🫀OWASP API Security Top 10 and Beyond!

The OWASP API Security Top 10 was originally released in December 2019 and was driven by several key factors.

1. The Rapid Rise of APIsAPIs power the flow of one of the world's most valuable resources, data. A business no longer needs to specialize in all aspects of creating software, instead, they can use the features of software shared by other companies. Historically, the issue with doing this was the disconnected nature of different programming languages. Web application programming interfaces allowed for a common method to consume or provide data across the Internet. Since the widespread adoption of web APIs, organizations have been enabled to leverage the functionality of other applications. Instead of having to develop custom software for maps, GPS, payment processing, authentication, communication, and much more, developers can leverage APIs to use the functionality of other applications that specialize in that given area. APIs are a major business enabler, which explains the global rapid adoption.

2. A Major Gap in SecurityThe final factor that compounded the effects of the other two is the fact that the tools and techniques of the past were not effective at detecting API-related vulnerabilities. The tools and techniques that were used for enterprise vulnerability management programs, web application scanners, and traditional network security monitoring tools were not designed to handle the unique challenges posed by APIs. As a result, many organizations were not adequately prepared to defend against API attacks, leaving them vulnerable to data breaches.

3. A New Leading Attack VectorOften, when it comes to the rapid adoption of new technologies, security is an afterthought. APIs are no different. The rapid adoption of APIs led to a new attack vector that exposes data application functionality. Public, Internet-facing, APIs often bypassed all of the security measures that had grown with businesses over the past decade. An attacker no longer needs to go through the classic MITRE cyber kill chain (bypass the firewall, gain entry to the network, pivot to a system containing data, and then exfiltrate that data). Instead, an attacker can use an insecure API and have direct access to sensitive data.

In response to the massive adoption of APIs, the security gaps introduced by API providers, and the new wave of API-related security incidents, the OWASP API Security Project published its Top 10 list.

• Es por ello que existe el OWASP API top 10 en respuesta a poder proteger las API’s de todo el mundo bajo un estandar y de esta manera contrarrestar un poco la inseguridad tan alta de las aplicaciones con sus API’s a día de hoy.

Mapped to External Sources

The OWASP API Security risks are associated with references to external sources. These sources include Common Weakness Enumeration (CWE), other OWASP projects, and National Institute of Standards and Technology (NIST) guidance. Most of the references involve CWEs. CWEs are a list of common software and hardware vulnerabilities developed by the community and hosted by MITRE. Each CWE is identified by a unique identifier or CWE-ID. This identifier can be used to refer back to a specific vulnerability.

OWASP Top 10	External Reference
API1:2023 Broken Object Level Authorization	• CWE-285: Improper Authorization
• CWE-639: Authorization Bypass Through User-Controlled Key
API2:2023 Broken Authentication	• CWE-204: Observable Response Discrepancy
• CWE-307: Improper Restriction of Excessive Authentication Attempts
API3:2023 Broken Object Property Level Authorization	• CWE-213: Exposure of Sensitive Information Due to Incompatible Policies
• CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
• API3:2019 Excessive Data Exposure - OWASP API Security Top 10 2019
• API6:2019 - Mass Assignment - OWASP API Security Top 10 2019
API4:2023 Unrestricted Resource Consumption	• CWE-770: Allocation of Resources Without Limits or Throttling
• CWE-400: Uncontrolled Resource Consumption
• CWE-799: Improper Control of Interaction Frequency
• NIST Security Strategies for Microservices-based Application Systems
API5:2023 Broken Function Level Authorization	• CWE-285: Improper Authorization
• OWASP Top 10 2013: A7: Missing Function Level Access Control
• OWASP Guidance: Forced Browsing
• OWASP Guidance: Access Control
API6:2023 Unrestricted Access to Sensitive Business Flows	• API10:2019 Insufficient Logging & Monitoring
• OWASP Automated Threats to Web Applications
API6:2023 Server Side Request Forgery	• CWE-918: Server-Side Request Forgery (SSRF)
• URL confusion vulnerabilities in the wild: Exploring parser inconsistencies, Snyk
• Server Side Request Forgery
• Server-Side Request Forgery Prevention Cheat Sheet
API8:2023 Security Misconfiguration	• CWE-2: Environmental Security Flaws CWE-2: Environmental Security Flaws • CWE-16: Configuration • CWE-209: Generation of Error Message Containing Sensitive Information • CWE-319: Cleartext Transmission of Sensitive Information • CWE-388: Error Handling • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') • CWE-942: Permissive Cross-domain Policy with Untrusted Domains • NIST Guide to General Server Security • Let's Encrypt: a free, automated, and open Certificate Authority • OWASP Secure Headers Project • Configuration and Deployment Management Testing - Web Security Testing Guide • Testing for Error Handling - Web Securi
• CWE-16: Configuration
• CWE-209: Generation of Error Message Containing Sensitive Information
• CWE-319: Cleartext Transmission of Sensitive Information
• CWE-388: Error Handling
• CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
• CWE-942: Permissive Cross-domain Policy with Untrusted Domains
• NIST Guide to General Server Security
• Let's Encrypt: a free, automated, and open Certificate Authority
• OWASP Secure Headers Project
• Configuration and Deployment Management Testing - Web Security Testing Guide
• Testing for Error Handling - Web Securi
API9:2023 Improper Inventory Management	• CWE-1059: Incomplete Documentation
API10:2023 Unsafe Consumption of APIs	• CWE-285: Improper Authorization
• CWE-639: Authorization Bypass Through User-Controlled Key

