
OWASP API Security Top 10 - free field guide

The exploits your API team should know by name.

Field brief // API1 - Broken Object Level Authorization

An attacker changes one number in a request and reads records that are not theirs. No password. No alarm. In January 2023, a single exposed API was abused this exact way to take data on 37,000,000 customers of one US carrier - and it ran undetected for 41 days. It is the number one API risk on record. This file documents all ten.

Contents of the file

Ten exploits. Ten fixes.

Each entry covers what it is, the request that exploits it, and the control that closes it.

API1 Broken Object Level Authorization

Users reaching records that belong to someone else by changing an ID. The T-Mobile pattern.

API2 Broken Authentication

Weak tokens, missing MFA, and sessions that let attackers impersonate users.

API3 Broken Object Property Level Authorization

Exposing or letting users edit fields they were never meant to touch.

API4 Unrestricted Resource Consumption

No limits on requests, uploads, or queries, leading to outages and cloud bills.

API5 Broken Function Level Authorization

Standard users reaching admin-only endpoints and actions.

API6 Unrestricted Access to Sensitive Business Flows

Bots abusing legitimate workflows at scale: scalping, fraud, hoarding.

API7 Server-Side Request Forgery

Tricking your server into calling internal systems and cloud metadata.

API8 Security Misconfiguration

Default credentials, debug modes, and permissive settings shipped to production.

API9 Improper Inventory Management

Shadow and deprecated APIs that nobody is tracking or patching.

API10 Unsafe Consumption of APIs

Trusting third-party APIs without validating what comes back.
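The two authorization entries above (API1, records reached by changing an ID; API3, fields a user was never meant to edit) share one root cause: the handler trusts an identifier or a field name supplied by the client. The following is an added example, not code from the field guide, showing the vulnerable handler beside the control that closes it. The in-memory `ACCOUNTS` table, the `Request` shape, the handler names and the `dispatch` shim are all constructed for this illustration; a real service would read the principal from a verified token and the record from a database.

```python
"""Object-level (API1) and property-level (API3) authorization checks.

Added example, not from the field guide. ACCOUNTS, Request, the handler
names and dispatch() are constructed stand-ins for a real framework.
"""
from dataclasses import dataclass, field

# Constructed sample data standing in for a customer-accounts table.
ACCOUNTS = {
    1001: {"owner": "alice", "email": "alice@example.com", "plan": "basic", "balance": 12.50},
    1002: {"owner": "bob",   "email": "bob@example.com",   "plan": "basic", "balance": 0.00},
}

# API3 control: the only fields a customer may change on their own record.
WRITABLE_FIELDS = frozenset({"email", "plan"})


class NotFound(Exception):
    """Maps to HTTP 404."""


class BadRequest(Exception):
    """Maps to HTTP 400."""


@dataclass
class Request:
    user: str                                # principal from the verified session/token
    account_id: int                          # object ID from the URL, e.g. /accounts/1001
    body: dict = field(default_factory=dict)  # parsed JSON body for updates


def get_account_vulnerable(req: Request) -> dict:
    """API1 pattern: confirms the caller is logged in, never that the record is theirs."""
    return ACCOUNTS[req.account_id]


def get_account_hardened(req: Request) -> dict:
    """Object-level check: the record must exist AND belong to the caller."""
    rec = ACCOUNTS.get(req.account_id)
    # One response for "no such record" and "not your record", so the
    # difference cannot be used to learn which IDs exist.
    if rec is None or rec["owner"] != req.user:
        raise NotFound(f"account {req.account_id}")
    return rec


def update_account_vulnerable(req: Request) -> dict:
    """API3 pattern: copies every body field onto the record, owner and balance included."""
    rec = ACCOUNTS[req.account_id]
    rec.update(req.body)
    return rec


def update_account_hardened(req: Request) -> dict:
    """Ownership check first, then an allowlist of fields the caller may write."""
    rec = get_account_hardened(req)  # reuse the API1 control
    extra = set(req.body) - WRITABLE_FIELDS
    if extra:
        # Reject instead of silently dropping: a body naming 'balance' or
        # 'owner' is a signal worth logging, not noise to ignore.
        raise BadRequest(f"fields not writable: {sorted(extra)}")
    rec.update(req.body)
    return rec


def dispatch(handler, req: Request) -> tuple:
    """Tiny framework shim: turn a handler's result or exception into (status, body)."""
    try:
        return 200, handler(req)
    except NotFound as e:
        return 404, {"error": str(e)}
    except BadRequest as e:
        return 400, {"error": str(e)}


if __name__ == "__main__":
    # bob asks for alice's record by changing the ID in the path
    print("vulnerable:", dispatch(get_account_vulnerable, Request("bob", 1001)))
    print("hardened:  ", dispatch(get_account_hardened, Request("bob", 1001)))
    # alice tries to set her own balance through the update endpoint
    print("hardened:  ", dispatch(update_account_hardened, Request("alice", 1001, {"balance": 9999})))
```

The hardened read deliberately returns the same 404 whether the record is missing or belongs to someone else; returning 403 for the second case would tell a caller that the ID is valid. The hardened update rejects unknown fields rather than discarding them, which keeps such requests visible in your error logs.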

File provenance

Written to be used, not filed away.

Built on the current standard

Maps directly to the OWASP API Security Top 10, 2023 edition.

Vendor-neutral

Nothing to buy. Works with the stack you already run.

Practitioner-first

Real endpoints and fixes, not abstract theory.

For the whole team

The engineers who ship the endpoints and the leads who answer for them.

37 million reasons to read it.

Ten exploits. Ten fixes. One free PDF.

Get the field guide