OWASP API Security Top 10 – when interfaces are attacked!

Developers should take a close look at the API Security Top 10, because interfaces are an attractive target for attackers. To help secure sensitive endpoints, OWASP has compiled a list of the most common vulnerabilities in programmed interfaces. A lack of protection can lead to large-scale leakage of sensitive data.

OWASP has created a separate list for API security.

In the IT security industry, the OWASP Top 10 is a household name. Everybody knows it, courses build on it, and it is usually covered during a degree. Such agreement is rare in the scene. Now the Open Web Application Security Project goes one step further and addresses the security and attack surface of interfaces separately: ten vulnerability classes that affect API security.

Admittedly, capable developers who know the vulnerabilities and catch them during programming are the best line of defence. But a pentest brings certainty. With the API Security Top 10, a common framework now exists. The importance of this list is underlined by Gartner, which assumes that by 2021, 90% of the attack surface of web applications will run over programmed interfaces. The project has agreed on the following Top 10:

A case of Excessive Data Exposure was noted in the case of the Mobile World Congress 2020 website.

To keep the exchange format from becoming a data slingshot: pentest the API!

Although modern API gateways can intercept many problems, a gateway should only ever be the last hurdle, never the protection mechanism itself. As before, inputs should be validated and applications developed according to the security-by-design principle; this alone removes a large part of the attack surface. Even where some vulnerabilities overlap with the classic OWASP Top 10, these API-specific security holes must also be found and closed. This can be done in the form of a penetration test, which raises API security overall.
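The two points above, Excessive Data Exposure (the pattern noted on the Mobile World Congress 2020 site) and server-side input validation instead of relying on a gateway, side by side as an added example. This is illustration code written for this article, not code from the original post, from OWASP or from AWARE7; the user record, the field names, the handler functions and the sample values are all constructed placeholders, and no web framework is involved so that it runs stand-alone.

```python
"""Excessive Data Exposure: a vulnerable API handler beside a hardened one.

Added example (not code from the original article). The record layout,
the handler names and the sample values are constructed for illustration.
"""
from dataclasses import dataclass, asdict
import json


@dataclass
class UserRecord:
    """Constructed internal record, as it might be loaded from a database."""
    id: int
    username: str
    email: str
    password_hash: str
    is_admin: bool
    api_token: str


# Constructed sample data; the hash and token are placeholders, not secrets.
USERS = {
    42: UserRecord(42, "alice", "alice@example.invalid",
                   "$2b$12$placeholderhash", False, "tok_placeholder"),
}


def get_user_vulnerable(user_id: int) -> dict:
    """Serialises the whole record and leaves it to the client to hide
    fields. This is the Excessive Data Exposure pattern: the password
    hash, the API token and the admin flag reach every caller."""
    return asdict(USERS[user_id])


# Explicit allow-list: the only fields an API consumer is meant to see.
# Adding a column to UserRecord never silently widens the response.
PUBLIC_USER_FIELDS = ("id", "username")


def get_user_hardened(user_id) -> dict:
    """Validates the identifier on the server (not only at the gateway)
    and returns allow-listed fields only."""
    if isinstance(user_id, bool) or not isinstance(user_id, int) or user_id <= 0:
        raise ValueError("user_id must be a positive integer")
    record = USERS.get(user_id)
    if record is None:
        raise KeyError("no such user")
    data = asdict(record)
    return {field: data[field] for field in PUBLIC_USER_FIELDS}


# Fields a pentest or an automated test would flag if they appear in a
# response of this endpoint.
SENSITIVE_FIELDS = {"password_hash", "api_token", "email", "is_admin"}


def leaked_fields(response: dict) -> set:
    """Returns the sensitive fields present in an API response; an empty
    set means the response passed the check."""
    return SENSITIVE_FIELDS & set(response)


if __name__ == "__main__":
    before = get_user_vulnerable(42)
    after = get_user_hardened(42)
    print(json.dumps(before, indent=2), "leaked:", sorted(leaked_fields(before)))
    print(json.dumps(after, indent=2), "leaked:", sorted(leaked_fields(after)))
```

The `leaked_fields` check is the kind of assertion worth keeping in an API test suite: it fails the build as soon as a new sensitive column reaches a public response, which is exactly the regression a one-off pentest cannot catch on its own.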

Vincent Reckendrees

Hello, I am Vincent Reckendrees and I lead the Offensive Services team at AWARE7 GmbH. During my bachelor's and master's studies I specialised in IT security, and I am a BSI-certified IS penetration tester. My passion is reverse engineering, hardware security and web security. As a penetration testing expert I find vulnerabilities in systems and networks and use them to simulate realistic cyber attacks and improve security measures. Through reverse engineering I discover flaws and opportunities for improvement in software and hardware. My skills in hardware and web security allow me to protect physical devices and online platforms against a wide range of cyber threats and to ensure their integrity and reliability.