Uploaded byIndusfacePvtLtd
4,611 views

OWASP Top 10 API Security Risks

The document outlines the OWASP Top 10 API security risks, including broken authentication, excessive data exposure, and security misconfiguration. It highlights vulnerabilities such as lack of proper filtering, insufficient logging, and risks from brute force attacks. The document emphasizes the importance of securing APIs against these common threats.

Technology
Related topics:
Cybersecurity Threats

Embed presentation

Downloaded 11 times
top10 APISecurityRisks OWASP
APIs without authen�ca�on api/userID/20905 api/userID/20804 BOB John This is when API returns sensi�ve data to a user who doesn’t have permission to access that data 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 API1:2019 Broken Object-Level Authorization
This is when API returns sensi�ve data to a user who doesn’t have permission to access that data A�acker API Endpoints <> <> <> <> <> <> <> <> Uses creden�al stuffing with stolen password database API2:2019 Broken User Authentication
This is when API is designed to expose all sensi�ve data without proper filtering Sam GET /api/userprofile Applica�on Server Database Server { [Name: Sam.. Card No.: 1234 SSN: 709-99-789, Name: John.. Card No.: 5467 SSN: 237-71-567, ...] } 709-99-7890 Sam 1234 5678 9012 3456 DOB 709-99-7890 API3:2019 Excessive Data Exposure
When there is no restric�on on the number of requests made by users, APIs can be vulnerable to brute force and DDoS a�acks ! API4:2019 Lack of Resources & Rate Limiting
GET/accounts/emp1/account_detail GET/accounts/emp2/account_detail Alex A�acker What if i replace emp1 with emp2 and view someone else’s data This is when an API allows users to use HTTP methods to execute func�ons, they are unauthorized to perform API5:2019 Broken Function Level Authorization
Trust us for Web Applica�on and API Protec�on Start your free trial at indusface.com/api
POST/order/coupon ... {”coupon_code”: {”welcome10”, ”welcome10”, ”welcome10”, ...] } 200 OK ... {”Order_value”:”0$”} A�ack Scenario E-Commerce site Normal Scenario POST/order/coupon ... {”coupon_code”:”welcome10”} 200 OK ... {”order_value”:”90$”} E-Commerce site It occurs when an API takes user input directly and maps the values to the backend object models without proper filtering API6:2019 Mass Assignment
An API component is suscep�ble to a�ack due to a nonsecure configura�on op�on Unhardened Images HTTP headers HTTP CORS Open files and folders Verbose errors API7:2019 Security Misconfiguration
A�ackers send malicious data to an API that passes it into the database User A�acker Server Select * from users WHERE userID =’1199’ and password = ‘secretpw’; Select * from users WHERE userID =’1199’ and password = “or 1=1; User ID : Password : API8:2019 Injection
A�ackers may break into the current API by exploi�ng the vulnerability on the staging API if le� unmanaged Beta API Produc�on API API9:2019 Improper Assets Management
It occurs when there are no recording details about auditable events inside an API Properly Set Up Logging New Threat Detected! Insufficient Logging All Good! ATTACK IN PROGRESS My User Name LOG IN Forgot Password API10:2019 Insufficient Logging & Monitoring
Scan & Protect Your APIs Today! API Discovery API Vulnerability Scanning DDoS & Bot Mi�ga�on API Pen Tes�ng Start your free trial at indusface.com/api OWASP Top 10 Protec�on

More Related Content

PPTX
API Security Fundamentals
byJosé Haro Peralta
 
PDF
OWASP API Security Top 10 - API World
by42Crunch
 
PDF
Hacking and Defending APIs - Red and Blue make Purple.pdf
byMatt Tesauro
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PDF
OWASP API Security Top 10 Examples
by42Crunch
 
PDF
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
PPTX
Getting Started with API Security Testing
bySmartBear
 
PDF
API Testing and Hacking (1).pdf
byVishwas N
 
API Security Fundamentals
byJosé Haro Peralta
 
OWASP API Security Top 10 - API World
by42Crunch
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
byMatt Tesauro
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
OWASP API Security Top 10 Examples
by42Crunch
 
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
Getting Started with API Security Testing
bySmartBear
 
API Testing and Hacking (1).pdf
byVishwas N
 

What's hot

PPTX
OWASP Top 10 2021 Presentation (Jul 2022)
byTzahiArabov
 
PPTX
Rest API
byRohana K Amarakoon
 
PDF
Api security-testing
byn|u - The Open Security Community
 
PDF
API Security Best Practices and Guidelines
byWSO2
 
PPTX
Rest API Security - A quick understanding of Rest API Security
byMohammed Fazuluddin
 
PDF
OWASP API Security Top 10 - Austin DevSecOps Days
by42Crunch
 
PPTX
API Design- Best Practices
byPrakash Bhandari
 
PPTX
SSRF exploit the trust relationship
byn|u - The Open Security Community
 
PDF
SSRF workshop
byIvan Novikov
 
PPSX
API Test Automation
bySQALab
 
PPTX
API Testing Presentations.pptx
byManmitSalunke
 
PDF
Designing APIs with OpenAPI Spec
byAdam Paxton
 
PDF
Building Advanced XSS Vectors
byRodolfo Assis (Brute)
 
ODP
Introduction to Swagger
byKnoldus Inc.
 
