Understanding Changes in the OWASP API Security Top 10 List

The Open Web Application Security Project (OWASP), a non-profit foundation devoted to web application security, recently released the 2023 OWASP API Security Top 10 list. The list aims to raise awareness of the most common API security risks plaguing organisations and of how to defend against them.

The 2023 list updates the original list, published in 2019. Since then, API security threats have grown and evolved, and the new list reflects that. We at Salt were proud to help craft the first list, and we've also been a key contributor to the updated list.

Understanding these vulnerability classes is important for companies that want to stay ahead of growing API risk. Below are the key threats and vulnerabilities in the new list and how they have changed from the original list:

API1:2023 – Broken Object Level Authorisation (BOLA)

Broken object level authorisation occurs when an API endpoint accepts an object identifier from the client (an order number, a user ID, a document key) but never checks that the authenticated caller is actually allowed to act on that particular object. Any logged-in user can then read or modify other users' data simply by changing the ID in the request. BOLA accounts for about 40% of all API attacks and is the most common API security threat. It has held the number one spot on the OWASP API list since 2019 and keeps it in the 2023 version.
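To make the failure concrete, here is an added example (it is not code from the original article or from Salt): a minimal order-lookup endpoint written twice, once without an object-level check and once with it, plus the ID-enumeration probe an attacker would run against each. The user records, orders and role names are constructed for illustration.

```python
"""Added example, not from the original article: GET /orders/{id} with and
without an object-level authorisation check. Data and roles are constructed."""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "customer" or "support"


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total: float


# Constructed sample data standing in for the orders table.
ORDERS = {
    1001: Order(1001, owner_id=1, total=49.99),
    1002: Order(1002, owner_id=2, total=1250.00),
}


class NotFound(Exception):
    pass


def get_order_vulnerable(caller: User, order_id: int) -> Order:
    """The BOLA pattern: the caller is authenticated (we have a User), but
    nothing ties the requested order_id to that caller. Every logged-in user
    can read every order by walking the ID space."""
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id)


def can_access(caller: User, order: Order) -> bool:
    """Object-level rule: owners see their own orders, support sees all."""
    return caller.role == "support" or order.owner_id == caller.user_id


def get_order_secure(caller: User, order_id: int) -> Order:
    """Same endpoint with the check the vulnerable version lacks: after
    loading the object, verify this caller may see *this* object."""
    order = ORDERS.get(order_id)
    # Use one error for "does not exist" and "not yours" so the response
    # cannot be used to confirm which IDs are valid.
    if order is None or not can_access(caller, order):
        raise NotFound(order_id)
    return order


def enumerate_orders(handler: Callable[[User, int], Order],
                     caller: User, ids: Iterable[int]) -> List[int]:
    """What an attacker does: iterate candidate IDs and keep the ones the
    endpoint returns. Against the vulnerable handler this leaks everything."""
    found = []
    for order_id in ids:
        try:
            handler(caller, order_id)
            found.append(order_id)
        except NotFound:
            continue
    return found


if __name__ == "__main__":
    attacker = User(user_id=2, role="customer")
    print("vulnerable:", enumerate_orders(get_order_vulnerable, attacker, range(1000, 1010)))
    print("secure:    ", enumerate_orders(get_order_secure, attacker, range(1000, 1010)))
```

The fix is the single `can_access` call, but note where it sits: after the object is loaded, keyed on the object's own owner field, not on anything the client sent. Checks that only look at the caller's role (which is what API5, broken function level authorisation, covers) do not catch this, because a customer is allowed to call this endpoint; they are just not allowed to call it for someone else's order.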

API2:2023 – Broken Authentication

Broken authentication covers weaknesses in how an API issues, accepts and validates credentials and tokens. Attackers exploit it with stolen authentication tokens, credential stuffing and brute-force attacks to gain unauthorised access to applications. The improper social login functionality in Booking.com (now remediated) is a good example of broken authentication, and could have led to account takeover (ATO) attacks. This API authentication security vulnerability ..
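One of the most common ways API authentication breaks is that the server decodes a bearer token and trusts the claims inside it without verifying the signature or the expiry. The following added example (not code from the original article, from Salt, or from the Booking.com case) shows a minimal HMAC-signed token scheme, the unverified-decode bug beside the correct check, and the forged token an attacker would present. The token layout, the secret and the user IDs are constructed for illustration.

```python
"""Added example, not from the original article: a bearer token that is
trusted unverified (broken authentication) beside the verified version.
Token format, secret and claims are constructed for this illustration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Server-side signing key; constructed for the example, never shipped to clients.
SECRET = b"constructed-server-side-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user_id: int, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Issue '<payload>.<tag>': payload is JSON claims, tag is HMAC-SHA256
    over the encoded payload. Only the server holds SECRET."""
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"sub": user_id, "exp": int(now + ttl)}).encode())
    tag = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"


def whoami_vulnerable(token: str) -> int:
    """The bug: decode the payload and believe it. The tag is split off and
    ignored, so any client can write {"sub": 1} and become user 1."""
    payload, _ignored_tag = token.split(".", 1)
    return json.loads(_unb64(payload))["sub"]


def whoami_secure(token: str, now: Optional[float] = None) -> Optional[int]:
    """Verify before trusting: recompute the tag, compare in constant time,
    then reject expired tokens. Returns None for anything not acceptable."""
    now = time.time() if now is None else now
    try:
        payload, tag = token.split(".", 1)
        presented = _unb64(tag)
    except (ValueError, Exception):
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    # compare_digest avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(presented, expected):
        return None
    claims = json.loads(_unb64(payload))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims["sub"]


def forge_token(user_id: int) -> str:
    """What an attacker without SECRET can do: write the claims they want
    and attach a tag that is not a real MAC."""
    payload = _b64(json.dumps({"sub": user_id, "exp": 2**31}).encode())
    return f"{payload}.{_b64(b'not-a-real-tag')}"


if __name__ == "__main__":
    genuine = mint_token(7, now=1000)
    forged = forge_token(1)
    print("vulnerable sees forged token as user:", whoami_vulnerable(forged))
    print("secure sees forged token as user:    ", whoami_secure(forged, now=2000))
    print("secure sees genuine token as user:   ", whoami_secure(genuine, now=2000))
    print("secure sees expired token as user:   ", whoami_secure(genuine, now=5000))
```

The expiry check is what limits the damage from a stolen token: the verified version still accepts a genuine token for as long as it is valid, which is why short lifetimes and server-side revocation matter alongside signature verification. Credential stuffing and brute force are the other half of this category and need their own controls (per-account and per-IP attempt limits, lockout, MFA), which this example does not cover.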