Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Saturday, 4 July, 2026
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

The 4 Most Common OWASP API Security Threats

Yaniv Balmas, VP of Research at Salt Security, explores four of the most common flaws and vulnerabilities inherent in APIs

by Guru Writer
August 31, 2022
in Insight
The 4 Most Common OWASP API Security Threats
Share on FacebookShare on Twitter

The Open Web Application Security Project (OWASP) works to improve the security of software worldwide. OWASP’s well-known Top 10 lists increase awareness about the most critical security risks to web applications.

 

As the foundation for today’s app-driven economy, APIs have risen to the very top of those risks. API usage has exploded and has become ubiquitous across both external-facing and internal applications. To understand and mitigate unique API vulnerabilities and the growing threats against them, OWASP published its inaugural OWASP API Security Top 10.

 

The list provides companies with a good starting point for learning about the common weaknesses and security flaws that can exist within APIs. Of these, the most common are:

  1. BOLA (Broken Object Level Authorisation)
  2. Broken User Authentication
  3. Excessive Data Exposure
  4. Security Misconfiguration

 

BOLA

Accounting for about 40% of all API attacks, broken object level authorisation – or BOLA – represents the most prevalent API threat. Attackers can easily exploit API endpoints that are vulnerable to BOLA by manipulating the ID of an object sent within an API request. Because the server component typically does not fully track the client’s state, these vulnerabilities are extremely common in API-based applications.

BOLA authorization flaws can lead to data exfiltration as well as unauthorised viewing, modification, or destruction of data. BOLA can also lead to full account takeover (ATO).

Automatic static or dynamic testing cannot easily detect BOLA authorisation flaws. Traditional security controls, such as WAFs and API gateways, also miss these types of attacks because they cannot understand API context and so cannot baseline normal API behaviour.

 

‍Broken User Authentication

Broken user authentication allows attackers to use stolen authentication tokens, credential stuffing, and brute-force attacks to gain unauthorised access to applications. Attackers can take over user accounts, gain unauthorised access to another user’s data, and make unauthorised transactions. Authentication mechanisms present an easy target for attackers, particularly if they are fully exposed or public.

Technical factors that can lead to broken authentication in APIs include, among others, weak password complexity, missing account lockout thresholds, excessively long durations for password/certificate rotations, or use of API keys as the only authentication material.

Because traditional security controls lack the ability to track attack traffic over time, they cannot decipher the different forms of advanced attacks that target authentication.

 

‍Excessive Data Exposure

APIs often send more information than is needed in an API response and leave it up to the client application to filter the data. However, relying on client-side code to filter sensitive data causes problems, as attackers regularly bypass client-side web and mobile application code and call APIs directly.

In the case of excessive data exposure, attackers hope that the API will provide more information than needed – ideally, information that they can use in more complex attacks. For example, an API request for user information might also produce the admin’s user name, multifactor authentication status, and other data that is completely unnecessary to the original request.

Traditional security scanning and runtime detection tools will sometimes alert on this type of vulnerability, but they are unable to differentiate between legitimate data returned from the API and sensitive data that should not be returned.

 

‍Security Misconfiguration

Many security misconfigurations exist that often negatively impact API security as a whole and can inadvertently introduce vulnerabilities. Security misconfigurations can include insecure default configurations, incomplete configurations, misconfigured HTTP headers, verbose error messages, open cloud storage, and more.

Misconfigurations enable attackers to gain knowledge of the application and API components during their reconnaissance phase. Attackers can also exploit misconfigurations to pivot their attacks against APIs.

 

Defending Against API Attacks Requires Context

By their nature, APIs expose application logic. Hackers do lots of experimentation to try to identify gaps in that business logic that they can exploit.  The reconnaissance needed to propagate attacks like these take a lot of time. A single API attack can take hours, days, or even weeks to unfold.

To defend against them, organizations must analyse large amounts of API traffic and API activity over time. Spotting abuses, such as BOLA, requires continuous monitoring of millions of API calls and users. Large-scale data analysis, in near real time, is essential to establish a baseline of typical API activity and the anomalies that don’t align – this is the kind of context teams need to spot API abuses.

Differentiating between legitimate requests and requests that lack proper authentication or authorization also requires rich context. Organizations need to analyse all API activity to identify attempts to exfiltrate too much data or gain access to unauthorised private data.

Server- or VM-based API security approaches simply don’t have a broad enough data set over time to identify today’s sophisticated API attacks. Only cloud-scale big data combined with AI and ML can collect, store, and quickly analyse hundreds of attributes across millions of users and API calls and correlate them. Cloud-scale big data provides the breadth and depth of context that organisations need to protect their APIs.

ShareTweet
Previous Post

3 Cybersecurity Trends for 2022

Next Post

Over a Third of Parents Do Not Know What Online Accounts Their Children Use

Recent News

pentesting

Pentesting is dead. Long live pentesting.

July 3, 2026
AI Appreciation Day: Celebrating Progress, Embracing Responsibility

The industries being reimagined by AI

July 2, 2026
geopolitical cyber report

Iran-linked MuddyWater espionage campaign targets organisations across four continents

July 1, 2026
Check Point Brings Cloud Firewall to AWS European Sovereign Cloud

Check Point Brings Cloud Firewall to AWS European Sovereign Cloud

July 1, 2026

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2024 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2024 IT Security Guru - Website Managed by Dessol