Lack of injection in 2023 API10

[cyn8]

Hi team,

I have noticed whilst going through the new API10 guidelines that there is no dedicated page for injection-based attacks. I realise going into 2023, pure injection-based are becoming less common, but I believe it should still be prevalent enough to test for these issues?

Is it intended for the 2023RC that the injection category is removed?

[planetlevel]

Take a look at the issues starting with https://github.com/OWASP/API-Security/issues/77. The team excluded injection because they think it's not specific to APIs. It doesn't matter that recent reports have shown it to be the largest attack vector on APIs. The philosophy is that this T10 should only include things that are uniquely risks to APIs. I think this is wrong and will mislead teams to ignore critical problems like injection on APIs.

[ynvb]

@planetlevel - to further strengthen your point: If this list is supposed to include only attacks unique to APIs, why is there a new "SSRF" category in this list? This is clearly not an exclusive attack on APIs - but it is very relevant (which is why I believe it found its way into the list).

Also, Injections were not excluded - they are part of API-10 - however, I agree it is not very clear to understand that reading trough the categories description.

[cyn8]

@ynvb

Also, Injections were not excluded - they are part of API-10 - however, I agree it is not very clear to understand that reading trough the categories description.

Could you link me where injections are included in the 2023 API10? I can't seem to find them.

[securitylevelup]

After a GitHub search in the repo, I see two mentions of 'Injection' now in API10 with two additional links. This is definitely not enough focus on API Injection attacks, especially with the threat of GraphQL Injection attacks looming ahead.

https://github.com/OWASP/API-Security/blob/c56e753eb08e28c6c6d4d756bb3038bcc0ca804a/2023/en/src/0xaa-unsafe-consumption-of-apis.md

[llegaz]

I think Remote Execution is not mentioned either. IMO, that points well the lack on the injection topic and the threats that are overlooked here.

[tebbers]

@planetlevel - to further strengthen your point: If this list is supposed to include only attacks unique to APIs, why is there a new "SSRF" category in this list? This is clearly not an exclusive attack on APIs - but it is very relevant (which is why I believe it found its way into the list).

Also, Injections were not excluded - they are part of API-10 - however, I agree it is not very clear to understand that reading trough the categories description.

And isn't an SSRF just one TYPE of Injection? Why leave the others out and just name that one...Seems odd to not have all of the injection types in one place.

[planetlevel]

SSRF is a top-level item in main OWASP T10 (as opposed to being included in the Injection category). I expect that someday it will be subsumed into the injection category. But this decision was made based on an absolutely massive data collection effort and months of data science by a highly qualified team. Personally, I support having SSRF as a top-level category for APIs... but that's because I have a ton of data about how prevalent this vulnerability is for APIs and how often it is attacked in production.

[tebbers]

SSRF is a top-level item in main OWASP T10 (as opposed to being included in the Injection category). I expect that someday it will be subsumed into the injection category. But this decision was made based on an absolutely massive data collection effort and months of data science by a highly qualified team. Personally, I support having SSRF as a top-level category for APIs... but that's because I have a ton of data about how prevalent this vulnerability is for APIs and how often it is attacked in production.

Is that data public that we can all look at? @planetlevel

[planetlevel]

I offered to share data with the project leads, but never heard anything back.

[d0znpp]

I shared this, but no feedback. According to what we see in CVE and bug bounties, Injections are API1:

Hi guys!

I finally did that! The classification and data source is available here: https://drive.google.com/drive/folders/1IyygtOohhCWlA-mbHUw9w-xgv0dXn7v3?usp=share_link

That's all the CVEs, HackerOne, and more than ten other sources. Mapped to CWEs.

[ErezYalon]

Hi team,

I have noticed whilst going through the new API10 guidelines that there is no dedicated page for injection-based attacks. I realise going into 2023, pure injection-based are becoming less common, but I believe it should still be prevalent enough to test for these issues?

Is it intended for the 2023RC that the injection category is removed?

