Case file OWASP-API-10 // Clearance: Public // Subject: API attack methods // 2023 edition

OWASP API Security Top 10 – free field guide

The exploits your API team should know by name.

Field brief // API1 - Broken Object Level Authorization

An attacker changes one number in a request and reads records that are not theirs. No password. No alarm. In January 2023, a single exposed API was abused this exact way to take data on 37,000,000 customers of one US carrier, and it ran undetected for 41 days. It is the number one API risk on record. This file documents all ten.
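The pattern this brief describes, as an added example that is not part of the guide: a lookup that trusts whatever id the caller sends, beside one that checks the record's owner against the session and counts denied lookups as a detection hook. The account names and invoice records are constructed.

```python
# Added example (not from the guide): the BOLA pattern as a vulnerable
# lookup beside its hardened form. All records and accounts are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample store: invoice_id -> (owner account, payload)
INVOICES = {
    1001: ("acct-alice", {"total": "42.00", "email": "alice@example.com"}),
    1002: ("acct-bob",   {"total": "17.50", "email": "bob@example.com"}),
    1003: ("acct-alice", {"total": "99.99", "email": "alice@example.com"}),
}

def get_invoice_vulnerable(caller: str, invoice_id: int) -> Tuple[int, Optional[dict]]:
    """BOLA: the authenticated caller is trusted to pick any id. Caller identity is never
    compared with the record's owner, so changing one number reads someone else's record."""
    if invoice_id not in INVOICES:
        return 404, None
    return 200, INVOICES[invoice_id][1]

@dataclass
class AuditLog:
    denied: List[Tuple[str, int]] = field(default_factory=list)

def get_invoice(caller: str, invoice_id: int, audit: AuditLog) -> Tuple[int, Optional[dict]]:
    """Object-level authorization: the owner from the session must match the record.
    A foreign id returns 404, the same as a nonexistent one, so the API does not confirm
    it exists; the attempt is logged, because one rejected id is a typo and fifty is a sweep."""
    entry = INVOICES.get(invoice_id)
    if entry is None or entry[0] != caller:
        audit.denied.append((caller, invoice_id))
        return 404, None
    return 200, entry[1]

def denied_count_by_caller(audit: AuditLog, threshold: int) -> Dict[str, int]:
    """Detection hook: callers whose denied object lookups reached the threshold."""
    counts: Dict[str, int] = {}
    for caller, _ in audit.denied:
        counts[caller] = counts.get(caller, 0) + 1
    return {c: n for c, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    audit = AuditLog()
    # Bob's session walks ids 1001..1003; only 1002 is his.
    print([get_invoice_vulnerable("acct-bob", i)[0] for i in range(1001, 1004)])  # [200, 200, 200]
    print([get_invoice("acct-bob", i, audit)[0] for i in range(1001, 1004)])      # [404, 200, 404]
    print(denied_count_by_caller(audit, threshold=2))                              # {'acct-bob': 2}
```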

Exhibit A // January 2023

Attackers pointed the flaw in this file at a real API and let it run. For 41 days, nobody noticed. By the time it was caught, they had the personal records of

37,000,000
T-Mobile customers

That is more people than live in Texas.

Names, billing addresses, emails, phone numbers, dates of birth, account numbers. No system was hacked. No password was cracked. An API simply answered questions it should never have answered, one record at a time, 37 million times.

37,000,000 accounts
41 days undetected
1 exposed API

Source: T-Mobile Form 8-K filing, U.S. SEC, January 2023.

Contents of the file

Ten exploits. Ten fixes.

Each entry covers what it is, the request that exploits it, and the control that closes it.

API1 - Broken Object Level Authorization

Users reaching records that belong to someone else by changing an ID. The T-Mobile pattern.

API2 - Broken Authentication

Weak tokens, missing MFA, and sessions that let attackers impersonate users.

API3 - Broken Object Property Level Authorization

Exposing or letting users edit fields they were never meant to touch.

API4 - Unrestricted Resource Consumption

No limits on requests, uploads, or queries, leading to outages and cloud bills.

API5 - Broken Function Level Authorization

Standard users reaching admin-only endpoints and actions.

API6 - Unrestricted Access to Sensitive Business Flows

Bots abusing legitimate workflows at scale: scalping, fraud, hoarding.

API7 - Server-Side Request Forgery

Tricking your server into calling internal systems and cloud metadata.

API8 - Security Misconfiguration

Default credentials, debug modes, and permissive settings shipped to production.

API9 - Improper Inventory Management

Shadow and deprecated APIs that nobody is tracking or patching.

API10 - Unsafe Consumption of APIs

Trusting third-party APIs without validating what comes back.

File provenance

Written to be used, not filed away.

Built on the current standard

Maps directly to the OWASP API Security Top 10, 2023 edition.

Vendor-neutral

Nothing to buy. Works with the stack you already run.

Practitioner-first

Real endpoints and fixes, not abstract theory.

For the whole team

The engineers who ship the endpoints and the leads who answer for them.

37 million reasons to read it.

Ten exploits. Ten fixes. One free PDF.