OWASP API Security Top 10

APIs are a key part of modern application architecture. That’s why it’s crucial to highlight common API security risks and how to mitigate them. The Open Web Application Security Project (OWASP) has identified and addressed the most critical security risks to APIs. The OWASP API Security Top 10 is designed to educate everyone involved in API development.

By going through these lessons, you'll learn about the risks associated with APIs, their potential consequences, and the best practices to mitigate them. Whether you're a developer or a security professional, understanding these concepts is crucial for securely and responsibly deploying APIs in the real world.

Broken object level authorization

APIs often expose endpoints that handle object identifiers, making them a common target for access control issues. If authorization checks aren’t properly enforced at the object level, attackers can manipulate IDs to access or modify data they shouldn’t have.

Broken authentication

Weak or incorrectly implemented authentication mechanisms allow attackers to hijack user sessions, steal authentication tokens, or assume other users' identities. Once authentication is compromised, the entire API’s security is at risk.

Broken object property level authorization

This vulnerability occurs when APIs fail to enforce authorization at the property level within objects, leading to excessive data exposure or unauthorized data manipulation. Attackers can exploit this to access or modify sensitive fields that should be restricted.
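An added illustration of the object-level and property-level checks the two lessons above describe (editor's example, not code from the lesson page): a vulnerable handler next to its hardened form for each. The in-memory `sample_store`, the invoice fields, and the `(status, body)` return convention are constructed for this example.

```python
def sample_store():
    """Constructed sample data (not real records): two invoices owned by different users."""
    return {
        1: {"owner": "alice", "memo": "Q1 consulting", "amount": 100, "paid": False},
        2: {"owner": "bob", "memo": "Q1 hosting", "amount": 250, "paid": False},
    }

READABLE = {"memo", "amount", "paid"}  # fields the owner may see; "owner" stays internal
WRITABLE = {"memo"}                     # fields the owner may change; "paid"/"amount" are server-controlled


def get_invoice_vulnerable(store, user, invoice_id):
    """BOLA: the client-supplied id is used directly, so any user can read any invoice."""
    inv = store.get(invoice_id)
    return (404, None) if inv is None else (200, dict(inv))


def get_invoice(store, user, invoice_id):
    """Fixed: the object must belong to the caller before anything is returned."""
    inv = store.get(invoice_id)
    if inv is None or inv["owner"] != user:
        # Same response for "missing" and "not yours", so ids cannot be enumerated via 403 vs 404.
        return (404, None)
    return (200, {k: inv[k] for k in READABLE})  # filtered view: no excessive data exposure


def update_invoice_vulnerable(store, user, invoice_id, payload):
    """BOPLA (mass assignment): every client-supplied key is written to the object."""
    inv = store.get(invoice_id)
    if inv is None:
        return (404, None)
    inv.update(payload)  # client can set "paid": True or reassign "owner"
    return (200, dict(inv))


def update_invoice(store, user, invoice_id, payload):
    """Fixed: object-level check first, then an allow-list of writable properties."""
    status, _ = get_invoice(store, user, invoice_id)
    if status != 200:
        return (status, None)
    rejected = set(payload) - WRITABLE
    if rejected:
        return (400, {"error": "fields not writable", "fields": sorted(rejected)})
    store[invoice_id].update(payload)
    return (200, {k: store[invoice_id][k] for k in READABLE})
```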

Unrestricted resource consumption

APIs consume resources like CPU, memory, bandwidth, and third-party services (e.g., SMS or email). If there are no limits in place, attackers can abuse API endpoints to cause Denial of Service (DoS) or drive up operational costs.

Broken function level authorization

When APIs have unclear or overly complex access control rules, attackers may exploit authorization gaps to access restricted functions. This can lead to privilege escalation, allowing unauthorized access to sensitive actions or administrative controls.

Unrestricted access to sensitive business flows

Some APIs expose business-critical actions—like making purchases or submitting posts—without safeguards against excessive automated use. Attackers can exploit these flows to cause financial loss, spam, or other business disruptions.

Server side request forgery

SSRF occurs when an API fetches remote resources based on user input without proper validation. Attackers can exploit this to make the server send requests to unintended locations, even bypassing firewalls or internal network restrictions.

Security misconfiguration

APIs often have complex settings, and misconfigurations—like exposed debug endpoints, overly permissive CORS policies, or missing security headers—can leave them vulnerable. Poor configuration management can open the door to various attacks.

Improper inventory management

APIs expose numerous endpoints, making proper documentation and version control critical. Failing to track active API versions, exposed hosts, and deprecated endpoints can lead to security gaps, including the unintended exposure of outdated or vulnerable APIs.

Unsafe consumption of APIs

Developers often trust third-party APIs more than user input, leading to weaker security checks. Attackers take advantage of this by compromising third-party services to manipulate API responses, leading to security breaches in the consuming application.