OWASP API Security Top 10
What is OWASP API Security Top 10?
OWASP API Security Top 10
An OWASP awareness document that ranks the most critical security risks affecting web APIs, complementing the general OWASP Top 10 for web applications.
The OWASP API Security Top 10 is a community-driven list of the most critical risks specific to web APIs (REST, GraphQL, gRPC, and similar). The 2023 edition focuses on issues such as Broken Object Level Authorization (BOLA), Broken Authentication, Broken Object Property Level Authorization, Unrestricted Resource Consumption, Broken Function Level Authorization, Unrestricted Access to Sensitive Business Flows, Server Side Request Forgery, Security Misconfiguration, Improper Inventory Management, and Unsafe Consumption of APIs. It is widely used by API security gateway vendors, in pentest scoping, in developer training, and by regulators, because many of these issues are not well covered by the traditional web application Top 10 categories.
● Examples
- 01
An attacker exploiting API1:2023 BOLA by changing /orders/123 to /orders/124 to read another customer's order.
- 02
A security review that maps API gateway findings to OWASP API Top 10 IDs for executive reporting.
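The BOLA example above (changing /orders/123 to /orders/124) comes down to a handler that looks an object up by its id and never checks who is asking. The following is an added illustration, not code from the OWASP document: an in-memory order store with the vulnerable lookup beside its hardened form, plus a small detection heuristic that flags callers who probe many order ids that are not theirs. The `Order` type, the sample data, the log line format and the threshold are all constructed for this example.

```python
"""Added example: object-level authorization on a GET /orders/{id} lookup
(the pattern behind API1:2023 BOLA), plus a simple probing detector.
All data and formats below are constructed, not from any real system."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int  # the customer the order belongs to
    total: float


# Constructed sample data: two customers, three orders.
ORDERS = {
    123: Order(123, owner_id=1, total=42.00),
    124: Order(124, owner_id=2, total=99.50),
    125: Order(125, owner_id=1, total=7.25),
}


class NotFound(Exception):
    """Maps to an HTTP 404 in a real handler."""


def get_order_vulnerable(order_id: int, caller_id: int) -> Order:
    """BOLA: looks the order up by id only; caller identity is never consulted,
    so any authenticated user can read any order by changing the id."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def get_order_hardened(order_id: int, caller_id: int) -> Order:
    """Object-level authorization: the lookup is scoped to the caller.
    A missing order and someone else's order get the same 404-style answer,
    so the endpoint does not confirm which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != caller_id:
        raise NotFound(order_id)
    return order


# --- Detection side: spot sequential-id probing in access logs ---------------
# Constructed log format: "caller=<id> GET /orders/<order_id> <status>".
LOG_RE = re.compile(r"caller=(\d+) GET /orders/(\d+) (\d{3})")

SAMPLE_LOG = [  # constructed sample lines
    "caller=1 GET /orders/123 200",
    "caller=1 GET /orders/125 200",
    "caller=7 GET /orders/121 404",
    "caller=7 GET /orders/122 404",
    "caller=7 GET /orders/123 404",
    "caller=7 GET /orders/124 404",
    "caller=7 GET /orders/126 404",
]


def flag_id_probing(lines, threshold: int = 5) -> set:
    """Return callers that received a 404 for at least `threshold` distinct
    order ids. With the hardened handler, that many misses from one caller
    is a strong signal of object-id enumeration rather than ordinary use."""
    misses = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not order lookups
        caller, order_id, status = m.groups()
        if status == "404":
            misses[caller].add(order_id)
    return {caller for caller, ids in misses.items() if len(ids) >= threshold}


if __name__ == "__main__":
    # Customer 1 reading customer 2's order: leaks with the vulnerable handler.
    print("vulnerable:", get_order_vulnerable(124, caller_id=1))
    try:
        get_order_hardened(124, caller_id=1)
    except NotFound:
        print("hardened: order 124 not visible to caller 1")
    print("flagged callers:", flag_id_probing(SAMPLE_LOG))
```

The hardened handler deliberately answers "not found" rather than "forbidden" for an order that exists but belongs to someone else; returning a distinct 403 would let a caller confirm which ids are live. The detector counts distinct missed ids per caller rather than raw 404s, so a client retrying one bad id is not flagged.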
● Frequently asked questions
What is OWASP API Security Top 10?
An OWASP awareness document that ranks the most critical security risks affecting web APIs, complementing the general OWASP Top 10 for web applications. It belongs to the Compliance & Frameworks category of cybersecurity.
What does OWASP API Security Top 10 mean?
An OWASP awareness document that ranks the most critical security risks affecting web APIs, complementing the general OWASP Top 10 for web applications.
How does OWASP API Security Top 10 work?
The OWASP API Security Top 10 is a community-driven list of the most critical risks specific to web APIs (REST, GraphQL, gRPC, and similar). The 2023 edition focuses on issues such as Broken Object Level Authorization (BOLA), Broken Authentication, Broken Object Property Level Authorization, Unrestricted Resource Consumption, Broken Function Level Authorization, Unrestricted Access to Sensitive Business Flows, Server Side Request Forgery, Security Misconfiguration, Improper Inventory Management, and Unsafe Consumption of APIs. It is widely used by API security gateway vendors, in pentest scoping, in developer training, and by regulators, because many of these issues are not well covered by the traditional web application Top 10 categories.
How do you defend against OWASP API Security Top 10?
Defences for the OWASP API Security Top 10 typically combine technical controls and operational practices that address each of the risk categories listed in the definition above.
What are other names for OWASP API Security Top 10?
Common alternative names include: OWASP API Top 10, API Top 10.
● Related terms
- compliance№ 781
OWASP Top 10
An OWASP awareness document that lists the most critical security risks to web applications, updated periodically from real-world vulnerability data.
- compliance№ 775
OWASP ASVS
The OWASP Application Security Verification Standard, a catalogue of testable security requirements for designing, building, and verifying web applications and APIs.
- vulnerabilities№ 125
Broken Access Control
A class of vulnerabilities where authorization rules are missing or incorrectly enforced, letting users perform actions or reach data outside their privileges.
- appsec№ 052
API Security
The discipline of designing, building and operating application programming interfaces so that authentication, authorization, data exposure and abuse-resistance hold up under attack.
- compliance№ 204
Compliance
The discipline of meeting legal, regulatory, contractual, and internal security requirements through documented controls, evidence collection, and ongoing assessment.
● See also
- № 779 OWASP Mobile Top 10