Such data could be used to illegally assume the identity of other users and access their confidential information. Broken object property level authorization is a security risk that occurs when an attacker can access or modify properties of an object that they should not have access to. This can happen if an API does not correctly validate user permissions before granting access to object properties.
- You’ll learn about the OWASP ASVS project, which contains hundreds of already classified security requirements that will help you identify and set the security requirements for your own project.
- They could also gain access to the API’s database in cases of insecure password storage or handling.
- From Cross-Site Scripting (XSS) to SQL Injection, inadequate input validation and insecure coding practices are responsible for leaving web applications exposed to compromise.
This may result in unauthorized access and increased attack surfaces, exposing sensitive data to malicious parties. As the volume of APIs that organizations use continues to rise, it’s paramount to keep track of their function, endpoints and accessibility directives to maintain overall protection for your API ecosystem. Injection attacks exploit vulnerabilities in input validation and inadequate data handling. Attackers inject data such as SQL queries, code snippets, or commands into web application forms or URLs. They allow adversaries to access sensitive data and manipulate an application’s behavior.
OWASP Top Ten 2021: Related Cheat Sheets
Smart contract flaws, consensus algorithm attacks, and supply chain-related weaknesses have all contributed to the growing list of blockchain-related threats. This was previously in the number three spot and was called “Sensitive Data Exposure” but it’s since been relabeled because the old name described a symptom rather than the cause. This document was developed in furtherance of the authors’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. If there’s one habit that can make software more secure, it’s probably input validation. First, security vulnerabilities continue to evolve and a top 10 list simply can’t offer a comprehensive understanding of all the problems that can affect your software.
ACSC, CISA, and NSA recommend that all end-user organizations, including those with on-premises software, SaaS, IaaS, and private cloud models, implement the mitigations below to improve their cybersecurity posture. The OWASP Top 10 Proactive Controls is similar to the OWASP Top 10 but is focused on defensive techniques and controls as opposed to risks. Each technique or control in this document maps to one or more items in the risk-based OWASP Top 10.
Server-side request forgery (SSRF)
The OWASP Foundation is a not-for-profit entity that ensures the project’s long-term success.
Example
An attacker compromises a third-party API, causing it to respond with a redirect to a malicious site, after which the client blindly follows the redirect without validation.
Impact
Unsafe consumption of APIs can result in data breach or theft, or an account takeover resulting in data privacy issues, especially if the API is used to transfer sensitive information between systems.
Example
The attacker authenticates themselves as user A and retrieves and/or changes the data of user B.
This vulnerability allows attackers to make unauthorized requests from the server to other internal or external resources. In SSRF attacks, the attacker manipulates input fields or parameters in the application to trick the server into sending requests to arbitrary URLs, often without the user’s knowledge. Attackers can abuse this vulnerability to access sensitive data, interact with internal resources, or perform actions on behalf of the server, potentially leading to a complete compromise of the application or its infrastructure. A common mistake that webmasters make is leaving CMS (Content Management System) default configurations unchanged. Many attacks are entirely automated and rely on exploiting default settings, which makes changing these settings during CMS installation crucial for mitigating a significant number of potential attacks.
Validate all the things: improve your security with input validation!
Starting from the bottom of the list, these are the OWASP Top 10 API security risks that organizations need to be aware of in 2023 and specific measures that can be taken to mitigate them. As artificial intelligence and machine learning technologies continue to advance, so do the methods employed by cybercriminals. In 2023, we witnessed an increase in AI and ML-based attacks, which exploit vulnerabilities in poorly implemented algorithms.
This concept is not only relevant for Cross-Site Scripting (XSS) vulnerabilities and the different HTML contexts; it also applies to any context where data and control planes are mixed. Database injections are probably among the best-known security vulnerabilities, and many injection vulnerabilities are reported every year. In this blog post, I’ll cover the basics of query parameterization and how to avoid using string concatenation when creating your database queries. At the same time, the majority of Internet traffic is driven through API communication.