Sanjeeva Kumar

originally published on Feb 18, 2025

The previous blog in this series covered the basics of Dynamic Application Security Testing (DAST). This one is a deeper look at API security: specifically, the OWASP API Security Top 10 and how to test for those risks with ZAP.

What is an API?

API stands for Application Programming Interface: a defined contract through which one program or system exposes functions and data to another. In the rest of this post "API" means an HTTP API (REST or similar), which is what DAST tools such as ZAP exercise.

Why is API Security Important?

APIs sit on the boundary between systems, so they are directly reachable by attackers and they carry exactly the data and actions an attacker wants. Unlike a browser UI, an API can be driven entirely by scripts, which makes every flaw cheap to exploit at scale. Without appropriate controls, organizations risk exposing sensitive data, disrupting services and damaging their reputation.

OWASP API Security

To help manage these risks, the Open Web Application Security Project (OWASP) publishes the OWASP API Security Top 10, a list of the most critical API security risks. ZAP (Zed Attack Proxy) is a widely used open-source DAST tool that can be pointed at an API definition to find many of them.

This post walks through the 2023 edition of the list and then gives a step-by-step guide to scanning an API with ZAP from its Swagger/OpenAPI definition.

OWASP API TOP 10

The OWASP API Security Top 10 is an awareness document: it names the ten risk categories that most often lead to API compromise, with guidance on how each arises and how to prevent it. It is a prioritisation aid, not a complete checklist, and a scanner that "covers" it is not the same thing as a secure API.

OWASP Top 10 API Security Risks – 2023

The ten risks in the 2023 edition, each with OWASP's own one-paragraph summary:

API1:2023 – Broken Object Level Authorization

APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of Object Level Access Control issues. Object level authorization checks should be considered in every function that accesses a data source using an ID from the user.

API2:2023 – Broken Authentication

Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users’ identities temporarily or permanently. Compromising a system’s ability to identify the client/user compromises API security overall.

API3:2023 – Broken Object Property Level Authorization

This category combines API3:2019 Excessive Data Exposure and API6:2019 – Mass Assignment, focusing on the root cause: the lack of or improper authorization validation at the object property level. This leads to information exposure or manipulation by unauthorized parties.

API4:2023 – Unrestricted Resource Consumption

Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Other resources such as emails/SMS/phone calls or biometrics validation are made available by service providers via API integrations, and paid for per request. Successful attacks can lead to Denial of Service or an increase of operational costs.

API5:2023 – Broken Function Level Authorization

Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers can gain access to other users’ resources and/or administrative functions.

API6:2023 – Unrestricted Access to Sensitive Business Flows

APIs vulnerable to this risk expose a business flow – such as buying a ticket, or posting a comment – without compensating for how the functionality could harm the business if used excessively in an automated manner. This doesn’t necessarily come from implementation bugs.

API7:2023 – Server Side Request Forgery

Server-Side Request Forgery (SSRF) flaws can occur when an API is fetching a remote resource without validating the user-supplied URI. This enables an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall or a VPN.

API8:2023 – Security Misconfiguration

APIs and the systems supporting them typically contain complex configurations, meant to make the APIs more customizable. Software and DevOps engineers can miss these configurations, or don’t follow security best practices when it comes to configuration, opening the door for different types of attacks.

API9:2023 – Improper Inventory Management

APIs tend to expose more endpoints than traditional web applications, making proper and up-to-date documentation highly important. A proper inventory of hosts and deployed API versions is also important to mitigate issues such as deprecated API versions and exposed debug endpoints.

API10:2023 – Unsafe Consumption of APIs

Developers tend to trust data received from third-party APIs more than user input, and so tend to adopt weaker security standards. In order to compromise APIs, attackers go after integrated third-party services instead of trying to compromise the target API directly.
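
The three authorization entries above (API1, API3 and API5) share one root cause: the handler trusts an identifier, a field name or a URL that the client chose. The following is an added example, not code from the original post or from OWASP, showing the vulnerable and hardened shape of such handlers side by side in a tiny in-memory "orders" service. The User and Order types, the "customer"/"admin" roles and the sample orders are all constructed for this illustration; the same pattern applies inside any framework's request handler.

```python
"""Constructed example: the authorization checks behind API1 (object level),
API3 (object property level) and API5 (function level), as a tiny in-memory
'orders' service with no web framework or network."""
from dataclasses import dataclass, fields


@dataclass
class User:
    id: int
    role: str  # "customer" or "admin" (assumed roles for this example)


@dataclass
class Order:
    id: int
    owner_id: int
    status: str
    total: float
    shipping_address: str
    internal_note: str  # staff-only field; must never reach a customer


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed sample data standing in for a database table.
ORDERS = {
    1: Order(1, 100, "shipped", 42.0, "1 Main St", "VIP, expedite"),
    2: Order(2, 200, "pending", 9.99, "2 Side Rd", ""),
}

# API3: explicit per-role allowlists for what a caller may read and write.
ALL_FIELDS = tuple(f.name for f in fields(Order))
READABLE = {"customer": ("id", "status", "total", "shipping_address"), "admin": ALL_FIELDS}
WRITABLE = {"customer": {"shipping_address"},
            "admin": {"status", "total", "shipping_address", "internal_note"}}


# --- Vulnerable handlers: trust the ID and the body exactly as the client sent them ---
def vulnerable_get_order(order_id):
    # API1: no ownership check, so any caller reads any order by changing the ID.
    # API3: every property is returned, including internal_note (excessive data exposure).
    return dict(vars(ORDERS[order_id]))


def vulnerable_patch_order(order_id, body):
    # API3 mass assignment: whatever keys the client sends get written, e.g. {"total": 0.01}.
    order = ORDERS[order_id]
    for key, value in body.items():
        setattr(order, key, value)
    return dict(vars(order))


# --- Hardened handlers ---
def _load_authorized(user, order_id):
    """API1: resolve the object, then verify the caller may touch it, before any other work."""
    order = ORDERS.get(order_id)
    if order is None or (user.role != "admin" and order.owner_id != user.id):
        # Same error for 'does not exist' and 'not yours', so IDs cannot be enumerated.
        raise NotFound(order_id)
    return order


def get_order(user, order_id):
    order = _load_authorized(user, order_id)
    return {name: getattr(order, name) for name in READABLE[user.role]}  # API3: output allowlist


def patch_order(user, order_id, body):
    order = _load_authorized(user, order_id)
    rejected = set(body) - WRITABLE[user.role]
    if rejected:  # API3: reject unknown or protected fields rather than silently ignoring them
        raise Forbidden(f"not writable for role {user.role}: {sorted(rejected)}")
    for key, value in body.items():
        setattr(order, key, value)
    return get_order(user, order_id)


def list_all_orders(user):
    """API5: an administrative function guarded by an explicit role check,
    not by the endpoint being left out of the documentation."""
    if user.role != "admin":
        raise Forbidden("admin only")
    return [get_order(user, oid) for oid in sorted(ORDERS)]


def run_demo():
    """Exercise both handler sets and return the outcomes (exception names for refusals)."""
    alice, bob, admin = User(100, "customer"), User(200, "customer"), User(1, "admin")

    def attempt(fn, *args):
        try:
            return fn(*args)
        except (NotFound, Forbidden) as exc:
            return type(exc).__name__

    return {
        "vuln_bob_reads_alice": "internal_note" in vulnerable_get_order(1),
        "vuln_bob_sets_price": vulnerable_patch_order(2, {"total": 0.01})["total"],
        "bob_reads_alice": attempt(get_order, bob, 1),
        "alice_reads_own": attempt(get_order, alice, 1),
        "bob_sets_price": attempt(patch_order, bob, 2, {"total": 0.01}),
        "alice_moves_order": attempt(patch_order, alice, 1, {"shipping_address": "9 New Ave"})["shipping_address"],
        "bob_lists_all": attempt(list_all_orders, bob),
        "admin_lists_all": len(attempt(list_all_orders, admin)),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The three hardened checks are: resolve-then-authorize before any other work, with the same error for "not found" and "not yours" so IDs cannot be enumerated (API1); explicit per-role allowlists on both the fields a caller may set and the fields returned, rejecting unknown fields instead of ignoring them (API3); and a role check on the administrative function itself rather than relying on the endpoint being undocumented (API5). This is also exactly what a single-session scanner cannot infer: only a second identity replaying the same requests shows that bob reading alice's order should fail.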


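SSRF (API7) is one of the few entries in the list where a single local check does most of the work. The following is an added example, not from the original post, of validating a client-supplied URL before the server fetches it. It uses only the standard library; the resolver is injected so the check can be exercised offline against a constructed DNS table, and the hostnames and addresses are made up (93.184.216.34 is used for the "public" case only because the ipaddress module treats the documentation ranges such as 203.0.113.0/24 as non-global).

```python
"""Constructed example: allowlist-style validation of a user-supplied URL
before a server-side fetch (API7, SSRF). Standard library only."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def default_resolver(host):
    """Return every address a hostname resolves to (one DNS answer may mix public and private)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_global(addr):
    """True only for a routable public address; unwraps IPv4-mapped IPv6 first."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata service
    return addr.is_global and not addr.is_multicast


def validate_outbound_url(url, resolver=default_resolver):
    """Return (scheme, host, port, resolved_addresses) or raise ValueError.

    The caller should connect to one of the returned addresses (pinning it) rather
    than resolving the hostname a second time, which closes the DNS-rebinding window,
    and must re-run this check on every redirect it chooses to follow."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise ValueError("invalid port") from exc
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    try:
        addrs = {ipaddress.ip_address(host)}  # literal IP, including bracketed IPv6
    except ValueError:
        addrs = {ipaddress.ip_address(a) for a in resolver(host)}
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    bad = [str(a) for a in addrs if not _is_global(a)]
    if bad:  # a single non-public answer is enough to refuse; DNS is attacker-influenced
        raise ValueError(f"{host} resolves to non-public address(es): {bad}")
    return parts.scheme, host, port, sorted(str(a) for a in addrs)


def is_safe_outbound_url(url, resolver=default_resolver):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS table so the example runs with no network access.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "dual.example": ["93.184.216.34", "10.0.0.5"],  # split answer: one address is internal
    "meta.example": ["::ffff:169.254.169.254"],     # IPv4-mapped cloud metadata address
}


def fake_resolver(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise ValueError(f"unknown host {host!r}") from None


if __name__ == "__main__":
    for candidate in (
        "https://api.example.com/v1/users",
        "http://169.254.169.254/latest/meta-data/",
        "http://127.0.0.1/admin",
        "http://[::1]/",
        "file:///etc/passwd",
        "https://dual.example/",
        "https://meta.example/",
        "https://api.example.com:8443/",
        "http://user:pw@api.example.com/",
    ):
        print(f"{candidate:45} -> {is_safe_outbound_url(candidate, fake_resolver)}")
```

The check deliberately refuses on the first non-public address in a resolution rather than trying the public ones, and it returns the resolved addresses so the HTTP client can be told to connect to the pinned IP; validating the hostname and then letting the client resolve it again is the classic rebinding gap. A denylist of "127.0.0.1, 169.254.169.254" alone misses decimal, octal, IPv6 and IPv4-mapped spellings of the same hosts, which is why the example normalises through ipaddress instead of string matching.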
How to import a Swagger/OpenAPI definition (.yml) into ZAP

1. Open the Import menu in ZAP's top menu bar.

2. Choose "Import an OpenAPI Definition from a File" (there is a matching "from a URL" entry if the API serves its own definition).

3. Select the Swagger/OpenAPI definition file (for example filename.yml).

Note: download the definition for the API under test first; ZAP accepts it as .yml/.yaml or .json. If the servers entry inside the file does not point at the host you intend to scan, set the Target URL in the import dialog, otherwise requests will go to whatever host the file names.

4. Once imported, the endpoints are listed under Sites in the left-hand pane, and ZAP has already sent one request to each, so the Passive Scan results start appearing immediately.

5. Right-click the site in the Sites tree and select Attack → Active Scan to scan the endpoints.

6. In the Active Scan dialog, choose the scan policy (Default Policy unless you have defined your own) and click "Start Scan".

The Default Policy tab will have the following options.

  1. Client Browser
  2. Information Gathering
  3. Injection
  4. Miscellaneous
  5. Server Security

The Default Policy enables the following active scan rules, grouped by category (the exact set depends on the ZAP version and installed add-ons):

Client Browser
  • Cross Site Scripting (DOM Based)

Information Gathering
  • .env Information Leak
  • .htaccess Information Leak
  • Directory Browsing
  • ELMAH Information Leak
  • Heartbleed OpenSSL Vulnerability
  • Hidden File Finder
  • Remote Code Execution – CVE-2012-1823
  • Source Code Disclosure – /WEB-INF Folder
  • Source Code Disclosure – CVE-2012-1823
  • Spring Actuator Information Leak
  • Trace.axd Information Leak
  • User Agent Fuzzer

Injection
  • Buffer Overflow
  • Cloud Metadata Potentially Exposed
  • CRLF Injection
  • Cross Site Scripting (Persistent)
  • Cross Site Scripting (Persistent) – Prime
  • Cross Site Scripting (Persistent) – Spider
  • Cross Site Scripting (Reflected)
  • Format String Error
  • Parameter Tampering
  • Remote OS Command Injection
  • Server Side Code Injection
  • Server Side Include
  • Server Side Template Injection
  • Server Side Template Injection (Blind)
  • Spring4Shell
  • SQL Injection
  • SQL Injection – Hypersonic SQL
  • SQL Injection – MsSQL
  • SQL Injection – MySQL
  • SQL Injection – Oracle
  • SQL Injection – PostgreSQL
  • SQL Injection – SQLite
  • XML External Entity Attack
  • XPath Injection
  • XSLT Injection

Miscellaneous
  • External Redirect
  • Generic Padding Oracle
  • GET for POST
  • Log4Shell
  • Script Active Scan Rules
  • SOAP Action Spoofing
  • SOAP XML Injection

Server Security
  • Path Traversal
  • Remote File Inclusion

Note what is absent: none of these rules exercise authorization. API1, API3 and API5 findings come from replaying the same requests under two accounts and comparing the responses, which needs ZAP's Access Control Testing add-on or manual work with two sessions, not the Default Policy.

7. Scan progress is shown in the Active Scan tab at the bottom of the window, with the number of requests sent and alerts raised so far.

8. When the scan finishes, review the alerts in the Alerts tab and generate the API DAST scan report via Report → Generate Report.

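Steps 1 to 8 above are GUI actions, which is fine for a one-off assessment but not for the CI/CD use discussed later in this post. The same sequence (import the OpenAPI file, active-scan it with the Default Policy, write a report) can be expressed as a ZAP Automation Framework plan. The plan below is an added example, not from the original post: the context name, target URL, file paths and time limit are assumptions to replace with your own.

```yaml
# zap-api-scan.yaml (constructed example; names and paths are placeholders)
env:
  contexts:
    - name: "orders-api"
      urls:
        - "https://api.example.com"        # assumed target; everything outside it is out of scope
  parameters:
    failOnError: true

jobs:
  - type: openapi                          # steps 1-4: import the definition into the Sites tree
    parameters:
      apiFile: "/zap/wrk/openapi.yml"      # the downloaded Swagger/OpenAPI file, mounted into the container
      targetUrl: "https://api.example.com" # overrides the servers entry inside the file
      context: "orders-api"

  - type: passiveScan-wait                 # let passive rules finish on the import traffic

  - type: activeScan                       # steps 5-7: Attack -> Active Scan with the Default Policy
    parameters:
      context: "orders-api"
      policy: "Default Policy"
      maxScanDurationInMins: 60            # assumed cap; 0 means unlimited

  - type: report                           # step 8: the scan report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk"
      reportFile: "api-dast-report"
```

Run it headless from the directory holding openapi.yml with `docker run --rm -v "$(pwd)":/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap.sh -cmd -autorun /zap/wrk/zap-api-scan.yaml`; the HTML report lands next to the definition. Two practical caveats: as written the plan scans unauthenticated, so endpoints that require a token mostly return 401 and are barely tested; configure authentication, session management and users on the context (the Automation Framework supports several methods) before trusting the coverage. And point it at a dedicated test instance: the Default Policy's injection rules are noisy and will write junk into whatever data store sits behind the API.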
Benefits of Integrating OpsMx with OWASP ZAP

You can use OpsMx to automate security scans in your CI/CD pipeline. Integrate OpsMx with OWASP ZAP to enhance API security.

  • Automated Security Scanning—Detect vulnerabilities early by embedding OWASP ZAP in CI/CD pipelines
  • Policy-Driven Security Enforcement—Define and enforce security policies across your application delivery
  • Continuous Risk Assessment—Get real-time insights into API vulnerabilities and risks
  • Effortless Compliance—Automate security controls to align with compliance frameworks
  • Frictionless Developer Experience—Empower developers with security insights without disrupting workflows

Conclusion

API security is no longer optional—it’s a critical component of modern application development. By understanding the OWASP API Top 10 risks and leveraging tools like OWASP ZAP, you can identify and mitigate API security risks.

Integrating ZAP with OpsMx helps you shift security left and lets DevSecOps teams manage risk without slowing down innovation. For integration into your CI/CD pipeline, explore OpsMx’s automated security solutions.

About OpsMx

OpsMx is a leading innovator and thought leader in the Application Security space. Leading technology companies such as Google, Cisco, Western Union, among others rely on OpsMx to secure their application lifecycle.

OpsMx Secure CD is the industry’s first CI/CD solution designed for software supply chain security. With built-in compliance controls, automated security assessment, and policy enforcement, OpsMx Secure CD can help you deliver software quickly without sacrificing security.

OpsMx Delivery Shield adds DevSecOps capabilities to enterprise deployments by providing Application Security Posture Management (ASPM), unified visibility, compliance automation, and security policy enforcement to your existing application lifecycle.

Frequently Asked Questions on OWASP ZAP and API Security

1. What is API Security?

API Security refers to the practices, tools, and protocols used to secure APIs from malicious attacks, unauthorized access, and data breaches.

API Security involves

  • Authentication: Ensuring only authorized users or systems can access the API.
  • Authorization: Restricting what actions users or systems can perform.
  • Encryption: Protecting data in transit and at rest using protocols like HTTPS and TLS.
  • Input Validation: Preventing malicious inputs from exploiting vulnerabilities.
  • Monitoring and Logging: Detecting and responding to suspicious activities in real-time

2. What is the need for API Security?

API Security is important because it can:

  1. Mitigate threats 
  2. Prevent exposure of secrets 
  3. Prevent unauthorized access 
  4. Avoid disruption to business continuity
  5. Ensure compliance with regulations 

3. Why use OWASP ZAP for API security testing?

ZAP is a mature open-source DAST tool for testing running web applications and APIs. Given an API definition it exercises every documented endpoint and flags issues such as SQL and OS command injection, cross-site scripting (where API responses end up rendered), information leaks and common misconfigurations; with a context and users configured it can also assist with authentication and access control testing.

4. How do I import a Swagger file into OWASP ZAP?

Follow these steps to import a Swagger/OpenAPI file into ZAP:

  1. Install the OpenAPI Support add-on if it is not already present: open the Marketplace (Manage Add-ons) in ZAP and install it.
  2. Import the definition: from the Import menu choose "Import an OpenAPI Definition" from a file or from a URL, then select the .json or .yaml file from your local system or enter the URL. Set the Target URL if the servers entry in the definition does not match the host you are testing.
  3. Start scanning: ZAP parses the endpoints into the Sites tree, sends a request to each, and you can then run passive or active scanning against them.

5. Can OWASP ZAP detect OWASP API Top 10 vulnerabilities like Broken Object Level Authorization?

Partly. ZAP’s active scan rules find injection, SSRF-style and misconfiguration issues (API7, API8, and some of API3 where a response leaks fields it should not). Broken Object Level Authorization is different: whether user A may read order 42 is a question about your business rules, and a scanner holding a single session has no way to know the answer, so it cannot raise a BOLA alert on its own.

Testing object-, property- and function-level authorization (API1, API3, API5) means replaying the same requests under two or more identities and comparing the responses. ZAP supports this with its Access Control Testing add-on once a context with users has been configured; Burp Suite extensions offer similar replay-and-compare workflows. Treat any tool's claim to "cover all OWASP API Top 10 risks" with caution: API6 (business flow abuse) and API9 (inventory management) are not scanner findings at all.

6. Does OWASP ZAP support non-OpenAPI APIs like SOAP or GraphQL?

Yes, ZAP supports other non-OpenAPI APIs such as SOAP and GraphQL. 

SOAP:  ZAP can scan WSDL-based SOAP APIs by importing the WSDL file or capturing traffic via proxy mode.

GraphQL: ZAP supports GraphQL introspection, query fuzzing, and detecting common vulnerabilities like injections and excessive data exposure, but may require custom scripts for deeper testing.

7. How long does an API Active Scan take in ZAP?

It depends on the number of endpoints and parameters, the scan policy, and how quickly the target responds. A small API with a handful of endpoints typically finishes in minutes; a large one with many parameters can take hours, because every injection rule sends many payloads per parameter.

To balance speed against coverage, disable rules that cannot apply (for example the database-specific SQL injection variants for a database you do not run), set a maximum scan duration, and keep the thread count low enough that the target is not overwhelmed.

8. What security checks are included in ZAP’s Default Policy?

ZAP’s Default Policy is a set of active scan rules (listed earlier in this post); passive scan rules run on all traffic regardless of policy. Between them they cover:

  • Injection: SQL injection (generic and database-specific), OS command injection, server-side code and template injection, XXE, XPath and XSLT injection, CRLF injection, and reflected, persistent and DOM-based Cross-Site Scripting.
  • Server-side issues: path traversal, remote file inclusion, server-side include, external redirect, buffer overflow and format string errors.
  • Information leakage: exposed .env, .htaccess, Spring Actuator, ELMAH and Trace.axd resources, directory browsing, source code disclosure, hidden files and cloud metadata endpoints.
  • Known vulnerable components: Heartbleed, Log4Shell, Spring4Shell and the CVE-2012-1823 PHP-CGI flaw.
  • Misconfiguration (mostly passive rules): missing or weak security headers, cookie flags, and information disclosed in error messages or comments.

Not included: authentication strength, object- or function-level authorization, and rate limiting are outside what the Default Policy tests.

9. How do I interpret ZAP’s API DAST scan report?

A ZAP report (HTML, JSON, XML or SARIF, depending on the template chosen) contains:

  • Summary: the target, scan duration, number of requests, and alert counts by risk level.
  • Alerts: each finding grouped by rule, with a risk rating (High, Medium, Low, Informational) and a confidence rating, a description, the affected URL(s) and parameter, the evidence matched, and a solution section with references.
  • Request and response details: the exact HTTP request and response that triggered the alert, so you can reproduce it outside ZAP.
  • Identifiers: CWE and WASC IDs on each alert, which is how you map findings back to a risk category; the mapping to OWASP API Top 10 entries is a manual step.

Two caveats when reading it: confidence matters as much as risk (a High-risk, Low-confidence SQL injection alert on an endpoint that answered with a generic 500 is often a false positive and should be reproduced by hand), and the absence of API1/API3/API5 alerts says nothing about authorization, which the scan did not test.
