chore(2023): Add missing sections

Author: PauloASilva

2023/en/src/0x00-header.md

@@ -0,0 +1,17 @@
+![OWASP LOGO](images/owasp-logo.png)
+
+## OWASP API Security Top 10 2019
+
+The Ten Most Critical API Security Risks
+
+May 29th, 2019
+
+![WASP Logo URL TBA](images/front-wasp.png)
+
+| | | |
+| - | - | - |
+| https://owasp.org | This work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License][1] | ![Creative Commons License Logo](images/front-cc.png) |
+
+[1]: http://creativecommons.org/licenses/by-sa/4.0/
+
+

2023/en/src/0x00-notice.md

@@ -0,0 +1,15 @@
+Notice
+======
+
+This is the text version of OWASP API Security Top 10, used as source for any
+official versions of this document such the web site.
+
+Contributions to the project such as comments, corrections, or translations
+should be done here. For details on [How To Contribute][1], please refer to
+[CONTRIBUTING.md][1].
+
+* Erez Yallon
+* Inon Shkedy
+* Paulo Silva
+
+[1]: ../../CONTRIBUTING.md

2023/en/src/0x00-toc.md

@@ -0,0 +1,24 @@
+Table of Contents
+=================
+
+* [Table of Contents](0x00-toc.md)
+* [About OWASP](0x01-about-owasp.md)
+* [Foreword](0x02-foreward.md)
+* [Introduction](0x03-introduction.md)
+* [Release Notes](0x04-release-notes.md)
+* [API Security Risks](0x10-api-security-risks.md)
+* [OWASP Top 10 API Security Risks – 2023](0x11-t10.md)
+* [API1:2023 Broken Object Level Authorization](0xa1-broken-object-level-authorization.md)
+* [API2:2023 Broken Authentication](0xa2-broken-authentication.md)
+* [API3:2023 Broken Object Property Level Authorization](0xa3-broken-object-property-level-authorization.md)
+* [API4:2023 Unrestricted Resource Consumption](0xa4-unrestricted-resource-consumption.md)
+* [API5:2023 Broken Function Level Authorization](0xa5-broken-function-level-authorization.md)
+* [API6:2023 Server Side Request Forgery](0xa6-server-side-request-forgery.md)
+* [API7:2023 Security Misconfiguration](0xa7-security-misconfiguration.md)
+* [API8:2023 Lack of Protection from Automated Threats](0xa8-lack-of-protection-from-automated-threats.md)
+* [API9:2023 Improper Inventory Management](0xa9-improper-inventory-management.md)
+* [API10:2023 Unsafe Consumption of APIs](0xaa-unsafe-consumption-of-apis.md)
+* [What's Next For Developers](0xb0-next-devs.md)
+* [What's Next For DevSecOps](0xb1-next-devsecops.md)
+* [Methodology and Data](0xd0-about-data.md)
+* [Acknowledgments](0xd1-acknowledgments.md)

2023/en/src/0x01-about-owasp.md

@@ -0,0 +1,60 @@
+About OWASP
+===========
+
+The Open Worldwide Application Security Project (OWASP) is an open community
+dedicated to enabling organizations to develop, purchase, and maintain
+applications and APIs that can be trusted.
+
+At OWASP, you'll find free and open:
+
+* Application security tools and standards.
+* Complete books on application security testing, secure code development, and
+  secure code review.
+* Presentations and [videos][1].
+* [Cheat sheets][2] on many common topics.
+* Standard security controls and libraries.
+* [Local chapters worldwide][3].
+* Cutting edge research.
+* Extensive [conferences worldwide][4].
+* [Mailing lists][5] ([archive][6]).
+
+Learn more at: [https://www.owasp.org][7].
+
+All OWASP tools, documents, videos, presentations, and chapters are free and
+open to anyone interested in improving application security.
+
+We advocate approaching application security as a people, process, and
+technology problem, because the most effective approaches to application
+security require improvements in these areas.
+
+OWASP is a new kind of organization. Our freedom from commercial pressures
+allows us to provide unbiased, practical, and cost-effective information about
+application security.
+
+OWASP is not affiliated with any technology company, although we support the
+informed use of commercial security technology. OWASP produces many types of
+materials in a collaborative, transparent, and open way.
+
+The OWASP Foundation is the non-profit entity that ensures the project's
+long-term success. Almost everyone associated with OWASP is a volunteer,
+including the OWASP board, chapter leaders, project leaders, and project
+members. We support innovative security research with grants and infrastructure.
+
+Come join us!
+
+## Copyright and License
+
+![license](images/license.png)
+
+Copyright © 2003-2023 The OWASP Foundation. This document is released under the
+[Creative Commons Attribution Share-Alike 4.0 license][8]. For any reuse or
+distribution, you must make it clear to others the license terms of this work.
+
+[1]: https://www.youtube.com/user/OWASPGLOBAL
+[2]: https://cheatsheetseries.owasp.org/
+[3]: https://owasp.org/chapters/
+[4]: https://owasp.org/events/
+[5]: https://groups.google.com/a/owasp.org/forum/#!overview
+[6]: https://lists.owasp.org/mailman/listinfo
+[7]: https://www.owasp.org
+[8]: http://creativecommons.org/licenses/by-sa/4.0/

