Blog


OWASP Top 10 API Security Risks – 2023: API6:2023 – Unrestricted Access to Sensitive Business Flows

APIs enable various business flows, such as purchasing tickets, booking reservations, or posting comments. However, these flows can become liabilities if they are exposed without sufficient protections. *Unrestricted Access to Sensitive Business Flows* refers to a scenario where APIs fail to:

1. Limit access to sensitive operations.
2. Implement controls to prevent abuse, particularly by automated systems (e.g., bots).
3. Consider the broader business implications of such unrestricted access.

For instance, an API for purchasing event tickets might allow unlimited purchases by the same user or bot, leading to scalping and significant financial losses for legitimate customers.


In-depth Exploration of OWASP API Security Top 10 (2023) – API5:2023 – Broken Function Level Authorisation for Software Developers

Broken Function Level Authorisation occurs when an attacker is able to access functions or data that they are not authorised to use. This happens due to inadequate enforcement of role-based access controls (RBAC) or a failure to properly segregate administrative and regular user functions. APIs often expose a variety of functions depending on the user’s role (e.g., regular user, administrator, manager, etc.). When these functions are not sufficiently protected or are poorly designed, attackers can bypass these restrictions to gain unauthorised access to sensitive information or perform malicious activities.


OWASP Top 10 API Security Risks – 2023: API4:2023 – Unrestricted Resource Consumption

Unrestricted resource consumption occurs when an API allows users or clients to request resources without proper limits or controls. Every API request consumes a certain amount of resources such as CPU cycles, memory, network bandwidth, storage, and other external services (e.g. email, SMS, or biometric validation). If these resources are not regulated, an attacker can exploit the API to consume disproportionate resources, leading to a range of undesirable consequences including:

1. Denial of Service (DoS): An attacker may cause the API to become unresponsive by overwhelming it with an excessive number of requests, or by requesting resources that are computationally expensive, leading to system crashes or slowdowns.
2. Inflated Operational Costs: APIs that involve third-party services, such as SMS or email delivery, may incur costs for each request. Without proper restrictions, malicious actors can generate high volumes of such requests, leading to unexpected cost overruns.
3. Data Loss or Degradation: APIs that allow unregulated access to large amounts of data or storage can be abused, resulting in slow system performance, data corruption, or loss.


OWASP Top 10 API Security Risks – 2023: API3:2023 – Broken Object Property Level Authorisation

API3:2023 represents a nuanced security challenge where improper or absent authorisation checks allow attackers to access or manipulate sensitive properties of an object within an API. Unlike broader access control issues, this risk focuses specifically on granular authorisation, which determines the visibility or modifiability of individual object properties.


OWASP Top 10 API Security Risks – 2023: API2:2023 – Broken Authentication

Authentication is the process of verifying a user’s identity before granting access to resources. In APIs, authentication mechanisms ensure that only authorised clients or users can interact with the system. Broken authentication compromises this trust, potentially leading to data breaches, identity theft, or unauthorised access to sensitive information. As APIs often handle vast amounts of personal and corporate data, even minor authentication flaws can have catastrophic consequences for businesses.

Broken authentication manifests in various forms, each posing unique challenges to developers and penetration testers.