The OWASP API Security Top 10 (2019 edition) is an awareness document that represents a broad consensus about the most critical security risks to web APIs. Below are ten pseudo-code examples written in Express-style JavaScript, one per item on the list, each showing the weakness rather than the fix:
API1:2019 Broken Object Level Authorization:
// Accessing sensitive user data without proper authorization checks
app.get('/api/user/:userId', (req, res) => {
  let userData = getUserData(req.params.userId);
  res.json(userData);
});
API2:2019 Broken User Authentication:
// Insecure authentication mechanism
app.post('/api/login', (req, res) => {
  let user = authenticateUser(req.body.username, req.body.password);
  if (user) {
    // Issue token without verifying the user's identity sufficiently
    res.json({ token: generateToken(user) });
  }
});
API3:2019 Excessive Data Exposure:
// Returning more data than necessary
app.get('/api/user/:userId', (req, res) => {
  let userData = getUserData(req.params.userId);
  // userData contains sensitive details like password, email, etc.
  res.json(userData);
});
API4:2019 Lack of Resources & Rate Limiting:
// No rate limiting on a sensitive endpoint
app.post('/api/password-reset', (req, res) => {
  resetUserPassword(req.body.email);
  res.send('Password reset link sent');
});
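An unthrottled reset endpoint lets one client flood a victim's inbox or burn through outbound mail quota. The following is an added example, not code from the page: a token-bucket limiter applied twice, once per client IP and once per target address, in front of a reset handler modelled as a pure function. The limiter, the `sendResetLink` stand-in and the request shape are assumptions for the example; the clock is injected so the refill behaviour can be checked without waiting.

```javascript
// Added example: token-bucket rate limiting for the API4 weakness. Names and
// the request/response shape are constructed for illustration; not from the page.

// Returns allow(key): true if a token was available for that key, false if the caller is throttled.
function createRateLimiter({ capacity, refillPerSecond, now = () => Date.now() }) {
  const buckets = new Map();   // key -> { tokens, last }; a multi-instance deployment needs a shared store
  return function allow(key) {
    const t = now();
    let b = buckets.get(key);
    if (!b) { b = { tokens: capacity, last: t }; buckets.set(key, b); }
    b.tokens = Math.min(capacity, b.tokens + ((t - b.last) / 1000) * refillPerSecond);
    b.last = t;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  };
}

// Reset handler: (req) -> { status, headers?, body }. Two limiters, because a single address
// can be targeted from many IPs and a single IP can target many addresses.
function makePasswordResetHandler({ ipLimiter, emailLimiter, sendResetLink }) {
  return function handle(req) {
    const email = typeof req.body?.email === 'string' ? req.body.email.trim().toLowerCase() : '';
    if (!email) return { status: 400, body: { error: 'email required' } };
    const throttled = { status: 429, headers: { 'Retry-After': '60' }, body: { error: 'too many requests' } };
    // Per-IP check runs first, so a single flooding client exhausts its own bucket before
    // it can touch the per-address bucket of someone else.
    if (!ipLimiter(req.ip)) return throttled;
    if (!emailLimiter(email)) return throttled;
    sendResetLink(email);
    // Identical response whether or not the address is registered, so the endpoint does not confirm accounts.
    return { status: 202, body: { message: 'If that address is registered, a reset link has been sent' } };
  };
}

module.exports = { createRateLimiter, makePasswordResetHandler };
```

Capacity and refill rate are policy: a burst of a few requests per address per hour is plenty for legitimate users, and the per-IP bucket should be a few times larger to allow shared NATs.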
API5:2019 Broken Function Level Authorization:
// Function accessible by any authenticated user, not checking for admin role
app.delete('/api/deleteUser/:userId', (req, res) => {
  deleteUser(req.params.userId);
  res.send('User deleted');
});
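The API1 and API5 snippets share a root cause: the handler acts on the id in the URL without asking whether this caller may act on that object or call that function. The following is an added example, not code from the page, covering both: a single deny-by-default policy function, an object-level check for the read handler and a function-level (role) check for the delete handler. The user store, roles, `can` helper and the `req.user` principal (assumed to be set by an authentication layer from a verified token, never from the request body) are assumptions for the example.

```javascript
// Added example: object- and function-level authorization for the API1 and API5
// weaknesses. Store, roles and names are constructed for illustration; not from the page.
const users = new Map([
  ['u1', { id: 'u1', name: 'alice', role: 'user', email: 'alice@example.com' }],
  ['u2', { id: 'u2', name: 'bob', role: 'user', email: 'bob@example.com' }],
  ['u9', { id: 'u9', name: 'root', role: 'admin', email: 'admin@example.com' }],
]);

// One place for policy. Every permitted case is explicit; anything else is denied.
function can(actor, action, target) {
  if (!actor) return false;
  switch (action) {
    case 'user:read':
      return actor.role === 'admin' || actor.id === target.id;     // own record, or admin
    case 'user:delete':
      return actor.role === 'admin' && actor.id !== target.id;     // admin only, never self
    default:
      return false;
  }
}

// GET /api/user/:userId (API1). Missing and forbidden both answer 404 so the
// endpoint cannot be used to enumerate which ids exist.
function getUser(req) {
  const target = users.get(req.params.userId);
  if (!target || !can(req.user, 'user:read', target)) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: target };
}

// DELETE /api/deleteUser/:userId (API5). The role comes from req.user, which the
// authentication layer populates from the verified token; req.body is never consulted.
function deleteUser(req) {
  const target = users.get(req.params.userId);
  if (!target || !can(req.user, 'user:delete', target)) return { status: 404, body: { error: 'not found' } };
  users.delete(target.id);
  return { status: 204 };
}

module.exports = { users, can, getUser, deleteUser };
```

Keeping the rules in `can` rather than inline in each handler makes the policy reviewable in one place and makes a missing check (a handler that never calls `can`) easy to spot in code review or with a lint rule.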
API6:2019 Mass Assignment:
// Vulnerable to mass assignment
app.post('/api/user/update', (req, res) => {
  updateUser(req.user.id, req.body);
  res.send('User updated');
});
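Excessive data exposure (API3) and mass assignment (API6) are the same mistake in opposite directions: the stored record is serialised straight to the client, and the client's JSON is merged straight into the record. The following is an added example, not code from the page, that allowlists fields in both directions: a view function that returns only the fields the viewer is entitled to, and an update sanitizer that keeps only user-writable fields and reports what it dropped. The record layout, field lists and handler names are assumptions for the example.

```javascript
// Added example: response and input allowlists for the API3 and API6 weaknesses.
// Field names, the record shape and the store are constructed; not from the page.
const PUBLIC_USER_FIELDS = ['id', 'name'];
const SELF_USER_FIELDS = ['id', 'name', 'email'];
const USER_WRITABLE_FIELDS = ['name', 'email'];

// Copy only the named own properties; everything else (role, passwordHash, ...) stays behind.
function pick(obj, fields) {
  const out = {};
  for (const f of fields) {
    if (Object.prototype.hasOwnProperty.call(obj, f)) out[f] = obj[f];
  }
  return out;
}

// Response shaping (API3): the stored record is never handed to res.json directly.
function toUserView(record, viewer) {
  const fields = viewer && viewer.id === record.id ? SELF_USER_FIELDS : PUBLIC_USER_FIELDS;
  return pick(record, fields);
}

// Input shaping (API6): unknown and privileged keys are dropped, not merged. Returning the
// rejected names lets the handler log them; a client sending "role" is worth noticing.
function sanitizeUserUpdate(body) {
  if (!body || typeof body !== 'object' || Array.isArray(body)) return { update: {}, rejected: [] };
  const update = {};
  const rejected = [];
  for (const [key, value] of Object.entries(body)) {
    if (USER_WRITABLE_FIELDS.includes(key) && typeof value === 'string' && value.length <= 254) {
      update[key] = value;
    } else {
      rejected.push(key);
    }
  }
  return { update, rejected };
}

// Constructed store; passwordHash is a placeholder, not a real hash.
const users = new Map([
  ['u1', { id: 'u1', name: 'alice', email: 'alice@example.com', role: 'user', passwordHash: '<constructed>' }],
]);

// GET /api/user/:userId
function getUser(req) {
  const record = users.get(req.params.userId);
  if (!record) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: toUserView(record, req.user) };
}

// POST /api/user/update
function updateUser(req) {
  const record = users.get(req.user.id);
  if (!record) return { status: 404, body: { error: 'not found' } };
  const { update, rejected } = sanitizeUserUpdate(req.body);
  Object.assign(record, update);
  return { status: 200, body: { updated: Object.keys(update), ignored: rejected } };
}

module.exports = { pick, toUserView, sanitizeUserUpdate, getUser, updateUser, users };
```

Because `sanitizeUserUpdate` walks the body's own keys and copies only allowlisted ones into a fresh object, a JSON body containing an own `__proto__` key is rejected like any other unknown field rather than being merged into the record.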
API7:2019 Security Misconfiguration:
// Insecure server configuration
const server = http.createServer(app);
server.listen(3000, () => {
  console.log('Server running on port 3000');
});
// Missing security headers, HTTPS, etc.
API8:2019 Injection:
// SQL Injection vulnerability
app.get('/api/search', (req, res) => {
  let query = `SELECT * FROM products WHERE name LIKE '%${req.query.name}%'`;
  db.query(query, (err, results) => {
    res.json(results);
  });
});
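The fix is to stop building SQL from strings: the statement text stays constant and the user's value is bound as a parameter. The following is an added example, not code from the page, that keeps the vulnerable builder for contrast and adds the parameterized form. It stops at the statement-plus-parameters shape (which is what drivers such as mysql2 and node-postgres take; node-postgres writes placeholders as `$1` rather than `?`) so it runs without a database. It also handles the detail the paragraph above does not mention: `%` and `_` are wildcards inside `LIKE`, so they must be escaped too, or a search for `100%` matches everything starting with `100`. The `search` handler, the `escapeLike` helper and the length limit are assumptions for the example.

```javascript
// Added example: parameterized search for the API8 weakness, with LIKE-wildcard escaping.
// The vulnerable builder mirrors the page's snippet; everything else is constructed.

// Vulnerable form, kept for contrast: a quote in the input becomes part of the SQL.
function buildSearchVulnerable(name) {
  return { sql: `SELECT * FROM products WHERE name LIKE '%${name}%'`, params: [] };
}

// Escape LIKE metacharacters so the user's text matches literally. '!' is chosen as the
// escape character because backslash handling differs between SQL dialects.
function escapeLike(value, esc = '!') {
  return value.replace(/[!%_]/g, (c) => esc + c);
}

// Safe form: constant statement text, values bound separately. The row limit is bound too.
function buildSearchSafe(name, { limit = 50 } = {}) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 100) {
    throw new TypeError('name must be a string of 1 to 100 characters');
  }
  if (!Number.isInteger(limit) || limit < 1 || limit > 500) {
    throw new TypeError('limit must be an integer between 1 and 500');
  }
  return {
    sql: "SELECT id, name, price FROM products WHERE name LIKE ? ESCAPE '!' LIMIT ?",
    params: [`%${escapeLike(name)}%`, limit],
  };
}

// GET /api/search modelled as (req) -> { status, body | statement }. A real handler would
// pass statement.sql and statement.params to db.query(sql, params, cb) instead of returning them.
function search(req) {
  try {
    return { status: 200, statement: buildSearchSafe(req.query?.name) };
  } catch (err) {
    if (err instanceof TypeError) return { status: 400, body: { error: err.message } };
    throw err;
  }
}

module.exports = { buildSearchVulnerable, buildSearchSafe, escapeLike, search };
```

Note the column list in the safe statement replaces `SELECT *`; that is the API3 point applied at the query layer, so a later schema change cannot silently start returning a new sensitive column.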
API9:2019 Improper Assets Management:
// Guard intended to keep test routes out of production
if (process.env.NODE_ENV !== 'production') {
  app.use('/api/test', testRoutes);
}
// Fails open: if NODE_ENV is unset or misspelled on a production host, the test routes are mounted anyway
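The API7 and API9 snippets both come down to the process starting up in a state nobody checked: no security headers or TLS, and routes mounted because an environment variable happened to be absent. The following is an added example, not code from the page, of a fail-closed startup check: it treats anything that is not explicitly `development` or `test` as production, refuses to start when TLS material is missing, debug is on, CORS is wide open, or a test or retired route is mounted, and flags any mounted prefix that the asset inventory does not list. The config object, its field names, the `kind` classification of mounts and the header set are assumptions for the example.

```javascript
// Added example: fail-closed startup validation for the API7 and API9 weaknesses.
// The config shape and field names are constructed for illustration; not from the page.

// Baseline response headers for a JSON API (no HTML is served, hence the restrictive CSP).
const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'Content-Security-Policy': "default-src 'none'; frame-ancestors 'none'",
  'Referrer-Policy': 'no-referrer',
  'Cache-Control': 'no-store',
};

// cfg = { env, tls: { cert, key } | null, debug, corsOrigin, mounts: [{ prefix, kind }], inventory: [prefix] }
// Returns the list of problems; an empty list means the process may start.
function validateStartupConfig(cfg) {
  const problems = [];
  const env = cfg.env;
  if (!env) problems.push('NODE_ENV is unset; refusing to guess the environment');
  // Fail closed: only an explicit development or test value relaxes the production rules.
  const isProd = env !== 'development' && env !== 'test';
  const mounts = cfg.mounts ?? [];
  if (isProd) {
    if (!cfg.tls || !cfg.tls.cert || !cfg.tls.key) problems.push('TLS certificate and key are required');
    if (cfg.debug) problems.push('debug mode must be off');
    if (cfg.corsOrigin === '*') problems.push('CORS must not allow every origin');
    for (const m of mounts) {
      if (m.kind === 'test') problems.push(`test routes must not be mounted: ${m.prefix}`);
      if (m.kind === 'retired') problems.push(`retired API version still routable: ${m.prefix}`);
    }
  }
  // Every environment: a routable prefix the inventory does not know about is an unmanaged asset.
  const inventory = new Set(cfg.inventory ?? []);
  for (const m of mounts) {
    if (!inventory.has(m.prefix)) problems.push(`mount not in asset inventory: ${m.prefix}`);
  }
  return problems;
}

// What the bootstrap code would act on: start only when ok, and apply headers to every response.
function startupDecision(cfg) {
  const problems = validateStartupConfig(cfg);
  const ok = problems.length === 0;
  return { ok, problems, headers: ok ? { ...SECURITY_HEADERS } : null };
}

module.exports = { SECURITY_HEADERS, validateStartupConfig, startupDecision };
```

Running this before `server.listen` turns a silent misconfiguration into a refused start, which is far easier to notice in a deploy pipeline than a test route that quietly answers in production.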
API10:2019 Insufficient Logging & Monitoring:
// Inadequate logging of user actions and errors
app.post('/api/transfer', (req, res) => {
  transferMoney(req.user.id, req.body.targetAccountId, req.body.amount);
  // No logging of the transaction details or user activity
  res.send('Transfer completed');
});
These examples illustrate common API security issues aligned with the OWASP API Security Top 10. Use them as a starting point for understanding and teaching the security considerations that apply when developing and working with APIs.