2023/en/src/0x02-foreword.md

@@ -0,0 +1,44 @@
+Foreword
+========
+
+A foundational element of innovation in today's app-driven world is the
+Application Programming Interface (API). From banks, retail, and transportation
+to IoT, autonomous vehicles, and smart cities, APIs are a critical part of
+modern mobile, SaaS, and web applications and can be found in customer-facing,
+partner-facing, and internal applications.
+
+By nature, APIs expose application logic and sensitive data such as Personally
+Identifiable Information (PII) and because of this, APIs have increasingly
+become a target for attackers. Without secure APIs, rapid innovation would be
+impossible.
+
+Although a broader web application security risks Top 10 still makes sense, due
+to their particular nature, an API-specific security risks list is required.
+API security focuses on strategies and solutions to understand and mitigate the
+unique vulnerabilities and security risks associated with APIs.
+
+If you're familiar with the [OWASP Top 10 Project][1], then you'll notice the
+similarities between both documents: they are intended for readability and
+adoption. If you're new to the OWASP Top 10 series, you may be better off
+reading the [API Security Risks][2] and [Methodology and Data][3] sections
+before jumping into the Top 10 list.
+
+You can contribute to OWASP API Security Top 10 with your questions, comments,
+and ideas at our GitHub project repository:
+
+* https://owasp.org/www-project-api-security/
+* https://github.com/OWASP/API-Security/blob/master/CONTRIBUTING.md
+
+You can find the OWASP API Security Top 10 here:
+
+* https://owasp.org/www-project-api-security/
+* https://github.com/OWASP/API-Security
+
+We wish to thank all the contributors who made this project possible with their
+effort and contributions. They are all listed in the [Acknowledgments
+section][4]. Thank you!
+
+[1]: https://owasp.org/www-project-top-ten/
+[2]: ./0x10-api-security-risks.md
+[3]: ./0xd0-about-data.md
+[4]: ./0xd1-acknowledgments.md

