In today's app-crazy universe, APIs are the secret sauce behind the magic. Think of them as the superheroes of tech, from banking to retail, transport to smart cities, they're the unsung heroes revealing the secrets of business logic and access to the treasure trove of sensitive data. But hold on to your cyberhats because where there's treasure, there are pirates! APIs have become the gold mine for attackers. They're the common thread weaving through those notorious data breaches we've all heard about. Now, how do you turn the tables on these cyber scoundrels? Well, the answer is simple: learn their tricks, and you'll become the ultimate API security hero! We're here to take you on a thrilling, rollercoaster ride into the heart of API security: a hands-on deep dive into the OWASP API Security Top 10!

1. Paulo A. Silva
OWASP API Security TOP 10
from attackers’ perspective
OWASP Beja Meetup
November 2023

2. Illustrations by Pixeltrue on icons8
Agenda

3. Who Am I
Paulo A. Silva
➔
Principal Security Researcher/Pentester @ ​
➔
15+ years as a Software Developer
➔
Long-term OWASP Volunteer
➔
Strong believer in spreading security awareness​
https://pauloasilva.com
@pauloasilva_com
/devpauloasilva
paulo.silva@owasp.org

4. API1:2019 Broken Object-Level Authorization
API2:2019 Broken User Authentication
API3:2019 Excessive Data Exposure
API4:2019 Lack of Resources & Rate Limiting
API5:2019 Broken Function-Level Authorization
API6:2019 Mass Assignment
API7:2019 Security Misconfiguration
API8:2019 Injection
API9:2019 Improper Assets Management
API10:2019 Insufficient Logging & Monitoring
OWASP API Security Top 10 2019

5. Hacking time

6. API1:2023 Broken Object-Level Authorization
API2:2023 Broken Authentication
API3:2023 Broken Object Property Level Authorization
API4:2023 Unrestricted Resource Consumption
API5:2023 Broken Function-Level Authorization
API6:2023 Unrestricted Access to Sensitive Business Flows
API7:2023 Server Side Request Forgery
API8:2023 Security Misconfiguration
API9:2023 Improper Inventory Management
API10:2023 Unsafe Consumption of APIs
OWASP API Security Top 10 2023

7. API1:2023 Broken Object-Level Authorization
API2:2023 Broken Authentication
API3:2023 Broken Object Property Level Authorization
API4:2023 Unrestricted Resource Consumption
API5:2023 Broken Function-Level Authorization
API6:2023 Unrestricted Access to Sensitive Business Flows
API7:2023 Server Side Request Forgery
API8:2023 Security Misconfiguration
API9:2023 Improper Inventory Management
API10:2023 Unsafe Consumption of APIs
OWASP API Security Top 10 – What’s Changed
API1:2019 Broken Object-Level Authorization
API2:2019 Broken User Authentication
API3:2019 Excessive Data Exposure
API4:2019 Lack of Resources & Rate Limiting
API5:2019 Broken Function-Level Authorization
API6:2019 Mass Assignment
API7:2019 Security Misconfiguration
API8:2019 Injection
API9:2019 Improper Assets Management
API10:2019 Insufficient Logging & Monitoring +
+
+
−
−

8. What’s Next?

9. OWASP API Security Project Initiatives
Mailing
list
GraphQL
CheatSheet
crAPI–
completely
ridiculous
API
APISecurity
Top102023

10. OWASP API Security Top 10 Translations
ar Arabic
de German
en English
fa Farsi
fr French
el_GR Greek
pt_BR Português (Brasil)
pt_PT Português (Portugal)
ru Russian
id Indonesian (in progress)
fa Farsi (in progress)

11. Q&A