Update to the API Security TOP 10:

Se han hecho muchos cambios y actualizacion en pro a la seguridad de las APIS top 10

• BOLA,BFLA, SECURITY MISCONFIGURATION: Son de los breaches más comunes en bug bounty reports disclosures.

• El proposito de OWASP API 10 no es darle y definirle a las organizaciones cuales son los riesgos que tienen, sino proveerles una guía detallada SOBRE las métodologías que deben seguir y tener presente para poder evaluar el riesgo asociado dentro de su compañía.

• Y la clasica ecuación para el riesgo es: Riesgo=Likelihood*Impact “Likelihood:Probabilidad”

Quiz:

Question 1
What are the primary factors that drove the creation of the OWASP API Security Top 10?
The rapid adoption of web APIs
A major gap in security and the prevalence of APIs as a leading attack vector
The ease with which an attacker can exploit a vulnerable API
All of the above
Correct answer.

Question 2
In the absence of community data contribution, how was the 2023 OWASP API Security Top 10 list compiled?
Based solely on the project team's personal experiences
Based on internal research using publicly available data such as bug bounty platforms and news
Correct answer.
Solely based on bug bounty publications
Based only on API-related breach data

Question 3
What is the purpose of mapping the OWASP API Security Top 10 risks to external sources like CWE and NIST?
To provide additional insight and depth into the identified risks
Correct answer.
To create a unique identifier or CWE-ID for each risk
To make the list more comprehensive and difficult to understand
None of the above

Question 4
What is the significance of APIs in the modern business landscape?
APIs allow businesses to use the functionality of other applications without needing to specialize in all aspects of creating software
Correct answer.
APIs are a major security threat to businesses
APIs enable the slow and safe transfer of data within a business
All of the above

Question 5
What is a leading challenge posed by APIs in terms of security?
APIs were not considered important enough to warrant specialized security tools
Traditional network security monitoring tools, web application scanners, and enterprise vulnerability management programs were not designed to handle the unique challenges posed by APIs
Correct answer.
APIs were designed to be inherently secure and did not pose any challenges
The API scanners are riddled with false-positive results

---

API 1: Broken Object Level Authorization “BOLA”

• Broken object-level authorization (BOLA) vulnerabilities occur when a user is able to access other users' data due to the flaws in authorization controls validating access to data objects.

• Cuando no se poseen los suficientes controles para reforzar los controles de autorización.

¿Pero que pasa si modifico el ID por 2728? y obtengo automaticamente la info de otro user, ahi entran este tipo de vulnerabilidades.

