API access control Archives

Improper-API-Inventory-Mgmt-KrishnaG-CEO

OWASP Top 10 API Security Risks – 2023: API9:2023 – Improper Inventory Management

20 February 2025 by Krishna

Improper inventory management refers to the failure to adequately track and manage the lifecycle of APIs within an organisation. This includes:

– Keeping track of all deployed API versions.
– Documenting endpoints, their functions, and access control requirements.
– Managing deprecated or unused versions.
– Ensuring that sensitive or debug information is not exposed via endpoints.
– Auditing and monitoring API usage regularly.

When APIs are not properly inventoried, organisations may unknowingly expose insecure or deprecated API versions to the public. This can lead to serious security issues, as older versions may lack critical patches or expose debugging functionality that provides attackers with valuable information.

Broken-Function-Level-Authorisation-KrishnaG-CEO

In-depth Exploration of OWASP API Security Top 10 (2023) – API5:2023 – Broken Function Level Authorisation for Software Developers

16 February 202516 February 2025 by Krishna

Broken Function Level Authorisation occurs when an attacker is able to access functions or data that they are not authorised to use. This happens due to inadequate enforcement of role-based access controls (RBAC) or a failure to properly segregate administrative and regular user functions. APIs often expose a variety of functions depending on the user’s role (e.g., regular user, administrator, manager, etc.). When these functions are not sufficiently protected or are poorly designed, attackers can bypass these restrictions to gain unauthorised access to sensitive information or perform malicious activities.

OWASP Top 10 API Security Risks – 2023: API2:2023 – Broken Authentication

13 February 202513 February 2025 by Krishna

Authentication is the process of verifying a user’s identity before granting access to resources. In APIs, authentication mechanisms ensure that only authorised clients or users can interact with the system. Broken authentication compromises this trust, potentially leading to data breaches, identity theft, or unauthorised access to sensitive information. As APIs often handle vast amounts of personal and corporate data, even minor authentication flaws can have catastrophic consequences for businesses.
Broken authentication manifests in various forms, each posing unique challenges to developers and penetration testers.