OWASP API Top Ten 2023 Report
The Open Web Application Security Project (OWASP) API Top 10 2023 is a list of top security concerns specific to web Application Programming Interface (API) security.
- APIs are a critical part of modern mobile, Software as a Service (SaaS), and web applications and expose application logic and sensitive data, so APIs have become a target for attackers.
- While general web application security best practices also apply to APIs, the OWASP API Security project has prepared a list of top 10 security concerns specific to web API security.
- Thanks to the OWASP API Top Ten Report, you can identify the common weaknesses in your web application that malicious attackers can exploit.
For more information about the OWASP API Top Ten, refer to the OWASP API Security Top 10. A sample report can be found here.
IMPORTANT: For further information, see Overview of reports, Report templates, and Built-in reports.
How to generate an OWASP API Top Ten 2023 Report in Invicti Enterprise
- In Invicti Enterprise, select Scans > Recent Scans from the left-side menu.
- Next to the relevant scan, select Report.
- On the Scan Summary page, click Export.
- From the Report drop-down, select OWASP API Top Ten 2023.
- From the Format drop-down, select PDF or HTML.
- Use the checkboxes to configure your report:
  - Exclude Addressed Issues: Filters out issues that have already been acted upon. (By default, all Information-level findings are automatically marked as Accepted Risk. To modify this setting, go to Do not mark Information issues as accepted risks in General settings.)
  - Exclude History of Issues: If enabled, the report does not include issue history. If disabled, the last 10 history log entries are included.
  - Export Confirmed: Includes only confirmed issues in the export.
  - Export Unconfirmed: Includes only unconfirmed issues in the export.
- Select Export to save the report at your selected location.
How to generate an OWASP API Top Ten 2023 Report in Invicti Standard
- In Invicti Standard, select the File tab from the top ribbon. This displays the Local scans.
- Double-click the relevant scan to display its results.
- From the Reporting tab, select the OWASP API Top 10 2023 Report.
- In the Save Report As dialog, select a save location, then select Save.
- In the Export Report dialog, configure the report:
  - Policy: Select the default report policy or a customized report policy (refer to Custom report policies).
  - Format: Select HTML and/or PDF.
  - Vulnerability options: Select one or more of the following options:
    - Export Confirmed: Includes only confirmed vulnerabilities in the report.
    - Export Unconfirmed: Includes unconfirmed vulnerabilities in the report.
    - Export All Variations: By default, Invicti groups passive or information-level issues found on multiple pages instead of displaying each instance. Enabling this option includes every variation.
  - Header and Footer: Enter the information that should appear in the header and footer of the report.
  - Open Generated Report checkbox: When selected, the report opens once it has been saved.
- Select Save.
OWASP API Top Ten 2023 Report sections
There are four sections in the OWASP API Top Ten Report:
Scan metadata
This section provides details on the following items:
- Scan Target
- Scan Time
- Scan Duration
- Description
- Total Requests
- Average Speed
- Risk Level
Vulnerabilities
This section provides a numerical and graphical overview of:
- Numbers: The number of issues detected at each vulnerability severity level
- Identified Vulnerabilities: The total number of detected vulnerabilities
- Confirmed Vulnerabilities: The total number of vulnerabilities that Invicti verified by taking extra steps, such as extracting data from the target
Vulnerability Names and Details
This section describes all identified issues and vulnerabilities, along with their Impact and Proof of Exploit. It also explains what Actions to Take and a Remedy for each one, including External References for more information.
This table lists and explains the headings in the Vulnerability Names and Details section.
| Heading | Description |
| --- | --- |
| Name | The name of the identified issue. |
| Tag | A label used to group, organize, and filter issues in the target web application. |
| Proof of exploit | Evidence supplied to prove that the vulnerability exists, showing information extracted from the target by using the vulnerability. For more information, refer to Benefits of Proof-Based Scanning™ Technology. |
| Vulnerability details | Further details about the vulnerability. |
| Certainty value | How certain Invicti is that the identified issue is real. |
| Impact | The effect of the issue or vulnerability on the Target URL. |
| Required Skills for Successful Exploitation | Details on the skills a malicious hacker would need to exploit this issue. |
| Actions to Take | Immediate steps you can take to reduce the impact or prevent exploitation. |
| Remedy | Further steps to resolve the identified issue. |
| External references | Links to other websites where you can find more information. |
| Classification | OWASP API Top Ten 2023: Further information about this vulnerability according to the 2023 edition of the Open Web Application Security Project (OWASP) API Security Top 10 list. |
| Remedy references | Further information on the solution for identified issues. |
| Proof of Concept Notes | Notes that demonstrate in principle how a system may be compromised. |
| Request | The complete HTTP request that Invicti sent in order to detect the issue. |
| Response | The system's reply to the request that carried the payload. |
Show/Hide Scan Details
This section lists the profile and policy settings that Invicti used to tune the scan for greater coverage. For example, it lists all enabled security checks.
It records the preferences you selected for this scan, so that developers have more detail on how the scan was run.
For more information, refer to Setting Security Check options.