OWASP API Security Top 10 - Free field guide

Can you spot the flaw before an attacker does?

Here is a real API endpoint. It authenticates the user, it returns a 404 when it should, and it still leaks every customer's data. Can you find the line with the bug?

That first flaw is not hypothetical.

The missing ownership check you just looked for is Broken Object Level Authorization, the number one API risk. In 2023, attackers abused a single API in exactly this way to take the personal data of 37 million T-Mobile customers. No system was hacked. It ran undetected for 41 days.

Source: T-Mobile Form 8-K filing, U.S. SEC, January 2023.
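The flaw described above, as an added example that is not part of the guide: a minimal lookup handler that is authenticated and answers 404 for unknown IDs yet still serves every customer's record, beside the corrected version that scopes the lookup to the caller. The invoice store, IDs and function names are constructed for illustration.

```python
# Added example (not from the guide): the missing ownership check behind
# Broken Object Level Authorization (BOLA), beside the corrected handler.
# Data, IDs and names below are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int

# Constructed sample store: two customers, one invoice each.
INVOICES = {
    1001: Invoice(invoice_id=1001, owner_id=7, amount_cents=4999),
    1002: Invoice(invoice_id=1002, owner_id=8, amount_cents=12000),
}

def get_invoice_vulnerable(caller_id: int, invoice_id: int) -> Optional[Invoice]:
    """Authenticated (caller_id comes from an upstream login, assumed here) and
    returns None (a 404) for unknown IDs, yet still leaks data: the lookup never
    checks that the caller owns the record, so any logged-in user can read every
    invoice just by changing the ID."""
    assert caller_id is not None
    return INVOICES.get(invoice_id)

def get_invoice_fixed(caller_id: int, invoice_id: int) -> Optional[Invoice]:
    """Same lookup with the ownership check. Returns None (404) both when the
    invoice does not exist and when it belongs to someone else, so the response
    does not reveal which IDs are valid."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != caller_id:
        return None
    return invoice

def readable_ids(handler: Callable[[int, int], Optional[Invoice]],
                 caller_id: int, id_range: range) -> list[int]:
    """Regression check for code review: the IDs a single caller can read across
    a range. For a correctly scoped handler this is only the caller's own records."""
    return [i for i in id_range if handler(caller_id, i) is not None]

if __name__ == "__main__":
    print("vulnerable:", readable_ids(get_invoice_vulnerable, 7, range(1000, 1010)))
    print("fixed:     ", readable_ids(get_invoice_fixed, 7, range(1000, 1010)))
```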

The full list

All ten, the bug and the fix.

Every risk in the guide is laid out like the challenge: what it is, the request that exploits it, and the control that closes it.

API1 - Broken Object Level Authorization: Users reaching records that belong to someone else by changing an ID.

API2 - Broken Authentication: Weak tokens, missing MFA, and sessions that let attackers impersonate users.

API3 - Broken Object Property Level Authorization: Exposing or letting users edit fields they were never meant to touch.

API4 - Unrestricted Resource Consumption: No limits on requests, uploads, or queries, leading to outages and cloud bills.

API5 - Broken Function Level Authorization: Standard users reaching admin-only endpoints and actions.

API6 - Unrestricted Access to Sensitive Business Flows: Bots abusing legitimate workflows at scale: scalping, fraud, hoarding.

API7 - Server-Side Request Forgery: Tricking your server into calling internal systems and cloud metadata.

API8 - Security Misconfiguration: Default credentials, debug modes, and permissive settings shipped to production.

API9 - Improper Inventory Management: Shadow and deprecated APIs that nobody is tracking or patching.

API10 - Unsafe Consumption of APIs: Trusting third-party APIs without validating what comes back.

Catch them in review, not in the breach report.

Ten risks. Ten fixes. One free PDF, built on the OWASP API Security Top 10.