RatSec Blog

Code Red: Navigating the Maze of API Security with the OWASP Top 10

- Posted in API by

The OWASP API Top 10 is a powerful awareness document for web application security that represents a broad consensus about the most critical security risks to web APIs. Here are 10 pieces of pseudo-code or conceptual examples, each showcasing a different item from the OWASP API Top 10 list:

  1. API1:2019 Broken Object Level Authorization:

    // Accessing sensitive user data without proper authorization checks
    app.get('/api/user/:userId', (req, res) => {
       let userData = getUserData(req.params.userId);
  2. API2:2019 Broken User Authentication:

    // Insecure authentication mechanism
    app.post('/api/login', (req, res) => {
       let user = authenticateUser(req.body.username, req.body.password);
       if (user) {
           // Issue token without verifying the user's identity sufficiently
           res.json({ token: generateToken(user) });
  3. API3:2019 Excessive Data Exposure:

    // Returning more data than necessary
    app.get('/api/user/:userId', (req, res) => {
       let userData = getUserData(req.params.userId);
       // userData contains sensitive details like password, email, etc.
  4. API4:2019 Lack of Resources & Rate Limiting:

    // No rate limiting on a sensitive endpoint
    app.post('/api/password-reset', (req, res) => {
       res.send('Password reset link sent');
  5. API5:2019 Broken Function Level Authorization:

    // Function accessible by any authenticated user, not checking for admin role
    app.delete('/api/deleteUser/:userId', (req, res) => {
       res.send('User deleted');
  6. API6:2019 Mass Assignment:

    // Vulnerable to mass assignment
    app.post('/api/user/update', (req, res) => {
       updateUser(req.user.id, req.body);
       res.send('User updated');
  7. API7:2019 Security Misconfiguration:

    // Insecure server configuration
    const server = http.createServer(app);
    server.listen(3000, () => {
       console.log('Server running on port 3000');
    // Missing security headers, HTTPS, etc.
  8. API8:2019 Injection:

    // SQL Injection vulnerability
    app.get('/api/search', (req, res) => {
       let query = `SELECT * FROM products WHERE name LIKE '%${req.query.name}%'`;
       db.query(query, (err, results) => {
  9. API9:2019 Improper Assets Management:

    // Exposing sensitive endpoints in production
    if (process.env.NODE_ENV !== 'production') {
       app.use('/api/test', testRoutes);
  10. API10:2019 Insufficient Logging & Monitoring:

    // Inadequate logging of user actions and errors
    app.post('/api/transfer', (req, res) => {
        transferMoney(req.user.id, req.body.targetAccountId, req.body.amount);
        // No logging of the transaction details or user activity
        res.send('Transfer completed');

These examples are designed to illustrate common API security issues aligned with the OWASP API Top 10. It's important to use these examples as a starting point for understanding and teaching the security considerations necessary when developing and working with APIs.