OWASP API Security Top 10: 2023 Update and Its Significance for Businesses
The OWASP Top 10 projects are guides that help identify and prioritize the most critical security risks for web applications and APIs, and they play a central role in application security programs. The 2023 update discussed here is the OWASP API Security Top 10 2023, which replaces the 2019 edition of the API list. It adds categories for the abuse of business flows, Server-Side Request Forgery (SSRF) and the unsafe consumption of third-party APIs, merges and renames several others, and keeps authorization failures and security misconfiguration near the top of the list. Businesses can integrate these updates by assessing the security risks of their own APIs, training their staff, updating cybersecurity policies, and conducting vulnerability scans and targeted API tests so that their web applications and APIs become more secure. In this article, we examine in detail the significance of the 2023 update for businesses.
Unchanged Categories
Broken Object Level Authorization (BOLA), Broken Function Level Authorization (BFLA) and Security Misconfiguration all stay on the 2023 OWASP API Security Top 10 list. BOLA (API1) and BFLA (API5) keep the same rank they had in 2019; Security Misconfiguration moves from 7th to 8th (API8:2023).
BOLA still holds the number one spot on the OWASP API Top 10 2023 list because it continues to be one of the most commonly exploited weaknesses and is considered one of the biggest security risks faced by modern APIs. An API exposes object identifiers in almost every endpoint, and the authorization decision (may this caller act on this particular object?) has to be made for every such access. During rapid development, developers may struggle to keep up with the number of endpoints and identifiers, omit the check, or fail to test object access with a second user's credentials. Most API frameworks do not enforce object-level authorization automatically: they authenticate the caller but leave the ownership check to application code, which is why the omission is so common.
BFLA and Security Misconfiguration remain on the list because they are still commonly encountered. Both are easy to exploit and give unauthorized access to sensitive data and to restricted functions or resources, so addressing these vulnerabilities remains a top priority.
New Additions
The 2023 OWASP API Security Top 10 list introduces three new categories: Unrestricted Access to Sensitive Business Flows (API6), Server-Side Request Forgery (SSRF, API7) and Unsafe Consumption of APIs (API10).
The newly added Unrestricted Access to Sensitive Business Flows category ranks 6th on the OWASP API Top 10 2023 list. It covers the automated abuse of flows that are legitimate when used by one person but harmful when driven at scale (for example, buying out a product, creating accounts in bulk or reserving every available slot). The OWASP guidance recommends identifying these flows explicitly and slowing or blocking their automated use with measures such as device fingerprinting, human detection, detection of non-human request patterns, and rate limiting applied to the flow as a whole rather than to a single endpoint.
Server-Side Request Forgery (SSRF) was not on the 2019 API list; it appeared as A10 in the 2021 OWASP Top 10 for web applications and now enters the API list at 7th. SSRF has gained importance over the years because modern architectures make APIs fetch resources on the caller's behalf: URL-based file import, webhooks, custom Single Sign-On (SSO) integrations and URL previews all take a URL from user input and have the server request it. A server that requests an attacker-supplied URL can be pointed at internal services, cloud metadata endpoints or other hosts behind the firewall. SSRF vulnerabilities are dangerous, widespread and hard to mitigate with input filtering alone.
Unsafe Consumption of APIs is the third new category on the 2023 list, ranking 10th. Rather than attacking an API directly, attackers increasingly go after the third-party services it integrates with, counting on the consuming API to trust whatever those services return. Businesses should understand this indirect route and take appropriate security measures against it.
Updated Categories
Broken User Authentication has been renamed Broken Authentication and still holds 2nd place on the OWASP API Top 10 2023 list. The category now explicitly covers authentication between microservices and to APIs, operations that change sensitive data (email address, password) without re-confirming the current password, and tokens whose validity is not fully checked (for example, JSON Web Tokens accepted without verifying the expiration date), among others.
Broken Object Property Level Authorization (BOPLA), which ranks 3rd on the OWASP API Top 10 2023 list, was created by merging Excessive Data Exposure (API3:2019) and Mass Assignment (API6:2019). The first is the read side of the problem: the API returns object properties the caller should not see and relies on the client to filter them out. The second is the write side: the API binds client input to object properties the caller should not be able to set. Both come down to authorizing access per property, not just per object, and both emphasize the importance of securing API endpoints correctly to prevent unauthorized access and exploitation by threat actors.
Lack of Resources and Rate Limiting has been renamed Unrestricted Resource Consumption in the 2023 OWASP API Top 10 list. The 2019 category focused on rate limiting; the 2023 version covers every resource a request can exhaust and highlights the consequences of not having rate limits, execution timeouts, maximum memory and process limits, upload size limits, and spending limits on paid third-party services.
Potential Impacts on Businesses
API1:2023 Broken Object Level Authorization (BOLA): BOLA vulnerabilities let attackers read or modify data objects belonging to other users simply by supplying another object's identifier, leading to data exposure, leakage, alteration and destruction. To mitigate this, make the authorization decision per object on every access (checking that the authenticated caller is entitled to the specific object requested), implement granular access controls, use strong authentication and session management, prefer random, unguessable identifiers over sequential ones, conduct regular security testing and audits, and keep APIs and libraries up to date.
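The following is an added example of the per-object check described above, in Python with constructed in-memory data instead of a web framework; it is not code from the original article or from OWASP, and the roles, order records and the "support may read any order" policy are assumptions made for the example. The vulnerable handler authenticates the caller but never compares them to the object's owner, so an attacker who increments the order ID reads every order; the secure handler makes the ownership decision on every lookup and returns the same 404 for "not found" and "not yours", so the ID space cannot be enumerated.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "support" (assumed roles for this example)


# Constructed sample data: order_id -> record with its owning user.
ORDERS = {
    1001: {"owner": 1, "total": 49.90, "address": "1 Example St"},
    1002: {"owner": 2, "total": 120.00, "address": "2 Example Ave"},
    1003: {"owner": 2, "total": 8.50, "address": "2 Example Ave"},
}


def get_order_vulnerable(caller: User, order_id: int):
    """BOLA: the caller is authenticated, but nothing ties them to the order."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order


def get_order_secure(caller: User, order_id: int):
    """Object-level authorization decided per object on every access."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    # Support staff may read any order (assumed policy); customers only their own.
    if caller.role != "support" and order["owner"] != caller.user_id:
        # Same status as "missing", so the attacker learns nothing about which
        # IDs exist. Log the attempt server-side; it is a strong IDOR signal.
        return 404, None
    return 200, order


def enumerate_orders(handler, caller: User, id_range) -> list[int]:
    """Simulate an attacker walking sequential IDs with one valid account."""
    return [oid for oid in id_range if handler(caller, oid)[0] == 200]


if __name__ == "__main__":
    attacker = User(user_id=1, role="customer")
    print("vulnerable:", enumerate_orders(get_order_vulnerable, attacker, range(1000, 1010)))
    print("secure:    ", enumerate_orders(get_order_secure, attacker, range(1000, 1010)))
```

Returning 404 rather than 403 for foreign objects is a design choice: it hides which identifiers exist, at the cost of a less descriptive error for legitimate clients that mistype an ID.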
API2:2023 Broken Authentication: Broken Authentication arises when an API cannot properly authenticate its callers, so that an attacker can impersonate a user or a service. As a result, attackers can gain partial or full control over the API, applications and resources. To prevent this, use strong authentication mechanisms, secure session and token handling (verify the signature and the expiration on every request), secure storage of credentials, rate limiting and account lockout on authentication endpoints, re-authentication for sensitive operations, regular updates and patches for authentication libraries, secure coding practices, and regular security testing and audits.
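As an added illustration of the "JWT expiration not verified" failure named in the Updated Categories section, here is a minimal HS256 JSON Web Token issuer and verifier written for this article with the Python standard library only (it is not code from the original article, from OWASP, or from any JWT library; the key and the claims are constructed for the example, and the injectable `now` parameter is an assumption made for testability). The broken verifier checks the signature and nothing else, so a token stolen months ago still works; the correct one also pins the algorithm and enforces `exp` and `nbf`. In production, use a maintained library and keep its expiration checks enabled.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-hs256-key-not-for-production"  # assumed demo key


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SECRET) -> str:
    """Create an HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def check_signature(token: str, key: bytes):
    """Return the claims if the token is well formed and the HMAC matches, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all derive from ValueError
        return None
    # Pin the algorithm: the token must never choose it ("alg": "none" attacks).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return claims if isinstance(claims, dict) else None


def verify_signature_only(token: str, key: bytes = SECRET):
    """Broken: a token that was valid once is accepted forever (no exp check)."""
    return check_signature(token, key)


def verify_token(token: str, key: bytes = SECRET, now: float | None = None, leeway: int = 30):
    """Signature AND time-based claims are checked; 'now' is injectable for tests."""
    claims = check_signature(token, key)
    if claims is None:
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or now > exp + leeway:
        return None  # missing, malformed or past expiration: reject
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and not isinstance(nbf, bool) and now + leeway < nbf:
        return None  # not yet valid
    return claims
```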
API3:2023 Broken Object Property Level Authorization: BOPLA vulnerabilities expose object properties the caller should not see, or let the caller modify, add or delete properties that should be read-only for them. To prevent this, return only the properties the caller is entitled to (do not rely on the client to filter), bind client input to an explicit allowlist of writable properties instead of mapping the whole request body onto the model, apply the authorization check per property where sensitivity differs (attribute-based access control helps here), validate and sanitize inputs, follow the principle of least privilege, and monitor and log access to sensitive properties.
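The following added example (written for this article; not code from the original or from OWASP) shows both halves of BOPLA on a constructed user record: the read side, where the whole model is serialized and the client is expected to hide `password_hash`, and the write side, where every key of the request body is bound to the model so an attacker can set `is_admin`. The hardened functions use per-role allowlists for readable and writable properties; the roles and the record are assumptions.

```python
from __future__ import annotations

# Constructed user record; some properties are internal or admin-only.
USER_RECORD = {
    "id": 42,
    "email": "alice@example.com",
    "display_name": "Alice",
    "is_admin": False,
    "credit_balance": 1250,
    "password_hash": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA",  # constructed placeholder
}

# Per-role allowlists (assumed policy). Anything not listed is neither returned nor accepted.
READABLE = {
    "public": {"id", "display_name"},
    "self": {"id", "email", "display_name", "credit_balance"},
    "admin": {"id", "email", "display_name", "is_admin", "credit_balance"},
}
WRITABLE = {
    "self": {"email", "display_name"},
    "admin": {"email", "display_name", "is_admin", "credit_balance"},
}


def serialize_vulnerable(record: dict) -> dict:
    """Excessive Data Exposure: the whole model goes to the client, which is
    expected to hide the sensitive parts in the UI."""
    return dict(record)


def update_vulnerable(record: dict, body: dict) -> dict:
    """Mass Assignment: every key in the request body is bound to the model."""
    updated = dict(record)
    updated.update(body)
    return updated


def serialize(record: dict, role: str) -> dict:
    """Return only the properties this role may read; unknown roles get the public view."""
    allowed = READABLE.get(role, READABLE["public"])
    return {k: v for k, v in record.items() if k in allowed}


def update(record: dict, body: dict, role: str) -> dict:
    """Bind only explicitly writable properties. Unexpected keys are rejected
    (and should be logged) rather than silently dropped, so tampering is visible."""
    allowed = WRITABLE.get(role, set())
    rejected = sorted(set(body) - allowed)
    if rejected:
        raise PermissionError(f"properties not writable by role {role!r}: {rejected}")
    updated = dict(record)
    updated.update(body)
    return updated
```

Silently dropping the disallowed keys is the other common design; rejecting the request makes attempts visible in logs and keeps clients from assuming a write succeeded when it was partially ignored.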
API4:2023 Unrestricted Resource Consumption: Every API request consumes CPU, memory, bandwidth, storage and, increasingly, paid third-party calls (SMS, email, geocoding). Without limits on those resources, attackers can flood or overload the API, causing service disruption (DoS/DDoS), performance degradation, crashes and unexpected costs. To address this, implement rate limiting and usage quotas per client, cap request body and upload sizes, cap the number of records a single query can return, set execution timeouts and memory and process limits, monitor and analyze resource utilization, use caching and content delivery networks (CDNs), use efficient algorithms and data structures, validate inputs, and implement resource monitoring and scaling.
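Here is an added example (written for this article, not code from the original or from OWASP) of three of those limits on a hypothetical search endpoint: a per-client token bucket with a higher token cost for expensive operations, a body-size cap enforced before the body is read, and a cap on the page size a query may request. The limits, the client keys and the cost weights are assumed values; time is passed in explicitly so the behaviour is deterministic.

```python
from __future__ import annotations

MAX_BODY_BYTES = 64 * 1024   # assumed limit for this endpoint
MAX_PAGE_SIZE = 100          # assumed cap on records per response


class TokenBucket:
    """Classic token bucket: 'capacity' requests may burst, then 'refill_per_sec'
    sustained. Time is passed in explicitly so behaviour is deterministic."""

    def __init__(self, capacity: int, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def allow(self, now: float, cost: float = 1.0) -> bool:
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.refill_per_sec)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class RateLimiter:
    """One bucket per authenticated client (API key or user id), not per IP:
    many legitimate users share one NAT address, and one attacker has many."""

    def __init__(self, capacity: int = 10, refill_per_sec: float = 1.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self._buckets: dict[str, TokenBucket] = {}

    def check(self, client_id: str, now: float, cost: float = 1.0) -> bool:
        bucket = self._buckets.get(client_id)
        if bucket is None:
            bucket = self._buckets[client_id] = TokenBucket(self.capacity, self.refill_per_sec, now)
        return bucket.allow(now, cost)


def handle_search(limiter: RateLimiter, client_id: str, now: float,
                  content_length: int, page_size_param: str | None) -> int:
    """Return an HTTP status for a hypothetical search endpoint.
    Cheap checks run first, before any work is done on the request."""
    if content_length > MAX_BODY_BYTES:
        return 413  # refuse before reading the body into memory
    # A search costs more than a point lookup: charge 2 tokens (assumed weight).
    if not limiter.check(client_id, now, cost=2.0):
        return 429
    try:
        page_size = int(page_size_param) if page_size_param is not None else 20
    except ValueError:
        return 400
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        return 400  # ?page_size=1000000 is a classic way to exhaust memory
    return 200
```

In a real deployment the bucket state lives in a shared store (for example Redis) so that every instance behind the load balancer enforces the same quota, and the 429 response carries a Retry-After header.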
API5:2023 Broken Function Level Authorization: APIs use function-level authorization to decide which functions and actions a caller may invoke based on their role or permissions. When those checks fail, attackers can perform restricted actions such as data manipulation, use of administrative functions and privilege escalation. To address this, implement fine-grained access control based on the function being invoked, enforce the check for every function or action (including the HTTP method, so that a GET and a DELETE on the same path are authorized separately), deny by default, regularly review and update authorization rules to reflect changes in user roles or permissions, and grant users only the minimum privileges required for the functions they need.
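As an added example (written for this article; not code from the original or from OWASP), the dispatcher below contrasts the URL-prefix style of authorization that produces BFLA with an explicit permission table keyed by method and path. The roles, permissions and routes are constructed: a refund function lives under the customer-visible `/orders` prefix, and support staff are meant to view but not delete `/admin/users`.

```python
from __future__ import annotations

# Constructed roles and permissions.
ROLE_PERMISSIONS = {
    "customer": {"orders:read", "orders:create"},
    "support": {"orders:read", "orders:refund", "users:read"},
    "admin": {"orders:read", "orders:create", "orders:refund", "users:read", "users:delete"},
}

# Every served route is listed with the permission it requires, keyed by
# method AND path: GET and DELETE on the same path are different functions.
ROUTE_PERMISSIONS = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:create",
    ("POST", "/orders/refund"): "orders:refund",
    ("GET", "/admin/users"): "users:read",
    ("DELETE", "/admin/users"): "users:delete",
}


def dispatch_vulnerable(role: str | None, method: str, path: str) -> int:
    """BFLA: authorization is inferred from the URL prefix. /orders/refund sits
    under the customer prefix, so any customer can issue refunds, and the
    /admin rule looks only at the path, so support staff can DELETE as well as GET."""
    if role is None:
        return 401
    if (method, path) not in ROUTE_PERMISSIONS:
        return 404
    if path.startswith("/admin") and role not in ("admin", "support"):
        return 403
    return 200


def dispatch_secure(role: str | None, method: str, path: str) -> int:
    """Deny by default: the route must be registered, and the caller's role
    must hold the exact permission that (method, path) requires."""
    if role is None:
        return 401
    required = ROUTE_PERMISSIONS.get((method, path))
    if required is None:
        return 404
    if required not in ROLE_PERMISSIONS.get(role, set()):
        return 403
    return 200
```

The table also gives reviewers something to audit: a route missing from ROUTE_PERMISSIONS is simply not served, which is the deny-by-default behaviour the category calls for.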
API6:2023 Unrestricted Access to Sensitive Business Flows: Some API endpoints implement business flows (purchasing, reservation, account creation, posting) whose excessive automated use harms the business even though each individual request is legitimate and comes from an authenticated user. Authentication and authorization alone do not stop this, so treat the flow itself as the asset to protect. To mitigate this, identify and classify the sensitive business flows within the API, restrict their automated use (detect non-human patterns and known automation tooling, and apply rate limits to the flow as a whole rather than to single endpoints), and use role-based access control (RBAC) or attribute-based access control (ABAC) so that only the users a flow is intended for can reach it.
API7:2023 Server-Side Request Forgery (SSRF): SSRF occurs when an API fetches a resource from a user-controlled URL without validating the destination. Attackers manipulate the URL so that the server requests internal services that a firewall would otherwise protect, including cloud metadata endpoints, leading to unauthorized access to sensitive information and further attacks on the internal network. To address this, validate the supplied URL, restrict the scheme, host and port to an allowlist rather than trying to block bad values, check the resolved IP address against loopback, private and link-local ranges (not just the hostname), disable HTTP redirects on the outbound request, and run server-side requests with the minimum network access and credentials they need.
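The following added validator (written for this article; not code from the original or from OWASP) implements the allowlist approach just described for a URL the server is about to fetch. The allowed hosts and ports are assumed policy; the resolver is injectable so the check can be exercised offline against constructed DNS answers, and the default `resolve_all` uses the system resolver. It rejects non-https schemes, credentials in the URL, hosts off the allowlist, unexpected ports, and any name that resolves to a non-public address, including the metadata range and IPv4-mapped IPv6 forms.

```python
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy: only these hosts, only https on the default port.
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}


def resolve_all(host: str) -> set[str]:
    """Default resolver: every address the name maps to (IPv4 and IPv6)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip_text: str) -> bool:
    """Reject loopback, link-local (incl. 169.254.169.254), private, reserved,
    multicast and unspecified addresses, also when hidden in IPv4-mapped IPv6."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def validate_outbound_url(url: str, resolve=resolve_all) -> tuple[bool, str]:
    """Allowlist check for a URL the server would fetch on a user's behalf.
    'resolve' is injectable so the check can run offline in tests."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"  # https://allowed.host@evil.host/ trick
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        addresses = resolve(host)
    except OSError:
        return False, "name resolution failed"
    if not addresses:
        return False, "name did not resolve"
    # Every address must be public: a name that also maps to 10.x is rejected.
    for ip_text in addresses:
        if not is_public_address(ip_text):
            return False, f"{host} resolves to non-public address {ip_text}"
    # The caller should connect to one of these validated addresses (pin it)
    # and disable redirects; re-resolving at connect time reopens DNS rebinding.
    return True, "ok"
```

Pinning the validated address and refusing redirects matter as much as the check itself: a 302 from an allowed host to http://169.254.169.254/ would otherwise walk straight through the allowlist.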
API8:2023 Security Misconfiguration: Security misconfigurations occur when security best practices are not followed and the API stack is not properly hardened. Examples include missing patches, verbose error messages or exposed logs that reveal stack traces and internal details, unnecessary features, services and HTTP verbs left enabled, missing transport security, and incorrect Cross-Origin Resource Sharing (CORS) policies, such as reflecting any Origin header. Security misconfigurations expose APIs to a range of risks. To mitigate this, follow secure configuration baselines for all components of the API stack, including web servers, application servers, database servers and supporting software, automate the hardening and verify it, and ensure that all software components are kept up to date.
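As an added example of the CORS misconfiguration mentioned above (written for this article; not code from the original or from OWASP), the functions below compute the CORS response headers an API would emit for a given Origin header. Two common broken policies are shown beside the exact-match allowlist: reflecting any origin with credentials enabled, and matching on a domain suffix, which also matches an attacker-registered `evil-example.com`. The allowlist is an assumption for the example.

```python
from __future__ import annotations

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}  # assumed


def cors_headers_reflect(origin: str | None) -> dict:
    """Misconfiguration 1: reflect whatever Origin arrived, with credentials.
    Any site the victim visits can now read their authenticated API responses."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def cors_headers_suffix(origin: str | None) -> dict:
    """Misconfiguration 2: 'ends with our domain' also matches evil-example.com."""
    if origin is None or not origin.endswith("example.com"):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def cors_headers(origin: str | None) -> dict:
    """Exact match against a fixed allowlist (scheme + host + port). Anything
    else, including 'null' and http:// downgrades, gets no CORS headers at all,
    so the browser refuses to expose the response to the calling page."""
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST",
        "Vary": "Origin",  # responses differ per origin: keep shared caches from mixing them
    }
```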
API9:2023 Improper Inventory Management: This risk arises when organizations run numerous internal and third-party APIs that are not properly inventoried, documented or managed. Examples include several versions of an API running side by side (with the older, unpatched ones still reachable), development or staging APIs exposed to the Internet, and undocumented data flows to third parties. Without an inventory, the lack of visibility compounds every other weakness: security misconfigurations and weak authentication and authorization go unnoticed on the forgotten endpoints. To address this, maintain an inventory of all API hosts, versions, environments and the data they exchange, retire old versions when a new one ships, assign ownership and processes for keeping the inventory current, and audit it regularly for accuracy and completeness.
API10:2023 Unsafe Consumption of APIs: Developers tend to trust data received from well-known third-party providers and apply less stringent security standards to it than to user input: they may fail to validate the data, follow redirects blindly, use unencrypted channels, or grant the integration more permissions than it needs. If a provider is compromised or malicious, that trust leaves the consuming API and its resources open to attack. To mitigate this, treat third-party responses as untrusted input and apply the same validation and sanitization as for user input (content type, size, schema), do not follow redirects from the provider blindly, use TLS for all traffic to and from the provider, and limit the permissions and data shared with each integration to what it needs.
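To close, an added example (written for this article; not code from the original or from OWASP) of treating a provider's response as untrusted input. The parser caps the size, requires the expected content type, parses JSON strictly, rejects unexpected fields, enforces exact types and length limits per field, and refuses control characters in strings before the data reaches a database or a template; a second helper decides whether a redirect from the provider may be followed. The partner's response schema, the hosts and the limits are all assumptions made for the example.

```python
from __future__ import annotations

import json
from urllib.parse import urlsplit

MAX_RESPONSE_BYTES = 1 << 20                        # assumed cap
TRUSTED_UPSTREAM_HOSTS = {"api.partner.example"}    # assumed

# Expected shape of the partner's address-lookup reply (assumed):
# field -> (exact type, max length or None)
SCHEMA = {
    "street": (str, 200),
    "city": (str, 100),
    "postal_code": (str, 20),
    "verified": (bool, None),
}


class UpstreamError(ValueError):
    """Raised when the third-party response does not match what we expect."""


def parse_partner_address(raw: bytes, content_type: str) -> dict:
    """Validate a partner response exactly as if it were user input."""
    if len(raw) > MAX_RESPONSE_BYTES:
        raise UpstreamError("response too large")
    if content_type.split(";")[0].strip().lower() != "application/json":
        raise UpstreamError(f"unexpected content type {content_type!r}")
    try:
        data = json.loads(raw.decode("utf-8"))
    except ValueError as exc:  # covers UnicodeDecodeError and JSONDecodeError
        raise UpstreamError(f"malformed JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise UpstreamError("expected a JSON object")
    unexpected = sorted(set(data) - set(SCHEMA))
    if unexpected:
        raise UpstreamError(f"unexpected fields: {unexpected}")
    clean = {}
    for field, (expected_type, max_len) in SCHEMA.items():
        if field not in data:
            raise UpstreamError(f"missing field: {field}")
        value = data[field]
        # type() rather than isinstance: bool is a subclass of int in Python.
        if type(value) is not expected_type:
            raise UpstreamError(f"{field}: expected {expected_type.__name__}")
        if max_len is not None and len(value) > max_len:
            raise UpstreamError(f"{field}: longer than {max_len}")
        if expected_type is str and any(ch in value for ch in "\r\n\x00"):
            raise UpstreamError(f"{field}: control characters")
        clean[field] = value
    return clean


def redirect_allowed(location: str) -> bool:
    """Follow a 3xx from the partner only if it stays on https and on a trusted host."""
    parts = urlsplit(location)
    return (parts.scheme == "https"
            and parts.username is None
            and (parts.hostname or "").lower() in TRUSTED_UPSTREAM_HOSTS)
```

The same discipline applies on the transport side: the HTTP client should enforce TLS with certificate verification, set timeouts, and stream no more than MAX_RESPONSE_BYTES before handing the bytes to this parser.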