Hi @cyn8, Yes, the general Injection category was removed. The OWASP API Security Top 10 is an awareness document that expands the general OWASP Security Top 10. Being an expansion, we tried to cover categories unique to APIs, categories that have different consequences/mitigations/mechanisms in APIs, or categories that have a particular interest in an API-centric application. Injections are indeed prevalent. But they exist in every application regardless of whether it uses APIs.

[ErezYalon]

I shared this, but no feedback. According to what we see in CVE and bug bounties, Injections are API1:

Hi guys!

I finally did that! The classification and data source is available here: https://drive.google.com/drive/folders/1IyygtOohhCWlA-mbHUw9w-xgv0dXn7v3?usp=share_link

That's all the CVEs, HackerOne, and more than ten other sources. Mapped to CWEs.

Thanks, @d0znpp, for the effort, but you sent the data after the call-for-data was closed and not in the requested format.

[LaurentCB]

The OWASP API Security Top 10 is an awareness document that expands the general OWASP Security Top 10. Being an expansion, we tried to cover categories unique to APIs, categories that have different consequences/mitigations/mechanisms in APIs, or categories that have a particular interest in an API-centric application.

A first page disclaimer (with this explanation written bold and an url link to the main OWASP Security top 10) as it has already be mentioned would be really nice for newcomers in order to understand the purpose of the project.

Because this project (as pointed out several times now) is REALLY perturbing especially for those accustomed to the main Top 10 for years.

Regards, L.

[planetlevel]

I disagree with the "expands main T10" philosophy. But if that is the plan, then I suggest you delete these categories which are duplicated from main OWASP T10:

• 0xa2-broken-authentication
• 0xa6-server-side-request-forgery
• 0xa7-security-misconfiguration

If you're planning to stick with some that duplicate the OWASP T10, then I suggest the first one you ought to duplicate is Injection.

[ErezYalon]

A first page disclaimer (with this explanation written bold and an url link to the main OWASP Security top 10) as it has already be mentioned would be really nice for newcomers in order to understand the purpose of the project.

@LaurentCB, we agree. While the RC is just the bare-boned Top 10 list, the final list will be published with a clear introduction (and disclaimer) about the purpose and meaning of the project.

...I suggest you delete these categories which are duplicated from main OWASP T10:

• 0xa2-broken-authentication
• 0xa6-server-side-request-forgery
• 0xa7-security-misconfiguration

@planetlevel, while these categories are not unique to APIs, they do have different consequences/mitigations/mechanisms in APIs.

[planetlevel]

And "injection" doesn't?

All of the main T10 are important for APIs and yet they all need some interpretation for APIs.

This document should capture the T10 risks to APIs. Period.

I don't believe that API developers will read the main T10 and then read the API T10 as an extension.

And API risks like unsafe libraries, injection, weak crypto, and others from the main T10 must be there.

[d0znpp]

I guess we have to agree that the main criteria of this work were to make it look different from OWASP's Web Top 10. That’s why we have Injections renamed and moved down. There is no other reason, and many prove, that Injections are Top-1, including CVE, bug-bounty reports, and data breach analysis, by both amount and risk score.

And in fact, the classic OWASP Top 10 now represents API risk priorities much better than OWASP API Top 10. Which is valid, if we agree that WebApps are in fact just legacy API, a subset of a broader APIs definition.

[ErezYalon]

Thanks, @planetlevel, your opinion was noted.

@d0znpp, API10 is not a renamed Injection category. It is about the false trust feeling that developers have when recining data via responses and not directly from a user. If you missed it, others will as well, so thanks for pointing out it is not clear enough. We will consider re-wording.

[wenz]

SSRF is a top-level item in main OWASP T10 (as opposed to being included in the Injection category). I expect that someday it will be subsumed into the injection category. But this decision was made based on an absolutely massive data collection effort and months of data science by a highly qualified team.

In all fairness, SSRF came from the community survey and would not have made it onto the list based on the data alone ("the data shows a relatively low incidence rate"). I'm guessing it will be eventually moved, but not into Injection, but rather into Broken Access Control (where also CSRF is).