APIsecure 2023 - The Present and Future of OWASP API Security Top 10, Inon Shkedy

The Evolution of
the OWASP API
Top 10

whoami
Head of Security Research
@ Traceable.ai
10+ Years in AppSec; 200+
Pen Tests
I’ve grown up with APIs
Government, Military, Financial
Multi Page Apps, On Prem, Waterfall,
Less APIs
Startups, Tier 1 Companies
Single Page Apps, Cloud, CI/CD,
Mostly APIs
www.traceable.ai | Slide 2

Project Background
1
Agenda
New trends in API Sec
2
What to expect?
3

OWASP
“Open Web Application Security Project”
A non-proﬁt organization & community
Educates developers & pen-testers about
AppSec

Known OWASP
Projects
ModSec / CRS
Juice Shop
ZAP
OWASP Top 10

Deﬁnes the Top 10 threats for Web
Apps
1
OWASP Top 10
Is published every few years
1
Helps engineers to navigate the endless
sea of security issues
▪ Focus on the top threats
1

OWASP API
APIs are different from
WebApps
Background
The need for API List

OWASP API
2019
First version
Got a lot of traction
▪ Gartner
▪ Press
▪ Developers trainings
▪ API security products
Things have changed since 2019!

Creation
Process
1. Gather information
● Bug bounty reports
● Public breaches
● Thought Leaders
2. Conduct a draft of the RC
3. Review by initial set of reviewers
4. Publish the RC
5. Gathering feedback from community
6. Adapting the list
7. Releasing the ﬁnal list

What’s changed?
Client
Client
Web
Server
Web
Server
(API)
GET /home.jsp Fetch Data
Fetch Data
HTML
JSON
Traditional
Modern

What’s New?
Clien
t
Web
Server
(API)
Fetch Data
Client
JSON
JSON
JSON
● Clients:
More types, more powerful
● Less Abstraction Layers:
Shared language - JSON

The Good News
Issue Solved By
SQLi ORMs
CSRF
Use of Authorization
Header
XSS Clients are responsible
Path Manipulation Cloud Based Storage
XXE JSON

The Bad News
Larger attack surface
Oversharing
▪ More EPs
▪ More Data
▪ Underlying implementation
Predictable
▪ Easier to guess

Paulo Silva
2023 List
Added a new leader to the project - Paulo Silva
Followed API security trends over the 2019-2022
▪ Bug bounty reports
▪ Public Breachers
▪ Vendors reports
▪ etc..
List is becoming less and less similar to the OWASP Top 10

The new list [Release Candidate]
BOLA
Broken User Authentication
Excessive Data Exposure
Lack of rate limiting
BFLA
Mass Assignment
Security Misconfiguration
Injection
Improper Assets Management
Insufficient Logging &
Monitoring
BOLA
Broken Authentication
Broken Object Property Level
Authorization
Unrestricted Resource Consumption
BFLA
Server Side Request Forgery
Security Misconfiguration
Lack of Automated Threat Protection
Inventory Blind Spots
Unsafe Consumption of APIs
Expanded
Expanded

New
Items
BOPLA - Broken Object Property
Level Authorization
01.
SSRF - Server Side Request
Forgery
02.
Lack of Automated Threat
Protection
03.
Unrestricted Resource
Consumption
04.
Unsafe Consumption of APIs
05

Removed
Items
Injection
01.
Insufﬁcient Logging &
Monitoring
02.
Mass Assignment + Excessive
Data Exposure
03.

Expanded
Items
Improper Assets Management →
Inventory Blindspot
01.
Broken User Authentication →
Broken Authentication
02.

Authorization ==
biggest risk
We see more and more AuthZ
issues
Implementing decent AuthZ in API is
becoming more and more challenging

Authz in APIs - The Challenge
Object / Object
Property Level
Function Level
Code (Almost every
controller)
Code, Conﬁguration,
API-gateway
Patients Care Provider Admins
Hugo
Sub
#1
Sub
#2
Bugo
Jon
Jack
Inon
Decentralized
Mechanism
Complex Users & Roles
Hierarchies

The AuthZ
Maze
Function Level
Object Level
Object Property
Level
POST /api/host/accept_reservation
API Endpoint should be accessed
by hosts only
BFLA
Guest user

The AuthZ
Maze
Function Level
Object Level
Object Property
Level
BOLA
POST /api/host/accept_reseravtion?id=919
A host should be able to access only
its own reservations
Host user

The AuthZ
Maze
{“total_stay_price”:$1,000,000}
Object’s property “total_stay_price”
should not be set by the host
Host user
Function Level
Object Level
Object Property
Level
BOPLA

API #4 -
Unrestricted
Resource
Consumption

DoS
POST /upload_image
socialnetwork.com
408 Error
{“file_size”:”10000gb”}
Create thumbnails

The Raise of API Bots
Many industries are suffering from
automated threats activity

Challenges!
Bots are becoming more proﬁtable.
Becoming smarter & more human (AI, ML)
● Fake reviews
Like AuthZ, the protection isn’t generic &
depends on business needs.

