OWASPNIST

🔌 API Security

Protecting APIs with authentication, rate limiting, input validation, and defenses against the OWASP API Top 10 vulnerabilities.

Vani

Choose a section to learn

Overview

APIs are the connective tissue of modern applications — and a primary attack vector. API security ensures that interfaces are protected against unauthorized access, data exposure, injection attacks, and abuse. As organizations adopt microservices and cloud-native architectures, the API attack surface expands dramatically. The OWASP API Security Top 10 provides the primary framework for API threat identification.

OWASP API Security Top 10 (2023)

Rank	Vulnerability	Severity	Description
API1	Broken Object Level Authorization	Critical	Accessing other users' objects by manipulating IDs
API2	Broken Authentication	Critical	Weak authentication mechanisms allowing unauthorized access
API3	Broken Object Property Level Auth	High	Exposing or modifying object properties without proper checks
API4	Unrestricted Resource Consumption	High	No rate limiting leading to DoS or financial damage
API5	Broken Function Level Authorization	High	Accessing admin functions through regular user endpoints
API6	Unrestricted Access to Sensitive Flows	Medium	Automated exploitation of business-critical workflows
API7	Server Side Request Forgery	High	Fetching attacker-provided URLs without validation
API8	Security Misconfiguration	Medium	Missing security headers, CORS misconfig, verbose errors
API9	Improper Inventory Management	Medium	Shadow APIs, deprecated endpoints still accessible
API10	Unsafe Consumption of APIs	Medium	Blindly trusting third-party API responses

Key Concepts

API Gateway

Centralized entry point for API traffic. Handles authentication, rate limiting, request routing, SSL termination, and logging. Tools: Kong, Apigee, AWS API Gateway.

OAuth 2.0 / OIDC

Standard authorization framework for API access. OAuth 2.0 for delegated authorization, OpenID Connect for authentication. Use Authorization Code + PKCE flow for security.

Rate Limiting & Throttling

Prevent API abuse by limiting request rates per client/IP. Implement token bucket or sliding window algorithms. Critical for preventing DDoS and credential stuffing.

Input Validation & Schema Enforcement

Validate all API inputs against OpenAPI/Swagger schemas. Reject unexpected fields, enforce type checking, and limit payload sizes.

API Discovery & Inventory

Maintaining a complete inventory of all APIs (internal, external, partner). Discovering shadow APIs. Critical for governance and security coverage.

API Monitoring & WAF

Real-time monitoring for anomalous API usage patterns. API-specific WAF rules for injection, abuse detection, and bot mitigation.

Interview Preparation

💡 Interview Question

How do you prevent Broken Object Level Authorization (BOLA)?

BOLA (also called IDOR) occurs when the API doesn't verify that the authenticated user has permission to access the requested object. Mitigations: 1) Implement authorization checks on every object access — don't rely on obscurity of IDs. 2) Use UUIDs instead of sequential IDs (defense in depth, not primary control). 3) Check object ownership: if(object.userId !== currentUser.id) deny. 4) Log and alert on authorization failures. 5) Write automated tests for authorization. 6) Use API gateway policies for object-level enforcement.