Quiz BOLA:

Question 1
What does BOLA stand for in the context of API security?
Broken Object Level Analysis
Broken Object Level Authentication
Broken Object Level Authorization
Correct answer.
Basic Object Level Authentication

Question 2
In the given example, what demonstrates a BOLA vulnerability?
Bruce was able to access his own user information via API request.
Bruce was able to access another user's information (Harvey Dent's) using his own authorization.
Correct answer.
Harvey Dent's information was stored improperly in the API database.
Bruce sends an unauthenticated GET request to the API endpoint.

Question 3
According to the course content, which statement about BOLA is true?
BOLA vulnerabilities are rare and hard to exploit.
BOLA vulnerabilities are common and require high technical skills to discover.
BOLA vulnerabilities occur when the API provider implements RBAC controls to resources.
BOLA vulnerabilities are common, easily exploitable, and often require minimal technical skills to discover.
Correct answer.

Question 4
If an API provider does not have sufficient access controls, what's the worst that can happen?
The API will perform checks to make sure users can only access their own resources.
The API will not allow users to access any resources.
The API can allow a user to obtain another user's resources via API requests.
Correct answer.
The API will block all incoming requests from unauthenticated users.

API 2: Broken Authentication:

• Es la debilidad que posee una API para no validar que un usuario es quien dice ser en la API, osea Pepito es un user que se hace pasar por CARLOS que es admin, y se autentica como carlos, ahi está el GAP o hueco de seguridad.

• Por que pasan los errores de autenticacion? por errores o politicas debiles como la de arriba:

• Issues que vienen con la Authentication: (Insuficentes tokens randomicos “entropía pobre”, vulns en el proceso de registro, password reset process, multi factor authentication features.)

Soluciones o medidas de sanitización →

Quiz:

Question 1
Which of the following accurately describes "Broken Authentication" in APIs?
API authentication does not allow for multi-factor authentication.
API authentication only allows for a single method of token generation.
API authentication is any weakness within the API authentication process.
Correct answer.
API authentication does not require a unique token for user registration.

Question 2
According to the OWASP, which of the following is NOT considered a direct contributing factor to Broken Authentication in APIs?
Lack of additional protection mechanisms for API endpoints handling authentication.
Misuse or incorrect implementation of the authentication mechanism.
Excessive data exposure through the API.
Correct answer.
Implementing an authentication mechanism without considering attack vectors or the appropriate use case.

Question 3
What can be the potential impact of Broken Authentication in APIs?
Attackers can view the source code of the web application.
Attackers can gain control of other users' accounts, read their personal data, and perform sensitive actions on their behalf.
Correct answer.
Attackers can cause a Denial of Service (DoS) attack.
Attackers can alter the algorithm used for token generation.

Question 4
What does a "Predictable Token" refer to in the context of API security?
A token that is only valid for a predictable amount of time.
A token that is reused for multiple users.
A token that contains sensitive user information.
A token obtained through a weak token generation process that can easily be guessed, deduced, or calculated by an attacker.
Correct answer.

Question 5
Which of the following is NOT recommended by the OWASP API Security project as a preventative measure against Broken Authentication?
Implement an account lockout/captcha mechanisms to prevent brute force attacks.
Make sure you understand how all possible authentication flows work.
Use API keys for user authentication as well as client authentication.
Correct answer.
Treat credential recovery/forgot password endpoints with the same protections as login endpoints.

API 3: Broken Object Property Level Authorization: BOPLA

• Mass asignment entonces ocurre cuando podemos añadir mucho mas parametro de los que se esperaba en una request y de esta forma generar un comportamiento inesperado o hasta escalar privilegios. EJM →

Soluciones o prevenciones a tener en cuenta de BOPLA:

Quiz:

Question 1
Which of the following best describes an "Excessive Data Exposure" vulnerability?
The API allows unrestricted access to all the data in the database.
The API responds with more information than needed to fulfill a request.
Correct answer.
The API does not authenticate user requests.
The API stores sensitive data in plaintext.

Question 2
What could be a consequence of "Mass Assignment" vulnerability?
It could allow a user to execute arbitrary code.
It could lead to a denial of service attack.
It could allow a user to escalate privileges or edit object properties.
Correct answer.
It could lead to an information disclosure within a compromised JWT.

