Orientation
OWASP API Security Top 10 is its own list, separate from the main OWASP Top 10. The current canonical version is OWASP API Security Top 10:2023, which restructured several 2019 categories. The categories below are paraphrased; refer to OWASP's published list for normative descriptions.
This guide goes category by category with three things for each: what the category means in practice, how a tester verifies it, and what remediation looks like in code or configuration.
API1:2023 — Broken Object Level Authorization (BOLA)
What it means. An API endpoint accepts an object identifier (user ID, order ID, document ID) and returns data without checking that the calling identity is authorized to read that specific object. Formerly called IDOR.
How testers verify. Two test accounts in different tenants. Account A creates an object and notes its ID. Account B attempts to read, modify, or delete the object using its ID. If the response is anything other than 403/404 with no data leakage, the endpoint is broken.
Remediation. Authorization check at the data-access layer, not at the controller. Every query that returns user-scoped data should be filtered by the caller's identity, ideally enforced by row-level security or an ORM scope rather than ad-hoc per-endpoint checks.
API2:2023 — Broken Authentication
What it means. Authentication mechanisms are implemented incorrectly — token issuance, validation, or revocation flaws. Includes JWT alg confusion, refresh-token replay, weak password reset flows, and credential stuffing without rate limiting.
How testers verify. Test JWT with none algorithm. Test refresh-token replay across devices. Test password-reset token reuse. Test rate-limit on login. Test session fixation and post-logout token validity.
Remediation. Use a well-known auth library; do not roll your own. Validate the alg parameter explicitly. Rotate refresh tokens on use. Single-use, time-bound reset tokens. Throttle login attempts per identity and per source.
API3:2023 — Broken Object Property Level Authorization
What it means. Even when object-level authorization is correct, individual properties on the returned object may leak data. A user reads their own profile and the response includes admin-only fields. Mass assignment is the inverse: a user updates their profile and the request modifies fields they should not control.
How testers verify. Diff the response shape across roles. Submit requests with extra fields not exposed in the UI and observe whether the backend processes them.
Remediation. Explicit allow-lists for input and output fields per role. Avoid serializing the full database object directly to the response. Use DTOs or response shapers.
API4:2023 — Unrestricted Resource Consumption
What it means. The API has no per-caller, per-endpoint, or per-resource limits, allowing abuse: cost amplification, brute-force, account enumeration, denial of service.
How testers verify. Burst high request rates against authentication, search, export, and any endpoint that does meaningful work. Look for rate-limit headers; if there are none, the limit probably is not there.
Remediation. Per-IP and per-identity rate limiting at the gateway. Quotas on expensive operations (export, search, batch). Pagination with hard maximums.
API5:2023 — Broken Function Level Authorization (BFLA)
What it means. Object-level authorization can be correct while function-level authorization is missing. A non-admin user can call an admin-only endpoint and the endpoint executes.
How testers verify. Walk every documented role through every endpoint. Pay special attention to admin endpoints, debug endpoints, and any endpoint the SPA does not call from a user role but that the backend exposes.
Remediation. Centralized role check at the controller level, ideally driven by a declarative authorization policy. Default-deny for any endpoint without explicit authorization.
API6:2023 — Unrestricted Access to Sensitive Business Flows
What it means. Business workflows accessible at automated scale lead to abuse: ticket-buying bots, mass account creation, coupon farming, account-takeover at scale.
How testers verify. Build a script that completes the workflow end-to-end and run it concurrently. Check whether anti-automation, behavioral signals, or per-identity throttles kick in.
Remediation. Anti-automation (CAPTCHA-equivalent, device-binding, behavioral signals) on workflows that have abuse value. Rate-limiting per identity and per device fingerprint.
API7:2023 — Server Side Request Forgery (SSRF)
What it means. The API accepts a URL or hostname and makes a server-side request to it. Attackers craft URLs pointing to internal services, cloud-metadata services, or sensitive endpoints behind the perimeter.
How testers verify. Find every input that becomes a server-side fetch. Try internal IP ranges, cloud metadata IPs (169.254.169.254 et al.), localhost variants, DNS-rebinding payloads, and URL-shortener wrapping.
Remediation. Allow-list of permitted destinations. Strip credentials from outbound requests. Disable HTTP redirects or cap them. Use a separate egress proxy with policy enforcement for outbound calls.
API8:2023 — Security Misconfiguration
What it means. Default credentials, verbose errors, debug endpoints in production, missing security headers, permissive CORS, outdated dependencies, exposed cloud-storage buckets used by the API.
How testers verify. Crawl the API surface for debug routes, check error responses for stack traces, validate CORS origins, scan TLS configuration, identify storage backends and check their public exposure.
Remediation. Production configuration baseline; difference checks against staging. Disable debug routes in production builds. Generic error responses; full detail to logs only.
API9:2023 — Improper Inventory Management
What it means. Old API versions still reachable. Staging endpoints exposed. Documented endpoints differ from actual endpoints. Beta versions with weaker auth still online.
How testers verify. Compare OpenAPI spec to actual endpoints. Probe versioned paths (/v1/, /v2/, /internal/). Check for staging hostnames discoverable via DNS or certificates.
Remediation. Maintain an inventory of API endpoints and versions. Sunset old versions on a documented schedule. Guard staging hostnames with auth at the network or gateway layer.
API10:2023 — Unsafe Consumption of APIs
What it means. Your API consumes data from third-party APIs and trusts the responses. A compromised third party returns malicious payloads that propagate through your service.
How testers verify. Identify outbound API calls; look for places where third-party responses are reflected to users, processed without validation, or trigger side effects.
Remediation. Validate third-party responses with the same rigor as user input. Never blindly relay third-party data to users. Apply rate limits to outbound consumption to limit blast radius if a third party turns hostile.
If you read only the test-verification sections, the OWASP API Top 10 is roughly: walk every endpoint across every role, walk every endpoint across at least two tenants, and look for inputs that become server-side requests or trust third-party data. Most categories are variants of those three.
Related articles
Preparing for your first pentest? Download the SMB Pentest Readiness Checklist →