AgentSkillsCN

owasp-api-security-top-10

OWASP CI/CD安全十大风险——聚焦于流水线安全的预防、检测与修复。适用于CI/CD系统的加固与审查:包括流程管控、身份与访问管理、依赖链安全、恶意管道执行防范、基于角色的权限访问控制、凭证安全管理、系统配置优化、第三方服务防护、制品完整性保障,以及日志记录与可视化监控。

SKILL.md
--- frontmatter
name: owasp-api-security-top-10
description: "OWASP API Security Top 10 - prevention, detection, and remediation for REST/GraphQL/API security. Use when designing or reviewing APIs - object- and function-level authorization, authentication, rate limiting and resource consumption, sensitive business flows, SSRF, API inventory and versioning, or consumption of third-party APIs."

OWASP API Security Top 10

This skill encodes the OWASP API Security Top 10 for secure API design, code review, and vulnerability prevention. References are loaded per risk (progressive disclosure).

Based on OWASP API Security Top 10:2023.

When to Read Which Reference

RiskRead
API1 Broken Object Level Authorizationreferences/api1-broken-object-level-authorization.md
API2 Broken Authenticationreferences/api2-broken-authentication.md
API3 Broken Object Property Level Authorizationreferences/api3-broken-object-property-authorization.md
API4 Unrestricted Resource Consumptionreferences/api4-unrestricted-resource-consumption.md
API5 Broken Function Level Authorizationreferences/api5-broken-function-level-authorization.md
API6 Unrestricted Access to Sensitive Business Flowsreferences/api6-sensitive-business-flows.md
API7 Server Side Request Forgery (SSRF)references/api7-ssrf.md
API8 Security Misconfigurationreferences/api8-security-misconfiguration.md
API9 Improper Inventory Managementreferences/api9-improper-inventory-management.md
API10 Unsafe Consumption of APIsreferences/api10-unsafe-consumption-of-apis.md

Quick Patterns

  • Enforce object-level and function-level authorization on every API request; never trust client-supplied IDs without server-side checks.
  • Validate and sanitize all inputs; treat third-party API responses as untrusted.
  • Apply rate limiting, quotas, and cost controls to prevent abuse and DoS.
  • Maintain an API inventory; retire or protect deprecated and debug endpoints.

Quick Reference / Examples

TaskApproach
Object-level auth (IDOR)Verify user owns/can access the resource by ID server-side. See API1.
Function-level authCheck user role before admin/sensitive operations. See API5.
Rate limitingApply per-user/IP limits, quotas, and timeouts. See API4.
SSRF preventionValidate/allowlist URLs; block internal ranges. See API7.
Third-party APIsValidate responses, use TLS, set timeouts. See API10.

Safe - object-level authorization check:

python
@app.get("/api/orders/{order_id}")
def get_order(order_id: int, current_user: User):
    order = Order.query.get(order_id)
    if order.user_id != current_user.id:
        raise HTTPException(403, "Access denied")
    return order

Unsafe - missing authorization (IDOR vulnerability):

python
@app.get("/api/orders/{order_id}")
def get_order(order_id: int):
    return Order.query.get(order_id)  # Any user can access any order!

Rate limiting example (FastAPI):

python
from slowapi import Limiter
limiter = Limiter(key_func=get_remote_address)

@app.get("/api/search")
@limiter.limit("10/minute")
def search(query: str):
    return perform_search(query)

Workflow

  1. Object-level authorization (IDOR) → Read references/api1-broken-object-level-authorization.md.
  2. Authentication and tokens → Read references/api2-broken-authentication.md.
  3. Rate limiting / DoS → Read references/api4-unrestricted-resource-consumption.md.
  4. Admin vs user endpoints → Read references/api5-broken-function-level-authorization.md.
  5. User-supplied URLs in API → Read references/api7-ssrf.md.
  6. Third-party API consumption → Read references/api10-unsafe-consumption-of-apis.md.

Load reference files only when relevant to the task.