Why the inclusion of API exploitations in the OWASP 2021 Top 10 Web Vulnerabilities list is so dangerous


By Tomer Nuri, Cybersecurity Expert. December 16, 2021, 09:42 am

APIs (Application Programming Interfaces) have been around since the 1970s, when they were tightly coupled hardware-software interfaces. They became far more prevalent with the advance of ANSI protocol standards and the emerging Java standards, leading to the modern multi-tier API approach that is the foundation of today's multi-channel digital transformation.

The meteoric rise of APIs has brought groundbreaking application agility. On the flip side, it has exposed the organizations that use them to a new class of cyberattacks. Gartner predicted that by 2022 API abuses would move from an infrequent to the most frequent attack vector, resulting in data breaches for enterprise web applications. Traditional perimeter defenses were not designed with APIs in mind.

This makes them an ideal target for threat actors, as the number and scale of API-related incidents have shown. These incidents have caused financial losses of billions of dollars, leaked petabytes of private data, and compromised the stability and integrity of critical applications and systems.

The Open Web Application Security Project® (OWASP), the de facto reference for web application security, has long worked to catalogue the enormous volume of vulnerabilities found along the path from browser to web application server. Its Top 10 Web Application Security Risks list, updated in 2021, shapes the design and feature set of every major WAF (Web Application Firewall) solution on the market.

APIs are hard to protect with generic web controls, because judging whether an API call is legitimate requires understanding its business logic and data model, not just its syntax. As the backbone of almost every web and mobile application, APIs need their own security governance and guidelines. OWASP addressed this with a dedicated list, the OWASP API Security Top 10, first published in 2019.

Comparing the OWASP Top 10 Web Application Security Risks with the OWASP API Security Top 10 makes it clear that several key API risks are not addressed by WAF design at all, and that other significant API threats lie beyond the focus and capabilities of WAF solutions.

Although WAF solutions and services remain essential for securing web traffic, they were not built to secure APIs: a WAF inspects requests for known-bad patterns, whereas most API attacks are well-formed requests that abuse application logic. CISOs, CIOs, and heads of DevOps therefore know that their critical business applications remain exposed and vulnerable.

(Diagram: OWASP 2022)

As the diagram above shows, WAF solutions lack the capability to analyze API1:2019, Broken Object Level Authorization (BOLA), so they cannot detect all BOLA-based exploitation. This leaves unaddressed one of the most common attack surfaces seen in hundreds of API-driven breaches. Because object-based authorization and access control are used in practically every modern application, changing a single object identifier in an otherwise legitimate request (a path parameter, or a field in the JSON body) can return another user's record if the endpoint never checks ownership, and nothing in that request looks malicious to a signature-based WAF. Likewise, API4:2019, Lack of Resources & Rate Limiting, can be exploited effortlessly for resource exhaustion and denial of service if no per-client rate limits are enforced.
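The two risks just described, shown as an added example that is not code from the original article or from L7 Defense. It models a minimal invoice-lookup endpoint with no web framework, so it runs offline: the invoice store, user names, request shape, bucket size and handler names are all constructed for illustration. The first handler is the BOLA case (authenticated, but never checks ownership), the second adds the object-level check, and a small token bucket shows the per-caller limit that API4 calls for.

```python
"""Added example (not from the article or the vendor): API1:2019 Broken Object
Level Authorization and API4:2019 Lack of Resources & Rate Limiting, each
shown beside a hardened handler. All data and names are constructed."""
import time
from dataclasses import dataclass

# Constructed sample data: two customers, each owning one invoice.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.0},
    1002: {"owner": "bob", "amount": 980.0},
}


@dataclass
class Request:
    """Shape of an API call after authentication (hypothetical)."""
    user: str        # subject from the validated session/JWT, never from the body
    invoice_id: int  # object identifier from the path, e.g. GET /invoices/1002


def get_invoice_vulnerable(req: Request) -> dict:
    """BOLA: the caller is authenticated, but ownership is never checked.
    Changing 1001 to 1002 in the path returns Bob's invoice to Alice. The
    request is syntactically identical to a legitimate one, so a
    signature-based WAF has nothing to match on."""
    invoice = INVOICES.get(req.invoice_id)
    if invoice is None:
        return {"status": 404}
    return {"status": 200, "invoice": invoice}


def get_invoice_hardened(req: Request) -> dict:
    """Object-level authorization: compare the object's owner with the caller."""
    invoice = INVOICES.get(req.invoice_id)
    # Return 404 (not 403) for both missing and foreign objects, so the
    # response does not confirm that the identifier exists.
    if invoice is None or invoice["owner"] != req.user:
        return {"status": 404}
    return {"status": 200, "invoice": invoice}


class TokenBucket:
    """Per-caller rate limiter: `capacity` requests, refilled at `rate`/second.
    `clock` is injectable so the behaviour can be tested deterministically."""

    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self.buckets = {}  # user -> (tokens, last_refill_time)

    def allow(self, user: str) -> bool:
        now = self.clock()
        tokens, last = self.buckets.get(user, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[user] = (tokens, now)
            return False
        self.buckets[user] = (tokens - 1, now)
        return True


def handle(req: Request, limiter: TokenBucket) -> dict:
    """Hardened entry point: rate limit first, then object-level authorization."""
    if not limiter.allow(req.user):
        return {"status": 429}
    return get_invoice_hardened(req)


def demo():
    """Alice requests Bob's invoice, then hammers the endpoint 10 times."""
    alice_reads_bob = Request(user="alice", invoice_id=1002)
    leaked = get_invoice_vulnerable(alice_reads_bob)["status"]   # 200: data leak
    blocked = get_invoice_hardened(alice_reads_bob)["status"]    # 404: denied
    # Enumeration burst: 5-request bucket, frozen clock so nothing refills.
    limiter = TokenBucket(capacity=5, rate=0.0, clock=lambda: 0.0)
    statuses = [handle(Request("alice", 1001), limiter)["status"] for _ in range(10)]
    return leaked, blocked, statuses


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the vulnerable handler is that the leaking request carries no attack signature at all; the only thing distinguishing it from a legitimate one is the relationship between the caller's identity and the object's owner, which lives in the application's data model, not in the request bytes a WAF inspects.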

Two years after OWASP first published its API Security Top 10, the correlation between these API risks and large-scale cyber incidents has become evident. It also suggests that the original API risk factors no longer fully reflect the current challenges: the potential for large-scale attacks abusing vulnerabilities in modern APIs is greater than ever before.

OWASP responded with its 2021 Top 10 list, which still focuses on web risks but begins to address API exploitation as the key trigger in major cyber events across every market segment, from finance and open banking to IoT, 5G networking, and commercial digital communication.

However, several risk factors and vulnerabilities that threaten APIs directly are still not addressed in the OWASP Top 10 2021.

To identify those threats and their potential impact, an analytical, AI-driven application security platform must be put in place to mitigate both the API-specific risks and the web risks covered above. This provides a broad security framework for mitigating advanced API threats.

The optimal way to protect APIs is a holistic approach that results in an advanced threat mitigation strategy built from a balanced blend of technologies and tactics. Ammune™ by L7 Defense is a fully automated, AI-based API security solution that adopts such an approach. Its AI/ML-driven analytical technologies create a micro protection shield for each analyzed API. L7 Defense's adaptive API protection and API discovery capabilities detect APIs down to argument-level resolution. Furthermore, Ammune™ offers a complete defense strategy that fuses multiple threat mitigation mechanisms with automation features for real-time inline mitigation, based on a holistic approach to API security.

To conclude, Ammune™ by L7 Defense is a fully automated, AI-based API security offering that actively protects APIs in real time: inline, automated, and highly accurate against the most advanced cyberattacks, in the cloud and on-premise.

For more information or to request a demo, contact L7 Defense at info@L7Defense.com or visit L7 Defense.