Question 3
When an API exposes an object, which of the following is NOT a recommended preventative measure?
Use generic methods such as to_json() and to_string().
Correct answer.
Cherry-pick specific object properties you specifically want to return.
Implement a schema-based response validation mechanism as an extra layer of security.
Keep returned data structures to the bare minimum, according to the business/functional requirements for the endpoint.

Question 4
What is the potential impact of unauthorized access to an API endpoint due to broken object property level authorization?
Data disclosure to unauthorized parties, data loss, or data manipulation.
Correct answer.
The application could crash, leading to a denial of service.
The attacker could perform remote code execution.
The provider could perform a local file inclusion attack.

Question 5
How can you detect if an API endpoint is vulnerable to excessive data exposure?
By sending a large number of requests in a short period of time and checking if the server crashes.
By reviewing the web page's HTML to find security flaws.
By sending requests to the target API endpoints and reviewing the information sent in response.
Correct answer.
By analyzing the HTTP request headers for sensitive information.

API 4: Unrestricted Resource Consumption:

“consumo de resourc.. sin restricciones”: Los rate limits mal establecidos para que te hagas una idea felipe, hubo un massive data breach a TRELLO la compañia por una api mal expuesta la cual se podia consultar sobre un correo y devolvia la info de ese email, bueno buscaron millones de correos y los enviaron consecutivos a la api y pudieron extraer millones de datos de muchos users registrados a trello.

• Number of operations to perform in a single API client request (e.g. GraphQL batching)

• Number of records per page to return in a single request-response

• RapidAPI: le ayuda a las compañias a poder manejar el numero de requests de sus API’s de una forma más segura y adecuada, mejorando significativamente y previniendo los costos asociados a la infraestructura de la misma.

Quiz:

Question 1
Which of the following is NOT a recommended preventative measure for limiting resource consumption in APIs?
Implement server-side validation for query string and request body parameters.
Notify the consumer when the limit is exceeded, providing the limit number and the time at which the limit will be reset.
Allow an unlimited number of elements in request arrays.
Correct answer.
Limit how often a consumer can call the API within a defined timeframe.

Question 2
Which of the following best describes the threat associated with the lack of rate limiting?
The API allows unauthorized access to sensitive data.
The API allows uncontrolled interactions or resource consumption which can lead to Denial of Service (DoS) or increased financial costs.
Correct answer.
The API responds with improper HTTP headers.
The API exposes unnecessary data in its response.

Question 3
Why is rate limiting important for the monetization and availability of APIs?
Rate limiting allows API providers to control the flow of their data.
Correct answer.
Rate limiting prevents unauthorized access to the API.
Rate limiting secures data transfer between the consumer and the API provider.
Rate limiting allows for secure storage of data in the API's database.

Question 4
In regards to API rate limiting, what is indicated by an HTTP 429 response status code.?
The consumer is not authorized to make the request.
The consumer has requested too many resources.
The consumer has requested unprocessable content.
The consumer has made too many requests.
Correct answer.

Question 5
According to OWASP, what is the primary consequence of not implementing API rate limiting?
Unauthorized access to data.
Consumers will be able to automate requests to business flows and create spam.
DoS due to resource starvation or a negative impact to the service provider's billing.
Correct answer.
Data leakage due to insecure data transfer methods.

API 5: Broken Function Level Authorization: BFLA

• Es una vulnerabilidad donde las funciones de la API tienes controles insuficientes, mientras que BOLA trata sobre acceder a data BFLA es sobre alterar o eliminar esa Data. Acordemos del ejemplo de bumble

• Si se puede eliminar con el metodo DELETE pero está permitida es por el user admin, asi que:

Quiz:

Question 1
According to the OWASP API Security Project, which of the following is NOT a recommended preventative measure for Broken Function Level Authorization?
Implement a consistent and easy-to-analyze authorization module invoked from all your business functions.
Make sure that all administrative functions inside a regular controller do not implement authorization checks based on the user's group and role.
Correct answer.
Ensure that the enforcement mechanism(s) should deny all access by default, requiring explicit grants to specific roles for access to every function.
Review API endpoints against function level authorization flaws, while keeping in mind the business logic of the application and groups hierarchy.

