OWASP API Security Top 10 2019 Checklist
This project is designed to address the ever-increasing number of organizations that are deploying potentially sensitive APIs as part of their software offerings. These APIs are used for internal tasks and to interface with third parties. Unfortunately, many APIs do not undergo the rigorous security testing that would help make them secure from an attack.
The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.
Links:
- OWASP API Security Project (homepage)
- API Security Top 10 2019 (PDF)
- Github repository
Implemented in this ruleset:
OWASP Risk Name | Implemented Rule(s) | Implementation Description |
---|---|---|
API1:2019 Broken Object Level Authorization | broken-object-level-authorization-use-guids | Looks for parameters containing "id" in their name. |
API2:2019 Broken User Authentication | broken-user-authentication-use-tls, broken-user-authentication-authenticate-api | Makes sure API is using HTTPS, and that any operations have a security scheme defined. |
API3:2019 Excessive Data Exposure | excessive-data-exposure-mandatory-schema | Checks that all payloads have a schema defined. |
API4:2019 Lack of Resources & Rate Limiting | lack-of-resources-and-rate-limiting-too-many-requests | Checks that any operations defined return a 429 status code. |
API5:2019 Broken Function Level Authorization | Not implemented | This check must be manually performed. |
API6:2019 Mass Assignment | Not implemented | This check must be manually performed. |
API7:2019 Security Misconfiguration | Not implemented | This check must be manually performed. |
API8:2019 Injection | injection-pattern-on-string-parameters | Checks that any parameters of string type define some pattern. |
API9:2019 Improper Assets Management | improper-assets-management-environment-info, improper-assets-management-version | Checks that the API is properly described and versioned. |
API10:2019 Insufficient Logging & Monitoring | Not implemented | This check must be manually performed. |
Rules in this Ruleset
Violations
- broken-object-level-authorization-use-guids
- excessive-data-exposure-mandatory-schema
- lack-of-resources-and-rate-limiting-too-many-requests
- injection-pattern-on-string-parameters
- improper-assets-management-environment-info
- improper-assets-management-version
- broken-user-authentication-use-tls
- broken-user-authentication-authenticate-api