OWASP API Security Top 10
The Open Web Application Security Project (OWASP) maintains a standard awareness document for the most critical security risks to web applications. Recognizing the unique threats APIs face, they released a dedicated API Security Top 10. Understanding these vulnerabilities is crucial for any API developer. Below is a summary of the key risks (based on the 2023 release).
1. Broken Object Level Authorization (BOLA)
The Problem: Often called IDOR (Insecure Direct Object Reference). It happens when an API exposes a reference to an object (like an id in the URL) and doesn't check whether the authenticated user actually has permission to access that specific ID.
Example: User A (id: 100) changes the URL from /orders/100 to /orders/101 and can see User B's order.
Fix: Always check: if (order.owner_id != currentUser.id) return 403;
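The ownership check from the fix above, as an added example that is not part of the original page: a vulnerable and a fixed version of an "orders" handler side by side. The User/Order records and the in-memory ORDERS table are constructed sample data; the handlers return (status, body) pairs instead of using a real web framework.

```python
# Added example (not from the page): object-level authorization on GET /orders/{id}.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int


@dataclass(frozen=True)
class Order:
    id: int
    owner_id: int
    total: float


# Constructed sample data: order 100 belongs to user 100, order 101 to user 101.
ORDERS = {
    100: Order(id=100, owner_id=100, total=42.0),
    101: Order(id=101, owner_id=101, total=99.0),
}


def get_order_vulnerable(current_user: User, order_id: int) -> tuple[int, dict]:
    """BOLA: the caller is authenticated, but nobody checks who owns the order."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    return 200, {"id": order.id, "total": order.total}


def get_order_fixed(current_user: User, order_id: int) -> tuple[int, dict]:
    """Look the object up, then verify the caller owns it before returning anything."""
    order = ORDERS.get(order_id)
    # The same response for "does not exist" and "not yours" keeps the caller
    # from enumerating which IDs exist; returning 403 (as in the text) is also common.
    if order is None or order.owner_id != current_user.id:
        return 404, {"error": "not found"}
    return 200, {"id": order.id, "total": order.total}
```

The check belongs next to the lookup in every handler that takes an object id (orders, invoices, attachments, ...), not only in the one the UI links to.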
2. Broken Authentication
The Problem: Mechanisms to verify user identity are weak.
Examples: Allowing weak passwords, not having rate limiting on login (brute force), sending tokens in URLs, or valid tokens remaining active after logout.
Fix: Use standard OIDC flows, enforce strong passwords, implement MFA (Multi-Factor Authentication).
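To make the examples concrete, here is an added login service (not code from the page) covering three of the weaknesses listed: a minimum password length, a lockout after repeated failures, and bearer tokens that are revoked server-side on logout rather than living on after it. The user store, session store and clock are in-memory stand-ins; PBKDF2 is used only because it is in the standard library.

```python
# Added example (not from the page): failed-attempt lockout and server-side token revocation.
from __future__ import annotations
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 5              # lock the account after this many bad passwords
LOCKOUT_SECONDS = 15 * 60
MIN_PASSWORD_LEN = 12
PBKDF2_ROUNDS = 100_000       # stdlib option; argon2id or bcrypt are preferred where available


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthService:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users: dict[str, tuple[bytes, bytes]] = {}      # username -> (salt, hash)
        self._failures: dict[str, tuple[int, float]] = {}     # username -> (count, locked_until)
        self._sessions: dict[str, str] = {}                   # token -> username

    def register(self, username: str, password: str) -> None:
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> str | None:
        """Returns a bearer token on success, None on failure or lockout."""
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return None                      # locked: refuse without checking the password
        record = self._users.get(username)
        # Hash even for unknown usernames so response time does not reveal which exist.
        salt, stored = record if record is not None else (b"\x00" * 16, b"")
        candidate = _hash_password(password, salt)
        if record is None or not hmac.compare_digest(candidate, stored):
            count += 1
            locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
            self._failures[username] = (count, locked_until)
            return None
        self._failures.pop(username, None)
        token = secrets.token_urlsafe(32)    # sent in the Authorization header, never in a URL
        self._sessions[token] = username
        return token

    def logout(self, token: str) -> None:
        """Revoke on the server; deleting the cookie client-side is not enough."""
        self._sessions.pop(token, None)

    def user_for(self, token: str) -> str | None:
        return self._sessions.get(token)
```

The per-account lockout is deliberately separate from the general per-client rate limit of item 4: an attacker rotating source addresses still hits the account counter.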
3. Broken Object Property Level Authorization
The Problem: An API endpoint exposes more data fields than the client needs (Excessive Data Exposure) or allows the client to update fields they shouldn't (Mass Assignment).
Example: An endpoint returns the full User object including password_hash and is_admin, even if the UI only needs username. Or, a PUT /profile allows a user to send {"is_admin": true} and the code unknowingly saves it.
Fix: Return only the necessary fields (Response DTOs), and whitelist the input fields a client is allowed to update.
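Both halves of the fix, as an added example that is not code from the page: a response DTO that copies an allowlist of fields out of the stored record, and a profile update that rejects any field outside the editable allowlist (the is_admin case from the example). The USER_ROW record and the field lists are constructed for illustration.

```python
# Added example (not from the page): response DTO plus input allowlist against mass assignment.
from __future__ import annotations

# Constructed sample record as it might come back from the database.
USER_ROW = {
    "id": 7,
    "username": "alice",
    "email": "alice@example.com",
    "password_hash": "<hash placeholder>",
    "is_admin": False,
}

PUBLIC_PROFILE_FIELDS = ("id", "username")      # what the UI actually needs
SELF_EDITABLE_FIELDS = {"username", "email"}    # what a user may change about themselves


def to_profile_dto(row: dict) -> dict:
    """Response DTO: copy only allowlisted fields, never serialise the whole row."""
    return {key: row[key] for key in PUBLIC_PROFILE_FIELDS}


def update_profile_vulnerable(row: dict, payload: dict) -> dict:
    """Mass assignment: whatever the client sends is written straight onto the record."""
    updated = dict(row)
    updated.update(payload)
    return updated


def update_profile_fixed(row: dict, payload: dict) -> tuple[int, dict]:
    """Reject (rather than silently drop) any field outside the editable allowlist."""
    unknown = set(payload) - SELF_EDITABLE_FIELDS
    if unknown:
        return 400, {"error": f"fields not editable: {sorted(unknown)}"}
    updated = dict(row)
    updated.update(payload)
    return 200, to_profile_dto(updated)
```

Rejecting unknown fields with a 400 rather than ignoring them makes abuse visible in logs and catches honest client bugs early.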
4. Unrestricted Resource Consumption
The Problem: The API doesn't limit the resources a client can use, leading to Denial of Service (DoS).
Examples: Missing rate limits, allowing huge page sizes in pagination, or complex GraphQL queries that lock up the database.
Fix: Implement Rate Limiting (e.g., 60 req/min), limit payload sizes, and set timeout limits.
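An added example (not code from the page) of the three limits named in the fix: a per-client token-bucket limiter (rate=1.0 with capacity=60 gives the 60 req/min figure), a cap on the requested page size, and a cap on request body size. The list_items handler and the sample limits are constructed for illustration; the clock is injectable so the behaviour can be tested without sleeping.

```python
# Added example (not from the page): token-bucket rate limit, page-size clamp, body-size cap.
from __future__ import annotations
import time

MAX_PAGE_SIZE = 100
DEFAULT_PAGE_SIZE = 20
MAX_BODY_BYTES = 64 * 1024


class TokenBucket:
    """Per-client limiter: `rate` tokens per second, bursts of up to `capacity`."""

    def __init__(self, rate: float, capacity: int, clock=time.monotonic):
        self.rate, self.capacity, self._clock = rate, capacity, clock
        self._state: dict[str, tuple[float, float]] = {}   # client -> (tokens, last_ts)

    def allow(self, client_id: str) -> bool:
        now = self._clock()
        tokens, last = self._state.get(client_id, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)   # refill
        if tokens < 1.0:
            self._state[client_id] = (tokens, now)
            return False
        self._state[client_id] = (tokens - 1.0, now)
        return True


def clamp_page_size(requested: int | None) -> int:
    """Never trust the client's page size: missing or nonsense values get the default."""
    if requested is None or requested < 1:
        return DEFAULT_PAGE_SIZE
    return min(requested, MAX_PAGE_SIZE)


def list_items(client_id: str, limiter: TokenBucket, page_size: int | None,
               body_len: int = 0) -> tuple[int, dict]:
    if not limiter.allow(client_id):
        return 429, {"error": "rate limit exceeded", "retry_after": 1}
    if body_len > MAX_BODY_BYTES:
        return 413, {"error": "payload too large"}
    n = clamp_page_size(page_size)
    return 200, {"items": list(range(n)), "page_size": n}   # stand-in for a DB query with LIMIT n
```

Query timeouts (the third item in the fix) are set on the database driver or HTTP server rather than in handler code, so they are not shown here.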
5. Broken Function Level Authorization
The Problem: Relying on the client app to hide administrative functions instead of enforcing checks on the server.
Example: An endpoint DELETE /api/users exists. The UI hides the button for normal users, but a hacker finds the URL and calls it directly.
Fix: Check roles/permissions in the code for every controller method. @PreAuthorize("hasRole('ADMIN')").
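The page's fix shows Spring's @PreAuthorize; the same server-side check written as a Python decorator, as an added example that is not from the page. The Principal type, the require_role decorator, the constructed USERS table and the tiny dispatcher are all illustration: the point is that DELETE /api/users refuses non-admins no matter what the UI shows.

```python
# Added example (not from the page): role check enforced on every call to an admin endpoint.
from __future__ import annotations
from dataclasses import dataclass, field
from functools import wraps


@dataclass(frozen=True)
class Principal:
    id: int
    roles: frozenset[str] = field(default_factory=frozenset)


class Forbidden(Exception):
    pass


def require_role(*allowed: str):
    """Server-side check on every invocation; hiding the button in the UI is not a control."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(current_user: Principal, *args, **kwargs):
            if not current_user.roles.intersection(allowed):
                raise Forbidden(f"{fn.__name__} requires one of {sorted(allowed)}")
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


USERS = {1: "admin", 2: "alice", 3: "bob"}   # constructed sample data


@require_role("ADMIN")
def delete_user(current_user: Principal, user_id: int) -> dict:
    USERS.pop(user_id, None)
    return {"deleted": user_id, "remaining": sorted(USERS)}


def call(endpoint, current_user: Principal, *args) -> tuple[int, dict]:
    """Minimal dispatcher translating Forbidden into an HTTP 403."""
    try:
        return 200, endpoint(current_user, *args)
    except Forbidden as exc:
        return 403, {"error": str(exc)}
```

Keeping the role check in a decorator makes a missing check visible in review: an admin endpoint without the annotation stands out.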
6. Unrestricted Access to Sensitive Business Flows
The Problem: Abusing legitimate business workflows in a way that harms the business (automation/bots).
Example: Scalping bots buying all tickets in 1 second.
Fix: Bot detection, CAPTCHA for sensitive flows.
7. Server Side Request Forgery (SSRF)
The Problem: The API fetches a remote resource based on a user-supplied URL without validation.
Example: POST /image-upload accepts a URL. Attacker sends http://localhost:8080/admin. The server fetches it (bypassing the firewall) and returns the content.
Fix: Whitelist allowed domains. Do not allow calls to internal networks or localhost.
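The fix as a URL validator, added here as an example that is not code from the page. It goes beyond the two rules in the text in the way a practitioner would: it also rejects non-http(s) schemes, credentials in the URL, IP literals, and allowlisted hostnames that resolve to private, loopback or link-local addresses. ALLOWED_HOSTS and the resolver are constructed; the resolver is injected so the check runs offline.

```python
# Added example (not from the page): validating a user-supplied fetch URL before use.
from __future__ import annotations
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}   # constructed allowlist


def _is_public(ip) -> bool:
    """Reject anything that is not a routable public address (RFC 1918, loopback, ...)."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str, resolve) -> tuple[bool, str]:
    """Returns (ok, reason). `resolve(host)` must return the IP strings the name maps to."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    # Only allowlisted *names* are accepted; raw IP literals are refused outright.
    try:
        ipaddress.ip_address(host)
        return False, "IP literals not allowed"
    except ValueError:
        pass
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host not allowlisted: {host}"
    addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not _is_public(ipaddress.ip_address(addr)):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

Validating and then letting an HTTP client resolve the name again leaves a window for the DNS answer to change; the fetch should connect to the address that was validated, and redirects should be re-validated with the same function.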
8. Security Misconfiguration
The Problem: Defaults are not secure.
Examples: Verbose error messages (stack traces) leaking info, unnecessary HTTP verbs enabled, missing security headers (CORS, CSP), or unpatched dependencies.
Fix: Hardening procedures, automated scanning, disable debug mode in production.
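An added example (not code from the page) of two of the fixes in handler form: every response carries a fixed set of security headers, unexpected HTTP verbs get a 405, and an unhandled exception produces a generic body with a correlation id while the stack trace goes to the server log. The header values, the allowed-verb set and the dispatcher are constructed; debug mode is shown only to make clear what it leaks.

```python
# Added example (not from the page): generic error responses and hardened response headers.
from __future__ import annotations
import logging
import traceback
import uuid

log = logging.getLogger("api")

SECURITY_HEADERS = {                       # constructed baseline; tune per application
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "Cache-Control": "no-store",
}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}


def error_response(exc: Exception, debug: bool) -> tuple[int, dict, dict]:
    """Production: client gets a reference id, the trace goes to the log. Debug: trace leaks."""
    ref = uuid.uuid4().hex
    log.error("unhandled error ref=%s\n%s", ref, traceback.format_exc())
    body = {"error": "internal error", "ref": ref}
    if debug:   # acceptable only outside production
        body["detail"] = repr(exc)
        body["trace"] = traceback.format_exception(type(exc), exc, exc.__traceback__)
    return 500, body, dict(SECURITY_HEADERS)


def handle(method: str, handler, debug: bool = False) -> tuple[int, dict, dict]:
    """Dispatch one request: verb allowlist, then handler, then uniform error handling."""
    if method not in ALLOWED_METHODS:
        headers = {**SECURITY_HEADERS, "Allow": ", ".join(sorted(ALLOWED_METHODS))}
        return 405, {"error": "method not allowed"}, headers
    try:
        return 200, handler(), dict(SECURITY_HEADERS)
    except Exception as exc:   # broad on purpose: nothing may escape unformatted
        return error_response(exc, debug)
```

The debug flag should come from deployment configuration, never from a request parameter, so that it cannot be switched on by a caller.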
9. Improper Inventory Management
The Problem: "Zombie" APIs. You can't secure what you don't know exists.
Examples: Old API versions (v1) still running without patches while v3 is live. Staging environments exposed to the public.
Fix: Maintain an accurate inventory (OAS), decommission old versions.
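One way to use the inventory, as an added example that is not code from the page: diff the routes actually being served against the paths in the OpenAPI document and flag the two cases from the text (an old v1 endpoint still live, and a staging host reachable from the public internet). The spec fragment, the discovered route list and the host names are all constructed sample data.

```python
# Added example (not from the page): audit live routes against the OpenAPI inventory.
from __future__ import annotations

# Constructed OpenAPI-style inventory: what the team documents as supported.
OPENAPI_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API", "version": "3.0.0"},
    "paths": {
        "/v3/orders": {"get": {}, "post": {}},
        "/v3/orders/{id}": {"get": {}, "delete": {}},
    },
}

# Constructed route list as discovered on running hosts (router table, gateway config,
# or an access-log sweep): (method, path template, host).
LIVE_ROUTES = [
    ("GET", "/v3/orders", "api.example.com"),
    ("POST", "/v3/orders", "api.example.com"),
    ("GET", "/v3/orders/{id}", "api.example.com"),
    ("DELETE", "/v3/orders/{id}", "api.example.com"),
    ("GET", "/v1/orders/{id}", "api.example.com"),       # zombie: old version still served
    ("GET", "/v3/orders", "staging.example.com"),         # staging reachable from the internet
]


def audit_inventory(spec: dict, live: list[tuple[str, str, str]],
                    public_hosts: set[str]) -> dict:
    """Report routes served but undocumented, routes on unexpected hosts, and documented
    routes that are not actually served anywhere."""
    documented = {(method.upper(), path)
                  for path, ops in spec["paths"].items() for method in ops}
    findings = {"undocumented": [], "unexpected_hosts": [], "missing": []}
    served_on_public = set()
    for method, path, host in live:
        if host not in public_hosts:
            findings["unexpected_hosts"].append(f"{method} {path} on {host}")
            continue
        served_on_public.add((method, path))
        if (method, path) not in documented:
            findings["undocumented"].append(f"{method} {path}")
    findings["missing"] = sorted(f"{m} {p}" for m, p in documented - served_on_public)
    return findings
```

Run on a schedule, anything in "undocumented" or "unexpected_hosts" is either a decommissioning task or a spec update; either way the inventory and reality converge.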
10. Unsafe Consumption of APIs
The Problem: Trusting data received from 3rd party APIs blindly.
Example: Your API calls a weather service. That service gets hacked and sends malicious SQL injection payloads back to you, which you save to your DB.
Fix: Validate/Sanitize all input, even from "trusted" external APIs.
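The weather-service scenario from the example, added here as code that is not from the page: the upstream body is size-capped and schema-checked (types, ranges, lengths) before anything is used, and the write to the database is a parameterised query so a hostile string can only ever be stored as data. The response format, field limits and the in-memory SQLite table are constructed; the two sample upstream responses are labelled as such.

```python
# Added example (not from the page): validating a third-party API response before persisting it.
from __future__ import annotations
import json
import sqlite3

MAX_BODY = 4096
MAX_CITY_LEN = 64


def parse_weather(raw: bytes) -> dict:
    """Treat the upstream body as untrusted input: enforce size, shape, type and range."""
    if len(raw) > MAX_BODY:
        raise ValueError("response too large")
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("expected a JSON object")
    city = doc.get("city")
    temp = doc.get("temp_c")
    if not isinstance(city, str) or not 0 < len(city) <= MAX_CITY_LEN or not city.isprintable():
        raise ValueError("bad city")
    # bool is a subclass of int, so it must be excluded explicitly.
    if isinstance(temp, bool) or not isinstance(temp, (int, float)) or not -90 <= temp <= 60:
        raise ValueError("bad temp_c")
    return {"city": city, "temp_c": float(temp)}


def store_reading(conn: sqlite3.Connection, reading: dict) -> None:
    # Parameterised statement: values are bound, never spliced into the SQL text.
    conn.execute("INSERT INTO readings(city, temp_c) VALUES (?, ?)",
                 (reading["city"], reading["temp_c"]))


def ingest(conn: sqlite3.Connection, raw: bytes) -> bool:
    """Returns True if the reading was stored, False if it was rejected."""
    try:
        reading = parse_weather(raw)
    except ValueError:
        return False          # log and drop; nothing unvalidated reaches the database
    store_reading(conn, reading)
    conn.commit()
    return True


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE readings(id INTEGER PRIMARY KEY, city TEXT, temp_c REAL)")
    return conn


# Constructed upstream responses: a normal one, one with a wrong type, and one carrying
# a classic injection string in a text field (stored harmlessly as a literal value).
GOOD = b'{"city": "Lisbon", "temp_c": 21.5}'
BAD_TYPE = b'{"city": "Lisbon", "temp_c": "21; DROP TABLE readings"}'
HOSTILE_TEXT = b'{"city": "x\'); DROP TABLE readings; --", "temp_c": 21.5}'
```

The two controls are independent: schema validation rejects what does not look like weather data, and parameterisation means that even a string which passes validation cannot change the query.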
Key Takeaways
BOLA (IDOR) is the #1 API vulnerability. Always check ownership.
Authentication and Authorization flaws are the root cause of most breaches.
Trust Nothing: Not user input, not internal services, not 3rd party APIs.
Next Step: All these protections are useless if the data is stolen in transit. Let's ensure the pipe is secure with Encryption and HTTPS.
Modified at 2025-12-29 04:30:23