OWASP API Security Top 10 and Beyond!
Introduction to the OWASP API Security Top 10
Learn about the OWASP organization, the history behind the API Security Top 10, and what’s changed between 2019 and 2023.
API1:2023 - Broken Object Level Authorization
BOLA is still the leading vulnerability that plagues APIs. When data objects do not have sufficient access controls in place, resources can be accessed by unauthorized users.
API2:2023 - Broken Authentication
Broken Authentication contains all vulnerabilities associated with authentication. This section includes weak passwords, JSON Web Token (JWT) misconfigurations, and insecure lockout mechanisms.
API3:2023 - Broken Object Property Level Authorization
BOPLA is the combination of Excessive Data Exposure and Mass Assignment. An application should have sufficient access controls to prevent a user from altering sensitive data object properties.
API4:2023 - Unrestricted Resource Consumption
APIs have technical and financial costs per request. If an API does not have sufficient controls in place, then there will be a negative impact on the API provider.
API5:2023 - Broken Function Level Authorization
This vulnerability is present when there are insufficient access controls between different user groups for performing sensitive actions.
API6:2023 - Unrestricted Access to Sensitive Business Flows
Unrestricted Access to Sensitive Business Flows represents the risk of an attacker being able to identify and exploit API-driven workflows.
API7:2023 - Server Side Request Forgery
Server Side Request Forgery is a vulnerability that occurs when a user is able to control the remote resources retrieved by an application.
API8:2023 - Security Misconfiguration
Security Misconfiguration represents a catch-all for many vulnerabilities related to the systems that host APIs.
API9:2023 - Improper Inventory Management
Improper Inventory Management represents the risks involved with exposing non-production and unsupported API versions.
API10:2023 - Unsafe Consumption of APIs
Unsafe Consumption of APIs is the only item on the top ten list that focuses less on the risks of being an API provider and more on the API consumer.
Beyond the Top 10
This module examines key threats outside the Top 10, including injections, file upload vulnerabilities, business logic vulnerabilities, and logging and monitoring.