As I reflect on the release of the new OWASP API Security Top Ten and its new categories, it strikes me that the API is the heart of the modern web. In this week’s Application Security Podcast episode with Steve Wilson, we discussed how LLM/AI applications are accessed through standard web applications with backend APIs. The AI tech stack has fancy LLMs behind the scenes, but the modern web is the front door.
Glancing at one of the new items, “API3:2023 – Broken Object Property Level Authorization,” we see that it combines two issues from the 2019 list: Excessive Data Exposure and Mass Assignment.
The API endpoint exposes properties of an object that are considered sensitive and should not be read by the user (previously named “Excessive Data Exposure”). This one is simple for me — the API endpoint is spewing extra data. Think of a scenario where you call toJSON() without carefully considering the properties of an object. You now get extra properties of the object exposed to the client side.
Now attackers have gained knowledge of application internals and can attempt to manipulate them via the most poorly named concept in AppSec: Mass Assignment. The API endpoint allows a user to change, add, or delete the value of a sensitive object’s property that the user should not be able to access; that is Mass Assignment. I don’t know where the “Mass” is coming from. I get the assignment. Perhaps we call it an Unauthorized Assignment or Private Value Assignment? 🤔
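To make both halves of API3:2023 concrete, here is an added example (not code from the original post or from OWASP): a Node-style user record with an over-broad serializer beside an allowlisted one, and a mass-assignment-prone update handler beside a hardened one. The record fields, the READABLE/WRITABLE lists and the tampered request body are all constructed for illustration.

```javascript
// Constructed sample record as it might come back from a data store.
// passwordHash and role are internal state the client must never read or write.
function makeUser() {
  return {
    id: 42,
    username: 'alice',
    email: 'alice@example.com',
    passwordHash: '$2b$12$constructed.sample.hash.not.real', // constructed
    role: 'user',    // authorization state
    balance: 100,    // business state
  };
}

// Excessive Data Exposure: serializing the whole object (what a default
// toJSON() does) leaks internals such as passwordHash and role to the client.
function toPublicJsonLeaky(user) {
  return JSON.stringify(user);
}

// Hardened: serialize only an explicit allowlist of client-safe properties.
const READABLE = ['id', 'username', 'email'];
function toPublicJson(user) {
  const out = {};
  for (const key of READABLE) {
    if (Object.prototype.hasOwnProperty.call(user, key)) out[key] = user[key];
  }
  return JSON.stringify(out);
}

// Mass Assignment: copying the request body straight onto the object lets a
// client set any property it has learned about, including role and balance.
function updateProfileLeaky(user, body) {
  Object.assign(user, body);
  return user;
}

// Hardened: copy only the properties this user is allowed to change.
const WRITABLE = ['username', 'email'];
function updateProfile(user, body) {
  for (const key of WRITABLE) {
    if (Object.prototype.hasOwnProperty.call(body, key)) user[key] = body[key];
  }
  return user;
}

// Constructed request body of the kind a tampering client might send:
// a legitimate field plus two it should not be able to touch.
const tamperedBody = { email: 'new@example.com', role: 'admin', balance: 1e9 };
```

The allowlists belong next to the authorization rules for the object, so that adding a new sensitive property does not silently become readable or writable.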
Give the new API Top Ten a read, and share it with your development teams. They need to know what has changed. Internalize it, and share it with them.