PPTX
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
byAjin Abraham
 
PPTX
Api Testing
byVishwanath KC
 
PDF
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
byAdar Weidman
 
PDF
Pentesting Rest API's by :- Gaurang Bhatnagar
byOWASP Delhi
 
PPTX
API Security Lifecycle
byApigee | Google Cloud
 
PPTX
Owasp top 10 vulnerabilities
byOWASP Delhi
 
OWASP Top 10 2021 Presentation (Jul 2022)
byTzahiArabov
 
Rest API
byRohana K Amarakoon
 
Api security-testing
byn|u - The Open Security Community
 
API Security Best Practices and Guidelines
byWSO2
 
Rest API Security - A quick understanding of Rest API Security
byMohammed Fazuluddin
 
OWASP API Security Top 10 - Austin DevSecOps Days
by42Crunch
 
API Design- Best Practices
byPrakash Bhandari
 
SSRF exploit the trust relationship
byn|u - The Open Security Community
 
SSRF workshop
byIvan Novikov
 
API Test Automation
bySQALab
 
API Testing Presentations.pptx
byManmitSalunke
 
Designing APIs with OpenAPI Spec
byAdam Paxton
 
Building Advanced XSS Vectors
byRodolfo Assis (Brute)
 
Introduction to Swagger
byKnoldus Inc.
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
byAjin Abraham
 
Api Testing
byVishwanath KC
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
byAdar Weidman
 
Pentesting Rest API's by :- Gaurang Bhatnagar
byOWASP Delhi
 
API Security Lifecycle
byApigee | Google Cloud
 
Owasp top 10 vulnerabilities
byOWASP Delhi
 

Similar to OWASP Top 10 API Security Risks

PDF
Akamai_ API Security Best Practices - Real-world attacks and breaches
bySecurity Bootcamp
 
PDF
API Vulnerabilties and What to Do About Them
byEoin Woods
 
PDF
Guidelines to protect your APIs from threats
byIsabelle Mauny
 
PDF
Top 10 OWASP API Security Threats
byWSO2
 
PDF
Keamanan Digital dan Privasi di Masa Pandemi-Taro Lay (Director-Kalama Cyber)
byDicodingEvent
 
PDF
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
byapidays
 
PDF
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
byapidays
 
PDF
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
byUnited States Cybersecurity Institute (USCSI®)
 
PPTX
How-to-Secure-APIs-to-Defend-Against-Emerging-Cyber-Threats-to-Digital-Web-As...
bykhalidmohammedfci
 
PDF
Common Security API Issues and How to Mitigate Them Using Postman
byPostman
 
PDF
Enhancing your Security APIs
byApigee | Google Cloud
 
PPTX
apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...
byapidays
 
PDF
HowYourAPIBeMyAPI
byJie Liau
 
PDF
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
byapidays
 
PDF
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
byapidays
 
PPTX
Building better security for your API platform using Azure API Management
byEldert Grootenboer
 
PDF
Api economy and why effective security is important (1)
byIndusfacePvtLtd
 
PDF
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
byapidays
 
PPTX
2022 APIsecure_Go Hack Yourself: API Hacking for Beginners
byAPIsecure_ Official
 
PDF
2022 apidays LIVE Helsinki & North_Future proofing API Security
byapidays
 
Akamai_ API Security Best Practices - Real-world attacks and breaches
bySecurity Bootcamp
 
API Vulnerabilties and What to Do About Them
byEoin Woods
 
Guidelines to protect your APIs from threats
byIsabelle Mauny
 
Top 10 OWASP API Security Threats
byWSO2
 
Keamanan Digital dan Privasi di Masa Pandemi-Taro Lay (Director-Kalama Cyber)
byDicodingEvent
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
byapidays
 
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
byapidays
 
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
byUnited States Cybersecurity Institute (USCSI®)
 
How-to-Secure-APIs-to-Defend-Against-Emerging-Cyber-Threats-to-Digital-Web-As...
bykhalidmohammedfci
 