Scalping Bots == Emerging Threat

Malicious
Patterns of
Bots
Gain advantage over normal users
01.
Excessive consumption
02.

Advantage over
legit users
Speed Advantage
• Bots can buy items faster
• Bots can join rafﬂes faster
Quantity Advantage
• Can vote many times
• Can post many comments

Excessive
Consumption
Carding
Credential Stufﬁng

Bots - Protection in Layers
Rate Limiting
Stricter Rate Limiting for machine
consumed APIs
Restrict IP Addresses (reputation/geo/thor/proxies)
Restrict Devices (headless browsers)
Human Detection
Analyze Trafﬁc for Abnormal Activity

SSRF
POST api/upload_proﬁle_pic_from_url
{“image_url”:”evil.com/10000GB.zip”}
GET /10000GB.zip
API evil.com

SSRF in APIs
More dangerous in APIs:
• Exposed management consoles (K8S/API gateways/etc)
More common in APIs:
• Web Hooks
• SSO (custom IDP)

Inventory Blindspots - what you expose
v1/payment v1/post_review v2/search
v1.2/old_export_user_dat
a
airbnb.com/users/api/
“Shadow APIs” - Endpoint aren’t
documented/forgotten

Inventory Blindspots - what you expose
airbnb.com/users/api/ airbnb.com/host/api/ qa3.airbnb.com/backup_api/v1
“Shadow APIs” - forgotten APIs

Inventory Blindspots
- what you expose
Unintentionally exposed APIs & Assets
Direct Access
Allowed

Inventory Blindspots - what you share
Clients
Airbnb API
Gateway
Tax Microservice Guesty
Payment
Microservice
Services..
/b2b/sync_user_data
Why sharing
Payment details
with Guesty?

API #10 -
Unsafe
Consumption
of APIs

Developers Trust 3rd Party APIs
POST /create_users
{“user_name”:”aa’ OR ‘1’=’1”}
twitter_stats.com Twitter APIs
X
GET /top_users
400 Error {[{“user_name”:”’or ‘1’=’1”}]}

Why did we remove Injection?
Why injections used to be common in the past?
- SQL Injections
- Command Injections
- Others, less common

SQL Injection - Less Common
GET /search?query=’or ‘1’=’1
shop.com
string query1 = "SELECT title FROM [Product] WHERE [Name] = '" + ‘OR ‘1’=’1 + "' ;

SQL Injection - Less Common
GET /search?query=’or ‘1’=’1
shop.com
{
var query = context.Product
.where(s => s.Name == "
’or ‘1’=’1")
.FirstOrDefault<Student>();
}

Shell Injection - Less Common
POST /resize_image
{“new_size”:”& format C:/ &”, photo:<base64>}
album.com
strCmdText= "convert original.png -resize " +& format C:/ & + " new.png";
System.Diagnostics.Process.Start("CMD.exe",strCmdText);

Shell Injection - Less Common
POST /resize_image
{“new_size”:”& format C:/ &”, photo:<base64>}
album.com
imageFactory.Load(inStream).Resize(”& format C:/ &);
● Code the uses Shell Commands isn’t scalable in microservices environment
● Abundance of 3rd party libraries & APIs replaces CLI tools

GraphQL, gRPC, WebSockets
o Share similar risks with traditional
protocols (REST/SOAP)
o We had a discussion what to do with
them
▪ Add speciﬁc examples/use-cases
▪ Expand Security Misconﬁguration
New Protocols

Contribute!

Questions?

APIsecure 2023 - The Present and Future of OWASP API Security Top 10, Inon Shkedy

Recommended

Recommended

More Related Content

Similar to APIsecure 2023 - The Present and Future of OWASP API Security Top 10, Inon Shkedy

Similar to APIsecure 2023 - The Present and Future of OWASP API Security Top 10, Inon Shkedy (20)

More from apidays

More from apidays (20)

Recently uploaded

Recently uploaded (20)

APIsecure 2023 - The Present and Future of OWASP API Security Top 10, Inon Shkedy