OWASP API Security Top 10

Summary

API Security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs). The version used in this section is OWASP API Security Top 10 2019.

Definitions

Definition	Requirements
API1. Broken Object Level Authorization	030. Avoid object reutilization 033. Restrict administrative access 035. Manage privilege modifications 095. Define users with privileges 176. Restrict system objects 265. Restrict access to critical processes
API2. Broken User Authentication	228. Authenticate using standard protocols 229. Request access credentials 264. Request authentication
API3. Excessive Data Exposure	032. Avoid session ID leakages 181. Transmit data using secure protocols 261. Avoid exposing sensitive information 300. Mask sensitive data 375. Remove sensitive data from client-side applications
API4. Lack of Resources & Rate Limiting	173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters
API5. Broken Function Level Authorization	096. Set user's required privileges 176. Restrict system objects 264. Request authentication 320. Avoid client-side control enforcement
API6. Mass Assignment	062. Define standard configurations 176. Restrict system objects 266. Disable insecure functionalities
API7. Security Misconfiguration	043. Define an explicit content type 062. Define standard configurations 131. Deny multiple password changing attempts 134. Store passwords with salt 266. Disable insecure functionalities
API8. Injection	160. Encode system outputs 169. Use parameterized queries 173. Discard unsafe inputs
API9. Improper Assets Management	050. Control calls to interpreted code 262. Verify third-party components 266. Disable insecure functionalities
API10. Insufficient Logging & Monitoring	046. Manage the integrity of critical files 075. Record exceptional events in logs 083. Avoid logging sensitive data 085. Allow session history queries 322. Avoid excessive logging 376. Register severity level 377. Store logs based on valid regulation 378. Use of log management system

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.