owasp-api-security-top-10

# OWASP API Security Top 10
This skill encodes the OWASP API Security Top 10 for secure API design, code review, and vulnerability prevention. References are loaded per risk (progressive disclosure).
Based on OWASP API Security Top 10:2023.
## When to Read Which Reference
| Risk | Read |
|---|---|
| API1 Broken Object Level Authorization | references/api1-broken-object-level-authorization.md |
| API2 Broken Authentication | references/api2-broken-authentication.md |
| API3 Broken Object Property Level Authorization | references/api3-broken-object-property-authorization.md |
| API4 Unrestricted Resource Consumption | references/api4-unrestricted-resource-consumption.md |
| API5 Broken Function Level Authorization | references/api5-broken-function-level-authorization.md |
| API6 Unrestricted Access to Sensitive Business Flows | references/api6-sensitive-business-flows.md |
| API7 Server Side Request Forgery (SSRF) | references/api7-ssrf.md |
| API8 Security Misconfiguration | references/api8-security-misconfiguration.md |
| API9 Improper Inventory Management | references/api9-improper-inventory-management.md |
| API10 Unsafe Consumption of APIs | references/api10-unsafe-consumption-of-apis.md |
## Quick Patterns
- Enforce object-level and function-level authorization on every API request; never trust client-supplied IDs without server-side checks.
- Validate and sanitize all inputs; treat third-party API responses as untrusted.
- Apply rate limiting, quotas, and cost controls to prevent abuse and DoS.
- Maintain an API inventory; retire or protect deprecated and debug endpoints.
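The first pattern above, object-level and function-level checks on every request with the client-supplied ID used only for the lookup, in working code. This is an added, framework-free example and not code from the skill's references: `Principal`, `Order`, the in-memory `ORDERS` store, `require_role`, `Forbidden` and `NotFound` are all constructed for the demonstration (in a real service they map to the auth layer, the ORM and HTTP 403/404 responses).

```python
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as established by the authentication layer (constructed)."""
    user_id: int
    roles: frozenset = frozenset()


@dataclass
class Order:
    order_id: int
    user_id: int
    total: float


# Constructed in-memory store standing in for the database.
ORDERS = {
    1: Order(order_id=1, user_id=100, total=25.0),
    2: Order(order_id=2, user_id=200, total=99.0),
}


class NotFound(Exception):
    """Object does not exist (would map to HTTP 404)."""


class Forbidden(Exception):
    """Caller is authenticated but not authorized (would map to HTTP 403)."""


def require_role(role: str):
    """Function-level authorization (API5): the role check runs before the handler body,
    so a regular user cannot reach an admin operation just by knowing its route."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(current_user: Principal, *args, **kwargs):
            if role not in current_user.roles:
                raise Forbidden(f"role '{role}' required")
            return handler(current_user, *args, **kwargs)
        return wrapper
    return decorator


def get_order(current_user: Principal, order_id: int) -> Order:
    """Object-level authorization (API1): the client-supplied order_id is only used to
    look the object up; access is decided by comparing the owner with the caller."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(f"order {order_id}")
    if order.user_id != current_user.user_id and "admin" not in current_user.roles:
        # Some services answer 404 here as well, so callers cannot probe which IDs exist.
        raise Forbidden("not the owner of this order")
    return order


@require_role("admin")
def refund_order(current_user: Principal, order_id: int) -> Order:
    """Admin-only operation; it still goes through get_order, so both checks apply."""
    order = get_order(current_user, order_id)
    order.total = 0.0
    return order


def status_of(handler, current_user: Principal, order_id: int) -> int:
    """Run a handler and translate the outcome into the HTTP status an API would return."""
    try:
        handler(current_user, order_id)
        return 200
    except Forbidden:
        return 403
    except NotFound:
        return 404


if __name__ == "__main__":
    alice = Principal(user_id=100)
    bob = Principal(user_id=200)
    admin = Principal(user_id=1, roles=frozenset({"admin"}))
    print("alice reads own order:", status_of(get_order, alice, 1))       # 200
    print("bob reads alice's order:", status_of(get_order, bob, 1))       # 403
    print("alice refunds own order:", status_of(refund_order, alice, 1))  # 403
    print("admin refunds order 2:", status_of(refund_order, admin, 2))    # 200
```

The order of checks matters: `require_role` fails closed before the handler touches any data, and `get_order` never returns an object whose owner it has not compared with the caller, so there is no code path in which a guessed or tampered `order_id` alone grants access.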
## Quick Reference / Examples
| Task | Approach |
|---|---|
| Object-level auth (IDOR) | Verify user owns/can access the resource by ID server-side. See API1. |
| Function-level auth | Check user role before admin/sensitive operations. See API5. |
| Rate limiting | Apply per-user/IP limits, quotas, and timeouts. See API4. |
| SSRF prevention | Validate/allowlist URLs; block internal ranges. See API7. |
| Third-party APIs | Validate responses, use TLS, set timeouts. See API10. |
Safe - object-level authorization check:

```python
from fastapi import Depends, FastAPI, HTTPException

app = FastAPI()

# User, Order and get_current_user are assumed to be defined elsewhere in the application.
@app.get("/api/orders/{order_id}")
def get_order(order_id: int, current_user: User = Depends(get_current_user)):
    order = Order.query.get(order_id)
    if order is None:
        raise HTTPException(404, "Not found")
    # Object-level authorization: the authenticated user must own the order.
    if order.user_id != current_user.id:
        raise HTTPException(403, "Access denied")
    return order
```

Unsafe - missing authorization (IDOR vulnerability):

```python
@app.get("/api/orders/{order_id}")
def get_order(order_id: int):
    return Order.query.get(order_id)  # Any user can access any order!
```

Rate limiting example (FastAPI):

```python
from fastapi import FastAPI, Request
from slowapi import Limiter, _rate_limit_exceeded_handler
from slowapi.errors import RateLimitExceeded
from slowapi.util import get_remote_address

app = FastAPI()
limiter = Limiter(key_func=get_remote_address)
app.state.limiter = limiter
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)

@app.get("/api/search")
@limiter.limit("10/minute")  # per client address; slowapi needs the Request parameter
def search(request: Request, query: str):
    return perform_search(query)
```
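The SSRF prevention row above (validate/allowlist URLs, block internal ranges) as an added example; it is not code from the skill or its references. It is standard-library Python: the allowlist `ALLOWED_HOSTS`, the host names under `partner.example`, the `FAKE_DNS` table and `fake_resolver` are all constructed so the example runs offline, and the addresses in it are sample values. It goes slightly beyond the table row by also checking every resolved address, unwrapping IPv4-mapped IPv6, and returning the vetted addresses for the caller to pin.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist; a real service would load it from configuration.
ALLOWED_HOSTS = {
    "api.partner.example",
    "mirror.partner.example",
    "mapped.partner.example",
}
ALLOWED_SCHEMES = {"https"}

# Constructed stand-in for DNS so the example runs offline. Entries mirror the shape of
# socket.getaddrinfo results: (family, type, proto, canonname, sockaddr).
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "mirror.partner.example": ["93.184.216.34", "10.0.0.5"],  # public and private answer
    "mapped.partner.example": ["::ffff:10.0.0.1"],            # IPv4-mapped IPv6 answer
}


def fake_resolver(host, port, proto=socket.IPPROTO_TCP):
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed resolver: name not found")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port)) for ip in FAKE_DNS[host]]


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses. IPv4-mapped IPv6 is unwrapped
    first so ::ffff:10.0.0.1 is judged as 10.0.0.1 and not waved through as IPv6."""
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def validate_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS, resolver=socket.getaddrinfo):
    """Return (ok, reason, addresses). On success the caller should connect to one of the
    returned addresses (IP pinning) instead of resolving the name again, so a DNS answer
    that changes between check and use cannot redirect the request."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443  # .port raises ValueError for a non-numeric port
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    if host not in allowed_hosts:
        return False, "host not allowlisted", []
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except OSError:  # socket.gaierror is a subclass of OSError
        return False, "name resolution failed", []
    addresses = sorted({info[4][0] for info in infos})
    # Reject if ANY answer is non-public: split-horizon DNS or a rebinding answer can
    # return a private address next to a public one, and the client may pick either.
    non_public = [ip for ip in addresses if not is_public_address(ip)]
    if non_public:
        return False, f"resolves to non-public address {non_public[0]}", []
    return True, "ok", addresses


if __name__ == "__main__":
    for candidate in (
        "https://api.partner.example/v1/orders",
        "http://api.partner.example/",
        "https://mirror.partner.example/",
        "https://mapped.partner.example/",
        "https://evil.example/",
    ):
        print(candidate, "->", validate_outbound_url(candidate, resolver=fake_resolver))
```

Two deployment notes: the HTTP client that follows this check must either not follow redirects or run every redirect target through the same validation, since a 3xx response is another URL the server did not pick; and `allowed_hosts` should stay an exact-match set rather than a suffix or regex match, which is where most allowlist bypasses come from.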
## Workflow
- Object-level authorization (IDOR) → Read references/api1-broken-object-level-authorization.md.
- Authentication and tokens → Read references/api2-broken-authentication.md.
- Rate limiting / DoS → Read references/api4-unrestricted-resource-consumption.md.
- Admin vs user endpoints → Read references/api5-broken-function-level-authorization.md.
- User-supplied URLs in API → Read references/api7-ssrf.md.
- Third-party API consumption → Read references/api10-unsafe-consumption-of-apis.md.
Load reference files only when relevant to the task.