OWASP API Security Top 10 and Beyond!

This 90 minute course provides a deep-dive into the 2023 edition of the OWASP API Security Top 10 - and covers key concepts that didn’t make it into the Top 10.

Enroll Now

Course Topics

Introduction to the OWASP API Security Top 10

Learn about the OWASP organization, the history behind the API Security Top 10, and what’s changed between 2019 and 2023.

API1:2023 - Broken Object Level Authorization

BOLA is still the leading vulnerability that plagues APIs. When data objects do not have sufficient access controls in place, resources can be accessed by unauthorized users.

API2:2023 - Broken Authentication

Broken Authentication contains all vulnerabilities associated with authentication. This section includes weak passwords, JSON Web Token (JWT) misconfigurations, and insecure lockout mechanisms.

API3:2023 - Broken Object Property Level Authorization

BOPLA is the combination of Excessive Data Exposure and Mass Assignment. An application should have sufficient access controls to prevent a user from altering sensitive data object properties.

API4:2023 - Unrestricted Resource Consumption

APIs have technical and financial costs per request. If an API does not have sufficient controls in place then there will be a negative impact on the API provider.

API5:2023 - Broken Function Level Authorization

This vulnerability is present if there are insufficient access controls in place between different user groups to perform sensitive actions.

API6:2023 - Unrestricted Access to Sensitive Business Flows

Unrestricted Access to Sensitive Business Flows represents the risk of an attacker being able to identify and exploit API-driven workflows.

API7:2023 - Server Side Request Forgery

Server Side Request Forgery is a vulnerability that takes place when a user is able to control the remote resources retrieved by an application.

API8:2023 - Security Misconfiguration

Security Misconfiguration represents a catch-all for many vulnerabilities related to the systems that host APIs.

API9:2023 - Improper Inventory Management

Improper Inventory Management represents the risks involved with exposing non-production and unsupported API versions.

API10:2023 - Unsafe Consumption of APIs

Unsafe Consumption of APIs is the only item on the top ten list that focuses less on the risks of being an API provider and more on the API consumer.

Beyond the Top 10

This module examines key threats outside the Top 10, including, injections, file upload vulnerabilities, business logic vulnerabilities, and logging and monitoring.

Photo of Corey Ball

Corey Ball

Chief Hacking Officer, APIsec University

You can design an API you think is ultra-secure, but if you don't test it, then a cybercriminal somewhere is going to do it for you."


Meet the Instructor
Corey Ball

Corey Ball has emerged as one of the leading experts in API security and is the author of Hacking APIs. Corey is a cybersecurity consulting manager at Moss Adams, where he leads its penetration testing services. He has over ten years of experience working in IT and cybersecurity across several industries, including aerospace, agribusiness, energy, financial tech, government services, and healthcare.

Enroll Now

Earn your APIsec University Certificate

  • Complete the entire course and pass all the quizzes to earn the OWASP API Security Top 10 badge.

  • Demonstrate your API security expertise and take the Certified API Security Analyst exams.