If you’re reading this then you already know: Aside from its widely recognized list of the top 10 Web Application Security Risks, OWASP began publishing a separate list dedicated to API Security. It provides a well-researched, detailed review of the common vulnerabilities exploited to abuse APIs.

But here’s the catch: it’s a technical doc. Very technical. It’s so specific that it becomes hard to look beyond the nuances and find the answer to the one question that matters: 

What can security teams do to lead – and win – the battle to protect their APIs?

APIs: Good for developers, good for attackers

It’s tempting to view API security as a subset of application security, and in many ways it is, but there are also important differences. If you go over OWASP’s list for API security, you’ll easily find some of the usual suspects from web applications, such as broken authentication, injection, and sensitive data exposure, but you’ll also find that APIs have their fair share of vulnerabilities of their own.

For an attacker, every API you have, whether internal or external, is an opportunity to access potentially sensitive and valuable data on public networks. At the same time, the API presents attackers with the challenge of devising a functional attack that targets the business logic itself, manipulating the application. 

It is this combination that makes APIs so attractive to attackers. 

When it comes to API vulnerabilities, we should always remember that every API has a different business logic. What’s more, that business logic is also different from that of the application itself. And the cherry on top? By targeting APIs directly, attackers can also circumvent some of the protections on the client-side application. 

It should come as no surprise that Gartner predicts that within the next few years “API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications.” 

Giving API security a seat at the table

It’s not just attackers who find APIs attractive. Businesses do too. Industries going through digital transformation encourage businesses to publish more APIs as they seek to enhance the digital experiences and services provided to clients and partners. But this great momentum for publishing APIs also has a by-product: it dramatically increases the overall attack surface.

And yet, as you probably see every day, API security remains a no man’s land. Yes, the security team is responsible for API security, but no single person or team truly owns it end-to-end. 

Actually, it’s the development and IT teams that handle APIs and their security – designing functionalities, writing the code, testing, controlling access, deploying to production, monitoring, and fixing bugs (ultimately, API vulnerabilities are bugs in the code). This situation often leaves security teams in the dark when it comes to APIs.

You can’t afford to have the organization feel comfortable with API blind spots.

Goodbye blind spots

The way leading security teams today handle API security is first and foremost by raising the organization’s awareness through an API catalog. Properly maintaining an API inventory can help you influence other teams to be aware of the risks, set higher security standards throughout the API lifecycle, and turn API security into a priority. Going beyond the technical documentation that developers should maintain for APIs, an API security catalog should focus on the functional aspects of an API and its business logic.

This is where the OWASP API Top 10 is most helpful: it can help you set the bar of your API inventory. Beyond access control and rate-limiting, cataloging is the single most important tool at your disposal, paving the way to better security testing, runtime protection, and faster remediation.

OWASP API Security Top 10

API1: Broken Object Level Authorization

Why should you care

These vulnerabilities can result in severe data breaches and full account takeovers.

How does it happen

Using an API, users should be able to access only the objects relevant and related to them. By replacing objects’ IDs in requests, attackers might be able to retrieve other users’ data objects if the proper authorization mechanisms aren’t in place and the API fails to track the client’s state.

What can you do

This is where API visibility is crucial. When managing the catalog, keep meticulous knowledge of the business logic around what every API actually does, the data it exposes in the process (especially sensitive data), to whom that data is accessible, and through which IDs. Special attention should also be given to ID generation: be cautious about using IDs that are sequential or otherwise easily guessable.

How can Imvision help

The platform learns which fields exhibit a statistical relationship with the authenticated user, continuously verifies the relation, and triggers an anomaly when the user tries to access an object it shouldn’t have access to.
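
The object-level check described above, as an added example that is not code from the original post or from Imvision. The in-memory document store, the user names and the guessability heuristic are constructed for the demonstration; the point is that the hardened handler decides on the server side, from the authenticated identity, whether the requested object belongs to the caller, and that new object IDs are random rather than sequential.

```python
"""Object-level authorization (OWASP API1): a BOLA-prone lookup beside a hardened one.

Added example; the "database" below is constructed sample data.
"""
import uuid

# Constructed sample data: two users, each owning one document.
DOCUMENTS = {
    1: {"owner": "alice", "body": "alice's tax return"},
    2: {"owner": "bob", "body": "bob's medical file"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to access the object."""


def get_document_vulnerable(current_user, doc_id):
    """BOLA-prone handler: trusts the ID in the request and never checks ownership.
    The authenticated user is ignored, so any valid ID returns another user's data."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    return doc["body"]


def can_access(current_user, doc_id):
    """Object-level check: the object must exist and belong to the authenticated caller.
    Nothing here depends on client-supplied state."""
    doc = DOCUMENTS.get(doc_id)
    return doc is not None and doc["owner"] == current_user


def get_document_hardened(current_user, doc_id):
    """Hardened handler: every object access goes through can_access().
    "Missing" and "not yours" get the same error so the ID space can't be mapped
    by telling 403 apart from 404."""
    if not can_access(current_user, doc_id):
        raise Forbidden(f"document {doc_id!r} not accessible to {current_user!r}")
    return DOCUMENTS[doc_id]["body"]


def new_object_id():
    """Non-sequential, non-guessable identifier for newly created objects
    (a random UUIDv4 instead of an auto-increment counter)."""
    return str(uuid.uuid4())


def is_guessable_id(value):
    """Catalog-time review heuristic (constructed for this example): flag identifiers
    that are purely numeric and short enough to enumerate."""
    s = str(value)
    return s.isdigit() and len(s) <= 8
```

When reviewing an existing API for the catalog, run `is_guessable_id` over the IDs it exposes; a hit is not a vulnerability by itself, but it tells you that the authorization check in the handler is the only thing standing between users' objects.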

API2: Broken User Authentication

Why should you care

These vulnerabilities can result in full account takeovers.

How does it happen

Before accessing an API’s functionality, users need to authenticate themselves. As a result, authentication endpoints are the most exposed and are often the first choice for attackers attempting to exploit a range of potential vulnerabilities, including credential stuffing and brute force.

What can you do

Buy a proper, up-to-date solution, and pay those who know what they are doing to keep up with the updates using industry best practices, without compromise or shortcuts. Document in the catalog the authentication method used by each API, the testing conducted, and the date of the last update. Consult experienced professionals and read about the recommended ways to use tokens.

How can Imvision help

The platform alerts to missing authorization headers and indicates unauthenticated API calls. The platform also analyzes and validates consumer behavior, allowing for the detection of the possible use of stolen credentials.

API3: Excessive Data Exposure

Why should you care

When sniffed by attackers, excessive data exposure equals sensitive data exposure.

How does it happen

Clients use an API to request specific data fields, but the API response can often include additional, unnecessary fields, some of which may expose sensitive data. This is often the result of design flaws: an attempt to be generic for future uses, leftovers from previous uses of an endpoint, or simply an oversight.

What can you do

There’s no easy way to say this, so here goes: you’re probably already doing this. It’s so tempting to do that avoiding it requires a lot of team discipline and awareness, always assuming zero filtering is performed by the consumer. As with API1 above, visibility is key. Having an inventory of APIs exposing sensitive data and Personally Identifiable Information (PII), along with a categorization of the business logic, lets you double-check whether these fields are indeed necessary, and be extra vigilant when changes to those APIs are deployed.

How can Imvision help

The platform automatically detects sensitive information and PIIs to assess endpoint risks and highlight those for further verification. The platform learns the common responses for high-risk API calls that include sensitive data and alerts on anomalies.

API4: Lack of Resources and Rate-Limiting

Why should you care

These vulnerabilities can result in sensitive data breaches and even Denial of Service (DoS).

How does it happen

For every user group, there is an expected level of usage that the API architecture is built to serve. Too many (or too great) simultaneous requests can bring an API to its knees, slowing down service and even de-facto creating a Denial of Service (DoS).

What can you do

Rate limiting provides solid mitigation for various vulnerabilities, so you should sprinkle it generously. It is easily configurable through your API gateway using a rate-limit plugin, and recording it in your API catalog helps make sure you don’t overlook rate limiting and constraints on strings, integers, arrays, and so on.

How can Imvision help

The platform learns the usage patterns and detects abnormal sizes, volumes, and response times for API calls, endpoints and consumers, as well as anomalous usage by authenticated users.
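
A gateway-style pre-check that combines the two controls this section names, per-consumer rate limiting and size constraints on strings, integers and arrays. This is an added example, not code from the post, from Imvision, or from any gateway plugin; the bucket sizes, the field constraints and the hypothetical `/search` parameters are constructed values, and the clock is injectable so the behaviour is deterministic.

```python
"""Per-consumer rate limiting and input-size constraints (OWASP API4).

Added example; limits and parameter names are constructed for the demonstration.
"""
import time


class TokenBucket:
    """Token bucket per consumer: `capacity` requests of burst, refilled at `rate` per second."""

    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock          # injectable for testing
        self.state = {}             # consumer -> (tokens, last_refill_time)

    def allow(self, consumer):
        """Consume one token for `consumer` if available; otherwise reject."""
        now = self.clock()
        tokens, last = self.state.get(consumer, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.state[consumer] = (tokens - 1, now)
            return True
        self.state[consumer] = (tokens, now)
        return False


# Constructed per-field constraints for a hypothetical /search endpoint.
CONSTRAINTS = {
    "q": {"type": str, "max_len": 100},
    "page": {"type": int, "min": 1, "max": 1000},
    "tags": {"type": list, "max_items": 20},
}
MAX_BODY_BYTES = 4096


def validate_constraints(body_bytes, params):
    """Return a list of violations; an empty list means the request is within limits."""
    problems = []
    if len(body_bytes) > MAX_BODY_BYTES:
        problems.append(f"body too large: {len(body_bytes)} > {MAX_BODY_BYTES}")
    for name, rule in CONSTRAINTS.items():
        if name not in params:
            continue
        value = params[name]
        # bool is a subclass of int in Python, so reject it explicitly for integer fields
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            problems.append(f"{name}: wrong type")
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            problems.append(f"{name}: longer than {rule['max_len']}")
        if "max_items" in rule and len(value) > rule["max_items"]:
            problems.append(f"{name}: more than {rule['max_items']} items")
        if "min" in rule and value < rule["min"]:
            problems.append(f"{name}: below {rule['min']}")
        if "max" in rule and value > rule["max"]:
            problems.append(f"{name}: above {rule['max']}")
    return problems


def handle_request(bucket, consumer, body_bytes, params):
    """Order matters: the cheap rate-limit check runs before any parsing of the payload."""
    if not bucket.allow(consumer):
        return 429, ["rate limit exceeded"]
    problems = validate_constraints(body_bytes, params)
    if problems:
        status = 413 if any("too large" in p for p in problems) else 400
        return status, problems
    return 200, []
```

The bucket is keyed by consumer (API key or authenticated subject), not by source address, because the section's point is that each user group has an expected level of usage; a single consumer behind many addresses should still be held to its own budget.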

API5: Broken Function-Level Authorization

Why should you care

These vulnerabilities create various threats resulting from unauthorized access to functionalities.

How does it happen

Users have their endpoints, and admins have theirs. When attackers successfully discover (or guess) an admin endpoint, too often they find it has loose access control policies that enable access to unauthorized functionalities. In other cases, attackers may find user endpoints that lack proper separation of roles, enabling them to tamper with the data.

What can you do

This is another type of vulnerability where cataloging can mean the world: all admin access endpoints should be monitored closely and deployed with proper authorization and authentication methods so attackers can’t crash the party. And yes, that applies to all your shadow APIs as well.

How can Imvision help

The platform automatically clusters authenticated users and API calls to groups reflecting privileges, and triggers an anomaly on deviations from privileges.
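
The catalog-driven approach to function-level authorization, as an added example (not code from the post or from Imvision). The route catalog, roles and users are constructed; the design point is default deny: a request is allowed only if its route is in the catalog and the caller holds one of the roles listed for it, so a shadow endpoint that nobody registered is rejected rather than served with whatever policy it happens to have.

```python
"""Function-level authorization from a default-deny route catalog (OWASP API5).

Added example; routes, roles and users are constructed sample values.
"""
import fnmatch

# The catalog: every exposed function with the roles allowed to call it.
# Anything not listed here is denied, which is what closes the door on shadow endpoints.
ROUTE_POLICY = {
    ("GET", "/api/v1/users/me"): {"user", "admin"},
    ("GET", "/api/v1/orders/*"): {"user", "admin"},
    ("DELETE", "/api/v1/users/*"): {"admin"},
    ("GET", "/api/v1/admin/export"): {"admin"},
}

# Constructed identities: roles come from the authenticated session, never from the request.
USERS = {"alice": {"user"}, "root": {"admin"}, "guest": set()}


def match_route(method, path):
    """Return the role set for the first catalog entry matching the request, or None."""
    for (m, pattern), roles in ROUTE_POLICY.items():
        if m == method and fnmatch.fnmatchcase(path, pattern):
            return roles
    return None


def authorize(user, method, path):
    """Return (allowed, reason). Unknown users, unknown routes and role mismatches all deny."""
    roles = USERS.get(user)
    if roles is None:
        return False, "unauthenticated"
    required = match_route(method, path)
    if required is None:
        return False, "route not in catalog"
    if not roles & required:
        return False, f"requires one of {sorted(required)}"
    return True, "ok"


def admin_routes():
    """Watch-list for monitoring: the routes only admins may call."""
    return sorted(route for route, roles in ROUTE_POLICY.items() if roles == {"admin"})
```

`admin_routes()` is the list the section says should be "monitored closely": feed it to your logging and alerting so that any call to one of those routes from a non-admin identity is an event, not just a 403.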

API6: Mass Assignment

Why should you care

These vulnerabilities come in various forms, but generally result in data tampering.

How does it happen

Endpoints accept specific data from the user. However, if the accepted fields aren’t properly whitelisted, attackers can use the same endpoint to set or manipulate other data fields. Knowing which fields are at risk can be as easy as reading the documentation, reviewing responses, or guessing.

What can you do

The key is to understand that every endpoint has a purpose. Only what enables it to fulfill its purpose should be allowed, and constraints should be set for anything else. Your API catalog should clearly explain the endpoint’s business logic and the expected and allowed usage by the user, enabling the developer to whitelist only that.

How can Imvision help

The platform clusters API calls to analyze the data in the right context and learn the required and frequently used fields. This enables alerts on any irregular fields added and parameter tampering, while keeping false positives to a minimum.
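
One catalog entry that serves both API6 (mass assignment) and API3 (excessive data exposure) above: the endpoint declares its purpose, the fields a caller may write, and the fields a response may contain, and everything else is denied in both directions. This is an added example, not code from the post or from Imvision; the stored user record, the endpoint schema and the field names are constructed, and the `unsafe_update` function is included only to show the pattern the schema replaces.

```python
"""Endpoint schemas that allow-list request fields (API6) and response fields (API3).

Added example; the record and schema below are constructed for the demonstration.
"""

# Constructed stored record: it holds far more than any single endpoint needs.
STORED_USER = {
    "id": 17,
    "display_name": "alice",
    "email": "alice@example.invalid",
    "password_hash": "<placeholder hash>",
    "is_admin": False,
    "credit_balance": 250,
    "ssn": "000-00-0000",
}

# One catalog entry per endpoint: purpose, writable fields, exposed fields.
PROFILE_ENDPOINT = {
    "purpose": "let a user view and update their own profile",
    "input_fields": {"display_name", "email"},
    "output_fields": {"id", "display_name", "email"},
}


class UnexpectedFields(ValueError):
    """Raised when a request carries fields the endpoint does not accept."""


def bind_input(schema, payload, reject=True):
    """Return only the fields the endpoint may write.
    With reject=True an undeclared field (e.g. is_admin) fails the request instead of
    being silently dropped, which also produces a log line worth alerting on."""
    extra = set(payload) - schema["input_fields"]
    if extra and reject:
        raise UnexpectedFields(sorted(extra))
    return {k: v for k, v in payload.items() if k in schema["input_fields"]}


def apply_update(schema, record, payload):
    """Mass-assignment-safe update: the record can only change in declared fields."""
    updated = dict(record)
    updated.update(bind_input(schema, payload))
    return updated


def serialize(schema, record):
    """Response filtering on the server side; never assume the consumer drops fields."""
    return {k: record[k] for k in schema["output_fields"] if k in record}


def unsafe_update(record, payload):
    """The vulnerable pattern, for comparison: merges the whole request body into the record."""
    updated = dict(record)
    updated.update(payload)
    return updated


def rejected_fields(schema, payload):
    """Which request fields the endpoint would refuse; useful for an audit of existing traffic."""
    return sorted(set(payload) - schema["input_fields"])
```

Because the same schema object drives both `bind_input` and `serialize`, a reviewer reading the catalog entry sees exactly what the endpoint can change and what it can reveal, which is the double-check the API3 section asks for.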

API7: Security Misconfiguration

Why should you care

These vulnerabilities can lead to sensitive data exposure and even result in compromised servers.

How does it happen

The API stack has various security configurations set across the different system layers. Any misconfiguration, such as missing security patches or missing TLS, can result in various attack scenarios that compromise the API.

What can you do

Don’t slack, check the stack. Always remember that API security is performed across its lifecycle, from creation to deprecation, so manage the knowledge around it in the catalog. Accordingly, security configurations for the entire stack need to be checked periodically and adhere to industry best practices.

How can Imvision help

The platform routinely performs risk assessment for default security configuration based on the use of authentication, HTTP headers, and so on. The platform highlights high-risk endpoints and APIs so the security team can proactively adjust the security configurations as needed.

API8: Injection

Why should you care

These vulnerabilities can lead to data leaks, Denial of Service (DoS), and even complete host takeover.

How does it happen

In these attacks, malicious data is delivered as input to the API, and includes data that can execute various backend commands if processed by the interpreter without authorization. This happens when the data provided in the request is not validated, filtered, or sanitized by the API.

What can you do

When in doubt, sanitize! Don’t let requests through without validation, filtering, and sanitization first. To begin with, define string parameters as strictly as possible, and use available schemas for message validation.
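
The two controls named above, strict per-parameter schemas and validation before the interpreter ever sees the value, as an added example that is not code from the post or from Imvision. The schema, the SQLite table and its rows are constructed; the string-splicing `find_user_unsafe` is kept only to contrast with the parameterized query, and notice that it breaks even on a legitimate name containing an apostrophe.

```python
"""Schema validation and parameterized queries against injection (OWASP API8).

Added example; schema, table and rows are constructed for the demonstration.
"""
import re
import sqlite3

# Each string parameter is defined as strictly as its purpose allows:
# a character class and a length, not just "string".
QUERY_SCHEMA = {
    "username": {"pattern": r"[a-z0-9_.'-]{1,32}"},
    "sort": {"enum": {"asc", "desc"}},
    "limit": {"int_range": (1, 100)},
}


def validate(params):
    """Return a list of violations; empty means every parameter conforms to the schema."""
    problems = []
    for name in params:
        if name not in QUERY_SCHEMA:
            problems.append(f"{name}: unknown parameter")
    for name, rule in QUERY_SCHEMA.items():
        if name not in params:
            continue
        value = params[name]
        if "pattern" in rule:
            if not isinstance(value, str) or not re.fullmatch(rule["pattern"], value):
                problems.append(f"{name}: does not match {rule['pattern']}")
        if "enum" in rule and value not in rule["enum"]:
            problems.append(f"{name}: not one of {sorted(rule['enum'])}")
        if "int_range" in rule:
            lo, hi = rule["int_range"]
            if not isinstance(value, int) or isinstance(value, bool) or not lo <= value <= hi:
                problems.append(f"{name}: not an integer in [{lo}, {hi}]")
    return problems


def build_db():
    """Constructed in-memory table with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a@example.invalid"), ("o'brien", "ob@example.invalid")])
    return conn


def find_user_unsafe(conn, username):
    """Vulnerable pattern: the value is spliced into the SQL text, so the interpreter
    cannot tell data from code. Kept only for comparison."""
    return conn.execute(f"SELECT email FROM users WHERE username = '{username}'").fetchall()


def unsafe_query_breaks(conn, username):
    """True if the spliced query errors out on this value (it does for o'brien)."""
    try:
        find_user_unsafe(conn, username)
        return False
    except sqlite3.Error:
        return True


def find_user_safe(conn, params):
    """Hardened path: validate against the schema, then bind values as parameters.
    Identifiers such as the sort direction cannot be bound, so they come from a fixed enum."""
    problems = validate(params)
    if problems:
        raise ValueError(problems)
    order = "ASC" if params.get("sort", "asc") == "asc" else "DESC"
    sql = f"SELECT email FROM users WHERE username = ? ORDER BY email {order} LIMIT ?"
    return conn.execute(sql, (params["username"], params.get("limit", 10))).fetchall()
```

Validation and parameter binding are complementary, not alternatives: the schema rejects values that have no business reaching the backend at all, and binding guarantees that whatever does reach it is treated as data.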

How can Imvision help

The platform learns the normal character distribution and pattern of values for every field and alerts to deviations from the pattern. The platform also allows adding specific rules to further sanitize fields if necessary.

API9: Improper Assets Management

Why should you care

This vulnerability can lead to sensitive data exposure and full account takeover.

How does it happen

Throughout the API lifecycle, old API versions or unused endpoints may be left behind when development is rushed. Over time, these may remain unpatched and not have the same security standard as the newer APIs.

What can you do

Centralized management of all APIs can go a long way in securing them by maintaining an inventory. Since outdated documentation makes it difficult to fix vulnerabilities, proper inventorying of hosts is much more than just a well-documented list – it goes deep into the team’s culture and discipline.

How can Imvision help

The platform’s data-driven discovery shows all servers and API versions being used, and alerts when an obsolete API version or an unexpected host is accessed.

API10: Insufficient Logging and Monitoring

Why should you care

This vulnerability provides attackers with time and freedom to conduct reconnaissance and execute attacks.

How does it happen

Attackers exploring for vulnerabilities leave a trace that can potentially be picked up through sufficient logging and monitoring. Insufficient logging can also mean that if a breach occurs, the organization may not be able to retrace it, or even be aware of it.

What can you do

Log. Everything. Meticulously. Encourage full monitoring and logging of API traffic to enable behavior modeling and detection of anomalies, geared towards enabling investigations, improving security configurations and policies, and fixing bugs.

How can Imvision help

The platform structures anomalies into events and then into contextual incidents where all of the relevant information is displayed and available for the operator in one place. The platform’s attack analytics also analyzes the alerts and automatically assesses severity and recommends countermeasures.
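
Two detections that only exist if API traffic is logged, serving both API9 (obsolete versions and unexpected hosts, compared against the inventory) and API10 (the reconnaissance trace a scan leaves behind). This is an added example and not code from the post or from Imvision; the catalog, the single-line log format, the log lines and the thresholds are all constructed for the demonstration.

```python
"""Detection over API access logs: inventory drift (API9) and error bursts (API10).

Added example; catalog, log format and log lines are constructed.
"""
import re
from collections import defaultdict

# Constructed catalog: the hosts we own and the API versions still supported.
CATALOG = {
    "hosts": {"api.example.invalid"},
    "supported_versions": {"v2"},
}

# Constructed log lines, one request per line.
SAMPLE_LOG = """\
ts=1700000001 consumer=c42 host=api.example.invalid method=GET path=/v2/orders/1001 status=200
ts=1700000002 consumer=c42 host=api.example.invalid method=GET path=/v2/orders/1002 status=403
ts=1700000003 consumer=c42 host=api.example.invalid method=GET path=/v2/orders/1003 status=403
ts=1700000004 consumer=c42 host=api.example.invalid method=GET path=/v2/orders/1004 status=404
ts=1700000005 consumer=c42 host=api.example.invalid method=GET path=/v2/orders/1005 status=403
ts=1700000006 consumer=c42 host=api.example.invalid method=GET path=/v2/orders/1006 status=403
ts=1700000007 consumer=c7 host=api.example.invalid method=GET path=/v1/orders/77 status=200
ts=1700000008 consumer=c7 host=old-api.example.invalid method=GET path=/v2/orders/78 status=200
ts=1700000009 consumer=c9 host=api.example.invalid method=GET path=/v2/orders/5 status=200
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn each key=value line into a dict; ts and status become ints."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(LINE_RE.findall(line))
        rec["ts"] = int(rec["ts"])
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def asset_findings(records, catalog=CATALOG):
    """API9: requests to unsupported API versions or to hosts missing from the inventory."""
    findings = []
    for rec in records:
        version = rec["path"].split("/")[1]          # "/v1/orders/77" -> "v1"
        if version not in catalog["supported_versions"]:
            findings.append(("obsolete_version", rec["consumer"], version))
        if rec["host"] not in catalog["hosts"]:
            findings.append(("unknown_host", rec["consumer"], rec["host"]))
    return findings


def enumeration_findings(records, window=60, min_errors=4, min_distinct=3):
    """API10: per consumer, a burst of 403/404s across many distinct object paths within
    `window` seconds. One 403 is a user's mistake; many across neighbouring IDs is a probe."""
    by_consumer = defaultdict(list)
    for rec in records:
        if rec["status"] in (403, 404):
            by_consumer[rec["consumer"]].append(rec)
    findings = []
    for consumer, errs in by_consumer.items():
        errs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(errs):
            burst = [r for r in errs[i:] if r["ts"] - first["ts"] <= window]
            distinct = {r["path"] for r in burst}
            if len(burst) >= min_errors and len(distinct) >= min_distinct:
                findings.append((consumer, len(burst), len(distinct)))
                break
    return findings
```

The fields that make these rules possible (authenticated consumer, host, full path, status and timestamp) are the minimum worth logging on every API call; without the consumer identity in particular, the burst in the sample would be indistinguishable from ordinary traffic.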

To OWASP and beyond

It’s important to remember that while OWASP covers the common denominator for API vulnerabilities, each API is different and has its own unique characteristics and logic. 

Since an API has a unique business logic, its vulnerabilities are also unique. There may be common characteristics, as listed in the OWASP Top 10, but every API needs to be protected in a specific way to stop zero-day attacks relevant only to it.

It’s about positive security modeling over general-purpose application security solutions that detect known vulnerabilities. But to do so means that you have to be aware of every API, its business context, and the exposure of sensitive data.

Vulnerabilities related to business logic, processes, or user behavior are more contextual than others, and we can expect such attacks to grow in numbers and severity.

Data-driven API discovery can uncover all your APIs, consumers, methods, and sensitive data, all without the need for documentation. Once in-depth, granular behavioral models of API functionality have been learned, it becomes possible to automatically detect and block breaches.

By identifying anomalous user activities and breaks in the functionality of the APIs, the learned application behavior and business logic provide a unique advantage in mitigating attacks on APIs.