APIs, essentially digital connectors between applications, have become a fundamental part of today’s technology landscape. They enable swift and efficient data sharing, allowing businesses to operate smoothly, enhance customer service, and reduce costs.
However, as APIs have proliferated, they’ve increasingly been targeted by hackers. Their simple design and widespread usage make them attractive targets.
Upstream’s 2023 Global Automotive Cybersecurity Report revealed that attacks utilizing APIs rose 380% from 2021. As more organizations rely on APIs to drive their innovation, services, and operations, this trend is likely to persist.
This expanding threat landscape necessitated an update to the Open Web Application Security Project (OWASP) API Security Top 10 Risk list, which emphasizes the most significant security risks that companies need to consider when securing their APIs. The organization has released an update to the previous list, published in 2019, in response to the evolution of the API landscape and the growing sophistication of attack methodologies.
OWASP API Security Top 10 2023: Automotive, Mobility, and Fleet perspective:
API 1: Broken Object Level Authorization (BOLA)
BOLA remains at the top and is carried over from the previous list. BOLA encompasses scenarios where unauthorized parties gain access to exposed APIs. For instance, attackers may manipulate API requests to view confidential documents meant only for privileged users. Consider an unauthorized user accessing a company’s internal memos or customer records, posing substantial privacy and compliance risks. One of 2023’s biggest automotive incidents, where several global OEMs were compromised, utilized this type of vulnerability to access data and even accounts.
API 2: Broken Authentication
Similar to API1, API2 is retained from the previous list. This risk indicates flaws in the authentication process that could lead to data leaks or other exposures. An attacker exploiting this flaw could masquerade as a legitimate user. Imagine a scenario where an attacker accesses a user’s account and makes purchases, such as a satellite radio subscription, using stored payment information, causing financial losses and damaging the service providers’ reputation.
API 3: Broken Object Property Level Authorization (BOPLA)
BOPLA is a new addition to the 2023 OWASP list, debuting at number 3. This entry underscores the risk of unauthorized access or modifications to object properties within APIs. For instance, a user could manipulate URL parameters to view or edit others’ account data. An attacker could alter shipment details, falsely indicating a completed shipment, leading to operational disruptions.
API 4: Unrestricted Resource Consumption
Unrestricted resource consumption was also included in the 2019 list. This risk refers to attacks that consume system resources without permission, potentially causing system failures. An attacker might overload the server with fake requests in a DDoS attack, rendering the service, whether an internal or external application, unavailable to legitimate users.
API 5: Broken Function Level Authorization (BFLA)
BFLA, another risk included in the previous OWASP API Top Ten, occurs when users gain access to operations they shouldn’t. Consider a user somehow gaining administrative control. This user could modify application settings or data, for example, linking payment details from another account to their own to evade paying for EV charging. This could also potentially expose sensitive information, like email addresses, ID numbers, and phone numbers.
API 6: Business Logic Flaw
A new and critical addition to the OWASP API risks, this risk focuses on manipulating business operations based on insights gained from the business flows. An attacker understanding your business model could exploit it to cause significant losses. A dealership website may experience massive cancellations when an attacker abuses a no-cancellation-fee policy, booking and then canceling appointments for repairs, resulting in empty car-shops and considerable financial losses.
API 7: Server-Side Request Forgery (SSRF)
SSRF is a new addition to the list of risks and involves users interacting with unintended paths and obtaining unauthorized access or information. An attacker could force the API to make requests to internal resources that should be inaccessible. For instance, an attacker could interact with internal file systems or databases, potentially compromising confidential information.
API 8: Security Misconfigurations
Another risk from the previous list, security misconfigurations, continues to threaten businesses worldwide. This pertains to the security vulnerabilities that can emerge from incorrect API configurations. A common example is a developer accidentally exposing a database due to wrong configuration settings, often due to the high development velocity common in organizations. This could lead to an attacker accessing sensitive information, such as user passwords.
API 9: Improper Assets Management
Improper assets management, on the 2019 list and the 2023 list as well, highlights the risks of “shadow” APIs, which are accessible online but overlooked due to poor management. An attacker could discover and exploit these unsecured APIs, accessing sensitive data or disrupting services.
API 10: Unsafe Consumption of APIs
This final item is new to the list and points to the misuse of APIs by third parties who don’t adhere to the defined specifications. For example, a third-party app lacking proper authentication procedures could compromise user security. Picture a scenario where a mobile app accesses user accounts with only a username and password, potentially leading to unauthorized access and information theft.
The updated OWASP API Top 10 Risk list underscores the evolving threat landscape and the crucial need for vigilance and proactive security measures. As APIs are integral to digital services, organizations must be aware of these potential vulnerabilities and maintain a robust security posture.
Upstream’s API Security solution offers the most comprehensive API Security coverage specifically designed to protect business operations, applications, and services. Access comprehensive detection with full coverage of the OWASP API security top ten threats from 2023 and 2019, ensuring your organization’s APIs are secured against the most common risks.
The solution also provides fusion detection by leveraging API data alongside IT and OT data feeds to identify unknown threats and attacks using advanced AI/ML models. It includes an additional layer of business logic anomaly detection, identified using a set of predefined detectors and further refined with detectors built using the platform’s no-code tools for specific use cases.
Upstream’s 2023 Global Automotive Cybersecurity Report
Cleared for takeoff? Upstream’s vSOC is the traffic control center for vehicles
Air traffic control centers play a critical role in ensuring the safety and efficiency of air traffic. The control centers help prevent aircraft collisions, maintain…Read more
Discovery: An Essential First Step in Securing APIs
API security is a crucial facet of cybersecurity in this era of rapid digitalization. While APIs serve as potent tools operating across every aspect of…Read more
Securing the Road Ahead: The Automotive Perspective of the New SEC Cybersecurity Rules
Cybersecurity has been recently positioned as a top priority by the SEC, requiring corporate America to disclose information on material cyber attacks. In addition to…Read more
Upstream Security joins AWS ISV Accelerate: What does it mean for Connected Mobility and SDV makers?
On May 24, 2023 Upstream was selected to join the AWS Independent Software Vendor (ISV) Accelerate Partner Program. This marks an important milestone in our…Read more