Question 2
When testing for BFLA vulnerabilities, what functionality should you look for that could be exploited?
Functionality that allows a user to make an unlimited number of requests to the API.
Functionality that allows a user to add themselves to any user group.
Functionality that allows a user to change their own user name or password.
All of the above.
Correct answer.

Question 3
What is the primary impact of exploiting a Broken Function Level Authorization vulnerability according to OWASP?
An attacker could execute a Denial of Service (DoS) attack.
An attacker could escalate their privileges to domain admin.
An attacker could access unauthorized functionality, with administrative functions being key targets.
Correct answer.
An attacker could inject malicious scripts into the API.

Question 4
According to OWASP, what makes implementing proper authorization checks challenging in modern applications?
APIs are structured and predictable.
There are very few tools that can help perform authorization checks.
Modern applications have complex user hierarchies and many types of roles or groups.
Correct answer.
There is a high cost associated with implementing proper authorization checks.

Question 5
What is the primary threat associated with Broken Function Level Authorization in API Security?
An attacker could manipulate or delete their own data.
The API could accidentally leak data during a response.
An attacker could gain unauthorized access to certain endpoints they should not have access to.
Correct answer.
The server could be overwhelmed by too many requests

API 6: Unrestricted Access to Sensitive Business Flows:

• Es cuando una API permite acceder libremente a acciones críticas del negocio, sin verificar adecuadamente si el usuario debería poder hacerlo.

• Es el riesgo y vulnerabilidad de un atacante poder ser capaz de identificar y explotar flujos funcionales de la API, si es vulnerable el atacante podría aprovechar la estructura y el flujo de las peticiones para obstaculizar a otros usuarios.

Quiz:

Question 1
What is Unrestricted Access to Sensitive Business Flows about?
Restricting users from accessing sensitive data through API endpoints.
It's about the risk of an attacker identifying and exploiting API-driven workflows.
Correct answer.
It's about setting access controls on API endpoints.
It's about protecting APIs from server-side attacks.

Question 2
What is a possible way to detect non-human patterns during the exploitation of Unrestricted Access to Sensitive Business Flows?
Monitor network traffic for any suspicious activity.
Check user access history for any unusual API requests.
Analyze the user flow to detect actions that happen too quickly for a human user.
Correct answer.
Force the user to complete a captcha before each API request.

Question 3
Which of the following is NOT a recommended preventative measure against Unrestricted Access to Sensitive Business Flows?
Perform device fingerprinting and deny service to unexpected client devices.
Implement a robust authentication mechanism.
Block IP addresses of Tor exit nodes and well-known proxies.
Allow unlimited access to APIs that are consumed directly by machines.
Correct answer.

Question 4
Which of the following is an impact of an attacker exploiting an API with Unrestricted Access to Sensitive Business Flows?
It can cause a data breach by exposing sensitive user data.
It can hurt the business by preventing legitimate users from purchasing a product.
Correct answer.
It can cause a technical outage of the API.
It can inject malware into the API server.

Question 5
What kind of requests does an attack under Unrestricted Access to Sensitive Business Flows usually involve?
Requests that are illegitimate and easily identifiable as an attack.
Requests that are individually legitimate and unidentifiable as an attack.
Correct answer.
A large number of requests sent simultaneously to overwhelm the API.
Requests sent from unauthenticated users.

API 7: Server Side Request Forgery:

• Sin embargo para el caso de out of band, debemos tener un server externo el cual tendremos que especificar para que nos pueda llegar la speticiones o lo que intentemos ya que de esta forma es como funcionan los SSRF Ciegos fuera de banda.

Quiz:

Question 1
What is Server-Side Request Forgery (SSRF)?
An attack where an attacker uses the server as a proxy to hide malicious activities.
An attack where the attacker controls remote resources retrieved by a server.
An attack that can be used to expose private data and scan the victim's internal network.
All of the above.
Correct answer.

Question 2
What is a potential consequence of an SSRF vulnerability?
The server can be used as a proxy to hide malicious activities.
Information disclosure, bypassing firewalls, or other security mechanisms.
It can lead to DoS.
All of the above.
Correct answer.

