The risks in the OWASP API Security Top 10 are mitigated during the development of web APIs. This section covers broken object property level authorization, which combines excessive data exposure (returning more object properties than the caller is entitled to see) and mass assignment (letting a client write object properties it is not entitled to change).
Ensure that authorization is validated at the object property level, not only at the object level, so that a caller who may read or update an object still cannot read or write every property of it. Enforce attribute- or role-based access control that decides, per property, whether the requesting identity may read or write it. Define response allowlists that explicitly name the fields each class of caller may receive; anything not on the list is never serialized. Prevent mass assignment by never binding a client-supplied request body directly onto an internal object: map only the explicitly permitted fields, and reject (rather than silently ignore) any other field in the request. Regularly audit API responses and input handling to detect properties that are exposed or writable without an authorization check.

Ensure APIs expose only the object properties that are necessary and prevent unauthorized reading or modification of the rest. Verify on every response that the user is authorized to see each property returned. Avoid generic serialization methods such as to_json() or to_string() that dump the whole object; instead explicitly enumerate the properties to return. Disallow automatic binding of client input to internal objects or properties, and restrict modifications to the properties a client is allowed to update, so unintended changes to sensitive or system-critical fields (for example an is_admin flag or an account balance) cannot be smuggled in alongside legitimate ones. Implement schema-based response validation as an independent gate that enforces which properties, with which types, an API method may return. Keep response payloads minimal, returning only the data the business function requires, which reduces the exposure of unnecessary or sensitive information.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-15-03-01-01 | Ensure proper authorization for object properties | When exposing an object through an API, verify that the user has the correct permissions to access the specific properties of the object being returned. | Development | Security Engineers, Backend Developers |
SSS-02-15-03-01-02 | Avoid generic methods for data exposure | Do not use generic methods like to_json() or to_string() to expose object data. Instead, selectively choose the properties to expose, limiting exposure to sensitive or unnecessary data. | Development | Backend Developers, Security Engineers |
SSS-02-15-03-01-03 | Prevent mass assignment of client input | Avoid functions that automatically bind client input to internal objects or object properties (mass assignment), since a client can then set properties that were never meant to be writable. Map only the explicitly permitted fields from the request. | Development | Security Engineers, Backend Developers |
SSS-02-15-03-01-04 | Allow changes only to specific object properties | Ensure that clients can only modify the object properties that they are authorized to update. Do not allow arbitrary changes to sensitive or system-critical properties. | Development | Security Engineers, Backend Developers |
SSS-02-15-03-01-05 | Implement schema-based response validation | Use schema-based validation to enforce strict controls over the data returned by API methods. This ensures that only expected and authorized data is returned to clients. | Development | Security Engineers, API Developers |
SSS-02-15-03-01-06 | Minimize returned data according to business requirements | Limit the data returned in API responses to the absolute minimum necessary to meet the business and functional requirements of the endpoint, reducing the risk of excessive data exposure. | Development | API Developers, Security Engineers |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1851); OWASP Top 10 API Security Risk | | |