OWASP Top 10 API Security Risks
(Indusface infographic; the ten categories follow the OWASP API Security Top 10, 2019 edition)
API1:2019 Broken Object-Level Authorization

APIs without object-level authorization: the API returns sensitive data to a user who does not have permission to access that data.

Illustration: two user records, api/userID/20905 and api/userID/20804, belong to Bob and John. A caller who is authenticated as one of them can change the ID in the path and read the other's record, because the API checks who the caller is but never checks whether the caller is entitled to that particular object. Sequential IDs like these make enumeration trivial, but the fix is an ownership check on every object access, not harder-to-guess IDs alone.
API2:2019 Broken User Authentication

The API's authentication mechanism is missing or implemented incorrectly, so an attacker can take over accounts or impersonate users.

Illustration: an attacker runs credential stuffing against the API endpoints, replaying username/password pairs from a stolen password database. Without a lockout, rate limit or second factor on the login endpoint, every password in the dump that the victim reused becomes a valid session.
API3:2019 Excessive Data Exposure

The API is designed to return all of an object's sensitive data and relies on the client to filter what the user should see.

Illustration: Sam calls GET /api/userprofile. The application server queries the database server and returns every profile it holds:

    { [ Name: Sam..,  Card No.: 1234...,  SSN: 709-99-789...,
        Name: John.., Card No.: 5467...,  SSN: 237-71-567...,
        ... ] }

The client renders only Sam's card (1234 5678 9012 3456, SSN 709-99-7890), but anyone who proxies the response sees John's card number and SSN as well. Filtering has to happen on the server, per caller, with an explicit list of the fields each response may contain.
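Worked example (added here; not part of the Indusface slide deck): the vulnerable GET /api/userprofile beside a hardened version that serializes through a field allowlist, plus a response-level guard that catches sensitive keys anywhere in a payload. The USERS rows, the field names and the sample values are constructed for this example.

```python
# Added example (not from the Indusface slide): server-side field allowlisting for
# GET /api/userprofile. The USERS rows, field names and sample values are constructed.

# Constructed stand-in for the rows on the "Database Server". In the exposure
# scenario every row and every column of this table goes back to the client.
USERS = [
    {"id": 1, "name": "Sam",  "card_no": "1234 5678 9012 3456", "ssn": "709-99-7890", "dob": "1990-01-01"},
    {"id": 2, "name": "John", "card_no": "5467 1111 2222 3333", "ssn": "237-71-5670", "dob": "1985-05-05"},
]

SENSITIVE = {"ssn", "card_no", "dob", "password"}   # never allowed in any response


def userprofile_exposed():
    """Vulnerable: GET /api/userprofile hands the whole table to the client and
    relies on the client to pick out the current user's row and hide the rest."""
    return {"users": USERS}


# Allowlist of what the profile screen needs. A column added to the table later
# stays invisible to clients until someone deliberately adds it here.
PROFILE_FIELDS = ("id", "name", "card_last4")


def serialize_profile(row):
    """Build the response explicitly from the allowlist. Derived values such as the
    masked card are computed here, so the raw secret is never in the payload."""
    view = {
        "id": row["id"],
        "name": row["name"],
        "card_last4": row["card_no"].replace(" ", "")[-4:],
    }
    return {field: view[field] for field in PROFILE_FIELDS}


def userprofile_filtered(current_user_id):
    """Hardened: fetch only the caller's own row, then serialize through the allowlist."""
    row = next((u for u in USERS if u["id"] == current_user_id), None)
    return None if row is None else serialize_profile(row)


def leaked_sensitive_fields(response):
    """Response-level guard (usable as a test or as output middleware): report any
    sensitive key that appears anywhere in the JSON-like response, however nested."""
    found = set()

    def walk(obj):
        if isinstance(obj, dict):
            for key, value in obj.items():
                if key in SENSITIVE:
                    found.add(key)
                walk(value)
        elif isinstance(obj, list):
            for item in obj:
                walk(item)

    walk(response)
    return sorted(found)


if __name__ == "__main__":
    print("exposed ->", leaked_sensitive_fields(userprofile_exposed()))   # ['card_no', 'dob', 'ssn']
    print("filtered ->", userprofile_filtered(1), leaked_sensitive_fields(userprofile_filtered(1)))
```

The allowlist is deliberately a tuple of names rather than a denylist of secrets: a denylist silently fails the day a new sensitive column is added, while an allowlist fails closed. The walker at the end is the check to run in CI against every endpoint's sample responses.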
API4:2019 Lack of Resources & Rate Limiting

When there is no restriction on the number of requests a client can make, or on the size of what each request may ask for, the API is open to brute force (password and token guessing) and DDoS attacks.
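Worked example (added here; not part of the Indusface slide deck) covering the credential-stuffing scenario under API2 and the rate limiting that API4 calls for: a login handler that keeps sliding-window counters of failed attempts per source IP and per account, and refuses to check a password once either window is full. The user store, the thresholds, the client-IP handling and the replayed credential list are assumptions made for this example.

```python
# Added example (not from the slide): a login endpoint hardened against credential
# stuffing (API2) with per-source and per-account rate limiting (API4). The user
# store, the thresholds and the client-IP handling are assumptions for this example.
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

ITERATIONS = 50_000   # constructed; use argon2id/bcrypt/scrypt in production


def _hash(password, salt):
    """Salted PBKDF2 so the store never holds plaintext (stdlib only, to stay dependency-free)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_salt = os.urandom(16)
USERS = {"alice": (_salt, _hash("correct horse battery staple", _salt))}   # constructed account


class LoginGuard:
    """Sliding-window counters of *failed* attempts, keyed by client IP and by
    account. Either window tripping blocks the attempt before the password is
    checked, so a stolen-password list cannot be replayed at speed from one
    source, and one account cannot be hammered from many sources."""

    def __init__(self, ip_limit=20, account_limit=5, window_s=60.0, clock=time.monotonic):
        self.ip_limit, self.account_limit, self.window = ip_limit, account_limit, window_s
        self.clock = clock
        self.by_ip = defaultdict(deque)        # ip -> timestamps of failures
        self.by_account = defaultdict(deque)   # username -> timestamps of failures

    def _prune(self, q):
        cutoff = self.clock() - self.window
        while q and q[0] < cutoff:
            q.popleft()

    def blocked(self, ip, username):
        self._prune(self.by_ip[ip])
        self._prune(self.by_account[username])
        return (len(self.by_ip[ip]) >= self.ip_limit
                or len(self.by_account[username]) >= self.account_limit)

    def record_failure(self, ip, username):
        now = self.clock()
        self.by_ip[ip].append(now)
        self.by_account[username].append(now)


def login(guard, ip, username, password):
    """Returns 'ok', 'invalid' or 'rate_limited' (HTTP 200 / 401 / 429 in a real API).
    Unknown user and wrong password give the same answer and cost the same CPU,
    so the endpoint cannot be used to enumerate valid accounts."""
    if guard.blocked(ip, username):
        return "rate_limited"
    record = USERS.get(username)
    if record is None:
        _hash(password, b"\x00" * 16)          # same work as a real check: no timing oracle
        guard.record_failure(ip, username)
        return "invalid"
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        guard.record_failure(ip, username)
        return "invalid"
    return "ok"


def simulate_stuffing(attempts, ip="203.0.113.7"):
    """Replay a constructed stolen-credential list from one source and tally the outcomes."""
    guard = LoginGuard(ip_limit=20, account_limit=5)
    tally = defaultdict(int)
    for username, password in attempts:
        tally[login(guard, ip, username, password)] += 1
    return dict(tally)


if __name__ == "__main__":
    stolen = [("alice", f"leaked{i}") for i in range(8)] + [("bob", "hunter2")] * 3
    print(simulate_stuffing(stolen))   # alice locks after 5 failures: {'invalid': 8, 'rate_limited': 3}
```

The two windows catch different attackers: the per-account window stops a spray that arrives from many IPs, the per-IP window stops one source cycling through many accounts. Neither replaces a second factor or a breached-password check at registration; they buy time and make the attack visible.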
API5:2019 Broken Function Level Authorization

The API lets a user invoke functions (an HTTP method, or an administrative endpoint) that their role is not authorized to perform.

Illustration: the slide shows Alex, an attacker, and the requests GET /accounts/emp1/account_detail and GET /accounts/emp2/account_detail, with the question "What if I replace emp1 with emp2 and view someone else's data?" Note that swapping the identifier in the path is the object-level case covered under API1; the function-level case is the same caller changing the operation, for example calling DELETE on the account or an admin-only endpoint that the employee role should never reach. Both need an explicit, deny-by-default check on the server.
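Worked example (added here; not part of the Indusface slide deck) for both the object-level check of API1 and the function-level check of API5: a single authorization step that every handler calls first, with a route table that says which roles may invoke which operation and an ownership check on the object in the path. The routes, roles and account records are assumptions made for this example.

```python
# Added example (not from the slide): one authorization layer that enforces both the
# function-level check (API5) and the object-level check (API1) before a handler runs.
# The routes, roles and account records are assumptions made for this example.
import re

# Constructed records with an explicit owner, mirroring the slide's
# /accounts/emp1/account_detail and /accounts/emp2/account_detail.
ACCOUNTS = {
    "emp1": {"owner": "alex", "balance": 1200},
    "emp2": {"owner": "jane", "balance": 800},
}

# Function-level policy: (method, path pattern) -> roles allowed to call it at all.
# Operations not listed here are denied, so a new admin endpoint is closed by default.
ROUTES = {
    ("GET", r"^/accounts/(?P<acct>\w+)/account_detail$"): {"employee", "admin"},
    ("DELETE", r"^/accounts/(?P<acct>\w+)$"): {"admin"},
}


class Forbidden(Exception):
    pass


def authorize(principal, method, path):
    """Return the path parameters if `principal` may perform `method path`, else raise.
    1. Function level: the caller's role must be permitted for this operation.
    2. Object level:   a non-admin may only touch objects it owns. 'Not yours' and
       'does not exist' are the same answer, so the check is not an existence oracle."""
    for (route_method, pattern), roles in ROUTES.items():
        match = re.match(pattern, path)
        if route_method != method or not match:
            continue
        if principal["role"] not in roles:
            raise Forbidden(f"function-level: role {principal['role']!r} may not {method} {path}")
        params = match.groupdict()
        account = ACCOUNTS.get(params["acct"])
        if account is None or (principal["role"] != "admin" and account["owner"] != principal["user"]):
            raise Forbidden("object-level: not found or not yours")
        return params
    raise Forbidden("no route")


def account_detail(principal, path):
    """GET handler: reached only after authorize() passed. Every handler follows this shape."""
    params = authorize(principal, "GET", path)
    return ACCOUNTS[params["acct"]]


def attempt(principal, method, path):
    """'allowed' or the denial reason: handy for a test suite that tries every
    (role, method, object) combination, which is how BOLA/BFLA gaps are actually found."""
    try:
        authorize(principal, method, path)
        return "allowed"
    except Forbidden as exc:
        return str(exc)


if __name__ == "__main__":
    alex = {"user": "alex", "role": "employee"}
    print(attempt(alex, "GET", "/accounts/emp1/account_detail"))   # allowed
    print(attempt(alex, "GET", "/accounts/emp2/account_detail"))   # object-level: not found or not yours
    print(attempt(alex, "DELETE", "/accounts/emp1"))               # function-level: role 'employee' may not ...
```

The order matters: the role check runs before the object lookup, so an employee probing DELETE never learns whether emp2 exists. The attempt() helper is the shape of the regression test worth keeping: a matrix of every role against every method and a foreign object, asserting the denial reason rather than just a status code.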
Trust us for Web Application and API Protection. Start your free trial at indusface.com/api
API6:2019 Mass Assignment

It occurs when an API takes client-supplied input and binds it directly onto backend object models, without an allowlist of the properties a client is permitted to set.

Illustration (e-commerce site), normal scenario:

    POST /order/coupon
    ...
    {"coupon_code": "welcome10"}

    200 OK
    ...
    {"order_value": "90$"}

Attack scenario: the client replaces the single coupon string with an array of the same code, and the API binds it straight onto the order:

    POST /order/coupon
    ...
    {"coupon_code": ["welcome10", "welcome10", "welcome10", ...]}

    200 OK
    ...
    {"order_value": "0$"}

Because the discount is honoured once per bound value, the order total is driven to zero. Binding should accept only named, typed fields, and the price must be recomputed on the server rather than taken from anything the request could influence.
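Worked example (added here; not part of the Indusface slide deck): the order/coupon endpoint written first with mass assignment, which lets the array trick and a direct overwrite of order_value through, and then with an allowlist of typed, writable fields. The field names, the base price and the coupon table are assumptions chosen so that "welcome10" yields the slide's 90$.

```python
# Added example (not from the slide): the order/coupon endpoint implemented with
# mass assignment and then with an allowlist. Field names, the base price and the
# coupon table are assumptions chosen so that "welcome10" yields the slide's 90$.
import json

COUPONS = {"welcome10": 0.10}   # constructed: 10% off
BASE_PRICE = 100                # constructed


class Order:
    def __init__(self):
        self.coupon_code = None
        self.order_value = BASE_PRICE
        self.is_paid = False        # internal state that must never be client-settable


def apply_coupon_vulnerable(order, body):
    """Mass assignment: every key in the JSON body is copied onto the model.
    The client can overwrite order_value or is_paid directly, and because the
    coupon field accepts any type, a list of codes is honoured once per element."""
    for key, value in json.loads(body).items():
        setattr(order, key, value)
    codes = order.coupon_code if isinstance(order.coupon_code, list) else [order.coupon_code]
    for code in codes:
        order.order_value -= BASE_PRICE * COUPONS.get(code, 0)
    order.order_value = max(round(order.order_value), 0)
    return order.order_value


WRITABLE = {"coupon_code": str}   # allowlist: the only client-settable field, and its type


def apply_coupon_hardened(order, body):
    """Bind only allowlisted fields of the expected type, reject everything else with
    a 400, and recompute the price on the server from one validated coupon."""
    data = json.loads(body)
    unknown = sorted(set(data) - set(WRITABLE))
    if unknown:
        raise ValueError(f"unexpected fields: {unknown}")
    for field, expected_type in WRITABLE.items():
        if field in data and not isinstance(data[field], expected_type):
            raise ValueError(f"{field} must be {expected_type.__name__}")
    code = data.get("coupon_code")
    if code is not None and code not in COUPONS:
        raise ValueError("unknown coupon")
    order.coupon_code = code
    order.order_value = round(BASE_PRICE * (1 - COUPONS.get(code, 0)))
    return order.order_value


def hardened_response(body):
    """What the hardened endpoint answers for a body: the new value, or the rejection reason."""
    try:
        return apply_coupon_hardened(Order(), body)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    flood = json.dumps({"coupon_code": ["welcome10"] * 10})
    print(apply_coupon_vulnerable(Order(), '{"coupon_code": "welcome10"}'))           # 90
    print(apply_coupon_vulnerable(Order(), flood))                                     # 0
    print(apply_coupon_vulnerable(Order(), '{"order_value": 0, "is_paid": true}'))     # 0, no coupon needed
    print(hardened_response(flood))                                                    # rejected: coupon_code must be str
```

Rejecting unknown fields (rather than ignoring them) is the part teams most often skip; ignoring them hides the probe, and the next developer who adds a `discount` column to the model has silently made it writable.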
API7:2019 Security Misconfiguration

An API component is exposed to attack because of an insecure configuration option. The examples the slide lists:

- Unhardened images (containers or hosts shipped with defaults, debug features or unneeded services)
- Missing or weak HTTP security headers
- Plain HTTP instead of TLS
- Permissive CORS policy
- Open files and folders (directory listings, exposed config or backup files)
- Verbose errors that leak stack traces, versions or internal paths
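Worked example (added here; not part of the Indusface slide deck): a response audit for the misconfiguration classes the slide lists that can be judged from a single HTTP exchange (transport, headers, CORS, directory listing, verbose errors), run over two constructed exchanges. The trusted-origin list, the rules and both sample exchanges are assumptions; image hardening cannot be assessed from a response and is out of scope.

```python
# Added example (not from the slide): a response audit for the misconfiguration classes
# the slide lists (plain HTTP, HTTP headers, CORS, open folders, verbose errors), usable
# from an integration test or a proxy hook. The sample exchanges, the trusted-origin
# list and the rules are constructed for this example.
import re

TRUSTED_ORIGINS = {"https://app.example.com"}   # constructed: the only web origin that may send credentials


def audit_response(url, request_origin, status, headers, body):
    """Return a list of findings for one HTTP exchange. Header names are compared
    case-insensitively, as HTTP requires; an empty list means nothing was flagged."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    if url.lower().startswith("http://"):
        findings.append("transport: served over plain HTTP, no TLS")
    if "strict-transport-security" not in h:
        findings.append("header: Strict-Transport-Security missing")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("header: X-Content-Type-Options: nosniff missing")
    if re.search(r"\d+\.\d+", h.get("server", "")):
        findings.append(f"header: Server reveals a version ({h['server']})")

    # CORS: the dangerous combinations are a wildcard with credentials, and an
    # arbitrary request Origin echoed back with credentials (the classic probe).
    origin = h.get("access-control-allow-origin")
    with_credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if origin == "*" and with_credentials:
        findings.append("cors: wildcard origin combined with credentials")
    elif origin and with_credentials and origin == request_origin and origin not in TRUSTED_ORIGINS:
        findings.append(f"cors: arbitrary Origin reflected with credentials ({origin})")

    if status == 200 and re.search(r"<title>Index of /", body):
        findings.append("files: directory listing enabled")
    if status >= 500 and re.search(r"Traceback \(most recent call last\)|\bat [\w$.]+\(|Exception|SQLSTATE", body):
        findings.append("errors: stack trace or internal detail in error body")
    return findings


# Constructed exchanges: one misconfigured, one clean.
BAD_EXCHANGE = dict(
    url="http://api.example.com/v1/users",
    request_origin="https://evil.example",
    status=500,
    headers={"Server": "nginx/1.18.0", "Content-Type": "text/html",
             "Access-Control-Allow-Origin": "https://evil.example",
             "Access-Control-Allow-Credentials": "true"},
    body='Traceback (most recent call last):\n  File "/srv/app/views.py", line 42, in users\n',
)
GOOD_EXCHANGE = dict(
    url="https://api.example.com/v1/users",
    request_origin="https://app.example.com",
    status=200,
    headers={"Server": "nginx", "Content-Type": "application/json",
             "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
             "X-Content-Type-Options": "nosniff",
             "Access-Control-Allow-Origin": "https://app.example.com",
             "Access-Control-Allow-Credentials": "true"},
    body='{"users": []}',
)

if __name__ == "__main__":
    for finding in audit_response(**BAD_EXCHANGE):
        print(finding)
    print("clean:", audit_response(**GOOD_EXCHANGE) == [])
```

To use the CORS rule for real, send the request with an Origin you control and pass that value as request_origin: a server that echoes it with Access-Control-Allow-Credentials: true lets any site read authenticated responses.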
API8:2019 Injection

Attackers send malicious data to an API that passes it, unvalidated, into the database query.

Illustration: a login form with User ID and Password fields. For a normal user the server builds

    SELECT * FROM users WHERE userID = '1199' AND password = 'secretpw';

The attacker submits a password of  ' OR 1=1  and the same string concatenation produces

    SELECT * FROM users WHERE userID = '1199' AND password = '' OR 1=1;

OR 1=1 makes the WHERE clause true for every row, so the query returns the user table and the login succeeds without the password. The fix is parameterised queries (bound variables), so user input can never change the structure of the statement.
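Worked example (added here; not part of the Indusface slide deck): the slide's login query built by string concatenation beside its parameterised form, run against an in-memory SQLite database with constructed rows. Passwords are stored in clear only to mirror the slide; a real table holds salted hashes.

```python
# Added example (not from the slide): the slide's login query built by string
# concatenation versus the parameterised form, run against an in-memory SQLite
# database with constructed rows.
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userID TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("1199", "secretpw"), ("1200", "another-password")])   # constructed rows
    return db


def login_vulnerable(db, user_id, password):
    """Interpolates untrusted input into SQL text. A quote in the attacker's password
    closes the literal and the remainder becomes part of the WHERE clause."""
    sql = f"SELECT * FROM users WHERE userID = '{user_id}' AND password = '{password}'"
    return db.execute(sql).fetchall()


def login_safe(db, user_id, password):
    """Parameterised: the values travel separately from the statement text, so they
    are always data and can never change the structure of the query."""
    sql = "SELECT * FROM users WHERE userID = ? AND password = ?"
    return db.execute(sql, (user_id, password)).fetchall()


# The slide's "or 1=1" idea, written so the quoting closes cleanly:
#   ... AND password = '' OR '1'='1'   -> true for every row, since AND binds tighter than OR.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("normal:       ", login_vulnerable(db, "1199", "secretpw"))   # [('1199', 'secretpw')]
    print("injected:     ", login_vulnerable(db, "1199", PAYLOAD))      # both rows: login bypassed
    print("parameterised:", login_safe(db, "1199", PAYLOAD))            # []
```

The parameterised version looks for a user whose password is literally the string ' OR '1'='1 and finds none. Escaping quotes by hand is not an alternative: the driver's placeholder mechanism is the only boundary that survives every encoding and dialect quirk.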
API9:2019 Improper Assets Management

Attackers may break into the production API by exploiting a vulnerability in a beta or staging API that was left running and unmanaged.

Illustration: a Beta API and a Production API side by side. The beta copy is rarely patched or monitored, yet it is still reachable, so a flaw fixed in production can remain exploitable there. Keep an inventory of every API host and version, and retire what is not in use.
API10:2019 Insufficient Logging & Monitoring

It occurs when auditable events inside an API, such as failed logins, are not recorded, or are recorded but nobody watches them.

Illustration: the same login form (user name, LOG IN, Forgot Password) under two setups. With logging properly set up, the monitoring dashboard reports "New threat detected!" as the attempts come in. With insufficient logging it reports "All good!" while an attack is in progress.
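Worked example (added here; not part of the Indusface slide deck): the detection that "properly set up logging" makes possible. It reads constructed JSON access-log lines for the login endpoint and raises an alert when one source IP fails against many different accounts inside a short window, and a second, higher-priority alert when a login then succeeds from that same source. The log format, field names, thresholds and sample lines are all assumptions.

```python
# Added example (not from the slide): detection over structured login logs. The log
# format, field names, thresholds and the sample lines are assumptions.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one structured line per request, as an API gateway would emit.
# 203.0.113.7 cycles through five accounts and then gets in; 198.51.100.2 is a
# real user who mistyped once and retried seven minutes later.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","ip":"203.0.113.7","method":"POST","path":"/login","status":401,"user":"alice"}
{"ts":"2024-05-01T10:00:02Z","ip":"203.0.113.7","method":"POST","path":"/login","status":401,"user":"bob"}
{"ts":"2024-05-01T10:00:02Z","ip":"203.0.113.7","method":"POST","path":"/login","status":401,"user":"carol"}
{"ts":"2024-05-01T10:00:03Z","ip":"203.0.113.7","method":"POST","path":"/login","status":401,"user":"dave"}
{"ts":"2024-05-01T10:00:04Z","ip":"203.0.113.7","method":"POST","path":"/login","status":401,"user":"erin"}
{"ts":"2024-05-01T10:00:05Z","ip":"203.0.113.7","method":"POST","path":"/login","status":200,"user":"frank"}
{"ts":"2024-05-01T10:00:09Z","ip":"198.51.100.2","method":"POST","path":"/login","status":401,"user":"alice"}
{"ts":"2024-05-01T10:07:00Z","ip":"198.51.100.2","method":"POST","path":"/login","status":200,"user":"alice"}
{"ts":"2024-05-01T10:07:30Z","ip":"198.51.100.2","method":"GET","path":"/api/userprofile","status":200,"user":"alice"}
"""


def parse(lines):
    """Yield events with the timestamp parsed; a malformed line is skipped, not fatal,
    because a detector that dies on bad input is itself a blind spot."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError):
            continue
        yield event


def detect(lines, window=timedelta(minutes=5), fail_threshold=5, min_distinct_users=4):
    """Sliding-window rule per source IP over failed logins. Returns alert tuples
    (rule, ip, detail). The window is keyed on event time, so the rule behaves the
    same on a live stream and on a replayed log."""
    failures = defaultdict(list)   # ip -> [(ts, user)] for failures inside the window
    alerts, already = [], set()
    for event in parse(lines):
        if event["path"] != "/login":
            continue
        ip, ts = event["ip"], event["ts"]
        failures[ip] = [(t, u) for t, u in failures[ip] if ts - t <= window]
        if event["status"] == 401:
            failures[ip].append((ts, event["user"]))
            users = {u for _, u in failures[ip]}
            if (len(failures[ip]) >= fail_threshold and len(users) >= min_distinct_users
                    and ip not in already):
                alerts.append(("credential_stuffing", ip,
                               f"{len(failures[ip])} failures across {len(users)} accounts in {window}"))
                already.add(ip)
        elif event["status"] == 200 and len(failures[ip]) >= min_distinct_users:
            alerts.append(("success_after_failure_burst", ip, f"login as {event['user']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The rule needs three fields the login endpoint must log for every attempt, including failures: source IP, the account name tried, and the outcome. Leave out any one of them and the burst in the sample is indistinguishable from a user who forgot a password. The second alert is the one to page on: it marks the credential that actually worked.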
Scan & Protect Your APIs Today!

Closing slide, listing the Indusface services: API Discovery, API Vulnerability Scanning, DDoS & Bot Mitigation, API Pen Testing, OWASP Top 10 Protection.
