OWASP / Top10

Official OWASP Top 10 Document Repository

A10: add examples to Am I Vulnerable and maybe increase impact #58

Closed vanderaj closed 7 years ago

vanderaj commented 7 years ago

• Unprotected APIs (A10) is a welcome addition. We encounter API security issues regularly in our practice, and they seem to be increasing due to rapid adoption of SOA, RIA, REST, microservices, and API commerce. A case could be made for moving it higher on the list (above CSRF); if not in 2017, then in the near future based on observed trends.

Regardless of whether it stays at the bottom of the list, we recommend raising its impact to Severe based on the types of services and data that organizations are exposing via APIs (payments, medical charts, social network profiles, tax history, etc.). Under “Am I Vulnerable to Attack?” it would be worth mentioning two very common API authentication anti-patterns: a) Service account password passed in message body, often insecurely stored on client (e.g., properties file); b) weak mutual TLS where service provider accepts any certificate issued from a trusted CA (instead of white-listing trusted client certs).

Mike McCormick
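Anti-pattern (b) above, shown in Go as an added example that is not part of this thread or of the OWASP Top 10 project: the weak server config accepts any client certificate the trusted CA has issued, while the hardened one keeps that chain check and adds a per-client fingerprint allowlist through `tls.Config.VerifyPeerCertificate`. The function names, the allowlist shape and the stand-in certificate bytes are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// certFingerprint returns the lower-case hex SHA-256 of a DER-encoded certificate.
func certFingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// allowlistVerifier builds a tls.Config.VerifyPeerCertificate callback that accepts only client
// leaf certificates on the allowlist. Go runs it after the ClientCAs chain check has passed.
func allowlistVerifier(allowed map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("mtls: no client certificate presented")
		}
		fp := certFingerprint(rawCerts[0]) // rawCerts[0] is the leaf the client presented
		if !allowed[fp] {
			return fmt.Errorf("mtls: client certificate %s is not on the allowlist", fp)
		}
		return nil
	}
}

// weakServerConfig is the anti-pattern from the thread: any certificate the trusted CA
// has ever issued, to any client, satisfies the handshake.
func weakServerConfig(clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
}

// hardenedServerConfig keeps the CA check and adds the per-client allowlist on top of it.
func hardenedServerConfig(clientCAs *x509.CertPool, allowed map[string]bool) *tls.Config {
	cfg := weakServerConfig(clientCAs)
	cfg.VerifyPeerCertificate = allowlistVerifier(allowed)
	return cfg
}

func main() {
	leaf := []byte("constructed-client-cert-der") // constructed stand-in; pin real client cert fingerprints in production
	cfg := hardenedServerConfig(x509.NewCertPool(), map[string]bool{certFingerprint(leaf): true})
	fmt.Println("pinned client accepted:", cfg.VerifyPeerCertificate([][]byte{leaf}, nil) == nil)
	fmt.Println("unknown client accepted:", cfg.VerifyPeerCertificate([][]byte{[]byte("other")}, nil) == nil)
}
```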

jmanico commented 7 years ago

+1 Very astute comments

-- Jim Manico @Manicode

On Jun 13, 2017, at 8:33 AM, Andrew van der Stock notifications@github.com wrote:

• Unprotected APIs (A10) is a welcome addition. We encounter API security issues regularly in our practice, and they seem to be increasing due to rapid adoption of SOA, RIA, REST, microservices, and API commerce. A case could be made for moving it higher on the list (above CSRF); if not in 2017, then in the near future based on observed trends.

Regardless of whether it stays at the bottom of the list, we recommend raising its impact to Severe based on the types of services and data that organizations are exposing via APIs (payments, medical charts, social network profiles, tax history, etc.). Under “Am I Vulnerable to Attack?” it would be worth mentioning two very common API authentication anti-patterns: a) Service account password passed in message body, often insecurely stored on client (e.g., properties file); b) weak mutual TLS where service provider accepts any certificate issued from a trusted CA (instead of white-listing trusted client certs).


sslHello commented 7 years ago

I like the suggestions made for 'Am I Vulnerable to Attack?'

taprootsec commented 7 years ago

Thanks for all the positive feedback on our comment.

Neil-Smithline commented 7 years ago

Based on the results of the industry survey (background on survey), API vulnerabilities will not be in the Top-10. Where appropriate, mentions of API vulnerabilities will be added to other risks. I apologize that this is not the outcome you were hoping for, but we decided to go with user feedback for determining what A10 should be.