Question 3
Which of the following is NOT a preventative measure against SSRF?
Validate and sanitize all client-supplied input data.
Disable HTTP redirections.
Use a well-tested and maintained URL parser to avoid issues caused by URL parsing inconsistencies.
Enable X-SSRF Headers
Correct answer.

Question 4
What is a key characteristic of SSRF exploitation?
Requires the attacker to send malicious emails.
Requires the attacker to find an API endpoint that receives a URI as a parameter and then accesses the provided URI.
Correct answer.
Requires the attacker to break into the physical server.
Requires the attacker to create a false user account.

Question 5
What could be a business risk from successful exploitation of SSRF?
It could lead to internal services enumeration or information disclosure.
It could lead to the server being used as a proxy.
It could bypass firewalls or other security mechanisms.
All of the above.
Correct answer.

API 8: Security Misconfiguration:

Security Misconfiguration represents a catch-all for many vulnerabilities related to the systems that host APIs. When an API's security is misconfigured it can be detrimental to the confidentiality, integrity, and availability of the API provider's data. Due to the wide variety of flaws that could exist, the impacts of an exploited security misconfiguration can range from information disclosure to data breach.

Ejemplos:

• Security misconfigurations are really a set of weaknesses that includes misconfigured headers, misconfigured transit encryption, the use of default accounts, the acceptance of unnecessary HTTP methods, a lack of input sanitization, and verbose error messaging.

For example, if the API’s supporting security configuration reveals an unpatched vulnerability, there is a chance that an attacker could leverage a published exploit to easily pwn the API and its system.

A lack of input sanitization could allow attackers to upload malicious payloads to the server. APIs often play a key role in automating processes, so imagine being able to upload payloads that the server automatically processes into a format that could be remotely executed or executed by an unsuspecting end-user.

OWASP Attack Vector Description

Attackers will often attempt to find unpatched flaws, common endpoints, or unprotected files and directories to gain unauthorized access or knowledge of the system.

OWASP Security Weakness Description

Security misconfiguration can happen at any level of the API stack, from the network level to the application level. Automated tools are available to detect and exploit misconfigurations such as unnecessary services or legacy options.

OWASP Impacts Description

Security misconfigurations can not only expose sensitive user data, but also system details that can lead to full server compromise.

Quiz:

Question 1
Which of the following is a potential outcome of having a security misconfiguration in an API?
Disclosure of sensitive user data
Full server compromise due to revealed system details
API documentation may be outdated
Both A and B
Correct answer.

Question 2
What can happen if Transport Layer Security (TLS) is missing in an API?
Sensitive information can be disclosed through the API documentation
Attackers can intercept and read the API data being communicated over the network
Correct answer.
Cross-Origin Resource Sharing (CORS) policy can be manipulated
All of the above

Question 3
Which of the following is NOT a security misconfiguration?
Use of default accounts
Acceptance of unnecessary HTTP methods
Exposing an unsupported version of the API
Correct answer.
Verbose error messaging

Question 4
Which of the following is NOT a recommended measure for preventing API security misconfigurations?
Allow all HTTP verbs for each API
Correct answer.
Where applicable, define and enforce all API response payload schemas
Implement a proper Cross-Origin Resource Sharing (CORS) policy on APIs expected to be accessed from browser-based clients
Ensure that all API communications happen over an encrypted communication channel (TLS)

Question 5
How can security misconfigurations in an API be detected?
Through web application vulnerability scanners like Burp Suite, Nessus, Qualys, OWASP ZAP, and Nikto
Manually, by inspecting the headers, SSL certificate, cookies, and parameters
By monitoring network traffic and developing expected workflows
Both A and B
Correct answer.

API 9: Improper Inventory Management:

Represents the risks involved with exposing non-production and unsupported API versions. When this is present the non-production and unsupported versions of the API are often not protected by the same security rigor as the production versions.

• no tener un control adecuado sobre los activos relacionados con la API. Esto incluye versiones, endpoints, entornos, y servicios externos conectados.

