OWASP API Security Risks: Top 10 Essentials Quiz

Challenge your understanding of API Security Risks as outlined in the OWASP Top 10. This quiz covers key threats, vulnerabilities, and common pitfalls in API development and security testing, helping you identify and mitigate major API risks.

  1. Broken Object Level Authorization

    Which scenario best illustrates the API security risk of Broken Object Level Authorization from the OWASP Top 10?

    1. An API allows users to access account information of other users by modifying the user ID in the request URL.
    2. An API endpoint requires the use of HTTPS but responds to HTTP requests as well.
    3. Sensitive data is transmitted without encryption in the response payload.
    4. API requests with missing headers are rejected with a generic error message.

    Explanation: Broken Object Level Authorization occurs when an API does not properly enforce per-object permissions, allowing attackers to access or manipulate resources they should not be able to reach, such as viewing another user's data by altering a user ID in a request. The distractors describe issues related to transport security, data exposure, and error handling, but none of them involves improper authorization at the object level.

  2. Excessive Data Exposure

    What best describes the risk of Excessive Data Exposure in API responses according to the OWASP Top 10?

    1. The API reveals more user information than necessary, such as returning credit card details when only the name is requested.
    2. A token is sent with every request, regardless of user authentication.
    3. The API URL includes unencrypted session tokens.
    4. API request bodies allow extra fields that are ignored by the server.

    Explanation: Excessive Data Exposure occurs when an API returns more information than the client needs, increasing the impact if sensitive fields are leaked unintentionally. Sending a token with every request, placing session tokens in the URL, and ignoring extra request fields are all security issues, but none of them matches Excessive Data Exposure as outlined by OWASP.

  3. Security Misconfiguration

    Which option is an example of a Security Misconfiguration vulnerability in an API based on the OWASP Top 10?

    1. An API is deployed with default admin credentials and no rate limiting.
    2. An API accepts only POST requests for updates but rejects GET requests.
    3. API error messages are always generic and reveal no code details.
    4. Input validation only restricts some special characters in passwords.

    Explanation: Security Misconfiguration includes deploying APIs with unsafe default settings, such as default credentials, and with missing security controls, such as rate limiting. Rejecting GET requests for updates is correct behavior, generic error messages are good practice, and partial input validation is a weakness but not a configuration issue.

  4. API Injection Attack

    Which situation demonstrates an API Injection risk as described in the OWASP Top 10 for APIs?

    1. User-provided input is inserted directly into a database query, allowing execution of malicious SQL code.
    2. An API limits the number of requests per minute to prevent overloading.
    3. The API only returns a user's own emails after proper authentication.
    4. API responses are always compressed to save bandwidth.

    Explanation: API Injection occurs when untrusted user input is not properly validated or sanitized and is passed into queries or commands, enabling attacks such as SQL injection. Rate limiting, proper authentication, and response compression are unrelated to injection vulnerabilities. Only the first option demonstrates the risk described.

  5. Improper Asset Management

    According to the OWASP Top 10, which scenario best illustrates Improper Asset Management in API security?

    1. Deprecated API endpoints are still accessible in production and are unlisted in documentation.
    2. The API returns a '404 Not Found' for invalid endpoints.
    3. All public API endpoints are documented and have up-to-date descriptions.
    4. The API version is clearly specified in all request URLs.

    Explanation: Improper Asset Management covers poor tracking or documentation of API versions and endpoints, which can leave old, vulnerable endpoints exposed in production. Returning 404 errors for invalid endpoints, thorough documentation, and clear versioning all improve asset management, so these distractors are incorrect.