Mapping of API Security Top 10 to Juice Shop challenges

Bjoern Kimminich

unread,

Jan 23, 2020, 8:07:39 AM1/23/20

to API Security Project

Hi all,

I just added mappings for OWASP Juice Shop challenge categories to the OWASP API Security Top 10 2019: https://github.com/bkimminich/pwning-juice-shop/commit/7abe69df30eca385bcb8fd3953cbab640f733245
You can find the latest version here: https://pwning.owasp-juice.shop/part1/categories.html but here's a snapshot with the additions highlighted for convenience:

CategoryOWASPCWE
Broken Access ControlA5:2017, API1:2019, API5:2019CWE-22, CWE-285, CWE-639
Broken Anti-AutomationOWASP-AT-004), API4:2019, OWASP-AT-010CWE-362
Broken AuthenticationA2:2017, API2:2019CWE-287, CWE-352
Cross Site Scripting (XSS)A7:2017CWE-79
Cryptographic IssuesA3:2017CWE-326, CWE-327, CWE-328, CWE-950
Improper Input ValidationASVS V5, API6:2019CWE-20
InjectionA1:2017, API8:2019CWE-74
Insecure DeserializationA8:2017CWE-502
Miscellaneous--
Security MisconfigurationA6:2017, A10:2017, API7:2019, API9:2019, API10:2019CWE-209
Security through Obscurity-CWE-656
Sensitive Data ExposureA3:2017, API3:2019, OTG-CONFIG-004CWE-200, CWE-530, CWE-548
Unvalidated RedirectsA10:2013CWE-601
Vulnerable ComponentsA9:2017CWE-829
XML External Entities (XXE)A4:2017CWE-611

Your API Top 10 are each covered by at least one of the existing 90 hacking challenges in the Juice Shop. I'm happy to collaborate on adding more examples to the Juice Shop if you are interested or have another aspect that is not covered well enough. I don't want to argue against writing your own crAPI vulnapp if you think that's needed, but you might find most of what you want already in Juice Shop and save a ton of time... ;-)

Cheers,
Björn

Category	OWASP	CWE
Broken Access Control	A5:2017, API1:2019, API5:2019	CWE-22, CWE-285, CWE-639
Broken Anti-Automation	OWASP-AT-004), API4:2019, OWASP-AT-010	CWE-362
Broken Authentication	A2:2017, API2:2019	CWE-287, CWE-352
Cross Site Scripting (XSS)	A7:2017	CWE-79
Cryptographic Issues	A3:2017	CWE-326, CWE-327, CWE-328, CWE-950
Improper Input Validation	ASVS V5, API6:2019	CWE-20
Injection	A1:2017, API8:2019	CWE-74
Insecure Deserialization	A8:2017	CWE-502
Miscellaneous	-	-
Security Misconfiguration	A6:2017, A10:2017, API7:2019, API9:2019, API10:2019	CWE-209
Security through Obscurity	-	CWE-656
Sensitive Data Exposure	A3:2017, API3:2019, OTG-CONFIG-004	CWE-200, CWE-530, CWE-548
Unvalidated Redirects	A10:2013	CWE-601
Vulnerable Components	A9:2017	CWE-829
XML External Entities (XXE)	A4:2017	CWE-611

erez....@owasp.org

unread,

Jan 26, 2020, 8:38:40 AM1/26/20

to Bjoern Kimminich, API Security Project

Thanks Björn, this is great, and will help spread the word.

We are currently thinking about crAPI, and if it deserves its standalone project, or should we just piggyback another existing project.

Each approach has its good reasons. We will decide soon and open a “call for volunteers” for those who would like to join us.

Best,

Erez Yalon

OWASP API Security Project Co-Leader

OWASP Go-SCP Project Co-Leader

(Coming Soon) OWASP Software Composition Security Project Leader

Email: erez....@owasp.org

Mobile: +972505977720

Image result for owasp banner

--
You received this message because you are subscribed to the Google Groups "API Security Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-security-pro...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/api-security-project/b4a9260b-4cc5-42f8-80bf-7c3a8cba5627%40owasp.org.

image003.jpg

Nathan Aw

unread,

Jan 26, 2020, 11:20:28 PM1/26/20

to Erez Yalon, Bjoern Kimminich, API Security Project

Hi Erez, all,

I certainly like to volunteer to crAPI. Just my two cents worth -- crAPI should be a standalone project.

Nathan Aw

To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/api-security-project/000001d5d44d%24dffbf760%249ff3e620%24%40owasp.org.

erez....@owasp.org

unread,

Feb 2, 2020, 10:29:17 AM2/2/20

to Nathan Aw, API Security Project

Hi Nathan,

Thank you, and others who expressed their willingness to contribute to the project.

As soon as we gather our thoughts around crAPI, probably in about a month (after RSAC 2020), we will publish here a “call for contributors”.

Stay tuned…

Best,

Erez Yalon

OWASP API Security Project Co-Leader

OWASP Go-SCP Project Co-Leader

(Coming Soon) OWASP Software Composition Security Project Leader

Email: erez....@owasp.org

Mobile: +972505977720

Image result for owasp banner

image002.jpg

Divya Chawla

unread,

Feb 20, 2020, 1:47:06 AM2/20/20

to API Security Project

I think the Standalone project would be more worth, and it be helpful to map latest attack. Ready to colloborate in the project.

Message has been deleted

hehacks (hehacks)

unread,

Sep 6, 2023, 4:15:41 AM9/6/23

to API Security Project, Arun Saravanan, nathan...@gmail.com, Erez Yalon

Hi Erez,

One kind request, can you provide me access to delete my previous email, I thought its private, but my phone number and email ID got listed publicly from this google groups.

Please help me on this asap.

Thank you,

Regards,

Arun.S

On Thursday, February 20, 2020 at 12:58:38 PM UTC+5:30 Arun Saravanan wrote:

Hi Erez,

I would like to contribute to the OWASP API TOP 10 vulnerabilities mapping and crAPI project development.
Feel free to ping me anytime to discuss further.

Thanks,

Regards,

Arun.S [OSCP,eWPT,ECSA,CEH]
Senior Security Consultant,
Null / OWASP Bangalore Volunteer.

Email: arun.sa...@owasp.org
Mobile: +91-9600664505

To unsubscribe from this group and stop receiving emails from it, send an email to api-security-project+unsub...@owasp.org.

To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/api-security-project/b4a9260b-4cc5-42f8-80bf-7c3a8cba5627%40owasp.org.
--
You received this message because you are subscribed to the Google Groups "API Security Project" group.

To unsubscribe from this group and stop receiving emails from it, send an email to api-security-project+unsub...@owasp.org.

Reply all

Reply to author

Forward