OWASP API Security Top 10
https://tryhackme.com/room/owaspapisecuritytop105w
API stands for "Application Programming Interface". It is the middleware that lets two software components talk to each other using an agreed set of protocols and definitions. APIs are the building blocks from which complex, enterprise-level applications are assembled.
Application > Any software that has a specific functionality
Interface > The service contract between two applications that makes communication possible through requests and responses
API endpoints commonly retrieve and manipulate data through object identifiers (for example /api/invoices/101). Broken Object Level Authorization (BOLA), also known as Insecure Direct Object Reference (IDOR), occurs when a user can change such an identifier in the request and reach objects that belong to someone else. Without a server-side check that the caller is actually allowed to access the requested object, the result is data leakage and possibly account takeover.
Broken User Authentication (BUA) covers flaws in how an API establishes who the caller is, letting an attacker reach data as another user or acquire a higher privilege than the one they hold. It happens because of flawed authentication logic (such as login queries that can be satisfied without a valid email/password pair) or the absence of proper mechanisms such as authentication headers and signed, expiring tokens, so the API ends up trusting whatever identity the client claims.
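The two failure modes above, shown side by side as an added example (this is not code from the TryHackMe room): a handler that trusts a client-supplied X-User-Id header, beside one that only accepts an identity from an HMAC-signed, expiring bearer token. The secret, header names, user ids and the explicit `now` clock are constructed for the demonstration.

```python
"""Broken User Authentication: trusting a client-supplied identity versus
verifying a signed, expiring token.

Added example for these notes, not code from the TryHackMe room. The
secret, header names and user ids are constructed; `now` is passed in
explicitly so the behaviour is deterministic.
"""
import base64
import binascii
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret-do-not-reuse"  # assumed server-side secret


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, secret: bytes, ttl: int, now: int) -> str:
    """Server side, after a real login: sign {sub, exp} with HMAC-SHA256."""
    payload = json.dumps({"sub": user_id, "exp": now + ttl},
                         separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{b64url(payload)}.{b64url(sig)}"


def verify_token(token: str, secret: bytes, now: int):
    """Return the user id if the token is intact and unexpired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = unb64url(payload_b64), unb64url(sig_b64)
        expected = hmac.new(secret, payload, hashlib.sha256).digest()
        # Constant-time compare so the check does not leak the MAC byte by byte.
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(payload)
    except (ValueError, binascii.Error):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def authenticate_weak(headers: dict):
    """Vulnerable: the 'authentication' is a header the client sets itself,
    so anyone can claim to be user 9."""
    raw = headers.get("X-User-Id")
    return int(raw) if raw is not None and raw.isdigit() else None


def authenticate(headers: dict, secret: bytes, now: int):
    """Fixed: identity only ever comes from a verified bearer token."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_token(auth[len("Bearer "):], secret, now)


if __name__ == "__main__":
    now = 1_700_000_000
    tok = issue_token(1, SECRET, 300, now)
    print("forged header, weak:", authenticate_weak({"X-User-Id": "9"}))
    print("forged header, fixed:", authenticate({"X-User-Id": "9"}, SECRET, now))
    print("valid token, fixed:", authenticate({"Authorization": "Bearer " + tok}, SECRET, now + 10))
```

A token signed with the wrong secret, a token whose payload is spliced onto another token's signature, and an expired token are all rejected by the same code path; the weak handler has no code path that can reject anything.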
Excessive Data Exposure occurs when an API response discloses more information than the client needs, typically because the server serializes an entire internal object and relies on the client to filter it. Object properties that were meant to stay sensitive or confidential end up in the response body.
A malicious actor needs nothing more than the ability to call the endpoint (or to observe its traffic) to harvest the exposed data: personal details, account numbers, access tokens and more. Leaked tokens can then be replayed against other, more critical endpoints.
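As an added example (not code from the TryHackMe room), the dump-the-whole-object pattern beside a per-audience field allowlist. The user record, its field names and the three audiences are constructed; in a real service the returned dict would be what the framework serializes into the response body.

```python
"""Excessive Data Exposure: returning the whole internal record versus a
field allowlist chosen per audience.

Added example for these notes, not code from the TryHackMe room. The user
record and its fields are constructed.
"""

# Constructed internal record as it sits in the database layer.
INTERNAL_USER = {
    "id": 7,
    "username": "alice",
    "email": "alice@example.com",
    "password_hash": "$argon2id$constructed-hash-value",
    "ssn": "123-45-6789",
    "api_token": "tok_constructed_secret_value",
    "is_admin": False,
    "address": {"street": "1 Example St", "city": "Springfield"},
}

# Which properties each audience may see. Anything not listed is dropped.
# Secrets (password_hash, api_token, ssn) appear in no allowlist at all.
PUBLIC_FIELDS = frozenset({"id", "username"})
OWNER_FIELDS = PUBLIC_FIELDS | {"email", "address"}
ADMIN_FIELDS = OWNER_FIELDS | {"is_admin"}


def response_exposed(user: dict) -> dict:
    """Vulnerable: the ORM object is returned as-is and the client is
    trusted to ignore the sensitive properties."""
    return dict(user)


def response_for(user: dict, viewer_id, viewer_is_admin: bool = False) -> dict:
    """Fixed: pick the allowlist from the viewer's relation to the object
    and copy only those keys. A new field added to the model stays hidden
    until someone deliberately adds it to a list."""
    if viewer_is_admin:
        allowed = ADMIN_FIELDS
    elif viewer_id == user["id"]:
        allowed = OWNER_FIELDS
    else:
        allowed = PUBLIC_FIELDS
    return {key: user[key] for key in allowed if key in user}


if __name__ == "__main__":
    print("exposed keys:", sorted(response_exposed(INTERNAL_USER)))
    print("public view: ", sorted(response_for(INTERNAL_USER, viewer_id=2)))
    print("owner view:  ", sorted(response_for(INTERNAL_USER, viewer_id=7)))
    print("admin view:  ", sorted(response_for(INTERNAL_USER, viewer_id=1, viewer_is_admin=True)))
```

Allowlists fail closed: a denylist of "fields to strip" breaks the first time a developer adds a column and forgets to list it.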
Lack of Resources & Rate Limiting is when an API does not restrict how often a client may request a resource or how large a request (for example an uploaded file) may be. Unbounded requests exhaust CPU, memory and storage on the server and lead to denial of service or non-availability, and they also make brute-force and enumeration attacks cheap.
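An added example of the two controls the paragraph calls for (not code from the TryHackMe room): a per-client token bucket and a request-body size cap placed in front of an expensive endpoint. Capacity, refill rate, the body limit, client addresses and the explicit clock are all constructed values.

```python
"""Lack of Resources & Rate Limiting: a per-client token bucket plus a
request body size cap in front of an expensive endpoint.

Added example for these notes, not code from the TryHackMe room. Limits,
client ids and the clock value are constructed and passed in explicitly.
"""


class TokenBucket:
    """Each client starts with `capacity` tokens; one is spent per request
    and `refill_per_sec` tokens come back every second, up to `capacity`.
    Bursts are allowed, sustained flooding is not."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self._state = {}  # client -> (tokens_left, last_seen_timestamp)

    def allow(self, client: str, now: float) -> bool:
        tokens, last = self._state.get(client, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill_per_sec)
        if tokens >= 1.0:
            self._state[client] = (tokens - 1.0, now)
            return True
        self._state[client] = (tokens, now)
        return False


MAX_BODY_BYTES = 64 * 1024  # constructed cap for this endpoint


def handle_upload(client_ip: str, body: bytes, now: float, limiter: TokenBucket,
                  max_body: int = MAX_BODY_BYTES) -> dict:
    """Hardened handler: reject oversized bodies and rate-limited clients
    before doing any work. The vulnerable version is this same function
    with the two guard clauses removed."""
    if len(body) > max_body:
        return {"status": 413, "error": "payload too large"}
    if not limiter.allow(client_ip, now):
        return {"status": 429, "error": "rate limit exceeded", "retry_after": 1}
    # Expensive processing (parsing, storage) would run here.
    return {"status": 200, "bytes_accepted": len(body)}


if __name__ == "__main__":
    limiter = TokenBucket(capacity=3, refill_per_sec=1.0)
    for t in (0.0, 0.0, 0.0, 0.0, 1.0, 10.0):
        print(t, handle_upload("203.0.113.7", b"x", t, limiter)["status"])
    print("oversized:", handle_upload("203.0.113.7", b"x" * (MAX_BODY_BYTES + 1), 20.0, limiter)["status"])
```

The size check runs first because it is the cheaper of the two and because a single oversized body can do more damage than many small ones. Keying the bucket on the authenticated user rather than the IP is preferable once the caller is known, since many clients share an IP.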
Broken Function Level Authorization (BFLA) is the scenario where a low-privileged user bypasses the checks around a privileged function and performs actions reserved for a higher role, such as an administrator. Where BOLA is about which objects a user may touch, BFLA is about which operations a user may invoke: an "admin-only" endpoint that only verifies that the caller is logged in lets a regular user perform administrative tasks. APIs with many user roles and permissions spanning a hierarchy are especially prone to this attack.
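The BOLA paragraph above and this BFLA paragraph share the same root cause, a missing server-side authorization check, so one added example covers both (not code from the TryHackMe room). The in-memory store, the users, the invoice ids and the handler names are constructed; the caller id is assumed to come from a trusted authentication layer, while the object id is taken from the URL and is attacker-controlled.

```python
"""Object-level (BOLA) and function-level (BFLA) authorization checks.

Added example for these notes, not code from the TryHackMe room. The
store, users and invoice ids are constructed; the caller id is assumed
to come from a trusted authentication layer, while the object id comes
from the URL and is attacker controlled.
"""


def make_store() -> dict:
    """Fresh in-memory data so each run starts from the same state."""
    return {
        "users": {
            1: {"id": 1, "name": "alice", "role": "user"},
            2: {"id": 2, "name": "bob", "role": "user"},
            9: {"id": 9, "name": "root", "role": "admin"},
        },
        "invoices": {
            101: {"id": 101, "owner": 1, "amount": 40},
            102: {"id": 102, "owner": 2, "amount": 75},
        },
    }


def get_invoice_bola(store: dict, caller_id: int, invoice_id: int) -> dict:
    """Vulnerable: looks the object up by id and returns it to any
    authenticated caller. bob reads alice's invoice by changing the id."""
    inv = store["invoices"].get(invoice_id)
    if inv is None:
        return {"status": 404}
    return {"status": 200, "data": inv}


def get_invoice_fixed(store: dict, caller_id: int, invoice_id: int) -> dict:
    """Fixed: the object must belong to the caller unless the caller is an
    admin. 404 is returned for both 'missing' and 'not yours' so the
    endpoint does not confirm which ids exist."""
    inv = store["invoices"].get(invoice_id)
    caller = store["users"][caller_id]
    if inv is None or (inv["owner"] != caller_id and caller["role"] != "admin"):
        return {"status": 404}
    return {"status": 200, "data": inv}


def delete_user_bfla(store: dict, caller_id: int, target_id: int) -> dict:
    """Vulnerable: an 'admin-only' route protected only by obscurity.
    Any logged-in user who guesses DELETE /admin/users/<id> can call it."""
    store["users"].pop(target_id, None)
    return {"status": 204}


def require_role(store: dict, caller_id: int, role: str) -> bool:
    """Central role check that every privileged handler must call."""
    return store["users"].get(caller_id, {}).get("role") == role


def delete_user_fixed(store: dict, caller_id: int, target_id: int) -> dict:
    """Fixed: the function itself enforces the role, whichever URL it is
    reached from."""
    if not require_role(store, caller_id, "admin"):
        return {"status": 403}
    store["users"].pop(target_id, None)
    return {"status": 204}


if __name__ == "__main__":
    s = make_store()
    print("bob reads alice's invoice (vulnerable):", get_invoice_bola(s, 2, 101))
    print("bob reads alice's invoice (fixed):     ", get_invoice_fixed(s, 2, 101))
    print("bob deletes alice (vulnerable):        ", delete_user_bfla(s, 2, 1))
    s = make_store()
    print("bob deletes alice (fixed):             ", delete_user_fixed(s, 2, 1))
```

The fixed object lookup combines "does it exist" and "may you see it" into a single 404 so that an enumeration scan cannot distinguish valid ids from forbidden ones; the fixed delete puts the role check inside the function, not in front of one particular route, so an alternative path to the same function is covered too.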
Mass Assignment reflects a scenario where client-supplied data is automatically bound, field by field, to server-side objects or class variables. Because the binding is indiscriminate, an attacker can add properties the client was never meant to set (such as a role or verification flag) to an otherwise harmless request and acquire administrative access or insert tampered data.
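As an added example (not code from the TryHackMe room), the auto-binding update handler beside one that copies only an explicit allowlist of client-writable fields. The User model, its fields and the request payload are constructed.

```python
"""Mass Assignment: binding the whole request body to a model versus an
explicit allowlist of client-writable fields.

Added example for these notes, not code from the TryHackMe room. The
User model and the request payload are constructed.
"""
from dataclasses import dataclass


@dataclass
class User:
    id: int
    username: str
    email: str
    role: str = "user"             # server-controlled
    email_verified: bool = False   # server-controlled


# Only these attributes may be changed by a profile-update request.
CLIENT_WRITABLE = frozenset({"username", "email"})


def update_profile_mass(user: User, payload: dict) -> User:
    """Vulnerable: every key in the JSON body becomes an attribute. A body
    of {"username": "alice", "role": "admin"} silently promotes the user."""
    for key, value in payload.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


def update_profile_safe(user: User, payload: dict) -> tuple:
    """Fixed: copy only allowlisted keys and return the rest so the caller
    can log the attempt. Privileged keys never touch the model."""
    rejected = sorted(key for key in payload if key not in CLIENT_WRITABLE)
    for key in CLIENT_WRITABLE & payload.keys():
        setattr(user, key, payload[key])
    return user, rejected


if __name__ == "__main__":
    # Constructed attacker payload: a legitimate field plus two it should not control.
    payload = {"username": "alice2", "role": "admin", "email_verified": True}
    print("mass:", update_profile_mass(User(1, "alice", "a@example.com"), payload))
    print("safe:", update_profile_safe(User(1, "alice", "a@example.com"), payload))
```

Returning the rejected keys is deliberate: a request that tries to set `role` is worth an alert, not just a silent drop.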
Security Misconfiguration depicts incorrectly or poorly configured security controls that put the API at risk. Typical causes include incomplete or insecure default configuration, publicly accessible cloud storage, overly permissive "Cross-Origin Resource Sharing" (CORS) policies, and error messages that reveal sensitive internal details such as stack traces.
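Two of the misconfigurations named above, as an added example (not code from the TryHackMe room): a CORS handler that reflects any Origin with credentials enabled beside an exact-match allowlist, and an error handler that ships the stack trace to the client beside one that keeps it in the server log. The allowlisted origins and the triggered exception are constructed.

```python
"""Security Misconfiguration: reflecting the Origin header (with
credentials) and leaking stack traces, beside the corrected versions.

Added example for these notes, not code from the TryHackMe room. The
allowlisted origins and the exception are constructed.
"""
import traceback

ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def cors_headers_reflect(origin: str) -> dict:
    """Misconfigured: whatever Origin arrives is echoed back and credentials
    are allowed, so a page on an attacker's site can read authenticated
    responses with the victim's cookies."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_strict(origin: str) -> dict:
    """Fixed: exact-match allowlist including scheme. A suffix check such as
    origin.endswith("example.com") would accept
    https://app.example.com.attacker.example, so compare the whole origin."""
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # caches must not reuse one origin's answer for another
        }
    return {}


def error_response(exc: Exception, debug: bool) -> tuple:
    """Return (client_body, server_log_line). The trace names files, queries
    and library versions, so in production it goes only to the log."""
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log_line = f"500 {type(exc).__name__}: {exc}\n{detail}"
    if debug:
        body = {"status": 500, "error": str(exc), "trace": detail}
    else:
        body = {"status": 500, "error": "internal error"}
    return body, log_line


if __name__ == "__main__":
    evil = "https://app.example.com.attacker.example"
    print("reflect:", cors_headers_reflect(evil))
    print("strict: ", cors_headers_strict(evil), cors_headers_strict("https://app.example.com"))
    try:
        {}["missing"]
    except KeyError as e:
        body, log_line = error_response(e, debug=False)
        print("client sees:", body)
        print("log holds:", log_line.splitlines()[0])
```

`debug` should be wired to the deployment environment, never to a request parameter; a debug flag the client can toggle is itself the misconfiguration.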
Injection attacks are among the oldest API/web attacks and are still carried out against real-world applications. Injection flaws occur when untrusted input is not validated or escaped and is passed straight into an interpreter by the API, allowing an attacker to perform unintended actions without authorization. The injected payload may target SQL, OS commands, XML parsers or other formats. Mature frameworks and ORMs largely prevent this with parameterized queries and escaping; applications that build queries and commands by string concatenation themselves, as is common in hand-written PHP, remain susceptible.
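The SQL case, as an added example (not code from the TryHackMe room): a lookup that pastes the username into the query text beside the parameterized form, run against an in-memory SQLite database. The table, its rows and the attacker inputs are constructed.

```python
"""Injection: string-built SQL versus a parameterized query, run against an
in-memory SQLite database.

Added example for these notes, not code from the TryHackMe room. The
table, rows and the attacker's input are constructed.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "user"), ("bob", "user"), ("root", "admin")])
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the client's string becomes part of the SQL text, so a
    quote in the input changes the structure of the query."""
    query = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Fixed: the driver sends the value separately from the SQL, so the
    input is only ever compared as data."""
    return conn.execute(
        "SELECT id, username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = setup_db()
    # Constructed attacker inputs: one that widens the WHERE clause, one that
    # reads data the query never meant to expose.
    tautology = "' OR '1'='1"
    union = "' UNION SELECT 1, sqlite_version(), 'x' --"
    print("vulnerable, tautology:", find_user_vulnerable(conn, tautology))
    print("vulnerable, union:    ", find_user_vulnerable(conn, union))
    print("safe, tautology:      ", find_user_safe(conn, tautology))
```

The same rule applies to the other interpreters the paragraph lists: pass OS command arguments as a list rather than a shell string, and feed XML parsers with external entity resolution disabled.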
Improper Assets Management refers to a scenario where more than one version of an API is available. Although clients have moved to the newer version, the older one has not been retired and frequently lacks the latest security fixes, which can lead to data leakage or server takeover, especially when both versions read and write the same database.
Insufficient Logging & Monitoring reflects a scenario in which an attacker conducts malicious activity against your server and there is not enough evidence to reconstruct it, because requests were never logged or the logs were never watched. Recording the client's IP address, the authenticated user, the endpoint accessed, the input data and the response status, each with a timestamp, makes it possible to identify attack patterns and respond to them.
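As an added example (not code from the TryHackMe room), a structured per-request log line carrying the fields listed above, and a detector that runs over a batch of those lines to flag a client walking through object ids and collecting denials, which is what BOLA enumeration looks like from the server side. The log format, field names, addresses, thresholds and sample lines are all constructed.

```python
"""Insufficient Logging & Monitoring: a structured per-request log line and
a detector that runs over those lines to spot object-id probing.

Added example for these notes, not code from the TryHackMe room. Log
format, field names, addresses and thresholds are constructed.
"""
import json
from collections import defaultdict


def log_request(ts: int, client_ip: str, user_id, method: str, path: str,
                status: int, request_id: str) -> str:
    """One JSON line per request: who, from where, what, result, when."""
    return json.dumps({
        "ts": ts, "ip": client_ip, "user": user_id, "method": method,
        "path": path, "status": status, "rid": request_id,
    }, sort_keys=True)


def detect_probing(lines, threshold: int = 5, window: int = 60) -> dict:
    """Flag client IPs that accumulate `threshold` or more denied or
    not-found responses (401, 403, 404) within any `window` seconds.
    Returns {ip: peak_count}. A sliding window over sorted timestamps
    keeps it linear in the number of events per IP."""
    events = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        if rec["status"] in (401, 403, 404):
            events[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


# Constructed sample: one client walks invoice ids 100..107 seven seconds
# apart and gets 404 for all but its own; another client behaves normally.
SAMPLE_LOG = [
    log_request(1700000000 + i * 7, "203.0.113.7", 2, "GET",
                f"/api/invoices/{100 + i}", 404 if i != 2 else 200, f"r{i}")
    for i in range(8)
] + [
    log_request(1700000010, "198.51.100.2", 1, "GET", "/api/invoices/101", 200, "r100"),
    log_request(1700000050, "198.51.100.2", 1, "POST", "/api/invoices", 201, "r101"),
]


if __name__ == "__main__":
    for line in SAMPLE_LOG[:3]:
        print(line)
    print("flagged:", detect_probing(SAMPLE_LOG))
```

Logging the request id alongside the rest lets the detector's verdict be tied back to the exact requests during incident response; without the per-request status and timestamp there is nothing for a detector like this to work on.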