OWASP API Top 10 · API8:2023 (voice-validated)
AL, Founder at SQUR · last verified 2026-06-20
Regulation text
APIs and the systems supporting them typically contain complex configurations, meant to make the APIs more customisable. Software and DevOps engineers can miss these configurations or do not follow security best practices, opening the door for different types of attacks.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1190 | 1. Exploiting public-facing applications is a primary attack vector for API8:2023. Misconfigured APIs directly expose vulnerabilities, allowing initial access. | 90% |
| T1133 | 2. External remote services, if misconfigured, provide initial access to systems supporting APIs, as highlighted by API8:2023's focus on complex configurations. | 80% |
| T1059.003 | 3. Misconfigurations in API endpoints can enable command injection, leading to execution of commands via Windows Command Shell, a direct risk under API8:2023. | 70% |
| T1068 | 4. Exploitation for privilege escalation frequently results from misconfigured API access controls or underlying system settings, as described in API8:2023. | 90% |
| T1055 | 5. Process injection can occur if API-supporting systems are misconfigured, allowing attackers to inject malicious code and escalate privileges, per API8:2023. | 70% |
| T1070.004 | 6. Misconfigured logging or file permissions, a concern in API8:2023, can allow attackers to delete logs, thereby removing indicators of compromise. | 70% |
| T1003.001 | 7. Misconfigurations in OS or application settings, as per API8:2023, can expose memory containing credentials, enabling OS credential dumping from LSASS. | 80% |
| T1552.001 | 8. Unsecured credentials in files, often due to developer oversight or misconfiguration, are a direct consequence of poor security practices mentioned in API8:2023. | 90% |
| T1087.001 | 9. Misconfigured API access or system settings can expose information about local accounts, facilitating account discovery, a risk under API8:2023. | 80% |
| T1046 | 10. Attackers exploit misconfigured APIs to perform network service scanning, mapping internal networks for further attacks, as implied by API8:2023. | 70% |
| T1021.001 | 11. Misconfigured remote services like RDP, if exposed via API-supporting systems, enable lateral movement within the network, a risk under API8:2023. | 70% |
| T1119 | 12. Automated collection of data is possible when API access controls are misconfigured, allowing unauthorized bulk data retrieval, as per API8:2023. | 80% |
| T1071.001 | 13. Misconfigured APIs can be repurposed as Command and Control channels using standard web protocols, a critical risk highlighted by API8:2023. | 80% |
| T1041 | 14. Exfiltration over C2 channels, often established through misconfigured APIs, allows attackers to steal sensitive data, a key concern in API8:2023. | 80% |
| T1499 | 15. Misconfigurations in API rate limits or resource handling can lead to endpoint denial of service, impacting availability, as addressed by API8:2023. | 90% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1051 | 1. Software configuration management directly addresses API8:2023 by ensuring secure configurations for APIs and their supporting systems, preventing common vulnerabilities. | 90% |
| M1028 | 2. Operating system configuration hardening is crucial for API8:2023, securing the underlying infrastructure against misconfiguration-based attacks. | 80% |
| M1017 | 3. User training for engineers on secure coding and configuration practices directly mitigates API8:2023 risks by reducing human error in complex setups. | 80% |
| M1047 | 4. Regular audits of API and system configurations identify and rectify misconfigurations, proactively addressing API8:2023 before exploitation. | 90% |
| M1035 | 5. Network segmentation limits the impact of exploited misconfigurations (API8:2023) by isolating compromised API components and reducing lateral movement. | 80% |
| M1031 | 6. Endpoint Detection and Response systems detect anomalous activities resulting from exploited API8:2023 misconfigurations, enabling rapid incident response. | 70% |
| M1032 | 7. Multi-factor authentication, even if partially bypassed by misconfiguration, significantly raises the bar for initial access attempts against API8:2023 vulnerabilities. | 70% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-284 | 1. Improper access control is a direct result of misconfigured API permissions, allowing unauthorized actions, as highlighted in API8:2023. | 90% |
| CWE-862 | 2. Missing authorization for critical API functions stems from configuration oversights, enabling unauthorized access, a core issue in API8:2023. | 90% |
| CWE-863 | 3. Incorrect authorization, where logic is flawed due to misconfiguration, allows unintended access, directly contributing to API8:2023 vulnerabilities. | 80% |
| CWE-522 | 4. Insufficiently protected credentials, often stored insecurely due to misconfiguration, are a common weakness leading to API8:2023 attacks. | 80% |
| CWE-548 | 5. Exposure of information through directory listing is a classic misconfiguration in web servers supporting APIs, revealing sensitive data, per API8:2023. | 70% |
| CWE-732 | 6. Incorrect permission assignment for critical resources directly enables unauthorized access or modification, a key misconfiguration addressed by API8:2023. | 80% |
| CWE-306 | 7. Missing authentication for critical API functions is a severe misconfiguration, allowing unauthenticated access to sensitive operations, as per API8:2023. | 90% |
What SQUR Covers
Web application and API pentesting for the OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0184 compute · voice-rubric self-validated