search
githubEdit

OWASP API TOP 10 MindMap

hashtag
API1: Broken Object Level Authorization (BOLA)

  • Description: API users should access only their sensitive resources. BOLA allows attackers to access other users' data.

  • Testing: Look for resource IDs, user identifiers, usernames, JWTs, and ID-based downloadable resources.

hashtag
API2: Broken Authentication

  • Description: Results from weak authentication mechanisms or implementation errors, leading to various vulnerabilities.

  • Testing:

    • Weak JWT and password policies

    • Credential stuffing

    • Sensitivity in URL parameters

    • Lack of password confirmation

    • Weak encryption keys

    • Captcha attacks, API keys attacks, and token-based attacks

hashtag
API3: Broken Object Property Level Authorization

  • Description: API exposes sensitive object properties to users, allowing unauthorized access or modification.

  • Testing:

    • Look for leaky responses revealing victim's PII info.

    • Test the possibility of adding parameters using tools like param-miner.

hashtag
API4: Unrestricted Resource Consumption

  • Description: Lack of restrictions on resource usage exposes APIs to DoS attacks and unnecessary financial costs.

  • Testing:

    • Execution timeouts

    • Maximum allocable memory

    • Maximum file descriptors and processes

    • Maximum upload file size

    • Operations per client request

    • Records per page in request-response

    • Third-party service providers' spending limit

hashtag
API5: Broken Function Level Authorization (BFLA)

  • Description: Allows unauthorized alteration or deletion of data, enabling attackers to perform actions of other roles.

  • Testing:

    • Fuzzing for administrative functions

    • Changing request methods for sensitive calls

    • Testing anonymous user access to functions requiring authentication

hashtag
API6: Unrestricted Access to Sensitive Business Flows

  • Description: Exposing sensitive business flows in APIs may harm the business if accessed excessively.

  • Testing: Understand business logic, read documentation, and identify potential abuse of features.

hashtag
API7: Server Side Request Forgery (SSRF)

  • Description: Attack where an attacker forces an API to make unintended requests to a remote server.

  • Testing: Use tools like Burp Collaborator to test user-input URL parameters.

hashtag
API8: Security Misconfiguration

  • Description: Security issues arise from incorrectly or insecurely configured APIs and supporting systems.

  • Testing: Check for CORS misconfigurations, stack traces, outdated systems, exposed storage, insecure default configurations, and third-party vulnerabilities.

hashtag
API9: Improper Inventory Management

  • Description: Exposure of unsupported or underdeveloped APIs leads to vulnerabilities, data exposure, and exploitation.

  • Testing: Look for unsupported API versions, accounts, and endpoints. Analyze API version parameters.

hashtag
API10: Unsafe Consumption of APIs

  • Description: Insecure consumption of APIs can lead to various attacks. Treating third-party APIs like user input is essential.

  • Testing:

    1. Identify all consumed APIs.

    2. Analyze each API's security posture.

    3. Simulate attacks (SQLi, XSS, DoS) against the APIs.

hashtag
OWASP API top 10 Mind Map

LogoOWASP API TOP 10 | Xmindapp.xmind.comchevron-right
OWASP TOP 10 Mind Map
PreviousExcessive Data ExposureNextScanning APIs with OWASP ZAP

Last updated