Aqui lo que pasa es que si encontramos una api vieja como puede ser /v1/ y ya actualmente está es la API v/3/ por ejm si encontramos que en v1 tenemos endpoints que ya no existen en v3, son posibles endpoints que SI O SI podemos probar con el fin de ver si aun existen pero estan ocultos o si podemos encontrar debilidad, u know

Quiz:

Question 1
When running multiple versions of an API, what risk does this pose?
Increased response time
Decreased user satisfaction
Increased management resources and expanded attack surface
Correct answer.
Increased network bandwidth usage

Question 2
Which of the following can aid an attacker in identifying improperly managed APIs?
Outdated API documentation
Correct answer.
The server's response times
The number of concurrent API users
The server's IP address

Question 3
Which of the following is the most severe impact related to API inventory management?
Outdated API documentation
Information dislosure
Verbose errors
Enables an attacker to exploit other known vulnerabilities
Correct answer.

Question 4
Which of the following is an indication that an API has a "data flow blindspot"?
Increased data redundancy
There is no visibility of which type of sensitive data is shared
Correct answer.
Improved system reliability
Enhanced API response times

Question 5
Which of the following practices can help mitigate risks associated with improper API inventory management?
Make all API documentation publicly available
Expose all API versions without an web application firewall
Automatically generate documentation with open standards and including it in the CI/CD pipeline
Correct answer.
Update documentation through a manual process

API 10: Unsafe Consumption of APIs: third parties

Is the only item on the top ten list that focuses less on the risks of being an API provider and more on the API consumer. Unsafe consumption is really a trust issue. When an application is consuming the data of third-party APIs it should treat those with a similar trust to user input. By that, I mean, there should be little to no trust. So, data consumed from third-party APIs should be treated with similar security standards as end-user-supplied input. If a third-party API provider is compromised then that insecure API connection back to the consumer becomes a new vector for the attacker to leverage.

• Unsafe Consumption of APIs: Cuando una aplicación cliente consume APIs externas sin validar ni filtrar correctamente las respuestas, confiando ciegamente en que esas APIs externas son seguras, están bien configuradas y nunca se comportarán mal.

OWASP Attack Vector Description

Exploiting this issue requires attackers to identify and potentially compromise other APIs/services the target API integrated with. Usually, this information is not publicly available or the integrated API/service is not easily exploitable.

OWASP Security Weakness Description

Developers tend to trust and not verify the endpoints that interact with external or third-party APIs, relying on weaker security requirements such as those regarding transport security, authentication/authorization, and input validation and sanitization. Attackers need to identify services the target API integrates with (data sources) and, eventually, compromise them.

OWASP Impacts Description

The impact varies according to what the target API does with pulled data. Successful exploitation may lead to sensitive information exposure to unauthorized actors, many kinds of injections, or denial of service.

Summary

Most of the 2023 OWASP API Security Top 10 is about APIs and the API provider. An API can often serve as the path of least resistance for an attacker. So, if an attacker compromises a third-party API provider, then that third party's connections to other businesses can become an additional attack vector. If that API is over an unencrypted connection then an attacker would be able to capture sensitive data in clear text. If that third-party API isn't held to similar security standards as an Internet-facing API then it could also be vulnerable to injection, authorization, and other compromising attacks.

QUIZ:

Question 1
How does OWASP describe the risk regarding Unsafe Consumption of APIs?
Developers will tend to adopt weaker security standards
Correct answer.
APIs could have an increased number of dependencies
Developers will tend to adopt stronger security standards
Developers will be able to compromise third parties

Question 2
What is a potential risk when an API interacts with other APIs over an unencrypted channel?
Enhanced system reliability
Faster throughput of data
Exposure of sensitive information due to cleartext transmission
Correct answer.
Decreased system scalability

Question 3
Why is it important to maintain an allow list of well-known locations integrated APIs may redirect to?
To increase the number of available resources for processing third-party services responses
To avoid blindly following redirects and potential security threats
Correct answer.
To increase the speed of API interactions
To encourage the usage of unencrypted channels for interactions

Question 4
What is a crucial step to ensure the security of data received from integrated APIs?
Always process data as soon as it is received
Always follow redirects without any verification
Ignore the need for a secure communication channel
Validate and properly sanitize data before using it
Correct answer.