Common Security API Issues and How to Mitigate Them Using Postman
byPostman
 
Enhancing your Security APIs
byApigee | Google Cloud
 
apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...
byapidays
 
HowYourAPIBeMyAPI
byJie Liau
 
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
byapidays
 
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
byapidays
 
Building better security for your API platform using Azure API Management
byEldert Grootenboer
 
Api economy and why effective security is important (1)
byIndusfacePvtLtd
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
byapidays
 
2022 APIsecure_Go Hack Yourself: API Hacking for Beginners
byAPIsecure_ Official
 
2022 apidays LIVE Helsinki & North_Future proofing API Security
byapidays
 

More from IndusfacePvtLtd

PDF
10 Types of Cybersecurity Attacks
byIndusfacePvtLtd
 
PDF
AppTrana SECaaS (Security as a Service)
byIndusfacePvtLtd
 
PDF
Indusface and CARTA Whitepaper
byIndusfacePvtLtd
 
PDF
AppTrana Competency Matrix for OWASP Top 10
byIndusfacePvtLtd
 
PDF
8 Key Considerations in Choosing the Right WAF
byIndusfacePvtLtd
 
PDF
Why Startups Need to Strengthen Application Security
byIndusfacePvtLtd
 
PDF
True Cost of Ransomware to Your Business
byIndusfacePvtLtd
 
PDF
5 Effective Ways for Website Protection
byIndusfacePvtLtd
 
PDF
5 Top Cyber Threats That Will Ruin Your Business
byIndusfacePvtLtd
 
PDF
Why Manual Pen-Testing is a must have for comprehensive application security ...
byIndusfacePvtLtd
 
PDF
API7:2019 Security Misconfiguration
byIndusfacePvtLtd
 
10 Types of Cybersecurity Attacks
byIndusfacePvtLtd
 
AppTrana SECaaS (Security as a Service)
byIndusfacePvtLtd
 
Indusface and CARTA Whitepaper
byIndusfacePvtLtd
 
AppTrana Competency Matrix for OWASP Top 10
byIndusfacePvtLtd
 
8 Key Considerations in Choosing the Right WAF
byIndusfacePvtLtd
 
Why Startups Need to Strengthen Application Security
byIndusfacePvtLtd
 
True Cost of Ransomware to Your Business
byIndusfacePvtLtd
 
5 Effective Ways for Website Protection
byIndusfacePvtLtd
 
5 Top Cyber Threats That Will Ruin Your Business
byIndusfacePvtLtd
 
Why Manual Pen-Testing is a must have for comprehensive application security ...
byIndusfacePvtLtd
 
API7:2019 Security Misconfiguration
byIndusfacePvtLtd
 

Recently uploaded

PPTX
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
PDF
A "Kill Switch" (Emergency Off Switch) for AI?
byScott M. Graffius
 
PDF
January Patch Tuesday
byIvanti
 
PPTX
Unit 1 Introduction of Computer Networks
bySuvarnaSharma5
 
PDF
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
PDF
P6 Presentation basics for project control managers and planners
byNebojsaPavlovic9
 
PPTX
Full course that Prymehat uploads for you
byOhenebaManu1
 
PDF
JR : Quality Random Data from the Command line
byGiovanni Marigi
 
PDF
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
PDF
Effective Ai powered mock interview .pdf
byamazingnishusingh766
 
PDF
Saga: The new era of transactions in a microservices architecture
byGiovanni Marigi
 
PPTX
KTU-PEMET413 -MODULE 2-POLYMER MATRIX COMPOSITES - LECTURE 1.pptx
byVINAY B
 
PDF
SAP WalkMe Overview.pdf SAP WalkMe Overview.pdf
byMurniatiSimbolon2
 
PDF
65 AI-related Posts Catalog https://tinyurl.com/mpavkr8z
byBob Marcus
 
PPTX
Lecture 04. about Black heads and Hackerss.pptx
byvinocol222
 
PDF
KM World 2025 Enterprises, KM, & Agentic AI
byEnterprise Knowledge
 
PPTX
Basics-of-Electronics-and-Core-Components-of-IoT-Systems.pptx
byMuhammedNihal54
 
PPTX
Grade 8 LESSON 7 - VIDEO EDITING lessonb
byclarizzairahmanansal
 
PDF
XonTel Plus IP-PBX Business Phone System
byXonTel Technology
 
PPTX
TechSprint Kickoff - Everything You Need to Know
bygdgcodecellcmpn
 
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
A "Kill Switch" (Emergency Off Switch) for AI?
byScott M. Graffius
 
