OWASP API TOP 10 MindMap

API1: Broken Object Level Authorization (BOLA)

  • Description: API users should access only their sensitive resources. BOLA allows attackers to access other users' data.

  • Testing: Look for resource IDs, user identifiers, usernames, JWTs, and ID-based downloadable resources.

API2: Broken Authentication

  • Description: Results from weak authentication mechanisms or implementation errors, leading to various vulnerabilities.

  • Testing:

    • Weak JWT and password policies

    • Credential stuffing

    • Sensitivity in URL parameters

    • Lack of password confirmation

    • Weak encryption keys

    • Captcha attacks, API keys attacks, and token-based attacks

API3: Broken Object Property Level Authorization

  • Description: API exposes sensitive object properties to users, allowing unauthorized access or modification.

  • Testing:

    • Look for leaky responses revealing victim's PII info.

    • Test the possibility of adding parameters using tools like param-miner.

API4: Unrestricted Resource Consumption

  • Description: Lack of restrictions on resource usage exposes APIs to DoS attacks and unnecessary financial costs.

  • Testing:

    • Execution timeouts

    • Maximum allocable memory

    • Maximum file descriptors and processes

    • Maximum upload file size

    • Operations per client request

    • Records per page in request-response

    • Third-party service providers' spending limit

API5: Broken Function Level Authorization (BFLA)

  • Description: Allows unauthorized alteration or deletion of data, enabling attackers to perform actions of other roles.

  • Testing:

    • Fuzzing for administrative functions

    • Changing request methods for sensitive calls

    • Testing anonymous user access to functions requiring authentication

API6: Unrestricted Access to Sensitive Business Flows

  • Description: Exposing sensitive business flows in APIs may harm the business if accessed excessively.

  • Testing: Understand business logic, read documentation, and identify potential abuse of features.

API7: Server Side Request Forgery (SSRF)

  • Description: Attack where an attacker forces an API to make unintended requests to a remote server.

  • Testing: Use tools like Burp Collaborator to test user-input URL parameters.

API8: Security Misconfiguration

  • Description: Security issues arise from incorrectly or insecurely configured APIs and supporting systems.

  • Testing: Check for CORS misconfigurations, stack traces, outdated systems, exposed storage, insecure default configurations, and third-party vulnerabilities.

API9: Improper Inventory Management

  • Description: Exposure of unsupported or underdeveloped APIs leads to vulnerabilities, data exposure, and exploitation.

  • Testing: Look for unsupported API versions, accounts, and endpoints. Analyze API version parameters.

API10: Unsafe Consumption of APIs

  • Description: Insecure consumption of APIs can lead to various attacks. Treating third-party APIs like user input is essential.

  • Testing:

    1. Identify all consumed APIs.

    2. Analyze each API's security posture.

    3. Simulate attacks (SQLi, XSS, DoS) against the APIs.

OWASP API top 10 Mind Map

PreviousExcessive Data ExposureNextScanning APIs with OWASP ZAP

Last updated