2023 OWASP API Top Ten


The Open Web Application Security Project (OWASP) is a nonprofit foundation that promotes web application security best practices. It publishes freely available methodologies, documentation, and tools to help organizations build and operate secure applications.

Why API Security Matters: The Threat Landscape

API security demands immediate attention. APIs expose business logic and data directly to clients, so a flaw in an API is usually a direct path to data rather than a stepping stone toward it.

OWASP published the first API Security Top 10 in 2019 and revised it in 2023, adding new categories and merging others. Shift-left practices let teams address these issues during development, and proxies such as Burp Suite and ZAP remain useful for probing them by hand. The 2023 list, however, puts more weight on authorization and business-logic flaws, which no scanner can find without understanding what each API is supposed to allow.

Current API Security Top 10

#1: Broken Object Level Authorization

APIs routinely expose endpoints that take an object identifier (a user, order, or document ID). BOLA occurs when the server looks the object up without checking that the authenticated caller is allowed to access it, so an attacker who changes the ID in an otherwise legitimate request reads or modifies someone else's data. Read our guide on Broken Object Level Authorization.

Prevention: Implement object-level authorization checks in every function that accesses a data source using an ID from the client. Use random GUIDs instead of sequential IDs, but treat that as defense in depth: IDs leak through other channels, and unpredictability is no substitute for the authorization check. Write automated tests that exercise the authorization mechanism from the perspective of a user who does not own the object. Enforce ownership records and tenant isolation.
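The check described above, as an added example written for this page (not code from OWASP or APIsec). It contrasts a handler that trusts any valid ID with one that ties the object to the caller's identity and tenant, and includes the kind of automated authorization test the prevention advice calls for. The document store, user names and tenant names are constructed for the example.

```python
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    id: str
    owner_id: str
    tenant_id: str
    body: str


# Constructed sample data: two users in two tenants, one document each.
# Random UUIDs make IDs hard to enumerate, but unpredictability is not
# authorization; the ownership check in get_document is what stops BOLA.
DOCS = {}


def _add(owner_id, tenant_id, body):
    doc = Document(id=str(uuid.uuid4()), owner_id=owner_id,
                   tenant_id=tenant_id, body=body)
    DOCS[doc.id] = doc
    return doc


ALICE, BOB = "user-alice", "user-bob"
TENANT_OF = {ALICE: "tenant-a", BOB: "tenant-b"}
ALICE_DOC = _add(ALICE, "tenant-a", "alice's private notes")
BOB_DOC = _add(BOB, "tenant-b", "bob's private notes")


class NotFound(Exception):
    pass


def get_document_vulnerable(current_user, current_tenant, doc_id):
    """Vulnerable: any authenticated caller who knows (or guesses) an ID
    gets the document. Nothing ties the object to the caller."""
    doc = DOCS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc.body


def get_document(current_user, current_tenant, doc_id):
    """Hardened: after loading the object, verify it belongs to the caller's
    tenant and to the caller. Both failures raise the same NotFound so the
    endpoint cannot be used as an oracle for which IDs exist."""
    doc = DOCS.get(doc_id)
    if doc is None or doc.tenant_id != current_tenant or doc.owner_id != current_user:
        raise NotFound(doc_id)
    return doc.body


def authorization_regression_test(handler):
    """Automated BOLA check for CI: every principal requests every known
    object and must succeed only on objects it owns. Returns True when the
    handler enforces ownership for all (user, object) pairs."""
    for user, tenant in TENANT_OF.items():
        for doc in DOCS.values():
            try:
                handler(user, tenant, doc.id)
                allowed = True
            except NotFound:
                allowed = False
            if allowed != (doc.owner_id == user):
                return False
    return True


if __name__ == "__main__":
    print("vulnerable handler passes:", authorization_regression_test(get_document_vulnerable))
    print("hardened handler passes:", authorization_regression_test(get_document))
```

The regression test is the part worth keeping: run it against every handler that accepts an ID, with one fixture principal per role and tenant, so a refactor that drops the ownership check fails the build rather than reaching production.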

#2: Broken Authentication

Broken authentication allows attackers to impersonate legitimate users. Learn to fix broken API authentication.

Common Weaknesses: Weak password policies, missing rate limiting on login endpoints, credentials exposed in URLs, predictable tokens, API keys as sole authentication, and missing MFA on sensitive endpoints.

Prevention: Implement MFA for sensitive operations. Use short-lived tokens with automatic expiration. Implement progressive account lockout. Rotate credentials regularly. Treat password-reset and forgot-password endpoints as authentication endpoints and protect them with the same rate limiting and lockout controls as login.

#3: Broken Object Property Level Authorization

Improper authorization validation at the object property level combines two 2019 vulnerabilities.

Excessive Data Exposure occurs when APIs return entire data objects instead of filtering to the requested fields. See our article on Excessive Data Exposure.

Mass Assignment allows user input to alter sensitive properties that should be protected. Attackers can elevate privileges by adding unexpected properties to requests.

Prevention: Implement explicit allowlists for readable and modifiable properties, and reject requests that contain properties outside the allowlist rather than silently dropping them. Create specific response DTOs instead of returning entire database objects. Disable automatic binding of client input onto internal models, or bind only into a dedicated input class that contains nothing sensitive.
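Both halves of this category in one place, as an added example for this page rather than code from the original article: a vulnerable update that binds the whole request body onto the user model, the allowlisted version that rejects unknown and mistyped properties, and response DTOs that choose fields by viewer rather than serializing the model. The User model, field lists and sample record are constructed for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class User:
    id: int
    email: str
    display_name: str
    password_hash: str
    is_admin: bool
    credit_balance: int


# Properties a user may change on their own record, with the type each must
# have. Anything else in the request body is an error, not silently ignored,
# so probing for hidden properties shows up in the logs as 400s.
WRITABLE_BY_SELF = {"display_name": str, "email": str}

# Response DTOs: the properties each kind of viewer may read.
# password_hash is in neither, so it can never leak through this endpoint.
PUBLIC_FIELDS = ("id", "display_name")
SELF_FIELDS = ("id", "email", "display_name", "credit_balance")


class InvalidField(ValueError):
    pass


def update_user_vulnerable(user, payload):
    """Vulnerable mass assignment: every key in the JSON body is bound onto
    the model, so {"is_admin": true} elevates privilege."""
    return replace(user, **payload)


def update_user(user, payload):
    """Hardened: explicit allowlist of writable properties and their types."""
    unknown = set(payload) - set(WRITABLE_BY_SELF)
    if unknown:
        raise InvalidField(f"properties not writable: {sorted(unknown)}")
    for name, value in payload.items():
        if not isinstance(value, WRITABLE_BY_SELF[name]):
            raise InvalidField(f"{name} must be {WRITABLE_BY_SELF[name].__name__}")
    return replace(user, **payload)


def to_dto(user, viewer_is_self):
    """Build the response from an allowlist instead of serializing the model."""
    fields = SELF_FIELDS if viewer_is_self else PUBLIC_FIELDS
    return {name: getattr(user, name) for name in fields}


# Constructed sample record; the hash is a placeholder, not a real credential.
ALICE = User(id=7, email="alice@example.com", display_name="Alice",
             password_hash="<argon2 hash placeholder>", is_admin=False,
             credit_balance=250)
```

The same allowlist should drive the API schema (OpenAPI request and response bodies) so that documentation, validation and code agree on which properties exist from the client's point of view.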

#4: Unrestricted Resource Consumption

Every API request consumes CPU, memory, network bandwidth and storage, and often a paid third-party service (SMS, e-mail, cloud compute). Exploitation requires nothing more than sending many requests, or a few expensive ones: oversized payloads, huge page sizes, deeply nested queries. The result is denial of service, or a large bill when the API is backed by pay-per-use cloud resources.

Prevention: Implement rate limiting based on IP, user ID, and API key. Set maximum payload sizes and pagination limits. Implement execution timeouts. Monitor unusual consumption patterns.
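An admission gate that applies those limits, added here as an example and not taken from the original article. It keeps one sliding-window limiter per identity dimension (IP, user ID, API key) so that rotating one identifier does not reset the others, and rejects oversized bodies and out-of-range page sizes before any work is done. The limit values are assumed starting points, and the clock is faked so the simulation is deterministic.

```python
import time
from collections import deque


class SlidingWindowLimiter:
    """Counts requests per key inside a moving window. One instance per
    identity dimension so that rotating one identifier (e.g. source IP)
    does not reset the others (user id, API key)."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits = {}  # key -> deque of request timestamps

    def allow(self, key):
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


# Assumed limits for the example; tune per endpoint in a real deployment.
MAX_BODY_BYTES = 64 * 1024   # reject oversized payloads before parsing them
MAX_PAGE_SIZE = 100          # cap how many records one call can return
PER_IP = (60, 60.0)          # 60 requests per minute from one address
PER_USER = (300, 60.0)
PER_API_KEY = (1000, 60.0)


class AdmissionGate:
    def __init__(self, clock=time.monotonic):
        self.per_ip = SlidingWindowLimiter(*PER_IP, clock)
        self.per_user = SlidingWindowLimiter(*PER_USER, clock)
        self.per_key = SlidingWindowLimiter(*PER_API_KEY, clock)

    def admit(self, ip, user_id, api_key, body, page_size):
        """Return 200 when the request may proceed, otherwise the HTTP status
        to send. Cheap structural checks come first so an attacker cannot
        make the server do work before being refused."""
        if len(body) > MAX_BODY_BYTES:
            return 413
        if not 1 <= page_size <= MAX_PAGE_SIZE:
            return 400
        for limiter, key in ((self.per_ip, ip), (self.per_user, user_id),
                             (self.per_key, api_key)):
            if not limiter.allow(key):
                return 429
        return 200


class FakeClock:
    """Deterministic clock for the simulation (constructed, not wall time)."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def simulate_burst():
    """One client sends 70 requests inside a second, then one more after the
    window has expired. Returns (admitted, rejected, status_after_window)."""
    clock = FakeClock()
    gate = AdmissionGate(clock)
    admitted = rejected = 0
    for _ in range(70):
        if gate.admit("198.51.100.7", "user-42", "key-abc", b"{}", 25) == 200:
            admitted += 1
        else:
            rejected += 1
    clock.now += PER_IP[1] + 1
    after = gate.admit("198.51.100.7", "user-42", "key-abc", b"{}", 25)
    return admitted, rejected, after


if __name__ == "__main__":
    print(simulate_burst())
```

Per-request limits are not enough on their own for expensive operations: a query that fans out to a downstream service, sends an SMS, or runs a model still needs an execution timeout and a per-account spend cap, and the limiter state shown here must live in shared storage when the API runs on more than one instance.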

#5: Broken Function Level Authorization

Access-control policies that mix roles, groups and user hierarchies are easy to get wrong. BFLA occurs when an API does not check whether the caller's role permits the function being invoked, so an ordinary user reaches an administrative operation by changing the HTTP method (GET to DELETE, for example) or by guessing an admin path.

Prevention: Implement RBAC with clear function-to-role mappings. Deny all access by default. Validate authorization on every request. Separate administrative endpoints with additional authentication.
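The RBAC mapping and deny-by-default rule in working form, added as an example for this page and not drawn from the original article. Roles, endpoint names, routes and the step-up requirement are all assumed; the point is that the permission table is the only place a function becomes callable, and that every call re-checks it.

```python
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset
    mfa_verified: bool   # step-up authentication completed for this session


class Forbidden(Exception):
    pass


class NotRouted(Exception):
    pass


# Explicit function-to-role map. A function absent from this table is denied
# to everyone, including admins, until someone deliberately adds it.
PERMISSIONS = {
    "list_own_invoices": frozenset({"customer", "support", "admin"}),
    "refund_invoice": frozenset({"support", "admin"}),
    "delete_user": frozenset({"admin"}),
}
# Administrative functions that require a fresh second factor on top of role.
STEP_UP_REQUIRED = frozenset({"refund_invoice", "delete_user"})


def authorize(fn):
    """Check role and step-up status on every call, not once at login."""
    @wraps(fn)
    def wrapper(principal, *args, **kwargs):
        allowed_roles = PERMISSIONS.get(fn.__name__, frozenset())  # deny by default
        if not principal.roles & allowed_roles:
            raise Forbidden(f"{fn.__name__}: role not permitted")
        if fn.__name__ in STEP_UP_REQUIRED and not principal.mfa_verified:
            raise Forbidden(f"{fn.__name__}: step-up authentication required")
        return fn(principal, *args, **kwargs)
    return wrapper


@authorize
def list_own_invoices(principal):
    return [f"invoice-for-{principal.user_id}"]


@authorize
def refund_invoice(principal, invoice_id):
    return f"refunded {invoice_id}"


@authorize
def delete_user(principal, user_id):
    return f"deleted {user_id}"


@authorize
def export_all_users(principal):
    # Not in PERMISSIONS: nobody can call this until a role is mapped to it.
    return "full user dump"


# Routing table keyed by (method, path). Changing GET to DELETE on a path that
# only has a GET route is rejected here instead of falling through to a handler.
ROUTES = {
    ("GET", "/api/invoices"): list_own_invoices,
    ("POST", "/api/invoices/refund"): refund_invoice,
    ("DELETE", "/api/admin/users"): delete_user,
}


def dispatch(method, path, principal, *args):
    handler = ROUTES.get((method.upper(), path))
    if handler is None:
        raise NotRouted(f"{method} {path}")
    return handler(principal, *args)
```

Keeping the table in code rather than in scattered `if user.is_admin` checks also makes it reviewable: a diff that adds a role to `delete_user` is visible, and a test can iterate over every route with every role fixture the way the BOLA regression test iterates over objects.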

#6: Unrestricted Access to Sensitive Business Flows

Attackers automate legitimate business workflows (purchasing, booking, posting, claiming referral rewards) at a scale that harms the business, even though every individual request is valid and properly authenticated. Understanding business logic vulnerabilities is essential.

Prevention: Identify business flows that attackers could abuse. Implement device fingerprinting and human detection mechanisms. Add friction to sensitive operations.

#7: Server Side Request Forgery

SSRF occurs when an API fetches a remote resource from a URL supplied by the client without validating it. Attackers supply URLs that point at internal services or cloud metadata endpoints to expose private data, or use the server as a proxy to scan internal networks.

Prevention: Validate and sanitize all client-supplied URLs. Implement allowlists for permitted schemes, hosts and ports. Resolve the hostname and reject private, loopback and link-local addresses, then connect to the resolved address rather than resolving again. Do not follow redirects. Run the fetching component on an isolated network segment with no route to internal services.
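A URL validator implementing those rules, added as an example for this page and not code from the original article. The allowlisted hosts and the DNS answers are constructed so it runs offline; the second allowlisted host deliberately resolves to an internal address to show that a name on the allowlist is still not trusted blindly. The "public" address used in the fake DNS table is a placeholder, not a host you should fetch from.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed policy for this example: only these hosts, over HTTPS on 443.
ALLOWED_SCHEMES = frozenset({"https"})
ALLOWED_HOSTS = frozenset({"images.example.com", "cdn.example.net"})
ALLOWED_PORTS = frozenset({443})

# Constructed DNS answers so the example runs offline. cdn.example.net is on
# the allowlist but currently resolves to an internal address (what a DNS
# rebinding or a compromised record looks like), so it must still be refused.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "cdn.example.net": ["10.0.0.5"],
}


class UnsafeURL(ValueError):
    pass


def is_public_address(text):
    addr = ipaddress.ip_address(text)
    # Unwrap ::ffff:a.b.c.d so IPv4-mapped loopback/private ranges are caught.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_fetch_target(url, resolve=lambda host: FAKE_DNS.get(host, [])):
    """Return (host, ip) the fetcher must connect to, or raise UnsafeURL.
    Connect to the returned IP with the Host header set to host, instead of
    re-resolving, so DNS cannot change between this check and the fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL")   # https://allowed-host@evil/ trick
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host {host!r} not on allowlist")
    port = parts.port or 443                     # raises ValueError on a bad port
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port {port} not allowed")
    answers = resolve(host)
    if not answers or not all(is_public_address(a) for a in answers):
        raise UnsafeURL(f"{host} resolves to a non-public address")
    return host, answers[0]


def is_safe(url):
    """Boolean convenience wrapper; UnsafeURL subclasses ValueError."""
    try:
        validate_fetch_target(url)
        return True
    except ValueError:
        return False
```

The validator only decides whether to connect; the HTTP client doing the fetch must also be configured not to follow redirects, since a redirect from an allowlisted host to an internal address would otherwise bypass every check above.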

#8: Security Misconfiguration

Security misconfiguration is missing hardening or improperly configured permissions anywhere in the API stack: the gateway, the application framework, the cloud services behind it, and the network in between.

Common Examples: Default credentials on API gateways, verbose error messages exposing stack traces, unnecessary HTTP methods enabled, missing TLS configuration, overly permissive CORS policies.

Prevention: Implement repeatable hardening processes. Automate security configuration verification. Review cloud storage permissions. Conduct regular configuration audits.

#9: Improper Inventory Management

Old API versions left running, undocumented or debug endpoints, and stale documentation all leave attack surface that nobody is watching; attackers target the unpatched v1 rather than the hardened v2. See Improper Asset Management (the 2019 name for this category).

Prevention: Maintain an accurate API inventory. Implement API versioning with deprecation timelines. Scan environments for exposed endpoints.

#10: Unsafe Consumption of APIs

This category covers the consuming side. Developers tend to trust data coming from third-party APIs more than user input and apply weaker validation to it, so a compromised or malicious integration partner becomes an injection vector. Data from third-party APIs should be validated and sanitized to the same standard as user input.

Prevention: Validate data from third-party APIs against a schema before using it. Implement timeouts and circuit breakers. Do not follow redirects from integrated APIs blindly; keep an allowlist of locations they may redirect to. Maintain security assessments of API providers.

What Changed from 2019?

  • Combined Excessive Data Exposure and Mass Assignment: Both vulnerabilities relate to improper handling of object properties, now unified under Broken Object Property Level Authorization.

  • Added Unrestricted Access to Sensitive Business Flows: Addresses automated abuse of legitimate business workflows. Example: attackers script the purchase of a limited-stock product on release day, distributed across many IP addresses, and the API lets them buy most of the stock before legitimate users can.

  • Added Server Side Request Forgery: Addresses risks when APIs fetch remote resources based on user input.

  • Added Unsafe Consumption of APIs: Addresses risks when consuming third-party API data without proper validation.

  • Dropped Injection and Insufficient Logging and Monitoring: Neither risk went away (they remain A03 and A09 in the 2021 OWASP Top 10), but they are not API-specific and no longer hold a slot on the API list.

2019 vs 2023 Comparison Table

2019 Position                                   2023 Position
API1:  Broken Object Level Authorization        API1:  Broken Object Level Authorization
API2:  Broken User Authentication               API2:  Broken Authentication
API3:  Excessive Data Exposure                  API3:  Broken Object Property Level Authorization
API4:  Lack of Resources and Rate Limiting      API4:  Unrestricted Resource Consumption
API5:  Broken Function Level Authorization      API5:  Broken Function Level Authorization
API6:  Mass Assignment                          API6:  Unrestricted Access to Sensitive Business Flows (NEW)
API7:  Security Misconfiguration                API7:  Server Side Request Forgery (NEW)
API8:  Injection                                API8:  Security Misconfiguration
API9:  Improper Asset Management                API9:  Improper Inventory Management
API10: Insufficient Logging and Monitoring      API10: Unsafe Consumption of APIs (NEW)

Rows pair entries by rank, not by topic: Excessive Data Exposure and Mass Assignment (2019 API3 and API6) were merged into 2023 API3, while Injection and Insufficient Logging and Monitoring have no 2023 counterpart.

Detecting and Monitoring OWASP Top 10 Vulnerabilities

  • Runtime Monitoring: Traditional WAFs and SAST/DAST scanners were not designed for API-specific threats. Runtime monitoring provides continuous visibility, identifying anomalies that signature-based tools miss.

  • Baseline Behavior: Establish baselines for typical request patterns, data access volumes, and authentication flows to identify deviations indicating potential attacks.

  • Anomaly Detection: A BOLA attack shows up as a user suddenly reading many objects it has never touched before; excessive data exposure shows up as responses far larger than that user's or endpoint's baseline. Automated detection flags these deviations.

  • Log Analysis: Comprehensive API logging with SIEM integration enables correlation of API events with broader security incidents.

  • Continuous Testing: Annual penetration tests cannot keep pace with modern development cycles. Automated API security testing in CI/CD pipelines catches vulnerabilities before production. Review our API security best practices. APIsec provides continuous coverage across all OWASP API Top 10 categories.
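The two anomaly rules above run over constructed log lines, as an added example for this page rather than APIsec's own detection logic. A baseline window establishes which objects each user normally reads and how large their responses normally are; the current window then contains one user enumerating orders it never touched and one user receiving an oversized response. The log format, users, paths and thresholds are all assumptions for the example.

```python
import json
import statistics
from collections import defaultdict

# Constructed JSON access-log lines (one event per line), not real traffic.
# Fields: ts (seconds), user, method, path, status, bytes (response size).


def _event(ts, user, path, status, nbytes):
    return json.dumps({"ts": ts, "user": user, "method": "GET", "path": path,
                       "status": status, "bytes": nbytes})


def build_baseline():
    """A quiet week: each user reads only its own handful of orders."""
    lines, t = [], 0
    for _day in range(7):
        for user, orders in (("u1", (101, 102)), ("u2", (201,)), ("u3", (301, 302))):
            for oid in orders:
                lines.append(_event(t, user, f"/api/orders/{oid}", 200, 800 + oid % 50))
                t += 60
    return lines


def build_current():
    """Today: u1 behaves normally, u3 walks /api/orders/101..120 (BOLA
    enumeration), u2 receives one response far larger than its usual."""
    lines = [_event(0, "u1", "/api/orders/101", 200, 812)]
    for i, oid in enumerate(range(101, 121)):
        lines.append(_event(60 + i, "u3", f"/api/orders/{oid}", 200, 830))
    lines.append(_event(2000, "u2", "/api/orders/201", 200, 48_000))
    return lines


BASELINE_LOG = build_baseline()
CURRENT_LOG = build_current()


def parse(lines):
    return [json.loads(line) for line in lines]


def objects_by_user(events):
    """Set of object paths each user successfully read."""
    seen = defaultdict(set)
    for e in events:
        if e["status"] == 200:
            seen[e["user"]].add(e["path"])
    return seen


def median_bytes_by_user(events):
    sizes = defaultdict(list)
    for e in events:
        if e["status"] == 200:
            sizes[e["user"]].append(e["bytes"])
    return {user: statistics.median(v) for user, v in sizes.items()}


def detect(baseline_lines, current_lines, min_objects=5, new_ratio=0.8, size_factor=5.0):
    """Return sorted (user, finding) pairs. The thresholds are assumed starting
    points; tune them against your own baseline before alerting on them."""
    base_objects = objects_by_user(parse(baseline_lines))
    base_median = median_bytes_by_user(parse(baseline_lines))
    current = parse(current_lines)
    findings = set()
    # Rule 1: a user whose successful reads are mostly objects it never read before.
    for user, objs in objects_by_user(current).items():
        new = objs - base_objects.get(user, set())
        if len(objs) >= min_objects and len(new) / len(objs) >= new_ratio:
            findings.add((user, "object_enumeration"))
    # Rule 2: a response many times larger than the user's baseline median.
    for e in current:
        typical = base_median.get(e["user"])
        if e["status"] == 200 and typical and e["bytes"] > size_factor * typical:
            findings.add((e["user"], "oversized_response"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in detect(BASELINE_LOG, CURRENT_LOG):
        print(user, finding)
```

In production the baseline should be keyed by endpoint as well as user (an order-list endpoint legitimately returns more bytes than an order-detail endpoint), and a high 403/404 rate on ID-bearing paths is worth a third rule, since enumeration against a correctly authorized endpoint leaves that trail instead of successful reads.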

Final Thoughts

The 2023 OWASP API Top 10 reflects how API threats have evolved, with business logic flaws and third-party integration risks now taking center stage. Traditional security tools cannot detect these vulnerabilities because they require understanding the unique context of each API. Organizations that implement continuous, automated testing across all ten categories will catch real exploits before attackers do.

Ready to test your APIs for OWASP Top 10 vulnerabilities? Start a free trial with APIsec.


FAQs

1. What is the difference between OWASP Top 10 and OWASP API Top 10?

The OWASP Top 10 covers web application vulnerabilities. The API Top 10 addresses API-specific risks like broken object-level authorization.

2. How often is the OWASP API Top 10 updated?

The list was released in 2019 and updated in 2023. Reassess security posture whenever updates are released.

3. Why was BOLA ranked #1 again in 2023?

BOLA is common, easy to exploit (change an ID in an otherwise valid request), and high impact. Detecting it requires knowing which users may access which objects, a relationship unique to each application, so generic tools cannot reliably find it.

4. What happened to Injection vulnerabilities?

OWASP dropped Injection from the 2023 API list, but not because the risk disappeared: it is still A03 in the 2021 OWASP Top 10, and API endpoints that build SQL, NoSQL, OS-command or LDAP queries from request data still need parameterized queries and strict input validation. It simply no longer holds an API-specific slot.

5. How can I test my APIs for these vulnerabilities?

Use automated API security platforms in CI/CD pipelines.

6. What is the biggest mistake organizations make?

Relying solely on WAFs not designed for APIs. Business logic flaws require API-specific context.
