### Open Web Application Security Project (OWASP)

**OWASP API Security Top 10 (2019 edition)**

 1. Broken object level authorization
 2. Broken user authentication
 3. Excessive data exposure
 4. Lack of resources and rate limiting
 5. Broken function level authorization
 6. Mass assignment
 7. Security misconfiguration
 8. Injection
 9. Improper assets management
 10. Insufficient logging and monitoring
 

### 1. Broken object level authorization (BOLA)

> "APIs tend to expose endpoints that handle object identifiers,
> creating a wide attack surface Level Access Control issue.
> Object-level authorization checks should be considered in every
> function that accesses a data source using an input from the user."  --OWASP

-   Also known as insecure direct object references (IDORs)
-   An access control vulnerability: the API looks up an object by an ID the client supplies without checking that the caller is allowed to reach that object
-   Occurs when user-supplied input (for example an object ID in a path or query parameter) lets a user read or modify objects they do not own
 
 **Protecting against BOLA Attacks**

-   Add authorization checks that enforce user policies and hierarchy inside every function that reads or writes an object
-   Avoid trusting user IDs supplied in API requests; derive the caller's identity on the server
-   Practice using session IDs or tokens as the source of identity
-   Use random, unguessable IDs such as universally unique identifiers (UUIDs) instead of sequential ones (this slows enumeration but does not replace the authorization check)
-   Regularly check authorization for clients requesting access
-   Implement a zero-trust model
-   Regularly test!
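The vulnerable and hardened lookups side by side, as an added example that is not part of the original notes or of any OWASP material. The in-memory `ORDERS` table, the `SESSIONS` store and the `login` helper are constructed for the demo; the hardened handler takes the caller's identity from the session token and does the ownership check in the same function that touches the data, returning the same 404 whether the order is missing or belongs to someone else.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Order:
    id: str
    owner_id: str
    total: float


# Constructed sample data: sequential IDs make enumeration trivial.
ORDERS = {
    "1001": Order(id="1001", owner_id="alice", total=42.0),
    "1002": Order(id="1002", owner_id="bob", total=99.5),
}

# Server-side session store: opaque token -> authenticated user ID.
SESSIONS = {}


def login(user_id: str) -> str:
    """Issue an unguessable session token; the identity lives server-side."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def get_order_vulnerable(order_id: str):
    """BOLA/IDOR: whoever supplies an ID gets the object, no ownership check."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order


def get_order_hardened(session_token: str, order_id: str):
    """Identity comes from the session, never from a client-supplied user ID,
    and the ownership check runs inside the function that touches the data."""
    user_id = SESSIONS.get(session_token)
    if user_id is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != user_id:
        # Same response for "no such order" and "not yours": do not confirm
        # that a guessed ID exists.
        return 404, None
    return 200, order


if __name__ == "__main__":
    alice = login("alice")
    print(get_order_vulnerable("1002"))       # Bob's order leaks to anyone
    print(get_order_hardened(alice, "1002"))  # (404, None)
    print(get_order_hardened(alice, "1001"))  # Alice's own order
```

Switching the keys of `ORDERS` to `uuid.uuid4()` values would make guessing harder, but the `owner_id` comparison is the control; random IDs only raise the cost of enumeration.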

### 2. Broken user authentication

> "Authentication mechanisms are often implemented incorrectly, allowing
> attackers to compromise authentication tokens or to exploit
> implementation flaws to assume other users' identities temporarily or
> permanently. Compromising a system's ability to identify the
> client/user compromises API security overall."  --OWASP

**Causes of Broken User Authentication**
-   Exposing sensitive details (for example credentials or tokens in URLs, logs or error messages)
-   Permitting weak passwords
-   Misconfiguring tokens (for example long-lived tokens or tokens whose signature is not validated)

**Example: How an App Was Hacked**
-   Password reset flow improperly implemented
-   No limit on incorrect attempts
-   Too few digits in the one-time passcode, so it could be brute-forced
-   No account lockout policy

**Protecting against Broken User Authentication**
-   Use standard, well-tested mechanisms to authenticate to APIs rather than home-grown ones
-   Multifactor authentication, plus captchas or rate limiting on login and password reset endpoints
-   Short-lived access tokens that expire and can be revoked
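The brute-force scenario from the list above in code, as an added example that is not part of the original notes. `OtpVerifierWeak` models a 4-digit code with unlimited attempts and `OtpVerifierHardened` a 6-digit, single-use code that locks after a fixed budget of failures; both classes, the `code` constructor parameter (present only so the demo is deterministic) and the `brute_force` attacker loop are constructed for this illustration.

```python
import hmac
import secrets
from typing import Optional


def _random_code(digits: int) -> str:
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


class OtpVerifierWeak:
    """4-digit code, unlimited attempts, no lockout: at most 10,000 guesses."""

    def __init__(self, digits: int = 4, code: Optional[str] = None):
        # `code` is only for demos/tests; production always uses a random code.
        self.digits = digits
        self.code = code or _random_code(digits)

    def verify(self, guess: str) -> bool:
        return guess == self.code


class OtpVerifierHardened:
    """6-digit code, fixed attempt budget, single use, constant-time compare."""

    MAX_ATTEMPTS = 5

    def __init__(self, digits: int = 6, code: Optional[str] = None):
        self.digits = digits
        self.code = code or _random_code(digits)
        self.attempts = 0
        self.locked = False  # set after success or after too many failures

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False
        self.attempts += 1
        if hmac.compare_digest(guess, self.code):
            self.locked = True  # one-time: burn the code once it is used
            return True
        if self.attempts >= self.MAX_ATTEMPTS:
            self.locked = True  # lock out; the user must request a fresh code
        return False


def brute_force(verifier, digits: int):
    """Attacker loop: submit every possible code in order.
    Returns (code_found_or_None, number_of_guesses_submitted)."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        if verifier.verify(guess):
            return guess, n + 1
        if getattr(verifier, "locked", False):
            return None, n + 1  # the verifier stopped accepting guesses
    return None, 10 ** digits


if __name__ == "__main__":
    print(brute_force(OtpVerifierWeak(4), 4))      # always finds the code
    print(brute_force(OtpVerifierHardened(6), 6))  # (None, 5) almost always
```

The lockout here is per code; a real service also counts failures per account and per source so an attacker cannot reset the budget by requesting a new code.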

### 3. Excessive data exposure

> "Looking forward to generic implementations, developers tend to expose
> all object properties without considering their individual
> sensitivity, relying on clients to perform the data filtering before
> displaying it to the user."  --OWASP

**Preventing Excessive Data Exposure**
-   Filter the data of every API response on the server side; never rely on the client to hide fields
-   Limit exposure of sensitive data or PII (personally identifiable information) to what the endpoint actually needs to return
-   Enforce response checks (schema or allow-list based) to prevent leaks
-   Perform checks for sensitive information (credentials, tokens, PII) in responses before they are sent
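Server-side response filtering with an allow-list per audience and a last-line leak check, as an added example that is not part of the original notes. `USER_RECORD`, the two field allow-lists, `SENSITIVE_KEYS` and the SSN pattern are constructed for the demo; `profile_vulnerable` returns the whole model the way a generic serializer would, while `profile_hardened` copies only approved fields and refuses to send a payload that still carries something sensitive.

```python
import re

# Constructed internal record: several fields must never leave the server.
USER_RECORD = {
    "id": 7,
    "username": "alice",
    "email": "alice@example.com",
    "password_hash": "$argon2id$v=19$m=65536,t=3,p=4$...",
    "ssn": "123-45-6789",
    "is_admin": False,
    "last_login_ip": "203.0.113.5",
}

# Per-audience allow-lists: what each kind of viewer is entitled to see.
PUBLIC_PROFILE_FIELDS = ("id", "username")
OWN_PROFILE_FIELDS = ("id", "username", "email")

# Keys and value patterns that a response must never contain.
SENSITIVE_KEYS = {"password_hash", "ssn", "last_login_ip"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def serialize(record: dict, allowed: tuple) -> dict:
    """Server-side filtering: copy only allow-listed fields into the response."""
    return {k: record[k] for k in allowed if k in record}


def check_no_leak(payload: dict) -> list:
    """Response check: names of fields carrying a sensitive key or SSN-like value."""
    findings = []
    for key, value in payload.items():
        if key in SENSITIVE_KEYS or (isinstance(value, str) and SSN_RE.search(value)):
            findings.append(key)
    return sorted(findings)


def profile_vulnerable(record: dict) -> dict:
    """Returns the whole model and trusts the client to hide what it should not show."""
    return dict(record)


def profile_hardened(record: dict, viewer_is_owner: bool) -> dict:
    fields = OWN_PROFILE_FIELDS if viewer_is_owner else PUBLIC_PROFILE_FIELDS
    payload = serialize(record, fields)
    leaks = check_no_leak(payload)
    if leaks:
        # Fail closed: a bug in the allow-list must not become a data leak.
        raise RuntimeError(f"refusing to send response containing {leaks}")
    return payload


if __name__ == "__main__":
    print(check_no_leak(profile_vulnerable(USER_RECORD)))  # three leaked fields
    print(profile_hardened(USER_RECORD, viewer_is_owner=False))
    print(profile_hardened(USER_RECORD, viewer_is_owner=True))
```

The leak check is deliberately separate from the allow-list: the allow-list is what should be correct, the check is what catches it when a new sensitive column is added to the model and someone forgets.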

### 4. Lack of resources and rate limiting

> "Quite often, APIs do not impose any restrictions on the size or
> number of resources that can be requested by the client/user. Not only
> can this impact the API server performance, leading to Denial of
> Service (DoS), but also leaves the door open to authentication flaws
> such as brute force."  --OWASP

**Rate Limiting**
A strategy for limiting the number and size of requests a client may send in a given time frame. <br>
Without rate limiting, attackers can exhaust server resources and stop an app from functioning (DoS), and can brute-force credentials or one-time codes without restriction.

**Preventing Resource and Rate-Limiting Attacks**
-   Define proper rate limiting per client (API key, user or IP) and return a clear error (HTTP 429) when it is exceeded
-   Limit payload sizes (request bodies, uploads, array lengths)
-   Define and enforce resource limits (execution time, memory, number of records per page)
-   Perform rate-limiting tests
-   Determine appropriate limits and rates per endpoint from expected legitimate use
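A per-client token bucket combined with a request-size cap, as an added example that is not part of the original notes. `TokenBucket`, `handle`, the `MAX_BODY_BYTES` value and the `FakeClock` used to make the demo deterministic are all constructed here; the bucket refills continuously at `rate` tokens per second up to `capacity`, so a client can burst briefly and is then held to the steady rate.

```python
import time

MAX_BODY_BYTES = 64 * 1024  # hypothetical cap; tune per endpoint


class FakeClock:
    """Deterministic clock for the demo (constructed; real code uses time.monotonic)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class TokenBucket:
    """Per-client token bucket: `capacity` requests may burst, then `rate` per second."""

    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock
        self.buckets = {}  # client_key -> (tokens, last_refill_timestamp)

    def allow(self, client_key: str) -> bool:
        now = self.clock()
        tokens, last = self.buckets.get(client_key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[client_key] = (tokens, now)
            return False
        self.buckets[client_key] = (tokens - 1, now)
        return True


def handle(limiter: TokenBucket, client_key: str, body: bytes) -> int:
    """Gate a request: 413 if the body is too large, 429 if the client is over
    its limit, otherwise 200. The size check runs first so oversized bodies
    never reach the parser."""
    if len(body) > MAX_BODY_BYTES:
        return 413
    if not limiter.allow(client_key):
        return 429
    return 200


if __name__ == "__main__":
    clock = FakeClock()
    limiter = TokenBucket(capacity=3, rate=1.0, clock=clock)
    print([handle(limiter, "10.0.0.1", b"{}") for _ in range(4)])  # [200, 200, 200, 429]
    clock.advance(2.0)
    print([handle(limiter, "10.0.0.1", b"{}") for _ in range(3)])  # [200, 200, 429]
```

Key the bucket on the authenticated principal (API key or user) where one exists and fall back to the source IP only for unauthenticated endpoints; putting the login and password-reset endpoints behind a tight bucket is what turns the brute-force problem from the previous section into a slow, noisy one.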

### 5. Broken function level authorization (BFLA)

> "Complex access control policies with different hierarchies, groups
> and roles, and an unclear separation between administrative and
> regular functions tend to lead to authorization flaws. By exploiting
> these issues, attackers gain access to other users, resources, and or
> administrative functions."  --OWASP

**Note:**  BOLA targets resources (objects); BFLA targets functions of the same or a higher privilege level.

**Preventing BFLA**

-   Enforce function-level authorization on the server for every function; never rely on the client hiding administrative functions
-   Deny all access by default
-   Only allow users in the appropriate groups or roles to call each function
-   Perform regular authorization tests
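Deny-by-default, role-based function-level authorization, as an added example that is not part of the original notes. The role ranks, the `FUNCTION_POLICY` allow-list, the `requires_role` decorator and the toy `dispatch` router are constructed for the demo; any function absent from the policy is unreachable by every role, which is the deny-by-default rule above, and a regular user hitting the admin route gets a 403 regardless of whether the UI shows that route.

```python
from functools import wraps


class Forbidden(Exception):
    pass


# Constructed role hierarchy: a higher rank inherits everything below it.
ROLE_RANK = {"user": 1, "support": 2, "admin": 3}

# Explicit allow-list: function name -> minimum role. Anything absent is denied.
FUNCTION_POLICY = {
    "list_own_orders": "user",
    "refund_order": "support",
    "delete_user": "admin",
}


def requires_role(fn):
    """Look the function up in the policy; deny if it is missing or the role is too low."""

    @wraps(fn)
    def wrapper(caller_role, *args, **kwargs):
        needed = FUNCTION_POLICY.get(fn.__name__)
        if needed is None or ROLE_RANK.get(caller_role, 0) < ROLE_RANK[needed]:
            raise Forbidden(f"{caller_role!r} may not call {fn.__name__}")
        return fn(caller_role, *args, **kwargs)

    return wrapper


@requires_role
def list_own_orders(caller_role, user_id):
    return f"orders for {user_id}"


@requires_role
def refund_order(caller_role, order_id):
    return f"refunded {order_id}"


@requires_role
def delete_user(caller_role, user_id):
    return f"deleted {user_id}"


@requires_role
def export_all_users(caller_role):
    # Not in FUNCTION_POLICY, so nobody can call it until a policy entry exists.
    return "dump"


def dispatch(method: str, path: str, caller_role: str):
    """Tiny router standing in for the API layer; returns (status, body).
    The admin path being unlisted in a client UI is not what protects it."""
    routes = {
        ("GET", "/users/me/orders"): (list_own_orders, ("alice",)),
        ("POST", "/orders/1001/refund"): (refund_order, ("1001",)),
        ("DELETE", "/admin/users/bob"): (delete_user, ("bob",)),
        ("GET", "/admin/export"): (export_all_users, ()),
    }
    entry = routes.get((method, path))
    if entry is None:
        return 404, None
    fn, args = entry
    try:
        return 200, fn(caller_role, *args)
    except Forbidden:
        return 403, None


if __name__ == "__main__":
    print(dispatch("DELETE", "/admin/users/bob", "user"))   # (403, None): BFLA blocked
    print(dispatch("DELETE", "/admin/users/bob", "admin"))  # (200, 'deleted bob')
    print(dispatch("GET", "/admin/export", "admin"))        # (403, None): no policy yet
```

Contrast with the BOLA example: there the check was "does this object belong to the caller"; here it is "may this role invoke this function at all", and the two checks are independent, so a real handler usually needs both.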

### 6. Mass assignment

> "Binding client-provided data ... to data models, without proper
> properties filtering based on an allow list, usually leads to Mass
> Assignment. Either guessing objects' properties, exploring other API
> endpoints, reading the documentation, or providing additional object
> properties in request payloads allows attackers to modify object
> properties they are not supposed to." —OWASP

**Preventing Mass Assignment**
-   Disable the framework's automatic binding of client input to model properties (its mass-assignment feature)
-   Avoid exposing internal variables or object names as input fields
-   Explicitly approve which variables and objects the client may update
-   Use an allow list (only permitting assignment of specific properties or variables)
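Blind model binding beside an allow-listed update, as an added example that is not part of the original notes. The `Account` model, the attack payload and `CLIENT_FIELD_MAP` are constructed for the demo; the map also decouples the public field name from the internal attribute name, which is the "avoid exposing internal variable names" point above, and unexpected properties are rejected with a 400 rather than silently dropped so the attempt is visible in logs.

```python
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    is_admin: bool = False
    balance: float = 0.0


# Public field name -> model attribute. Only these may be set from a client payload.
CLIENT_FIELD_MAP = {"contact_email": "email"}


def update_vulnerable(account: Account, payload: dict):
    """Binds every key the client sends straight onto the model (mass assignment)."""
    for key, value in payload.items():
        if hasattr(account, key):
            setattr(account, key, value)
    return 200, account


def update_hardened(account: Account, payload: dict):
    """Allow-list: copy only approved fields; reject anything else with a 400.
    Returns (status, account_or_None)."""
    unexpected = sorted(set(payload) - set(CLIENT_FIELD_MAP))
    if unexpected:
        # In a real API this is also worth logging: it is usually an attack probe.
        return 400, None
    for public_name, attr in CLIENT_FIELD_MAP.items():
        if public_name in payload:
            setattr(account, attr, payload[public_name])
    return 200, account


if __name__ == "__main__":
    # Constructed attack payload: the client "guesses" internal property names.
    attack = {"email": "mallory@example.com", "is_admin": True, "balance": 1e9}
    print(update_vulnerable(Account("mallory", "m@example.com"), attack))
    print(update_hardened(Account("mallory", "m@example.com"), attack))  # (400, None)
    print(update_hardened(Account("alice", "old@example.com"), {"contact_email": "new@example.com"}))
```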


### 7. Security misconfiguration

> "Security misconfiguration is commonly a result of unsecure default
> configurations, incomplete or ad-hoc configurations, open cloud
> storage, misconfigured HTTP headers, unnecessary HTTP methods,
> permissive Cross-Origin resource sharing (CORS), and verbose error
> messages containing sensitive information." —OWASP


**Security Misconfiguration** 
Insecure default, incomplete or ad-hoc configuration of any part of the API stack (server, framework, cloud storage, HTTP headers, CORS, error handling) that leaves the API open to attack; it is a configuration problem rather than a defect in the code itself

**Preventing Security Misconfiguration**

-   Establish and practice hardening and patching procedures
-   Disable unnecessary applications and features
-   Restrict administrative access
-   Practice least privilege
-   Regularly test for security misconfigurations
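A small configuration audit covering the misconfigurations the OWASP quote names, as an added example that is not part of the original notes. The two config dictionaries, their key names, the `"reflect"` CORS value and the finding IDs are all constructed for the demo; `audit` is the kind of check a deployment pipeline can run before a config is allowed to ship.

```python
import ipaddress

# Constructed configs as they might be loaded from a deployment manifest.
INSECURE_CONFIG = {
    "debug": True,
    "cors_allow_origin": "*",
    "allowed_methods": ["GET", "POST", "PUT", "DELETE", "TRACE", "OPTIONS"],
    "verbose_errors": True,
    "tls_min_version": "TLSv1.0",
    "admin_allowed_cidrs": ["0.0.0.0/0"],
}

HARDENED_CONFIG = {
    "debug": False,
    "cors_allow_origin": "https://app.example.com",
    "allowed_methods": ["GET", "POST", "OPTIONS"],
    "verbose_errors": False,
    "tls_min_version": "TLSv1.2",
    "admin_allowed_cidrs": ["10.0.0.0/8"],
}

WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
UNNEEDED_METHODS = {"TRACE", "CONNECT"}


def audit(cfg: dict) -> list:
    """Return sorted finding IDs for a config; an empty list means nothing flagged."""
    findings = []
    if cfg.get("debug"):
        findings.append("debug-enabled")          # stack traces, debug consoles
    if cfg.get("cors_allow_origin") in ("*", "reflect"):
        findings.append("cors-wildcard-origin")   # any site may call the API
    for method in UNNEEDED_METHODS & set(cfg.get("allowed_methods", [])):
        findings.append(f"unnecessary-method-{method.lower()}")
    if cfg.get("verbose_errors"):
        findings.append("verbose-errors")         # internals leak to clients
    if cfg.get("tls_min_version") in WEAK_TLS:
        findings.append("weak-tls-minimum")
    for cidr in cfg.get("admin_allowed_cidrs", []):
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            findings.append("admin-open-to-internet")
            break
    return sorted(findings)


if __name__ == "__main__":
    print(audit(INSECURE_CONFIG))
    print(audit(HARDENED_CONFIG))  # []
```

Checks like these belong in CI next to the hardening procedure, so that a config regression fails the build rather than waiting for the next penetration test.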

### 8. Injection

> "Injection flaws, such as SQL, NoSQL, Command Injection, etc., occur
> when untrusted data is sent to an interpreter as part of a command or
> query. The attacker's malicious data can trick the interpreter into
> executing unintended commands or accessing data without proper
> authorization." —OWASP


**Impact of Injection**
-   Return sensitive information
-   Bypass security checks such as authentication
-   Crash or take down the back end and the app

**Types of Injection**

1. Cross-site scripting (XSS): malicious scripts are injected into content that other users' browsers render and execute.
2. SQL injection: attacker-crafted query fragments are injected into the database queries the API builds.

**Protecting against Injection Attacks**
-   Perform input validation and proper sanitization for all input, including special characters
-   Use parameterized queries (prepared statements) so that input is never interpreted as part of a query or command
-   Limit the number of records returned by queries
-   Use filtering to limit the information in API responses
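Both injection types from the list above, each as a vulnerable function beside its hardened form, as an added example that is not part of the original notes. The in-memory SQLite table, the `' OR '1'='1` payload, the username pattern and the `<script>` payload are constructed for the demo; the SQL fix is parameterization (the value is sent separately and never parsed as SQL), with validation and a row cap as defence in depth, and the XSS fix is output encoding for the HTML context via the standard library's `html.escape`.

```python
import html
import re
import sqlite3

# Positive validation: only the characters a username may contain.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def validate_username(username: str) -> bool:
    return bool(USERNAME_RE.match(username))


def find_user_vulnerable(conn, username: str) -> list:
    """Untrusted input is pasted into the SQL text, so the database parses it as SQL."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_hardened(conn, username: str, max_rows: int = 10) -> list:
    """Parameterized query: the value travels separately from the SQL and is
    compared as data. The row cap bounds what any single call can return."""
    cur = conn.execute(
        "SELECT username, email FROM users WHERE username = ? LIMIT ?",
        (username, max_rows),
    )
    return cur.fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """Reflected XSS: attacker-controlled text lands in HTML unescaped."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_hardened(name: str) -> str:
    """Encode for the HTML context the value is placed in."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print(find_user_vulnerable(conn, payload))   # every row comes back
    print(find_user_hardened(conn, payload))     # [] : no such username
    print(validate_username(payload))            # False: rejected at the boundary
    print(render_greeting_hardened("<script>alert(1)</script>"))
```

Validation alone is not the fix: `validate_username` would reject this payload, but a legitimate field that must accept quotes (a surname, a free-text note) cannot be validated into safety, which is why the parameterized query is the primary control and validation is the second layer.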