Updates to the OWASP API Security Top 10 Risks

DAR DIAMANT

Product Marketing Manager

July 20, 2023

APIs, essentially digital connectors between applications, have become a fundamental part of today’s technology landscape. They enable swift and efficient data sharing, allowing businesses to operate smoothly, enhance customer service, and reduce costs.

However, as APIs have proliferated, they’ve increasingly been targeted by hackers. Their simple design and widespread usage make them attractive targets.

Upstream’s 2023 Global Automotive Cybersecurity Report revealed that attacks utilizing APIs rose 380% from 2021. As more organizations rely on APIs to drive their innovation, services, and operations, this trend is likely to persist.

This expanding threat landscape necessitated an update to the Open Web Application Security Project (OWASP) API Security Top 10 Risk list, which emphasizes the most significant security risks that companies need to consider when securing their APIs. The organization has released an update to the previous list, published in 2019, in response to the evolution of the API landscape and the growing sophistication of attack methodologies.

OWASP API Security Top 10 2023: Automotive, Mobility, and Fleet perspective

API 1: Broken Object Level Authorization (BOLA)

BOLA remains at the top and is carried over from the previous list. BOLA covers scenarios where a caller who is authenticated but not authorized for a particular object can reach it simply by supplying that object’s identifier in an API request, because the server never checks that the object belongs to the caller. For instance, attackers may manipulate the record ID in an API request to view confidential documents meant only for privileged users. Consider an unauthorized user accessing a company’s internal memos or customer records, posing substantial privacy and compliance risks. One of 2023’s biggest automotive incidents, where several global OEMs were compromised, utilized this type of vulnerability to access data and even accounts.

API 2: Broken Authentication

Similar to API1, API2 is retained from the previous list. This risk indicates flaws in the authentication process that could lead to data leaks or other exposures. An attacker exploiting this flaw could masquerade as a legitimate user. Imagine a scenario where an attacker accesses a user’s account and makes purchases, such as a satellite radio subscription, using stored payment information, causing financial losses and damaging the service providers’ reputation.

API 3: Broken Object Property Level Authorization (BOPLA)

BOPLA is a new addition to the 2023 OWASP list, debuting at number 3. This entry underscores the risk of unauthorized access or modifications to object properties within APIs. For instance, a user could manipulate URL parameters to view or edit others’ account data. An attacker could alter shipment details, falsely indicating a completed shipment, leading to operational disruptions.
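The two authorization checks described under API 1 and API 3 sit side by side in the same handler, so the following added example (written for this article, not code from OWASP or Upstream) shows both: an object-level ownership check against a constructed vehicle-record store, and a property-level allowlist that decides which fields each role may read or write. The record shape, roles and identifiers are all invented for illustration.

```python
"""Object-level (BOLA) and property-level (BOPLA) authorization for a vehicle API.

Added example, not the article's or OWASP's code. The data store, the roles and
the VehicleRecord fields are constructed for illustration.
"""
from dataclasses import dataclass, asdict


class Forbidden(Exception):
    """Raised when the caller may not read or change the requested object or property."""


@dataclass
class VehicleRecord:
    vehicle_id: str
    owner_id: str
    plate: str
    odometer_km: int
    shipment_status: str   # "in_transit" or "delivered"; only logistics may change it
    vin: str               # sensitive; only the owner may see it


# Constructed sample data: two owners, two vehicles.
DB = {
    "v-100": VehicleRecord("v-100", "user-a", "ABC-123", 41200, "in_transit", "1HGCM82633A004352"),
    "v-200": VehicleRecord("v-200", "user-b", "XYZ-987", 8800, "delivered", "WBA3A5C55CF256391"),
}

# Property-level policy (BOPLA): the fields each role may read and write.
READABLE = {
    "owner": {"vehicle_id", "plate", "odometer_km", "shipment_status", "vin"},
    "support": {"vehicle_id", "plate", "shipment_status"},
    "logistics": {"vehicle_id", "shipment_status"},
}
WRITABLE = {
    "owner": {"plate"},                 # owners may correct a typo in their plate
    "logistics": {"shipment_status"},   # only logistics may mark a delivery
}


def get_vehicle_vulnerable(vehicle_id: str) -> dict:
    """BOLA: trusts the ID from the URL and returns the whole object to any caller."""
    return asdict(DB[vehicle_id])


def _load_authorized(caller_id: str, role: str, vehicle_id: str) -> VehicleRecord:
    """Object level: owners may only touch their own vehicle. A missing object and a
    foreign object raise the same error, so IDs cannot be enumerated by response."""
    rec = DB.get(vehicle_id)
    if rec is None or (role == "owner" and rec.owner_id != caller_id):
        raise Forbidden("not authorized for this vehicle")
    return rec


def get_vehicle(caller_id: str, role: str, vehicle_id: str) -> dict:
    """Hardened read: object-level check, then project to the role's readable fields."""
    rec = _load_authorized(caller_id, role, vehicle_id)
    allowed = READABLE.get(role, set())
    return {k: v for k, v in asdict(rec).items() if k in allowed}


def update_vehicle(caller_id: str, role: str, vehicle_id: str, patch: dict) -> dict:
    """Hardened write: any property outside the role's allowlist rejects the request.

    Failing closed (rather than silently dropping fields) stops a caller from flipping
    shipment_status to "delivered" by adding it to an otherwise legitimate update."""
    rec = _load_authorized(caller_id, role, vehicle_id)
    disallowed = set(patch) - WRITABLE.get(role, set())
    if disallowed:
        raise Forbidden(f"properties not writable by {role}: {sorted(disallowed)}")
    for k, v in patch.items():
        setattr(rec, k, v)
    return get_vehicle(caller_id, role, vehicle_id)


def is_forbidden(fn, *args, **kwargs) -> bool:
    """Small helper: True if the call was rejected with Forbidden."""
    try:
        fn(*args, **kwargs)
    except Forbidden:
        return True
    return False
```

The `_load_authorized` check answers "may this caller touch this object at all?"; the `READABLE`/`WRITABLE` tables answer "which of its fields?". Keeping the two decisions separate is what stops a support agent who legitimately sees a record from also seeing the VIN, and stops an owner from promoting a shipment to "delivered".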

API 4: Unrestricted Resource Consumption

Unrestricted resource consumption was also included in the 2019 list. This risk covers API requests that consume CPU, memory, bandwidth, storage or paid third-party quota without any limit on rate, size or count, potentially causing system failures or runaway costs. An attacker might overload the server with fake requests in a DDoS attack, rendering the service, whether an internal or external application, unavailable to legitimate users.
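The controls that address this item are limits at the API edge: a per-client request budget, a cap on request size, and a cap on how much work one call may ask for. The added example below (not code from the article or from Upstream) implements a token-bucket limiter keyed by client, with an injectable clock so the refill behaviour can be exercised deterministically; the caps and the client keys are constructed values.

```python
"""Per-client token-bucket rate limiting plus hard caps on body and page size.

Added example, not the article's or OWASP's code. MAX_BODY_BYTES, MAX_PAGE_SIZE,
the bucket parameters and the client keys are constructed for illustration.
"""
import time

MAX_BODY_BYTES = 64 * 1024   # reject anything larger before reading the body
MAX_PAGE_SIZE = 100          # one call may never ask for more than this many items


class RateLimiter:
    """One token bucket per client key (API key, account id or source address).

    Each request spends one token; tokens refill continuously at refill_per_sec up
    to capacity, so short bursts are tolerated but a sustained flood is not."""

    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock                     # injectable for deterministic tests
        self._buckets: dict[str, tuple[float, float]] = {}   # key -> (tokens, last_ts)

    def allow(self, key: str, cost: float = 1.0) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(key, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill)
        if tokens >= cost:
            self._buckets[key] = (tokens - cost, now)
            return True
        self._buckets[key] = (tokens, now)   # record the refill, deny the request
        return False


class FakeClock:
    """Manual clock so the refill logic can be tested without sleeping."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def handle_list_request(limiter: RateLimiter, client_key: str,
                        content_length: int, requested_page_size: int) -> tuple[int, str]:
    """Edge checks for a 'list vehicles' call, in the order a gateway would apply them.

    The size check uses the declared Content-Length so an oversized body is refused
    before it is read; the rate check then spends a token; finally the page size is
    clamped server-side instead of trusting the client's number."""
    if content_length > MAX_BODY_BYTES:
        return 413, "payload too large"
    if not limiter.allow(client_key):
        return 429, "rate limit exceeded"
    page = max(1, min(requested_page_size, MAX_PAGE_SIZE))
    return 200, f"returning {page} items"


if __name__ == "__main__":
    clock = FakeClock()
    limiter = RateLimiter(capacity=5, refill_per_sec=1.0, clock=clock)
    for _ in range(6):
        print(handle_list_request(limiter, "key-a", 512, 20))
    clock.advance(2.0)
    print(handle_list_request(limiter, "key-a", 512, 20))
```

In production the `429` response should carry a `Retry-After` header and the limiter state should live in a shared store so every API replica enforces the same budget; heavier operations can pass a larger `cost` so that, for example, a full export spends more of the budget than a single lookup.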

API 5: Broken Function Level Authorization (BFLA)

BFLA, another risk included in the previous OWASP API Top Ten, occurs when users gain access to operations they shouldn’t. Consider a user somehow gaining administrative control. This user could modify application settings or data, for example, linking payment details from another account to their own to evade paying for EV charging. This could also potentially expose sensitive information, like email addresses, ID numbers, and phone numbers.
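Function-level authorization fails most often when the server infers privilege from something the client controls, or when an administrative route is merely undocumented rather than protected. The added example below (written for this article, not code from OWASP or Upstream) contrasts a dispatcher that trusts a client header with one that resolves the role from a server-side session and denies every route not explicitly listed, using the EV-charging payment scenario from the text; sessions, routes and payment-method IDs are constructed.

```python
"""Function-level authorization (BFLA) for an EV-charging account API.

Added example, not the article's or OWASP's code. The session store, routes,
roles, payment methods and settings are constructed for illustration.
"""


class Forbidden(Exception):
    """Raised when the caller may not invoke the requested function."""


# Server-side sessions: the role is looked up here and never read from the request.
SESSIONS = {
    "tok-driver": {"user_id": "u-1", "role": "driver"},
    "tok-admin": {"user_id": "u-9", "role": "fleet_admin"},
}

# Constructed account state.
PAYMENT_METHODS = {"pm-1": {"owner": "u-1"}, "pm-2": {"owner": "u-2"}}
ACCOUNT_PAYMENT = {"u-1": "pm-1", "u-2": "pm-2"}
SETTINGS = {"free_charging": False}


def link_payment(session: dict, body: dict) -> dict:
    """Driver function: link a payment method, but only one the caller owns."""
    pm_id = body.get("payment_method_id")
    pm = PAYMENT_METHODS.get(pm_id)
    if pm is None or pm["owner"] != session["user_id"]:
        raise Forbidden("payment method does not belong to the caller")
    ACCOUNT_PAYMENT[session["user_id"]] = pm_id
    return {"linked": pm_id}


def update_settings(session: dict, body: dict) -> dict:
    """Administrative function: change platform-wide settings."""
    SETTINGS.update(body)
    return dict(SETTINGS)


# Route table: each function names the roles allowed to call it. Anything not in
# the table (including the same path with a different HTTP method) is denied.
ROUTES = {
    ("POST", "/payment-methods/link"): (link_payment, {"driver", "fleet_admin"}),
    ("PUT", "/admin/settings"): (update_settings, {"fleet_admin"}),
}


def _authenticate(headers: dict) -> dict:
    session = SESSIONS.get(headers.get("Authorization", ""))
    if session is None:
        raise Forbidden("unauthenticated")
    return session


def dispatch_vulnerable(method: str, path: str, headers: dict, body: dict) -> dict:
    """BFLA: gates admin paths on a header the client itself supplies."""
    session = _authenticate(headers)
    handler, _roles = ROUTES[(method, path)]
    if path.startswith("/admin/") and headers.get("X-Is-Admin") != "true":
        raise Forbidden("admin only")
    return handler(session, body)


def dispatch(method: str, path: str, headers: dict, body: dict) -> dict:
    """Hardened: role comes from the session; unknown routes and roles are denied."""
    session = _authenticate(headers)
    route = ROUTES.get((method, path))
    if route is None:
        raise Forbidden("no such function")          # deny by default
    handler, roles = route
    if session["role"] not in roles:
        raise Forbidden(f"{session['role']} may not call {method} {path}")
    return handler(session, body)


def is_forbidden(fn, *args, **kwargs) -> bool:
    """Small helper: True if the call was rejected with Forbidden."""
    try:
        fn(*args, **kwargs)
    except Forbidden:
        return True
    return False
```

The route table doubles as documentation of who may call what, which is also what a reviewer or a test suite can check mechanically: every `(method, path)` the service exposes must appear with a non-empty role set, and a new endpoint that is missing from the table is unreachable rather than silently open.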

API 6: Business Logic Flaw

A new and critical addition to the OWASP API risks, this entry focuses on abuse of legitimate business operations by an attacker who has studied how the business flows work. An attacker who understands your business model could exploit it to cause significant losses. A dealership website may experience massive cancellations when an attacker abuses a no-cancellation-fee policy, booking and then canceling repair appointments, resulting in empty service bays and considerable financial losses.

API 7: Server-Side Request Forgery (SSRF)

SSRF is a new addition to the list of risks. It occurs when an API fetches a resource from a user-supplied URL without validating it, so the caller can make the server issue requests on its behalf and obtain unauthorized access or information. An attacker could force the API to make requests to internal resources that should be inaccessible from outside. For instance, an attacker could reach internal file systems or databases through the server, potentially compromising confidential information.

API 8: Security Misconfigurations

Another risk from the previous list, security misconfigurations, continues to threaten businesses worldwide. This pertains to the vulnerabilities that emerge from incorrect API configuration rather than from the code itself. A common example is a developer accidentally exposing a database through wrong configuration settings, a mistake made more likely by the high development velocity common in organizations. This could lead to an attacker accessing sensitive information, such as user passwords.

API 9: Improper Assets Management

Improper assets management, present on both the 2019 and the 2023 lists, highlights the risks of “shadow” APIs: endpoints, often older versions or forgotten test deployments, that remain reachable online but are overlooked because nobody inventories them. An attacker could discover and exploit these unsecured APIs, accessing sensitive data or disrupting services.

API 10: Unsafe Consumption of APIs

This final item is new to the list and points to the misuse of APIs by third parties who don’t adhere to the defined specifications. For example, a third-party app lacking proper authentication procedures could compromise user security. Picture a scenario where a mobile app accesses user accounts with only a username and password, potentially leading to unauthorized access and information theft.


The updated OWASP API Top 10 Risk list underscores the evolving threat landscape and the crucial need for vigilance and proactive security measures. As APIs are integral to digital services, organizations must be aware of these potential vulnerabilities and maintain a robust security posture.

Upstream’s API Security solution offers the most comprehensive API Security coverage specifically designed to protect business operations, applications, and services. Access comprehensive detection with full coverage of the OWASP API security top ten threats from 2023 and 2019, ensuring your organization’s APIs are secured against the most common risks.

The solution also provides fusion detection by leveraging API data alongside IT and OT data feeds to identify unknown threats and attacks using advanced AI/ML models. It includes an additional layer of business logic anomaly detection, identified using a set of predefined detectors and further refined with detectors built using the platform’s no-code tools for specific use cases.