2023/en/src/0x03-introduction.md

@@ -0,0 +1,62 @@
+Introduction
+============
+
+## Welcome to the OWASP API Security Top 10 - 2023!
+
+Welcome to the second edition of the OWASP API Security Top 10!
+
+This awareness document was first published back in 2019. Since then, the API
+Security industry has flourished and become more mature. We strongly believe
+this work has positively contributed to it, due to it being quickly adopted as
+an industry reference.
+
+APIs play a very important role in modern application architecture. But since
+innovation has a different pace than creating security awareness, we believe
+it's important to focus on creating awareness for common API security
+weaknesses.
+
+The primary goal of the OWASP API Security Top 10 is to educate those involved
+in API development and maintenance, for example, developers, designers,
+architects, managers, or organizations. You can know more about the API Security
+Project visiting [the project page][1].
+
+If you're not familiar with the OWASP top 10 series, we recommend checking at
+least the following top 10 projects:
+
+* [OWASP Cloud-Native Application Security Top 10][2]
+* [OWASP Desktop App Security Top 10][3]
+* [OWASP Docker Top 10][4]
+* [OWASP Low-Code/No-Code Top 10][5]
+* [OWASP Machine Learning Security Top Ten][6]
+* [OWASP Mobile Top 10][7]
+* [OWASP TOP 10][8]
+* [OWASP Top 10 CI/CD Security Risks][9]
+* [OWASP Top 10 Client-Side Security Risks][10]
+* [OWASP Top 10 Privacy Risks][11]
+* [OWASP Serverless Top 10][12]
+
+None of the projects replaces another: if you're working on a mobile application
+powered by a back-end API, you're better off reading both the corresponding top
+10's. The same is valid if you're working on a web or desktop application
+powered by APIs.
+
+In the [Methodology and Data][13] section, you can read more about how this
+edition was created. For now, we encourage everyone to contribute with
+questions, comments, and ideas at our [GitHub repository][14] or
+[Mailing list][15].
+
+[1]: https://owasp.org/www-project-api-security/
+[2]: https://owasp.org/www-project-cloud-native-application-security-top-10/
+[3]: https://owasp.org/www-project-desktop-app-security-top-10/
+[4]: https://owasp.org/www-project-docker-top-10/
+[5]: https://owasp.org/www-project-top-10-low-code-no-code-security-risks/
+[6]: https://owasp.org/www-project-machine-learning-security-top-10/
+[7]: https://owasp.org/www-project-mobile-top-10/
+[8]: https://owasp.org/www-project-top-ten/
+[9]: https://owasp.org/www-project-top-10-ci-cd-security-risks/
+[10]: https://owasp.org/www-project-top-10-client-side-security-risks/
+[11]: https://owasp.org/www-project-top-10-privacy-risks/
+[12]: https://owasp.org/www-project-serverless-top-10/
+[13]: ./0xd0-about-data.md
+[14]: https://github.com/OWASP/API-Security
+[15]: https://groups.google.com/a/owasp.org/forum/#!forum/api-security-project

2023/en/src/0x04-release-notes.md

@@ -0,0 +1,48 @@
+Release Notes
+=============
+
+This is the second edition of the OWASP API Security Top 10 edition, exactly
+four years after its first release. A lot has changed in the API (security)
+scene. API traffic increased at a fast pace, some API protocols gained a lot
+more traction, many new API security vendors/solutions have popped up, and, of
+course, attackers have developed new skills and techniques to compromise
+APIs. It was about time to get the list of the ten most critical API security
+risks updated.
+
+With a more mature API security industry, for the first time, there was [a
+public call for data][1]. Unfortunately, no data was contributed, but based on
+the project's team experience, careful API security specialist review, and
+community feedback on the release candidate, we built this new list. In the
+[Methodology and Data section][2], you'll find more details about how this
+version was built. For more details about the security risks please refer to the
+[API Security Risks section][3].
+
+The OWASP API Security Top 10 2023 is a forward-looking awareness document for
+a fast pace industry. It does not replace other TOP 10's. In this edition:
+
+* We've combined Excessive Data Exposure and Mass Assignment focusing on the
+  common root cause: object property level authorization validation failures.
+* We've put more emphasis on resource consumption, over focusing on the pace
+  they are exhausted.
+* We've created a new category "Lack of Protection from Automated Threats" to
+  address new threats, including most of those that can be mitigated using rate
+  limiting.
+* We added "Unsafe Consumption of APIs" to address something we've started
+  seeing: attackers have started looking for a target's integrated services to
+  compromise those, instead of hitting the APIs of their target directly. This
+  is the right time to start creating awareness about this increasing risk.
+
+APIs play an increasingly important role in modern microservices architecture,
+Single Page Applications (SPAs), mobile apps, IoT, etc. The OWASP API Security
+Top 10 is a required effort to create awareness about modern API security
+issues.
+
+This update was only possible due to the great effort of several volunteers,
+listed in the [Acknowledgments][4] section.
+
+Thank you!
+
+[1]: https://owasp.org/www-project-api-security/announcements/cfd/2022/
+[2]: ./0xd0-about-data.md
+[3]: ./0x10-api-security-risks.md
+[4]: ./0xd1-acknowledgments.md

