A class of API vulnerability, broken object level authorization, is drawing increased attention following the release of the OWASP API Security Top 10 2023. The report notes that APIs, which underpin modern applications ranging from banking to autonomous vehicles, are increasingly targeted because they expose application logic and sensitive data, including Personally Identifiable Information (PII).
The OWASP report identifies “Broken Object Level Authorization” (API1:2023) as the top concern. The vulnerability arises when an endpoint accepts an object identifier from the client (a user ID, an invoice number) and acts on it without verifying that the authenticated caller is permitted to access that particular object; an attacker simply substitutes another user's identifier in the request. The report's guidance is that an object level authorization check should be performed in every function that accesses a data source using an ID supplied by the user.
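The following is an added illustration of that guidance, not code from the OWASP report: a vulnerable handler that looks up an invoice by the ID in the request path beside a hardened one that ties the lookup to the caller, plus a small enumeration loop showing what an attacker gets from each. The in-memory invoice store, the user and invoice IDs, and the handler names are all constructed for the example.

```python
"""API1:2023 Broken Object Level Authorization, vulnerable vs. hardened handler.

Added example (not OWASP's code). The data store and IDs are constructed.
Handlers model an endpoint such as GET /invoices/{invoice_id}; the caller's
identity is assumed to come from an already-validated session or token.
"""

# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    1001: {"id": 1001, "owner_id": 1, "amount": 250.00},
    1002: {"id": 1002, "owner_id": 2, "amount": 999.00},
}


class NotFound(Exception):
    """Raised when the object does not exist, or must look as if it doesn't."""


def get_invoice_vulnerable(caller_id: int, invoice_id: int) -> dict:
    """BOLA: the caller is authenticated, but nothing checks that the caller
    owns the invoice whose ID came from the request. Any logged-in user can
    read any invoice by guessing or incrementing the ID."""
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def get_invoice_hardened(caller_id: int, invoice_id: int) -> dict:
    """Object level authorization: the function that resolves a user-supplied
    ID also checks that the caller may act on that specific object, in the
    same code path, so the check cannot be skipped by a new route."""
    invoice = INVOICES.get(invoice_id)
    # Respond identically for "does not exist" and "not yours", so the
    # endpoint cannot be used to confirm which invoice IDs are valid.
    if invoice is None or invoice["owner_id"] != caller_id:
        raise NotFound(invoice_id)
    return invoice


def enumerate_invoices(handler, caller_id: int, candidate_ids) -> list:
    """Models an attacker walking a range of IDs as a single authenticated
    user; returns the IDs the handler was willing to serve."""
    served = []
    for invoice_id in candidate_ids:
        try:
            handler(caller_id, invoice_id)
        except NotFound:
            continue
        served.append(invoice_id)
    return served


if __name__ == "__main__":
    # User 1 probes IDs 1000..1005 against both handlers.
    print("vulnerable:", enumerate_invoices(get_invoice_vulnerable, 1, range(1000, 1006)))
    print("hardened:  ", enumerate_invoices(get_invoice_hardened, 1, range(1000, 1006)))
```

The hardened handler deliberately reports an invoice belonging to someone else as not found rather than forbidden; returning a distinct 403 is also defensible, but it tells the attacker that the ID exists. Unpredictable identifiers (OWASP's report recommends random values such as GUIDs) reduce the enumeration surface but are not a substitute for the check: an ID leaked through a log, a referrer or a shared link still works without it.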
Beyond object level authorization, the report also flags “Broken Authentication” (API2:2023) as a significant risk. Incorrectly implemented authentication mechanisms can allow attackers to compromise authentication tokens or exploit implementation flaws to assume other users' identities, temporarily or permanently. The OWASP project emphasizes that compromising a system's ability to identify its clients and users undermines API security as a whole.
A related issue, “Broken Object Property Level Authorization” (API3:2023), merges two categories from the 2019 list, Excessive Data Exposure and Mass Assignment. Both stem from missing or improper authorization validation at the level of individual object properties: the API returns properties the caller should not be able to see, or lets the caller set properties it should not be able to change, leading to unauthorized information exposure or manipulation.
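As an added example, not taken from the OWASP report, the following shows both halves of API3 in one profile-update handler: the vulnerable version binds every property the client sends (mass assignment) and serialises every property of the record (excessive data exposure); the hardened version allow-lists writable and readable properties separately. The user record, the property lists and the request bodies are constructed for the example; the handlers return an HTTP-style status code and body so the outcomes can be compared.

```python
"""API3:2023 Broken Object Property Level Authorization: mass assignment and
excessive data exposure in one handler, vulnerable vs. hardened.

Added example (not OWASP's code). The record, field policy and request
bodies are constructed. Models PATCH /users/me returning the profile.
"""
from __future__ import annotations

import copy

# Constructed sample record. password_hash must never be returned; is_admin
# and credit_balance must never be settable through the profile endpoint.
USER = {
    "id": 7,
    "username": "alice",
    "email": "alice@example.com",
    "password_hash": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$ZmFrZWhhc2g",
    "is_admin": False,
    "credit_balance": 12.50,
}

# Property level policy for this endpoint: what a client may read and write.
READABLE = frozenset({"id", "username", "email", "credit_balance"})
WRITABLE = frozenset({"username", "email"})


def profile_vulnerable(user: dict, patch: dict) -> tuple[int, dict]:
    """Binds the whole request body onto the record and returns the whole
    record: {"is_admin": true} is honoured, and password_hash is exposed."""
    updated = copy.deepcopy(user)
    updated.update(patch)
    return 200, updated


def profile_hardened(user: dict, patch: dict) -> tuple[int, dict]:
    """Rejects any property outside the write allow-list, then serialises
    only the read allow-list. Rejecting (rather than silently dropping)
    makes a probing client's {"is_admin": true} visible as a 400 in logs."""
    denied = sorted(set(patch) - WRITABLE)
    if denied:
        return 400, {"error": "properties not writable", "properties": denied}
    updated = copy.deepcopy(user)
    updated.update(patch)
    return 200, {k: v for k, v in updated.items() if k in READABLE}


def leaked_properties(body: dict) -> set:
    """Properties present in a response that the policy says are not readable."""
    return set(body) - READABLE


if __name__ == "__main__":
    attack = {"email": "alice@example.com", "is_admin": True, "credit_balance": 1e6}
    print("vulnerable:", profile_vulnerable(USER, attack))
    print("hardened:  ", profile_hardened(USER, attack))
    print("legit:     ", profile_hardened(USER, {"email": "alice@corp.example"}))
```

The two allow-lists are separate on purpose: a property such as `credit_balance` is readable but not writable, and `id` is readable but must never be accepted from the body. In frameworks that bind request bodies to models, the same effect comes from a per-endpoint input schema that forbids unknown fields (for example Pydantic's `extra="forbid"`) and a distinct output schema, rather than exposing the persistence model directly.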
The increasing focus on API security coincides with broader awareness of cloud security vulnerabilities. A community-maintained list on GitHub catalogues publicly disclosed vulnerabilities across major cloud providers, including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. Recent AWS entries include issues related to CloudFormation service accounts, IAM cross-account access, and S3 Replication Service limitations; Azure entries include issues with Cosmos DB, App Service, and PostgreSQL.
Several cybersecurity firms offer API protection solutions. F5 Distributed Cloud API Security, for example, automatically discovers and protects APIs, including those that are undocumented or “shadow” endpoints, using traffic analysis. Akamai also provides API security solutions focused on visibility and protection for both legacy and modern APIs, including those supporting GenAI and LLM servers.
The OWASP API Security Project aims to provide strategies and solutions to mitigate the unique risks associated with APIs. The project’s release of the Top 10 vulnerabilities serves as a crucial resource for developers and security professionals seeking to improve the security posture of their applications.