[OWASP Top 10]: API Security Basics ~Series 2~ Risks and Countermeasures

Overview

We will cover the OWASP top 10 API security basics

1:Broken Object Level Authorization (Insecure direct object reference)

what is it?

For example,

Let’s pretend that when I type this URL, I can see my credentials. But if I type

https://takahiro-oda.medium.com/messages/12344

and credentials of another person show up?

This is Broken Object Level Authentication.

Why happens?

• Lack of authorization (No code to validate )
• Human error ( API mixing sensitive and non-sensitive data)

Automated Attack

Burp Suite

For example

https://takahiro-oda.medium.com/messages/<ID>

Countermeasures

• Use unpredictable IDs ( random, hard to guess, not sequential)
• Validate user input
• Confirm authorized access
• Use automated testing to check