[OWASP Top 10]: API Security Basics ~Series 2~ Risks and Countermeasures

Overview

Takahiro Oda

--

We will cover the basics of the OWASP API Security Top 10.

1: Broken Object Level Authorization (Insecure Direct Object Reference)

What is it?

For example, let's pretend that when I type the URL for one of my messages, I can see my own credentials. But what if I type

https://takahiro-oda.medium.com/messages/12344

and another person's credentials show up?

This is Broken Object Level Authorization: the API looked the object up by its ID without checking that the caller is allowed to see it.

Why does it happen?

  • Lack of authorization (no code validates that the caller may access the object)
  • Human error (an API mixing sensitive and non-sensitive data)

Automated attack

Finding this flaw is easy to automate. A tool such as Burp Suite can iterate over the ID in a URL like

https://takahiro-oda.medium.com/messages/<ID>

and flag every value that returns another user's data, which is also how you should test your own API.

Countermeasures

  • Use unpredictable IDs (random, hard to guess, not sequential)
  • Validate user input
  • Confirm that the caller is authorized to access the specific object, on every request
  • Use automated testing to check that object-level authorization holds
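As an added example that is not from the original post, here is a message-lookup handler in plain Python (no web framework; the store, user names and IDs are all constructed) in its vulnerable form beside the corrected one, which checks object ownership and uses unpredictable IDs:

```python
# Added example (not from the original post): a message-lookup endpoint written
# two ways, first without an object-level authorization check (the BOLA/IDOR
# flaw described above) and then with one. Handlers are plain functions that
# return (status, body) so the logic is easy to test. All data is constructed.
import secrets
from dataclasses import dataclass


@dataclass
class Message:
    id: str
    owner_id: str
    body: str


def new_id() -> str:
    # Countermeasure 1: unpredictable IDs from a CSPRNG, not a sequential counter.
    return secrets.token_urlsafe(16)


# Constructed sample store: one private message per user.
STORE: dict[str, Message] = {}
for owner, body in [("alice", "alice's private note"), ("bob", "bob's private note")]:
    mid = new_id()
    STORE[mid] = Message(mid, owner, body)


def get_message_vulnerable(current_user: str, message_id: str):
    """Looks the object up by ID only: whoever supplies a valid ID gets it."""
    msg = STORE.get(message_id)
    if msg is None:
        return 404, None
    return 200, msg.body


def get_message_secure(current_user: str, message_id: str):
    """Requires an authenticated caller AND verifies the caller owns the object.
    A non-owner gets 404 rather than 403 so the response does not confirm that
    the ID exists (a policy choice assumed here, not from the original post)."""
    if not current_user:
        return 401, None
    if not isinstance(message_id, str) or not message_id:  # validate user input
        return 400, None
    msg = STORE.get(message_id)
    if msg is None or msg.owner_id != current_user:
        return 404, None
    return 200, msg.body


def id_for(owner: str) -> str:
    """Test helper: the constructed message ID that belongs to `owner`."""
    return next(m.id for m in STORE.values() if m.owner_id == owner)
```

Calling the two handlers with Alice's session and Bob's message ID shows the difference: the vulnerable one returns Bob's note, the secure one returns 404.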

2: Broken User Authentication

What is broken user authentication?

It shows up when an API should have an authentication system but does not in practice, or when the authentication system is established but fails in specific instances, allowing attackers to impersonate a legitimate user.

Why does this happen?

  • Public-facing authentication systems are complex, and when they are not implemented and handled properly this opens vulnerabilities.

Common root cause and countermeasures

2.1: Insecure password storage

  • Passwords should be masked on client entry
  • Encrypted in transit and at rest
  • Never stored in plaintext; store a password hash instead

2.2: Credential stuffing
