Blog - Corsha

A Quick Take on OWASP API Security Top 10

Written by Robert Birdsong | Sep 29, 2024 1:00:00 PM

The Open Worldwide Application Security Project (OWASP) is a nonprofit organization dedicated to improving software security. Through resources, tools, and guidance, OWASP supports developers, application architects, and security professionals in building secure applications. One of OWASP's most well-known contributions is its Top 10 list of the most critical web application security risks. This list helps organizations focus their security efforts on the latest threats and vulnerabilities.

However, as software ecosystems increasingly rely on APIs (Application Programming Interfaces), OWASP has expanded its focus. APIs, which enable communication and data exchange between different software systems, are the backbone of modern enterprises. With API-driven implementations exploding across cloud, on-premise, and edge environments, securing APIs has become more crucial than ever. To address this, OWASP introduced the API Security Top 10—a comprehensive guide detailing the most critical security risks facing APIs.

OWASP API Top 10 (2023)

The OWASP API Security Top 10 highlights the most significant risks to APIs in 2023:

  1. Broken Object Level Authorization (BOLA)

  2. Broken Authentication

  3. Broken Object Property Level Authorization

  4. Unrestricted Resource Consumption

  5. Broken Function Level Authorization

  6. Unrestricted Access to Sensitive Business Flows

  7. Server Side Request Forgery (SSRF)

  8. Security Misconfiguration

  9. Improper Inventory Management

  10. Unsafe Consumption of APIs

With the rise of API-related attacks, these vulnerabilities present significant risks. According to a recent report¹, 61% of attacks in the past year were authentication-based, highlighting the importance of robust API security practices.

Addressing API Security with Corsha

Corsha takes an identity-first approach to API security. By dynamically tracking machine identities and enforcing multi-factor authentication (MFA) for every API request, Corsha helps mitigate risks outlined in the OWASP API Top 10. Below is a breakdown of how Corsha helps organizations defend against specific vulnerabilities.

Each entry below lists the focus area, the OWASP description of the risk, and the Corsha protection (Direct or Indirect).

API1: Broken Object Level Authorization

Description: Attackers can exploit API endpoints that are vulnerable to broken object-level authorization by manipulating the ID of an object that is sent within the request. Object IDs can be anything from sequential integers to UUIDs or generic strings. Regardless of the data type, they are easy to identify in the request target (path or query string parameters), request headers, or even as part of the request payload.

Corsha Protection (Indirect): Corsha analyzes the behavior of API clients to identify anomalous activity, and actively drops untrusted clients without proper in-time authentication. This adds a layered defense for applications that are not properly checking access control and simply accept a user-provided key to grant API access. Corsha also enables the ability to halt or resume access to API services for a workload or group of workloads through event- or time-based triggers.

API2: Broken Authentication

Description: The authentication mechanism is an easy target for attackers since it is exposed to everyone. Although more advanced technical skills may be required to exploit some authentication issues, exploitation tools are generally available.

Corsha Protection (Direct): Corsha detects anomalous authentication behavior, such as reused credentials, and can add an automated, single-use credential to API requests for multi-factor authentication (MFA). This protects both applications that lack an authentication mechanism and those whose mechanism is improperly implemented.

API3: Broken Object Property Level Authorization

Description: APIs tend to expose endpoints that return all of an object's properties. This is particularly true for REST APIs. For other protocols such as GraphQL, crafted requests may be required to specify which properties should be returned. Identifying these additional properties that can be manipulated requires more effort, but there are a few automated tools available to assist in this task.

Corsha Protection (Direct): Corsha can require strong authentication to access the API service or receive a response from the service. This limits the exposure of the API object properties.

API4: Unrestricted Resource Consumption

Description: Exploitation requires simple API requests. Multiple concurrent requests can be performed from a single local computer or by using cloud computing resources. Most of the automated tools available are designed to cause DoS via high loads of traffic, impacting APIs' service rate.

Corsha Protection (Direct): For sensitive API services, Corsha acts as a natural rate-limiter by dropping API requests without valid MFA credentials, reducing the load on API services and mitigating Denial of Service (DoS) attacks. Corsha also implements anomaly detection designed to catch exploitation.

API5: Broken Function Level Authorization

Description: Exploitation requires the attacker to send legitimate API calls to an API endpoint that they should not have access to as anonymous users or regular, non-privileged users. Exposed endpoints will be easily exploited.

Corsha Protection (Indirect): Corsha provides analytics around reused credentials and provides access statistics for clients to API services, to evaluate whether there are broken function level authorizations.

API6: Unrestricted Access to Sensitive Business Flows

Description: Exploitation usually involves understanding the business model backed by the API, finding sensitive business flows, and automating access to these flows, causing harm to the business.

Corsha Protection (Direct): Corsha maps the API services within a business and tracks the behavior of API clients accessing those services. Based on the sensitivity of the service, the business can elevate to stronger authentication requirements (e.g. MFA) on a service-by-service basis.

API7: Server Side Request Forgery

Description: Exploitation requires the attacker to find an API endpoint that accesses a URI provided by the client. In general, basic SSRF (when the response is returned to the attacker) is easier to exploit than Blind SSRF, in which the attacker has no feedback on whether or not the attack was successful.

Corsha Protection (Indirect): Corsha actively drops untrusted API clients without proper in-time authentication. This adds a layered defense for applications that are vulnerable to Server Side Request Forgery (SSRF) attacks.

API8: Security Misconfiguration

Description: Attackers will often attempt to find unpatched flaws, common endpoints, services running with insecure default configurations, or unprotected files and directories to gain unauthorized access or knowledge of the system. Most of this is public knowledge and exploits may be available.

Corsha Protection (Direct): Corsha addresses security misconfiguration items and mitigates improper security hygiene practices through automated MFA, API client-driven identity, and real-time behavior analytics.

API9: Improper Inventory Management

Description: Threat agents usually get unauthorized access through old API versions or endpoints left running unpatched and using weaker security requirements. In some cases exploits are available. Alternatively, they may get access to sensitive data through a third party with whom there is no reason to share data.

Corsha Protection (Direct): Corsha provides real-time visibility into managed API services, highlighting traffic from unmanaged or shadow API clients. The visibility includes API client to service mapping and behavioral analytics.

API10: Unsafe Consumption of APIs

Description: Exploiting this issue requires attackers to identify and potentially compromise other APIs/services the target API is integrated with. Usually, this information is not publicly available or the integrated API/service is not easily exploitable.

Corsha Protection (Direct): Corsha provides authentication input validation that includes MFA and analysis of the secrets used by API clients, whether they are internal or external.
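
To make the API1 (BOLA) entry concrete, here is an added example, not code from the original post or from Corsha, of a minimal invoice endpoint with the object-level check missing and then applied. The invoice store, user names and the dictionary-shaped request are constructed for the illustration.

```python
"""Object-level authorization (OWASP API1) on a minimal invoice API.
Added example with constructed in-memory data; not Corsha's code."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: int


# Constructed sample data: sequential IDs that are trivial to guess.
INVOICES = {
    1001: Invoice(1001, "alice", 250),
    1002: Invoice(1002, "bob", 9900),
}


def extract_invoice_id(request: dict) -> int | None:
    """The object ID may arrive in the path, the query string, or the JSON
    body; wherever it came from, the authorization decision is the same."""
    for location in ("path", "query", "body"):
        value = request.get(location, {}).get("invoice_id")
        if value is not None:
            return int(value)
    return None


def handle_get_invoice(request: dict, check_ownership: bool) -> tuple[int, dict]:
    """Simulated GET /invoices/{id} handler for an already-authenticated user.
    check_ownership=False reproduces the BOLA defect (any authenticated caller
    can read any invoice); check_ownership=True applies the object-level check."""
    user = request["authenticated_user"]
    invoice_id = extract_invoice_id(request)
    if invoice_id is None:
        return 400, {"error": "missing invoice_id"}
    invoice = INVOICES.get(invoice_id)
    # Hardened path: a foreign object is answered exactly like a missing one,
    # so the response does not confirm which IDs exist.
    if invoice is None or (check_ownership and invoice.owner != user):
        return 404, {"error": "not found"}
    return 200, {"invoice_id": invoice.invoice_id,
                 "owner": invoice.owner, "amount": invoice.amount}
```

Authentication alone does not help here: "bob" is a valid user in both modes, and only the ownership check stops him from reading invoice 1001.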

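The API2 entry mentions reused credentials and single-use per-request credentials. The following added example shows the general idea of a single-use, freshness-bound credential with server-side replay detection; the HMAC scheme, client name and secret are assumptions for this illustration, not Corsha's protocol or code.

```python
"""Single-use per-request credentials with replay detection (OWASP API2).
Added illustration of the general idea; the scheme and all secrets are
constructed for this example and are not Corsha's mechanism."""
from __future__ import annotations
import hashlib
import hmac
import time

# Constructed per-client secrets; a real deployment would obtain these from
# an identity provider rather than hard-code them.
CLIENT_SECRETS = {"build-agent-7": b"constructed-demo-secret"}
FRESHNESS_SECONDS = 30


def mint_credential(client_id: str, nonce: str, issued_at: int) -> str:
    """Client side: bind machine identity, a fresh nonce and the issue time
    into one tag that is only valid for a single request."""
    msg = f"{client_id}|{nonce}|{issued_at}".encode()
    return hmac.new(CLIENT_SECRETS[client_id], msg, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Server side: verify the tag, enforce freshness, and refuse any nonce
    already consumed by that client (the 'reused credential' case)."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so the behaviour is testable
        self._seen: dict[tuple[str, str], int] = {}

    def verify(self, client_id: str, nonce: str, issued_at: int, tag: str) -> str:
        secret = CLIENT_SECRETS.get(client_id)
        if secret is None:
            return "unknown-client"
        msg = f"{client_id}|{nonce}|{issued_at}".encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad-signature"
        if abs(self._now() - issued_at) > FRESHNESS_SECONDS:
            return "stale"  # outside the acceptance window, never admitted
        # Drop nonces that can no longer pass the freshness check anyway.
        self._seen = {k: t for k, t in self._seen.items()
                      if self._now() - t <= FRESHNESS_SECONDS}
        if (client_id, nonce) in self._seen:
            return "replayed"  # credential already consumed once
        self._seen[(client_id, nonce)] = issued_at
        return "ok"


def demo(now: int = 1_700_000_000) -> list[str]:
    """Walk through: first use, replay of the same tag, a tag with the wrong
    nonce, a stale tag, and an unknown client."""
    guard = ReplayGuard(now=lambda: now)
    tag = mint_credential("build-agent-7", "n1", now)
    old = mint_credential("build-agent-7", "n3", now - 1000)
    return [guard.verify("build-agent-7", "n1", now, tag),
            guard.verify("build-agent-7", "n1", now, tag),
            guard.verify("build-agent-7", "n2", now, tag),
            guard.verify("build-agent-7", "n3", now - 1000, old),
            guard.verify("rogue-client", "n1", now, tag)]
```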

Why OWASP API Security Matters

As APIs become more prevalent, they introduce unique vulnerabilities that must be prioritized by organizations. The OWASP API Top 10 serves as an important guide for understanding and mitigating API security risks. By addressing the security concerns identified in the Top 10, organizations can prevent data breaches, service disruptions, and other damaging attacks.

OWASP has announced plans to release the OWASP Top 10: 2025 in the first half of next year, further updating its guidance on the most critical web application security risks. To learn more about the OWASP API Top 10 and the OWASP API Security Project, visit OWASP API Security.

¹ Salt Security's Q1 2024 State of API Security report.

About Robert Birdsong
Robert Birdsong serves as Corsha's Chief Marketing Officer. He has twenty years of go-to-market leadership experience with over a decade in early stage SaaS startups. Robert frequently contributes to blogs covering tech and non-tech subjects. 

About Corsha
Corsha is an Identity Provider for Machines that allows an enterprise to securely connect, move data, and automate with confidence from anywhere to anywhere. 

Corsha’s mission is to secure data in motion and bring zero trust to machines, systems, and services. Today Ops and security teams often are forced to compromise by using static, long-lived API keys, tokens, and certificates as weak proxies for non-human identity and access.  Corsha helps teams move past static secrets and generates dynamic identities for trusted machines, bringing innovation like automated, single-use MFA credentials, scheduled access, and deep discovery to machine-to-machine communications. The Identity Provider also offers visibility and control over automated API traffic and enables real-time revocation and rotation of identity without disrupting other workloads.