Question 5
What could be a potential outcome of weaker security standards in API integrations?
Improved API performance
Exposure of unsupported API versions to the Internet
Exposure of sensitive information to unauthorized actors
Correct answer.
Increased system scalability

---

Beyond the top Business Logic Flaws

• The exploitation of business logic takes place when an attacker leverages misplaced trust or features of an application against the API. Identifying business logic vulnerabilities can be challenging due to the unique nature of each business. The impact of these vulnerabilities can range based on the severity of the vulnerable policy or feature.

Attack Vector Description

Business logic vulnerabilities are unique to each application and exploit the normal intended functioning of an application's business processes. They often require specific knowledge of the application's functionality and the flow of transactions or data. Since these vulnerabilities are specific to the business logic of each application, there's no one-size-fits-all approach to identifying them.

Security Weakness Description

Business logic vulnerabilities arise when the assumptions and constraints of a given business process aren't properly enforced in the application's control structures. This allows users to manipulate the application's functionality to achieve outcomes that are detrimental to the business. These weaknesses typically occur when developers fail to anticipate the various ways that an application's features can be misused or when they don't consider the wider context of the business rules. This is often due to a lack of comprehensive understanding of the application's business logic, a lack of input validation, or incomplete function-level authorization checks.

• The experian PARTNER API leak in 2021 fue un GRAN EJEMPLO DE UNA API QUE FALLO:

Quiz:

Question 1
What is the most common area where injection flaws are often found?
Within input parameters that are expected to be sent to an interpreter
Correct answer.
With the webpage's HTML
API requests that involve XML instead of JSON.
Within HTTP DELETE requests

Question 2
When is an API considered to be vulnerable to injection flaws?
If client-supplied data is validated, filtered, or sanitized by the API.
If data coming from external systems is validated, filtered, or sanitized by the API.
If client-supplied data is directly used or concatenated to SQL/NoSQL/LDAP queries, OS commands, XML parsers, and ORM/ODM without validation.
Correct answer.
If the API uses secure data transmission channels.

Question 3
What is a key prevention strategy for injection flaws in APIs?
Disable user input in API endpoints.
Allowing unrestricted data flow from integrated systems.
Keep data separate from commands and queries, and ensuring data validation using a reliable library.
Correct answer.
Accept all special characters in user input data.

Question 4
Which of the following is NOT a vulnerability in terms of API logging and monitoring?
API does not produce any logs.
Log integrity is guaranteed.
Correct answer.
Logs are not continuously monitored.
API infrastructure is not continuously monitored.

Question 5
What are the key measures to prevent the misuse of APIs due to lack of sufficient logging and monitoring?
Log all failed authentication attempts, denied access, and input validation errors.
Use a Security Information and Event Management (SIEM) system to aggregate and manage logs from all components of the API stack and hosts.
Configure custom dashboards and alerts, enabling suspicious activities to be detected and responded to earlier.
All of the above.
Correct answer.

Question 6
Which of the following can be considered a business logic vulnerability?
An application that uses base64 to encode data
An application that posts unvalidated input publicly
An application that allows trusted end users to upload and execute code without restrictions
Correct answer.
An application that exposes unsupported endpoints

Question 7
A rule of thumb to identify business-logic vulnerabilities is:
Fuzzing request parameters
Brute-forcing user authentication processes
Understanding business functions and how a feature could be leveraged in an attack
Correct answer.
Making requests to endpoint versions that are not included in documentation

Question 8
According to OWASP, which vulnerability is still an unsolved problem, but is more relevant to the 2019 OWASP API Security Top 10?
Insecure Design
Business Logic Flaws
Broken Object Level Authorization
Injection
Correct answer.

Question 9
Which of the vulnerabilities beyond the 2023 OWASP Top 10 is the most difficult to identify generically?
Injection
Business Logic Flaws
Correct answer.
Broken Function Level Authorization
Insufficient Logging and Monitoring

Question 10
Which of the vulnerabilities beyond the 2023 OWASP Top 10 will most likely lead to user-supplied code being executed?
Injection
Correct answer.
Insufficient Logging and Monitoring
Mass Assignment
Business Logic Flaws