[OWASP Top 10]: API Security Basics ~Series 2~ Risks and Countermeasures

Overview

Takahiro Oda
5 min read · Jan 28, 2022

We will cover the basics of the OWASP API Security Top 10.

1: Broken Object Level Authorization (Insecure Direct Object Reference)

What is it?

For example, suppose that when I open my own messages URL, I can see my own credentials. But if I change the ID and type

https://takahiro-oda.medium.com/messages/12344

the credentials of another person show up.

This is Broken Object Level Authorization: the API looked the object up by its ID but never checked whether I am allowed to see it.

Why does it happen?

  • Lack of authorization (no code validates that the caller may access the requested object)
  • Human error (an API that mixes sensitive and non-sensitive data)

Automated Attack

Because the IDs are predictable, this does not have to be checked by hand: a tool such as Burp Suite can send the same request with many different values in place of the ID. For example:

https://takahiro-oda.medium.com/messages/<ID>

Countermeasures

  • Use unpredictable IDs (random, hard to guess, not sequential)
  • Validate user input
  • Confirm authorized access (on every request, check that the caller owns or may access the requested object)
  • Use automated testing to check
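The vulnerable lookup beside the fixed one, as an added example that is not from the original post. It assumes a hypothetical in-memory message store and a hypothetical `current_user` already established by authentication; the sample messages are constructed.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    id: str
    owner: str
    body: str


# Constructed sample data: two users, one message each (hypothetical store).
MESSAGES = {
    "12344": Message("12344", "alice", "alice's credentials"),
    "12345": Message("12345", "bob", "bob's credentials"),
}


class NotFound(Exception):
    pass


def get_message_vulnerable(current_user: str, message_id: str) -> Message:
    """BOLA: the object is looked up by ID alone, so any authenticated
    user can read any message just by changing the ID in the URL."""
    if message_id not in MESSAGES:
        raise NotFound(message_id)
    return MESSAGES[message_id]  # current_user is never consulted


def get_message_fixed(current_user: str, message_id: str) -> Message:
    """Object-level authorization: the object must belong to the caller.
    'Missing' and 'not yours' return the same error, so a caller cannot
    use the response to learn which IDs exist."""
    msg = MESSAGES.get(message_id)
    if msg is None or msg.owner != current_user:
        raise NotFound(message_id)
    return msg


def new_message_id() -> str:
    """Unpredictable 128-bit identifier for new objects, so IDs are not
    sequential. This complements, and does not replace, the ownership check."""
    return secrets.token_urlsafe(16)
```

The ownership check is the actual fix; random IDs only make enumeration harder and must not be relied on as the sole control.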
