OWASP Top Ten API Vulnerabilities

The current version of the OWASP API Security Top 10 is the 2023 edition. The list below follows the 2023 release candidate; in the final release the category "Lack of Protection from Automated Threats" was renamed "Unrestricted Access to Sensitive Business Flows" and moved to position 6, pushing Server Side Request Forgery and Security Misconfiguration down to positions 7 and 8. The release candidate lists the following vulnerabilities:

  1. Broken Object Level Authorization: looking up an object by a client-supplied identifier without checking that the authenticated user is allowed to access that particular object, so changing the id in the request returns or modifies someone else's data
  2. Broken Authentication: failures in the mechanisms that prove who the caller is, such as weak token validation or password reset flows that can be abused
  3. Broken Object Property Level Authorization: exposing properties of an object the user should not read, or accepting writes to properties the user should not change, typically because the whole object is serialised to or from the request
  4. Unrestricted Resource Consumption: failing to set limits on API calls, such as number of calls per minute, payload size, memory or CPU usage, or calls to paid downstream services, so a single client can exhaust resources or run up cost
  5. Broken Function Level Authorization: failing to enforce which roles may call which functions, for example a regular user reaching an admin-only endpoint, or an endpoint that checks authorization for GET but not for POST or DELETE on the same path
  6. Server Side Request Forgery: fetching a URL supplied by the client (for example a webhook or image URL) without validating it, so an attacker can make the server send requests to internal services it can reach
  7. Security Misconfiguration: improperly configured permissions or insecure defaults, such as exposing an S3 bucket to the public
  8. Lack of Protection from Automated Threats: business flows that cause harm when driven by scripts, for example a bot placing pre-orders for a limited hardware device faster than real customers can, thus creating havoc for the business
  9. Improper Inventory Management: not knowing which API versions and hosts are exposed, so that older, unpatched versions of the API or other paths to the same resources remain reachable
  10. Unsafe Consumption of APIs: trusting data received from external APIs, thus opening up to exploits through those APIs. Data coming from 3rd party APIs should be seen as input data and treated with the same level of care (validation, sanitisation, size limits) as data from end users.
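Items 1, 3 and 5 are the authorization failures that are most specific to APIs, and they are easiest to see side by side. The following is an added example, not code from OWASP or from this page's author: a tiny in-memory "orders" API in Python with the vulnerable handler next to its hardened form for object level (API1), object property level (API3) and function level (API5) authorization. The users, roles, order records and the READABLE/WRITABLE property tables are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: int
    role: str  # assumed roles: "customer" or "admin"


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def sample_store():
    # Constructed sample data: two customers' orders keyed by order id.
    return {
        101: {"id": 101, "owner_id": 1, "total": 42.0, "status": "pending",
              "shipping_address": "1 Main St", "internal_note": "fraud check pending"},
        102: {"id": 102, "owner_id": 2, "total": 9.99, "status": "paid",
              "shipping_address": "2 High St", "internal_note": ""},
    }


# Property level policy (assumed): customers see their own orders but never the
# internal note, and may change only the shipping address; status and total are
# set by payment processing, never by the client.
READABLE = {"customer": {"id", "total", "status", "shipping_address"},
            "admin": {"id", "owner_id", "total", "status", "shipping_address", "internal_note"}}
WRITABLE = {"customer": {"shipping_address"},
            "admin": {"status", "shipping_address", "internal_note"}}


# ---- API1 and API3: vulnerable handlers ----
def get_order_vulnerable(store, user, order_id):
    # Looks the object up by the client-supplied id alone: any logged-in user can
    # read anyone's order by guessing ids, and the whole record, internal_note
    # included, is serialised straight back.
    return store[order_id]


def update_order_vulnerable(store, user, order_id, payload):
    # Mass assignment: every JSON key is copied onto the object, so the client can
    # set "status": "paid" or "total": 0.01 on an order it does not even own.
    store[order_id].update(payload)
    return store[order_id]


def delete_order_vulnerable(store, user, order_id):
    # Authentication alone is not authorization: any logged-in user may call this.
    del store[order_id]
    return True


# ---- hardened handlers ----
def _load_owned(store, user, order_id):
    order = store.get(order_id)
    # Treat "exists but not yours" exactly like "does not exist", so a 403 versus
    # 404 difference cannot be used to enumerate valid ids.
    if order is None or (user.role != "admin" and order["owner_id"] != user.id):
        raise NotFound(order_id)
    return order


def _redact(order, user):
    # Serialise only the properties this role may read (API3, read side).
    return {k: v for k, v in order.items() if k in READABLE[user.role]}


def get_order_fixed(store, user, order_id):
    return _redact(_load_owned(store, user, order_id), user)


def update_order_fixed(store, user, order_id, payload):
    order = _load_owned(store, user, order_id)           # API1 check first
    disallowed = set(payload) - WRITABLE[user.role]      # API3, write side
    if disallowed:
        # Reject rather than silently drop, so a misbehaving client is noticed.
        raise Forbidden(sorted(disallowed))
    order.update(payload)
    return _redact(order, user)


# ---- API5: an admin-only function ----
def delete_order_fixed(store, user, order_id):
    # The role check belongs in the handler, not in "the UI never shows the
    # button": a customer who discovers the endpoint must still be refused.
    if user.role != "admin":
        raise Forbidden("delete requires admin")
    if order_id not in store:
        raise NotFound(order_id)
    del store[order_id]
    return True


def raises(exc_type, fn, *args):
    """True if fn(*args) raises exc_type; lets the checks below stay one-liners."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False
```

The hardened handlers make the three checks explicit and in a fixed order: first the object must belong to the caller (or the caller must be an admin), then the request may only touch properties the caller's role is allowed to write, and the response is filtered to the properties the role may read. Returning NotFound for foreign objects rather than Forbidden is a deliberate choice so that a valid id cannot be distinguished from an invalid one.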