Updates to the OWASP API Security Top 10 Risks

DAR DIAMANT

Product Marketing Manager

July 20, 2023

APIs, essentially digital connectors between applications, have become a fundamental part of today’s technology landscape. They enable swift and efficient data sharing, allowing businesses to operate smoothly, enhance customer service, and reduce costs.

However, as APIs have proliferated, they have increasingly been targeted by attackers. Their simple design and widespread usage make them attractive targets.

Upstream’s 2023 Global Automotive Cybersecurity Report revealed that attacks utilizing APIs rose 380% from 2021. As more organizations rely on APIs to drive their innovation, services, and operations, this trend is likely to persist.

This expanding threat landscape necessitated an update to the Open Web Application Security Project (OWASP) API Security Top 10 Risk list, which emphasizes the most significant security risks that companies need to consider when securing their APIs. The organization has released an update to the previous list, published in 2019, in response to the evolution of the API landscape and the growing sophistication of attack methodologies.

OWASP API Security Top 10 2023: Automotive, Mobility, and Fleet perspective:

API 1: Broken Object Level Authorization (BOLA)

BOLA remains at the top and is carried over from the previous list. BOLA encompasses scenarios where unauthorized parties gain access to objects exposed through APIs. For instance, attackers may manipulate API requests to view confidential documents meant only for privileged users. Consider an unauthorized user accessing a company’s internal memos or customer records, posing substantial privacy and compliance risks. One of 2023’s biggest automotive incidents, where several global OEMs were compromised, utilized this type of vulnerability to access data and even accounts.

API 2: Broken Authentication

Similar to API1, API2 is retained from the previous list. This risk indicates flaws in the authentication process that could lead to data leaks or other exposures. An attacker exploiting this flaw could masquerade as a legitimate user. Imagine a scenario where an attacker accesses a user’s account and makes purchases, such as a satellite radio subscription, using stored payment information, causing financial losses and damaging the service providers’ reputation.
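As an added example (not code from the original post or from Upstream), the Python below shows the authentication flaw this entry describes next to its fix. `verify_token_weak` accepts whatever claims the client presents, so a caller can mint a token for any account; `verify_token` checks an HMAC-SHA256 signature with a constant-time comparison and rejects expired tokens. The secret, user ids and token format are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real service loads this from a secret store.
SECRET = b"constructed-demo-secret-do-not-use"


def issue_token(user_id: str, ttl_s: int = 3600, now: Optional[float] = None) -> str:
    """Return 'base64(payload).base64(hmac)' with an expiry claim."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user_id, "exp": int(now) + ttl_s},
                         separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_token_weak(token: str) -> Optional[str]:
    """Deliberately broken: decodes the claims without checking the signature
    or the expiry, so any client can present claims for any user."""
    try:
        payload = base64.urlsafe_b64decode(token.split(".")[0])
        return json.loads(payload)["sub"]
    except (ValueError, KeyError, TypeError):
        return None


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id only if the signature matches and the token is unexpired."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    # compare_digest does not leak where the first mismatching byte is
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(payload)
        sub, exp = claims["sub"], int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return None
    now = time.time() if now is None else now
    if exp <= now:
        return None
    return sub


def unsigned_token(user_id: str) -> str:
    """Negative test fixture: well-formed claims with a bogus signature.
    Used only to show that verify_token rejects it while verify_token_weak does not."""
    payload = json.dumps({"sub": user_id, "exp": 2_000_000_000}).encode()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(b"\x00" * 32).decode())
```

The same pattern applies to any bearer credential: the server must verify integrity and lifetime itself rather than trusting fields the client sent, and a stored-payment flow such as the subscription purchase above should additionally require a fresh authentication step.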

API 3: Broken Object Property Level Authorization (BOPLA)

BOPLA is a new addition to the 2023 OWASP list, debuting at number 3. This entry underscores the risk of unauthorized access or modifications to object properties within APIs. For instance, a user could manipulate URL parameters to view or edit others’ account data. An attacker could alter shipment details, falsely indicating a completed shipment, leading to operational disruptions.
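As an added example, not from the original post or from Upstream, the following Python contrasts a mass-assignment update handler with one that enforces property-level authorization on both writes and reads. The shipment record, roles and field allowlists are constructed for the example.

```python
from dataclasses import asdict, dataclass
from typing import Any, Dict


@dataclass
class Shipment:
    id: int
    owner_id: int
    address: str
    status: str          # "pending" or "delivered"
    carrier_notes: str   # internal, never shown to customers


# Properties each role may write; anything else in the request is rejected.
WRITABLE = {
    "customer": {"address"},
    "carrier": {"status", "carrier_notes"},
}
# Properties each role may read back in a response.
READABLE = {
    "customer": {"id", "address", "status"},
    "carrier": {"id", "owner_id", "address", "status", "carrier_notes"},
}


def update_shipment_vulnerable(shipment: Shipment, payload: Dict[str, Any]) -> Shipment:
    """Mass assignment: every key in the request body is written to the object,
    so a customer can send {"status": "delivered"} or rewrite owner_id."""
    for key, value in payload.items():
        setattr(shipment, key, value)
    return shipment


def update_shipment(shipment: Shipment, payload: Dict[str, Any], role: str) -> Shipment:
    """Write only properties the caller's role may change, and reject the whole
    request if it names anything else (fail closed instead of silently dropping)."""
    allowed = WRITABLE.get(role, set())
    forbidden = set(payload) - allowed
    if forbidden:
        raise PermissionError(f"{role} may not set {sorted(forbidden)}")
    for key, value in payload.items():
        setattr(shipment, key, value)
    return shipment


def shipment_view(shipment: Shipment, role: str) -> Dict[str, Any]:
    """Build the response from an explicit allowlist instead of dumping the object."""
    fields = READABLE.get(role, set())
    return {k: v for k, v in asdict(shipment).items() if k in fields}


def sample_shipment() -> Shipment:
    # Constructed sample record.
    return Shipment(id=7, owner_id=100, address="1 Demo St",
                    status="pending", carrier_notes="leave at gate")
```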

API 4: Unrestricted Resource Consumption

Unrestricted resource consumption was also included in the 2019 list. This risk refers to attacks that consume system resources without permission, potentially causing system failures. An attacker might overload the server with fake requests in a DDoS attack, rendering the service, whether an internal or external application, unavailable to legitimate users.
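The following Python is an added example (not from the original post or from Upstream) of the controls that limit resource consumption at the API layer: a per-client token bucket, a cap on request body size, and a bounded page size that the client cannot raise. The handler, catalog data and limits are constructed.

```python
import time
from typing import Dict, Optional, Tuple


class TokenBucket:
    """Per-client token bucket: up to `capacity` requests may burst, then
    `refill_per_s` tokens per second are replenished. Time is injected so
    the behaviour is deterministic in tests."""

    def __init__(self, capacity: int, refill_per_s: float) -> None:
        self.capacity = capacity
        self.refill_per_s = refill_per_s
        self._state: Dict[str, Tuple[float, float]] = {}  # client -> (tokens, last_ts)

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        tokens, last = self._state.get(client, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_s)
        if tokens < 1.0:
            self._state[client] = (tokens, now)
            return False
        self._state[client] = (tokens - 1.0, now)
        return True


MAX_PAGE_SIZE = 100
DEFAULT_PAGE_SIZE = 20
MAX_BODY_BYTES = 64 * 1024
# Constructed catalog the search endpoint pages over.
CATALOG = [f"vehicle-{i:05d}" for i in range(250)]


def bounded_page_size(requested: Optional[str]) -> int:
    """Clamp a client-supplied page size: unparsable or non-positive -> default,
    anything above the cap -> the cap. The client never picks an unbounded value."""
    try:
        n = int(requested) if requested is not None else DEFAULT_PAGE_SIZE
    except ValueError:
        return DEFAULT_PAGE_SIZE
    if n <= 0:
        return DEFAULT_PAGE_SIZE
    return min(n, MAX_PAGE_SIZE)


def handle_search(bucket: TokenBucket, client: str, params: Dict[str, str],
                  body: bytes, now: Optional[float] = None) -> Tuple[int, dict]:
    """Constructed search handler: cheap limits run before any expensive work.
    Returns (http_status, response_body)."""
    if not bucket.allow(client, now):
        return 429, {"error": "rate limited", "retry_after_s": 1}
    if len(body) > MAX_BODY_BYTES:
        return 413, {"error": "request body too large"}
    limit = bounded_page_size(params.get("limit"))
    try:
        offset = max(0, int(params.get("offset", "0")))
    except ValueError:
        offset = 0
    return 200, {"limit": limit, "offset": offset,
                 "results": CATALOG[offset:offset + limit]}
```

Limits of this kind are per-endpoint policy rather than a global setting: an expensive search or export should get a smaller bucket and page cap than a cheap status lookup.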

API 5: Broken Function Level Authorization (BFLA)

BFLA, another risk included in the previous OWASP API Top Ten, occurs when users gain access to operations they shouldn’t. Consider a user somehow gaining administrative control. This user could modify application settings or data, for example, linking payment details from another account to their own to evade paying for EV charging. This could also potentially expose sensitive information, like email addresses, ID numbers, and phone numbers.
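The Python below is an added example (not from the original post or from Upstream) that covers both the object-level check from the BOLA entry above and the function-level check from this BFLA entry, using the page's EV-charging scenario. The user roles, stored payment methods and tariff data are constructed.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "customer" or "admin"


@dataclass
class PaymentMethod:
    id: int
    owner_id: int
    last4: str


class NotFound(Exception):
    """Raised for both 'no such object' and 'not yours' so responses (a 404
    either way) do not reveal which ids exist."""


class Forbidden(Exception):
    """Caller is authenticated but the operation is not available to their role."""


# Constructed data: two customers with one stored card each, one charging station.
PAYMENT_METHODS: Dict[int, PaymentMethod] = {
    1: PaymentMethod(id=1, owner_id=100, last4="4242"),
    2: PaymentMethod(id=2, owner_id=200, last4="1881"),
}
STATION_TARIFF_CENTS_PER_KWH: Dict[str, int] = {"station-A": 45}


# --- BOLA: object-level authorization ---------------------------------------

def get_payment_method_vulnerable(user: User, pm_id: int) -> PaymentMethod:
    """Looks the object up by the id in the request and never asks who owns it."""
    return PAYMENT_METHODS[pm_id]


def get_payment_method(user: User, pm_id: int) -> PaymentMethod:
    """Every object access is scoped to the caller; 'exists but belongs to
    someone else' is treated exactly like 'does not exist'."""
    pm = PAYMENT_METHODS.get(pm_id)
    if pm is None or pm.owner_id != user.id:
        raise NotFound(f"payment method {pm_id}")
    return pm


def start_charging_session(user: User, pm_id: int) -> dict:
    """The session flow reuses the scoped lookup, so a caller cannot attach
    another account's stored card to their own session."""
    pm = get_payment_method(user, pm_id)
    return {"session_owner": user.id, "charged_to": pm.id}


# --- BFLA: function-level authorization -------------------------------------

def require_role(*roles: str) -> Callable:
    """Deny the whole operation unless the caller holds one of the listed roles;
    being logged in is not enough for administrative functions."""
    def decorator(fn: Callable) -> Callable:
        @wraps(fn)
        def wrapper(user: User, *args, **kwargs):
            if user.role not in roles:
                raise Forbidden(f"{fn.__name__} requires one of {roles}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def set_station_tariff(user: User, station: str, cents_per_kwh: int) -> int:
    """Administrative operation; without the decorator any authenticated user
    could change pricing for everyone."""
    STATION_TARIFF_CENTS_PER_KWH[station] = cents_per_kwh
    return cents_per_kwh
```

The two checks are independent: an admin who passes `require_role` still goes through `get_payment_method` when touching a customer's object, and a customer who owns an object still cannot call an admin-only function on it.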

API 6: Business Logic Flaw

A new and critical addition to the OWASP API risks, this risk focuses on manipulating business operations using knowledge of how the business flows work. An attacker who understands your business model could exploit it to cause significant losses. A dealership website may experience massive cancellations when an attacker abuses a no-cancellation-fee policy, booking and then canceling repair appointments, resulting in empty repair shops and considerable financial losses.
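As an added example, not from the original post or from Upstream, the Python below implements one control against the booking scenario above: a velocity check that counts cancellations per account in a sliding window and flags the account for review once it exceeds the threshold, after which new bookings are refused until a human clears it. The account ids, slots and thresholds are constructed.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Set


class BookingPolicy:
    """Sliding-window cancellation limit for a no-fee cancellation policy.
    Time is passed in explicitly so the behaviour is deterministic in tests."""

    def __init__(self, max_cancels: int = 3, window_s: float = 7 * 24 * 3600) -> None:
        self.max_cancels = max_cancels
        self.window_s = window_s
        self._cancels: Dict[str, Deque[float]] = defaultdict(deque)
        self._bookings: Dict[str, Set[str]] = defaultdict(set)
        self._flagged: Set[str] = set()

    def book(self, account: str, slot: str, now: float) -> bool:
        """Refuse new bookings from flagged accounts; everyone else books normally."""
        if account in self._flagged:
            return False
        self._bookings[account].add(slot)
        return True

    def cancel(self, account: str, slot: str, now: float) -> str:
        """The cancellation itself is honoured (it is the customer's appointment),
        but the account is flagged once it exceeds max_cancels in the window.
        Returns 'ok', 'flagged' or 'unknown'."""
        if slot not in self._bookings[account]:
            return "unknown"
        self._bookings[account].discard(slot)
        q = self._cancels[account]
        while q and now - q[0] > self.window_s:
            q.popleft()            # drop cancellations outside the window
        q.append(now)
        if len(q) > self.max_cancels:
            self._flagged.add(account)   # route to manual review / require a deposit
            return "flagged"
        return "ok"

    def clear_flag(self, account: str) -> None:
        """Called after manual review; the cancellation history is kept."""
        self._flagged.discard(account)

    def is_flagged(self, account: str) -> bool:
        return account in self._flagged
```

A limit like this is a detection and containment measure; the underlying fix is a policy decision (deposits, cancellation deadlines) that removes the incentive the attacker is exploiting.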

API 7: Server-Side Request Forgery (SSRF)

SSRF is a new addition to the list of risks and involves users interacting with unintended paths and obtaining unauthorized access or information. An attacker could force the API to make requests to internal resources that should be inaccessible. For instance, an attacker could interact with internal file systems or databases, potentially compromising confidential information.
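The Python below is an added example (not from the original post or from Upstream) of validating a URL before an API fetches it on a client's behalf: only an allowlisted scheme, host and port are accepted, URLs carrying credentials are refused, and the host's resolved addresses must all be public. The partner hostname, the address it resolves to and the resolver stand-in are constructed.

```python
import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlparse

# Constructed allowlist: the only upstream this API is meant to call.
ALLOWED_HOSTS = {"telematics.partner.example"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses: loopback, RFC 1918,
    link-local, multicast, reserved and unspecified ranges are all rejected."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str, resolve: Callable[[str], Iterable[str]]) -> str:
    """Validate a client-influenced URL before fetching it. `resolve` maps a
    hostname to its addresses; it is injected so the check runs offline and so
    the caller can pin the connection to the addresses that were checked."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    if (parts.port or 443) not in ALLOWED_PORTS:  # parts.port raises ValueError if malformed
        raise ValueError(f"port not allowed: {parts.port}")
    addresses = list(resolve(host))
    if not addresses or not all(is_public_address(a) for a in addresses):
        raise ValueError(f"{host} resolves to a non-public address")
    return url


def constructed_resolver(host: str) -> Iterable[str]:
    """Stand-in for DNS in this example; the address is a constructed value."""
    return {"telematics.partner.example": ["93.184.216.34"]}.get(host, [])
```

Two caveats a practitioner should keep in mind: the HTTP client must connect to the addresses that were validated rather than resolving the name a second time (otherwise a DNS answer can change between check and use), and redirects must either be disabled or re-validated with the same function at every hop.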

API 8: Security Misconfigurations

Another risk from the previous list, security misconfigurations, continues to threaten businesses worldwide. This pertains to the security vulnerabilities that can emerge from incorrect API configurations. A common example is a developer accidentally exposing a database through wrong configuration settings, often a consequence of the high development velocity common in organizations. This could lead to an attacker accessing sensitive information, such as user passwords.
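As an added example (not from the original post or from Upstream), the Python below places a constructed configuration with common weak settings beside a hardened one and runs a small audit over both; the kind of check that belongs in a CI pipeline so a fast-moving deployment cannot ship with the database listening on every interface. The configuration keys and values are constructed, not those of any particular product.

```python
from typing import Any, Dict, List

# Constructed configuration as it might leave a fast-moving deployment.
WEAK_CONFIG: Dict[str, Any] = {
    "debug": True,
    "db_bind": "0.0.0.0",
    "db_password": "",
    "cors_allow_origin": "*",
    "tls_min_version": "1.0",
    "verbose_errors": True,
}

# The same keys with the settings a production API should carry.
HARDENED_CONFIG: Dict[str, Any] = {
    "debug": False,
    "db_bind": "127.0.0.1",
    "db_password": "<loaded-from-secret-store>",   # placeholder, not a real value
    "cors_allow_origin": "https://app.example",
    "tls_min_version": "1.2",
    "verbose_errors": False,
}


def audit_config(cfg: Dict[str, Any]) -> List[str]:
    """Return a human-readable finding for each misconfiguration detected.
    An empty list means the configuration passed every rule."""
    findings: List[str] = []
    if cfg.get("debug"):
        findings.append("debug mode enabled")
    if cfg.get("db_bind") in ("0.0.0.0", "::"):
        findings.append("database listens on all interfaces")
    if not cfg.get("db_password"):
        findings.append("database has no password")
    if cfg.get("cors_allow_origin") == "*":
        findings.append("CORS allows any origin")
    if cfg.get("tls_min_version") in ("1.0", "1.1"):
        findings.append("TLS versions below 1.2 permitted")
    if cfg.get("verbose_errors"):
        findings.append("stack traces returned to clients")
    return findings


def config_passes(cfg: Dict[str, Any]) -> bool:
    """Gate for a deployment step: fail closed if any finding exists."""
    return not audit_config(cfg)
```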

API 9: Improper Assets Management

Improper assets management, present on both the 2019 and 2023 lists, highlights the risks of “shadow” APIs, which are accessible online but overlooked due to poor management. An attacker could discover and exploit these unsecured APIs, accessing sensitive data or disrupting services.

API 10: Unsafe Consumption of APIs

This final item is new to the list and points to the misuse of APIs by third parties who don’t adhere to the defined specifications. For example, a third-party app lacking proper authentication procedures could compromise user security. Picture a scenario where a mobile app accesses user accounts with only a username and password, potentially leading to unauthorized access and information theft.
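The Python below is an added example (not from the original post or from Upstream) of the consuming side of this entry: data returned by a third-party API is treated as untrusted input and checked against the agreed specification (size, shape, field types and ranges) before anything downstream uses it, and fields outside the specification are dropped rather than passed through. The response format, field names and limits are constructed.

```python
import json
import re
from typing import Any, Dict

MAX_RESPONSE_BYTES = 64 * 1024
ACCOUNT_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
ALLOWED_STATUS = {"active", "suspended", "closed"}


class UpstreamResponseError(ValueError):
    """The third party returned something outside the agreed specification."""


def parse_partner_account(raw: bytes) -> Dict[str, Any]:
    """Turn a partner API response body into a trusted record, or fail.
    Checks: size cap, well-formed JSON object, every required field present
    with the agreed type and range, unknown fields discarded."""
    if len(raw) > MAX_RESPONSE_BYTES:
        raise UpstreamResponseError("response exceeds size cap")
    try:
        doc = json.loads(raw)
    except ValueError as e:  # covers JSONDecodeError and UnicodeDecodeError
        raise UpstreamResponseError(f"malformed JSON: {e}") from None
    if not isinstance(doc, dict):
        raise UpstreamResponseError("top-level value is not an object")

    account_id = doc.get("account_id")
    if not isinstance(account_id, str) or not ACCOUNT_ID_RE.match(account_id):
        raise UpstreamResponseError("account_id missing or malformed")

    balance = doc.get("balance_cents")
    # bool is a subclass of int in Python, so exclude it explicitly
    if (not isinstance(balance, int) or isinstance(balance, bool)
            or not 0 <= balance <= 10**9):
        raise UpstreamResponseError("balance_cents missing or out of range")

    status = doc.get("status")
    if status not in ALLOWED_STATUS:
        raise UpstreamResponseError(f"unexpected status {status!r}")

    # Only the fields that were validated reach the rest of the system.
    return {"account_id": account_id, "balance_cents": balance, "status": status}
```

The same posture applies to the transport: call the third party over TLS with certificate verification, do not follow its redirects blindly, and apply a timeout, so that a misbehaving partner degrades one request rather than the whole service.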


The updated OWASP API Top 10 Risk list underscores the evolving threat landscape and the crucial need for vigilance and proactive security measures. As APIs are integral to digital services, organizations must be aware of these potential vulnerabilities and maintain a robust security posture.

Upstream’s API Security solution offers the most comprehensive API Security coverage specifically designed to protect business operations, applications, and services. Access comprehensive detection with full coverage of the OWASP API security top ten threats from 2023 and 2019, ensuring your organization’s APIs are secured against the most common risks.

The solution also provides fusion detection by leveraging API data alongside IT and OT data feeds to identify unknown threats and attacks using advanced AI/ML models. It includes an additional layer of business logic anomaly detection, identified using a set of predefined detectors and further refined with detectors built using the platform’s no-code tools for specific use cases.
