assignment:

  • Tactic: Privilege Escalation
  • Techniques: Exploitation of Uncontrolled Linkage to a Third-party Domain, Uncontrolled Search Path Element

7. Security Misconfiguration:

  • Tactic: Initial Access
  • Techniques: Peripheral Device Discovery, System Information Discovery

8. Injection:

  • Tactic: Execution
  • Techniques: Command Injection, SQL Injection

9. Improper Asset Management:

  • Tactic: Defense Evasion
  • Techniques: Disabling Security Tools, Modify Registry

10. Insufficient Logging and Monitoring:

  • Tactic: Defense Evasion
  • Techniques: Disabling Security Tools, Modify Registry

Conclusion

API security is of utmost importance as it ensures the protection of sensitive data and the integrity of systems when utilizing APIs. APIs are often used to connect different systems and applications, making them a common entry point for attackers. To ensure the security of APIs, it is essential to follow industry best practices and guidelines. One of the most widely recognized and respected sets of guidelines for API security is the OWASP Top 10 API Security Project. This project provides a list of the top 10 most critical security risks for APIs and recommendations for mitigating them. By following these recommendations, organizations can effectively protect against their APIs’ most common and severe security threats. The OWASP Top 10 API Security Project is a valuable resource for any organization that utilizes APIs and wants to ensure the security of their systems and sensitive data.