The OWASP (Open Worldwide Application Security Project) Top 10 is a regularly released report that details the security risks for web application security, focusing on the top 10 security concerns. It aims to provide tools and resources to make web applications more secure.
In this article, we will look at the top 10 OWASP web application risks of 2023:
BOLA (Broken Object-Level Authentication) - OWASP#1
BOLA is ranked as the most common, often most damaging, and most difficult to detect in applications (OWASP 2023). Broken Object-Level Authentication allows manipulation of APIs to access data/objects belonging to another user.
This risk can lead to data loss, disclosure, and data manipulation. An example of a real-life data breach caused by BOLA was the US Postal Service data breach in which the application required authentication allowing user A to access any other users’ account details.
BOLA is an application authorizing issue and can be mitigated through continuous testing.
Broken Authentication - OWASP#2
Broken Authentication refers to weak or poor authentication controls within your application. Examples of this OWASP include weak password requirements, non-validation of token expiration, and insecure password storage.
A real-life data breach caused by broken authentication was experienced by Bumble, where 95 million account details were accessed without authentication. They also used incremental user IDs i.e., 001,002,003 which would make it easier for an attacker to manipulate their data once they got hold of the API endpoints
Broken Authentication can be mitigated through:
Defining authentication policies and standards and adhering to these best practices
Continuous testing
Broken Object Property Level Authentication - OWASP #3
This refers to the manipulation of data/objects through an API endpoint.
This category combines two vulnerabilities:
Mass assignment is where an attacker can modify or update the values of objects through an API for example modifying a user from a free-plan user to a premium-plan user.
Excessive data exposure is where an API endpoint reveals more data than is required for a specific functionality, for example, an endpoint requires the name and phone number of a user, but the API endpoint exposes other PII.
Unrestricted Resource Consumption - OWASP #4
Unrestricted Resource Consumption, previously known as “Lack of Resources and Rate Limiting” is an API risk that would lead to mass data harvesting.
This breach occurs when API traffic controls are not implemented, including:
Timeouts
Rate controls
Maximum number of files/upload size
Restrict the number of records returned in a single request
This can be mitigated by implementing controls to limit the data that can be accessed from your APIs and continuously testing the effectiveness of these controls
Broken Function Level Authorization - OWASP #5
This OWASP refers to the abuse of API functionality to improperly modify objects - to create, update, and delete objects within your environment.
This vulnerability can be abused to modify user account details and escalate user privileges to potentially administrator privileges.
To mitigate this:
Identify functions that expose high-sensitivity capabilities and implement access controls
Continuous testing to ensure the behavior is as intended.
Unrestricted Access to Sensitive Business Flows - OWASP #6
This is the first time an OWASP top 10 specifically mentioned business risks that can be exploited through APIs.
This typically results from the application logic flow. If an attacker abused a legitimate business workflow through excessive automation, it could prevent legitimate users from accessing the services.
To mitigate this:
Implement fraudulent traffic detention and controls.
Setup and automate testing of control mechanisms.
Server Side Request Forgery - OWASP #7
API endpoints that accept URLs as input parameters provide an opening for malicious actors to provide malicious input/malware.
To prevent this, it is important to:
Validate and sanitize user inputs including URL parameters
Ensure communication is only permitted with trusted resources
Test the effectiveness of the URL.
Security Misconfiguration - OWASP #8
These vulnerabilities occur from infrastructure misconfiguration, such as unpatched systems, improperly configured permissions, and improperly set or missing CORS policies.
Improper Inventory Management - OWASP #9
This API risk occurs when you do not have a comprehensive and complete view of your API environment. Having a complete view of your API environment means understanding your running APIs, older API versions, and who has access to them, for example, 3rd parties, and how they use your APIs.
It is important to understand how older API versions are treated and retired and how to deal with vulnerabilities in older API versions - if they are still in use/production.
To mitigate this risk:
Approve, test, and validate APIs before they go live
Define rules for API versioning and retirement
Periodically audit 3rd party access
Unsafe Consumption of APIs - OWASP #10
This is a risk that exists when you make use of 3rd party APIs in your application. If attackers gain a foothold in the 3rd party’s environment, they may exploit your application.
To mitigate this:
Validate data returned by 3rd party APIs
Validate security controls implemented by third parties
Encrypt all API communication
Conclusion
The OWASP Top 10 offers a structured framework for consistently evaluating and enhancing the security of web applications throughout the development lifecycle. By integrating these principles into our development processes, we can proactively identify and mitigate common security risks. Embracing the OWASP Top 10 not only helps to protect against known threats but also fosters a culture of security awareness and diligence within development teams. As cyber threats evolve, adhering to OWASP guidelines empowers organizations to stay ahead of emerging risks and maintain trust in an increasingly digital world.
