### Open Web Application Security Project (OWASP)

**OWASP API Top 10**

 1. Broken object level authorization
 2. Broken user authentication
 3. Excessive data exposure
 4. Lack of resources and rate limiting
 5. Broken function level authorization
 6. Mass assignment
 7. Security misconfiguration
 8. Injection
 9. Improper assets management
 10. Insufficient logging and monitoring
### 1. Broken object level authorization (BOLA)

> "APIs tend to expose endpoints that handle object identifiers,
> creating a wide attack surface Level Access Control issue.
> Object-level authorization checks should be considered in every
> function that accesses a data source using an input from the user."  --OWASP

-   Also known as insecure direct object references (IDORs)
-   A class of access control vulnerability
-   Occurs when user-supplied input (typically an object identifier) lets a client reach objects it should not be allowed to access

 **Protecting against BOLA Attacks**

-   Add authorization checks with user policies and hierarchy
-   Avoid including user IDs in API requests
-   Practice using session IDs or tokens
-   Use random, unguessable IDs, unique universal identifiers (UUIDs)
-   Regularly check authorization for clients requesting access
-   Implement a zero-trust model
-   Regularly test!
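The points above, as an added example that is not part of the original notes: a look-up handler with no ownership check (the BOLA/IDOR pattern) beside one that takes the caller's identity from the server-side session rather than the request, applies a simple policy hierarchy (owners and an `admin` role), and keys objects by random UUIDs. The `Session` class, the `INVOICES` store and the role names are constructed for the example.

```python
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What the server knows about the caller from its session token.
    The client never supplies user_id or role in the request itself."""
    user_id: str
    role: str  # "user" or "admin" (hypothetical two-level hierarchy)


# Constructed in-memory store: invoice id -> record. Keys are random UUIDs.
INVOICES = {}


class NotFound(Exception):
    """Object missing or not visible to the caller."""


def create_invoice(session: Session, amount: int) -> str:
    """Store an invoice under a fresh, unguessable UUID (not a sequential integer)."""
    invoice_id = str(uuid.uuid4())
    INVOICES[invoice_id] = {"owner": session.user_id, "amount": amount}
    return invoice_id


def get_invoice_vulnerable(session: Session, invoice_id: str) -> dict:
    """BOLA/IDOR: the object is looked up by id only, so any authenticated
    caller who knows (or guesses) an id can read someone else's invoice."""
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def can_read(session: Session, record: dict) -> bool:
    """Authorization policy: admins read everything, users read only their own objects."""
    return session.role == "admin" or record["owner"] == session.user_id


def get_invoice_checked(session: Session, invoice_id: str) -> dict:
    """Object-level authorization check performed on every access.
    'Missing' and 'not yours' return the same error so the endpoint
    does not confirm which ids exist."""
    record = INVOICES.get(invoice_id)
    if record is None or not can_read(session, record):
        raise NotFound(invoice_id)
    return record


if __name__ == "__main__":
    alice, bob = Session("alice", "user"), Session("bob", "user")
    inv = create_invoice(alice, 100)
    print("vulnerable handler gives bob:", get_invoice_vulnerable(bob, inv))
    try:
        get_invoice_checked(bob, inv)
    except NotFound:
        print("checked handler refuses bob")
```

The check is deliberately placed in the handler that touches the data source, matching the OWASP wording: it must run for every object access, not once at login.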

### 2. Broken user authentication

> "Authentication mechanisms are often implemented incorrectly, allowing
> attackers to compromise authentication tokens or to exploit
> implementation flaws to assume other users' identities temporarily or
> permanently. Compromising a system's ability to identify the
> client/user compromises API security overall."  --OWASP

**Causes of Broken User Authentication**
-   Displaying sensitive details
-   Permitting weak passwords
-   Misconfiguring tokens

**How the App Was Hacked**
-   Password reset improperly implemented
-   No limit on incorrect attempts
-   Too few digits in one-time passcode
-   No account lockout policy

**Protecting against Broken User Authentication**
-   Secure methods to authenticate to APIs
-   Multifactor authentication and captchas
-   Temporary access tokens
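An added example, not part of the original notes, covering the failures listed under "How the App Was Hacked" and the protections that follow: wrong-password attempts are counted and trigger a temporary lockout, the one-time passcode is generated from a CSPRNG with six digits and is single-use, and access tokens carry an expiry and an HMAC so they are temporary and tamper-evident. The policy constants, the `AccountStore` class and the `SERVER_KEY` are constructed for the example; a real service would keep the signing key in a secret store.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed policy parameters (hypothetical values; tune to your own policy).
MAX_FAILED_ATTEMPTS = 5        # lock the account after this many wrong passwords
LOCKOUT_SECONDS = 15 * 60      # how long the lock lasts
OTP_DIGITS = 6                 # a 4-digit code has only 10,000 possible values
TOKEN_TTL_SECONDS = 15 * 60    # access tokens are temporary, not permanent
PBKDF2_ROUNDS = 100_000

# Hypothetical signing key, generated per process here; a real service keeps it in a secret store.
SERVER_KEY = os.urandom(32)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so stored credentials are neither plain nor unsalted hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    """In-memory accounts with failure counting, lockout and single-use OTPs."""

    def __init__(self) -> None:
        self.accounts = {}  # username -> {"salt", "hash", "failed", "locked_until", "otp"}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = {
            "salt": salt, "hash": hash_password(password, salt),
            "failed": 0, "locked_until": 0.0, "otp": None,
        }

    def is_locked(self, username: str, now: float) -> bool:
        return self.accounts[username]["locked_until"] > now

    def check_password(self, username: str, password: str, now: float = None) -> bool:
        """First factor. Wrong guesses are counted; too many lock the account for a while."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None or self.is_locked(username, now):
            return False
        ok = hmac.compare_digest(acct["hash"], hash_password(password, acct["salt"]))
        if ok:
            acct["failed"] = 0
        else:
            acct["failed"] += 1
            if acct["failed"] >= MAX_FAILED_ATTEMPTS:
                acct["locked_until"] = now + LOCKOUT_SECONDS
        return ok

    def issue_otp(self, username: str) -> str:
        """Second factor: a CSPRNG-generated code with OTP_DIGITS digits (zero-padded)."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.accounts[username]["otp"] = code
        return code

    def check_otp(self, username: str, code: str) -> bool:
        """The stored code is cleared before comparing, so each code allows exactly one attempt."""
        acct = self.accounts[username]
        expected, acct["otp"] = acct["otp"], None
        return expected is not None and hmac.compare_digest(expected, code)


def issue_token(username: str, now: float = None) -> str:
    """Temporary access token 'user:expiry:hmac', valid for TOKEN_TTL_SECONDS."""
    now = time.time() if now is None else now
    payload = f"{username}:{int(now) + TOKEN_TTL_SECONDS}"
    sig = hmac.new(SERVER_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}:{sig}"


def verify_token(token: str, now: float = None):
    """Return the username if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        username, expiry, sig = token.rsplit(":", 2)
        expiry_ts = int(expiry)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{username}:{expiry}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig) or expiry_ts < now:
        return None
    return username
```

The `now` parameter exists so the lockout and expiry logic can be exercised deterministically; in production it is simply the current time. The OTP is consumed on its first check, which is what makes a six-digit code safe against guessing even without a separate counter for second-factor attempts.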

### 3. Excessive data exposure

> "Looking forward to generic implementations, developers tend to expose
> all object properties without considering their individual
> sensitivity, relying on clients to perform the data filtering before
> displaying it to the user."  --OWASP

**Preventing Excessive Data Exposure**
-   Filter data of all API responses
-   Limit sensitive data or PII (Personally Identifiable Information) exposure
-   Enforce response checks to prevent leaks
-   Perform checks for sensitive information
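An added example, not part of the original notes, for the four prevention points above: a generic serializer that dumps every property of a user object (the pattern the OWASP quote describes) beside one that returns only an explicit per-audience allow-list, plus a last-line response check that refuses to send any payload containing a sensitive key. The `User` record, the field sets and the `SENSITIVE_KEYS` list are constructed for the example.

```python
import json
from dataclasses import dataclass, asdict


@dataclass
class User:
    id: str
    display_name: str
    email: str            # PII
    phone: str            # PII
    password_hash: str    # must never leave the server
    is_admin: bool        # internal flag, not for clients


# Explicit allow-lists per audience: a property is returned only if it is listed.
PUBLIC_FIELDS = {"id", "display_name"}
SELF_FIELDS = PUBLIC_FIELDS | {"email", "phone"}

# Keys that must never appear in any response, whatever the serializer did.
SENSITIVE_KEYS = {"password_hash", "ssn", "secret", "token"}


class ResponseLeak(Exception):
    """Raised when a response about to be sent contains a forbidden key."""


def serialize_vulnerable(user: User) -> dict:
    """Generic implementation: every property goes out and the client is
    trusted to hide the rest. The password hash and PII are in the payload."""
    return asdict(user)


def serialize(user: User, requester_id: str) -> dict:
    """Filter on the server: the requester sees PII only about themselves,
    everyone else gets the public fields, and unlisted fields never appear."""
    fields = SELF_FIELDS if requester_id == user.id else PUBLIC_FIELDS
    data = asdict(user)
    return {k: data[k] for k in fields}


def check_response(payload) -> None:
    """Walk nested dicts and lists and refuse any forbidden key."""
    if isinstance(payload, dict):
        for key, value in payload.items():
            if key in SENSITIVE_KEYS:
                raise ResponseLeak(key)
            check_response(value)
    elif isinstance(payload, list):
        for item in payload:
            check_response(item)


def send(payload) -> str:
    """Response check enforced before serialization to JSON."""
    check_response(payload)
    return json.dumps(payload, sort_keys=True)


if __name__ == "__main__":
    u = User("u1", "Alice", "alice@example.com", "+1-555-0100", "$pbkdf2$constructed", False)
    print(send(serialize(u, "u2")))   # public view
    print(send(serialize(u, "u1")))   # the user's own view
    try:
        send(serialize_vulnerable(u))
    except ResponseLeak as leak:
        print("blocked response containing:", leak)
```

The allow-list is the primary control; `check_response` is a safety net for code paths that bypass the serializer, so a new sensitive field added to the model stays hidden unless someone explicitly lists it.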