The OWASP API Security Project has just released an updated version of the OWASP Top 10 for APIs. A lot has changed in the field of API Security since the first edition was published four years ago (2019). Updating the list required us to keep up with new trends and talk to security experts from different industries to make the information more accessible to everyone.
The 2023 list is a result of the amazing effort put in by the OWASP community and project contributors.
Here are three new trends from the list:
- Authorization remains the biggest challenge in API Security. Three out of the top five items are related to authorization (access control). Modern API-based applications are becoming increasingly complex, with thousands of API endpoints and countless parameters. When you add user hierarchies into the mix, it becomes a recipe for unpredictable behaviors that may not only hurt the system but also organizations’ reputation.
- We’ve added a new item called “Unrestricted Access to Sensitive Business Flows” to address emerging risks like Scalping and Fake Account Creation. This trend highlights the importance of not only secure coding but also secure planning and design when building a new application. With APIs allowing easy access for bots, it’s crucial to identify sensitive business flows and choose appropriate protection measures.
- Server-Side Request Forgery (SSRF) has been added to the list. While SSRF is not a new vulnerability, it has become more prevalent and severe in API-based applications. The popularity of webhooks, for example, has made it easier for attackers to exploit SSRF vulnerabilities. Furthermore, the management/control REST APIs of cloud platforms, Kubernetes (K8S), and Docker make exploitation easier.
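The webhook case above is where most API teams meet SSRF first: the server is handed a URL by a user and asked to call it. The following is an added example of the defender-side check, not code from the OWASP project or the Top 10 document. It assumes a policy of HTTPS on port 443 only (the `ALLOWED_SCHEMES` and `ALLOWED_PORTS` sets are assumptions, not a published recommendation), and it replaces real DNS with a constructed lookup table so it runs offline; the function and hostnames are illustrative.

```python
"""SSRF mitigation for user-supplied webhook URLs (added example, not OWASP code).

Before the service makes an outbound webhook call it validates the scheme,
rejects embedded credentials, checks the port, and judges every address the
host resolves to, so loopback, private ranges and link-local metadata
endpoints (e.g. 169.254.169.254 on most cloud platforms) are never reached.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Policy assumed for this example: webhooks must be HTTPS on the default port.
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}

# Ranges an outbound webhook has no business reaching.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def system_resolver(host):
    """Return every address the OS resolver gives for host (as strings)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def is_blocked_address(text):
    """True if the address is in a blocked range; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_webhook_url(url, resolver=system_resolver):
    """Return (ok, reason, addresses).

    On success `addresses` is the resolved set the caller should pin its
    connection to, so the DNS answer cannot change between check and use.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", set()
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed", set()
    host = parts.hostname
    if not host:
        return False, "missing host", set()
    try:
        port = parts.port if parts.port is not None else 443
    except ValueError:
        return False, "invalid port", set()
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", set()

    # Decide on resolved addresses, not on the text the user typed: an IP
    # literal is used as-is, anything else goes through the resolver.
    try:
        addresses = {str(ipaddress.ip_address(host))}
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        return False, "host does not resolve", set()
    blocked = sorted(a for a in addresses if is_blocked_address(a))
    if blocked:
        return False, f"resolves to blocked address(es) {blocked}", set()
    return True, "ok", addresses


# Constructed DNS table standing in for the system resolver in the demo.
SAMPLE_DNS = {
    "hooks.example.com": {"203.0.113.10"},
    # A name whose answer mixes a public and a link-local address.
    "rebind.example.net": {"203.0.113.20", "169.254.169.254"},
}


def sample_resolver(host):
    return SAMPLE_DNS.get(host, set())


def run_samples():
    """Validate constructed URLs; returns {url: (ok, reason)}."""
    urls = [
        "https://hooks.example.com/notify",
        "http://hooks.example.com/notify",
        "https://hooks.example.com:8443/notify",
        "https://user@127.0.0.1/",
        "https://[::ffff:169.254.169.254]/latest/meta-data/",
        "https://10.0.0.5/",
        "https://rebind.example.net/cb",
        "https://unknown.invalid/cb",
    ]
    return {u: validate_webhook_url(u, sample_resolver)[:2] for u in urls}


if __name__ == "__main__":
    for url, (ok, reason) in run_samples().items():
        print(f"{'ALLOW' if ok else 'REJECT':6} {url}  ({reason})")
```

Two points the check alone does not cover: the HTTP client must connect to the pinned addresses returned by `validate_webhook_url` (not re-resolve the name), and it must not follow redirects automatically, since a redirect to an internal address would bypass the check unless each hop is validated the same way.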