January Patch Tuesday
byIvanti
 
Unit 1 Introduction of Computer Networks
bySuvarnaSharma5
 
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
P6 Presentation basics for project control managers and planners
byNebojsaPavlovic9
 
Full course that Prymehat uploads for you
byOhenebaManu1
 
JR : Quality Random Data from the Command line
byGiovanni Marigi
 
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
Effective Ai powered mock interview .pdf
byamazingnishusingh766
 
Saga: The new era of transactions in a microservices architecture
byGiovanni Marigi
 
KTU-PEMET413 -MODULE 2-POLYMER MATRIX COMPOSITES - LECTURE 1.pptx
byVINAY B
 
SAP WalkMe Overview.pdf SAP WalkMe Overview.pdf
byMurniatiSimbolon2
 
65 AI-related Posts Catalog https://tinyurl.com/mpavkr8z
byBob Marcus
 
Lecture 04. about Black heads and Hackerss.pptx
byvinocol222
 
KM World 2025 Enterprises, KM, & Agentic AI
byEnterprise Knowledge
 
Basics-of-Electronics-and-Core-Components-of-IoT-Systems.pptx
byMuhammedNihal54
 
Grade 8 LESSON 7 - VIDEO EDITING lessonb
byclarizzairahmanansal
 
XonTel Plus IP-PBX Business Phone System
byXonTel Technology
 
TechSprint Kickoff - Everything You Need to Know
bygdgcodecellcmpn
 

OWASP Top 10 API Security Risks

  • 1.
  • 2.
    APIs without authen�ca�on api/userID/20905 api/userID/20804 BOB John This iswhen API returns sensi�ve data to a user who doesn’t have permission to access that data 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 API1:2019 Broken Object-Level Authorization
  • 3.
    This is whenAPI returns sensi�ve data to a user who doesn’t have permission to access that data A�acker API Endpoints <> <> <> <> <> <> <> <> Uses creden�al stuffing with stolen password database API2:2019 Broken User Authentication
  • 4.
    This is whenAPI is designed to expose all sensi�ve data without proper filtering Sam GET /api/userprofile Applica�on Server Database Server { [Name: Sam.. Card No.: 1234 SSN: 709-99-789, Name: John.. Card No.: 5467 SSN: 237-71-567, ...] } 709-99-7890 Sam 1234 5678 9012 3456 DOB 709-99-7890 API3:2019 Excessive Data Exposure
  • 5.
    When there isno restric�on on the number of requests made by users, APIs can be vulnerable to brute force and DDoS a�acks ! API4:2019 Lack of Resources & Rate Limiting
  • 6.
    GET/accounts/emp1/account_detail GET/accounts/emp2/account_detail Alex A�acker What if ireplace emp1 with emp2 and view someone else’s data This is when an API allows users to use HTTP methods to execute func�ons, they are unauthorized to perform API5:2019 Broken Function Level Authorization
  • 7.
    Trust us for WebApplica�on and API Protec�on Start your free trial at indusface.com/api
  • 8.
    POST/order/coupon ... {”coupon_code”: {”welcome10”, ”welcome10”, ”welcome10”, ...] } 200 OK ... {”Order_value”:”0$”} A�ack Scenario E-Commercesite Normal Scenario POST/order/coupon ... {”coupon_code”:”welcome10”} 200 OK ... {”order_value”:”90$”} E-Commerce site It occurs when an API takes user input directly and maps the values to the backend object models without proper filtering API6:2019 Mass Assignment
  • 9.
    An API componentis suscep�ble to a�ack due to a nonsecure configura�on op�on Unhardened Images HTTP headers HTTP CORS Open files and folders Verbose errors API7:2019 Security Misconfiguration
  • 10.
    A�ackers send maliciousdata to an API that passes it into the database User A�acker Server Select * from users WHERE userID =’1199’ and password = ‘secretpw’; Select * from users WHERE userID =’1199’ and password = “or 1=1; User ID : Password : API8:2019 Injection
  • 11.
    A�ackers may breakinto the current API by exploi�ng the vulnerability on the staging API if le� unmanaged Beta API Produc�on API API9:2019 Improper Assets Management
  • 12.
    It occurs whenthere are no recording details about auditable events inside an API Properly Set Up Logging New Threat Detected! Insufficient Logging All Good! ATTACK IN PROGRESS My User Name LOG IN Forgot Password API10:2019 Insufficient Logging & Monitoring
  • 13.
    Scan & ProtectYour APIs Today! API Discovery API Vulnerability Scanning DDoS & Bot Mi�ga�on API Pen Tes�ng Start your free trial at indusface.com/api OWASP Top 10 Protec�on