2023/en/src/0x10-api-security-risks.md

@@ -0,0 +1,48 @@
+API Security Risks
+==================
+
+The [OWASP Risk Rating Methodology][1] was used to do the risk analysis.
+
+The table below summarizes the terminology associated with the risk score.
+
+| Threat Agents | Exploitability | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impacts |
+| :-: | :-: | :-: | :-: | :-: | :-: |
+| API Specific | Easy: **3** | Widespread **3** | Easy **3** | Severe **3** | Business Specific |
+| API Specific | Average: **2** | Common **2** | Average **2** | Moderate **2** | Business Specific |
+| API Specific | Difficult: **1** | Difficult **1** | Difficult **1** | Minor **1** | Business Specific |
+
+**Note**: This approach does not take the likelihood of the threat agent into
+account. Nor does it account for any of the various technical details associated
+with your particular application. Any of these factors could significantly
+affect the overall likelihood of an attacker finding and exploiting a particular
+vulnerability. This rating does not take into account the actual impact on your
+business. Your organization will have to decide how much security risk from
+applications and APIs the organization is willing to accept given your culture,
+industry, and regulatory environment. The purpose of the OWASP API Security Top
+10 is not to do this risk analysis for you. Since this edition is not
+data-driven, prevalence results from a consensus among the team members.
+
+## References
+
+### OWASP
+
+* [OWASP Risk Rating Methodology][1]
+* [Article on Threat/Risk Modeling][2]
+
+### External
+
+* [ISO 31000: Risk Management Std][3]
+* [ISO 27001: ISMS][4]
+* [NIST Cyber Framework (US)][5]
+* [ASD Strategic Mitigations (AU)][6]
+* [NIST CVSS 3.0][7]
+* [Microsoft Threat Modeling Tool][8]
+
+[1]: https://owasp.org/www-project-risk-assessment-framework/
+[2]: https://owasp.org/www-community/Threat_Modeling
+[3]: https://www.iso.org/iso-31000-risk-management.html
+[4]: https://www.iso.org/isoiec-27001-information-security.html
+[5]: https://www.nist.gov/cyberframework
+[6]: https://www.asd.gov.au/infosec/mitigationstrategies.htm
+[7]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
+[8]: https://www.microsoft.com/en-us/download/details.aspx?id=49168

2023/en/src/0x11-t10.md

@@ -0,0 +1,19 @@
+OWASP Top 10 API Security Risks – 2023
+======================================
+
+| Risk | Description |
+| ---- | ----------- |
+| API1:2023 - Broken Object Level Authorization | APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of Object Level Access Control issues. Object level authorization checks should be considered in every function that accesses a data source using an ID from the user. |
+| API2:2023 - Broken Authentication | Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user's identities temporarily or permanently. Compromising a system's ability to identify the client/user, compromises API security overall. |
+| API3:2023 - Broken Object Property Level Authorization | This category combines [API3:2019 Excessive Data Exposure][1] and [API6:2019 - Mass Assignment][2], focusing on the root cause: the lack of or improper authorization validation at the object property level. This leads to information exposure or manipulation by unauthorized parties. |
+| API4:2023 - Unrestricted Resource Consumption | Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Other resources such as emails/SMS/phone calls or biometrics validation are made available by service providers via API integrations, and paid for per request. Successful attacks can lead to Denial of Service or an increase of operational costs. |
+| API5:2023 - Broken Function Level Authorization | Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers can gain access to other users’ resources and/or administrative functions. |
+| API6:2023 - Server Side Request Forgery | Server-Side Request Forgery (SSRF) flaws can occur when an API is fetching a remote resource without validating the user-supplied URI. This enables an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall or a VPN. |
+| API7:2023 - Security Misconfiguration | APIs and the systems supporting them typically contain complex configurations, meant to make the APIs more customizable. Software and DevOps engineers can miss these configurations, or don't follow security best practices when it comes to configuration, opening the door for different types of attacks.  |
+| API8:2023 - Lack of Protection from Automated Threats | APIs vulnerable to this risk expose a business flow - such as buying a ticket, or posting a comment - without compensating for how the functionality could harm the business if used excessively in an automated manner. This doesn't necessarily come from implementation bugs. |
+| API9:2023 - Improper Inventory Management | APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. A proper inventory of hosts and deployed API versions also are important to mitigate issues such as deprecated API versions and exposed debug endpoints. |
+| API10:2023 - Unsafe Consumption of APIs | Developers tend to trust data received from third-party APIs more than user input, and so tend to adopt weaker security standards. In order to compromise APIs, attackers go after integrated third-party services instead of trying to compromise the target API directly. |
+
+[1]: https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa3-excessive-data-exposure.md
+[2]: https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md
+[3]: https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md