[OWASP Top 10]: API Security Basics ~Series 2~ Risks and Countermeasures
Overview
Jan 28, 2022
We will cover the basics of the OWASP API Security Top 10.
1: Broken Object Level Authorization (Insecure Direct Object Reference)
What is it?
For example,
Let’s pretend that when I type a URL for my own messages, I can see my own credentials. But what if I type
https://takahiro-oda.medium.com/messages/12344
and the credentials of another person show up?
This is Broken Object Level Authorization: the API checked who I am, but not whether I am allowed to read that particular object.
Why does it happen?
- Lack of authorization (no code validates that the caller may access the requested object)
- Human error (an API that mixes sensitive and non-sensitive data)
Automated attack
Because the object ID is the only thing that changes between requests, the probing can be automated with a tool such as Burp Suite by sending the same request while substituting the ID.
For example:
https://takahiro-oda.medium.com/messages/<ID>
Countermeasures
- Use unpredictable IDs (random, hard to guess, not sequential); this only slows enumeration down and is not a substitute for the authorization check
- Validate user input
- Confirm authorized access: on every request, check that the authenticated caller is allowed to access the specific object being requested
- Use automated testing to check that objects belonging to one user cannot be read as another user
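As an added illustration (not code from the original post), here is a minimal Python handler for the `/messages/<ID>` lookup in its vulnerable form next to the fixed form, plus a small automated check that walks a range of IDs as one user and reports every object it was handed that it does not own. The message store, user names and function names are constructed for this example.

```python
from __future__ import annotations

# Constructed sample data: sequential message IDs, as in the /messages/<ID> example.
MESSAGES = {
    12343: {"owner": "alice", "body": "alice's private note"},
    12344: {"owner": "bob", "body": "bob's private note"},
    12345: {"owner": "alice", "body": "alice's second note"},
}


def get_message_vulnerable(current_user: str, message_id: int) -> tuple[int, dict | None]:
    """Broken Object Level Authorization: the caller is authenticated
    (current_user is known) but the handler never checks object ownership."""
    msg = MESSAGES.get(message_id)
    if msg is None:
        return 404, None
    return 200, msg


def get_message_fixed(current_user: str, message_id: int) -> tuple[int, dict | None]:
    """Object-level authorization: the lookup is scoped to the caller.
    A missing object and someone else's object get the same 404, so the
    response does not reveal which IDs exist."""
    msg = MESSAGES.get(message_id)
    if msg is None or msg["owner"] != current_user:
        return 404, None
    return 200, msg


def leaked_ids(handler, current_user: str, id_range: range) -> list[int]:
    """Automated check for the last countermeasure: request every ID in the
    range as current_user and list each object returned that they do not own."""
    leaked = []
    for message_id in id_range:
        status, msg = handler(current_user, message_id)
        if status == 200 and msg["owner"] != current_user:
            leaked.append(message_id)
    return leaked


if __name__ == "__main__":
    ids = range(12340, 12350)
    print("vulnerable handler leaks:", leaked_ids(get_message_vulnerable, "alice", ids))
    print("fixed handler leaks:     ", leaked_ids(get_message_fixed, "alice", ids))
```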