OWASP API Security Top 10 - free field guide

The exploits your API team should know by name.

    Field brief // API1 - Broken Object Level Authorization
    An attacker changes one number in a request and reads records that are
    not theirs. No password. No alarm. In January 2023, a single exposed API
    was abused this exact way to take data on 37,000,000 customers of one
    US carrier - and it ran undetected for 41 days. It is the
    number one API risk on record. This file documents all ten.
  

Contents of the file

Ten exploits. Ten fixes.

Each entry covers what it is, the request that exploits it, and the control that closes it.

API1 Broken Object Level Authorization

Users reaching records that belong to someone else by changing an ID. The T-Mobile pattern.

API2 Broken Authentication

Weak tokens, missing MFA, and sessions that let attackers impersonate users.

API3 Broken Object Property Level Authorization

Exposing or letting users edit fields they were never meant to touch.

API4 Unrestricted Resource Consumption

No limits on requests, uploads, or queries, leading to outages and cloud bills.

API5 Broken Function Level Authorization

Standard users reaching admin-only endpoints and actions.

API6 Unrestricted Access to Sensitive Business Flows

Bots abusing legitimate workflows at scale: scalping, fraud, hoarding.

API7 Server-Side Request Forgery

Tricking your server into calling internal systems and cloud metadata.

API8 Security Misconfiguration

Default credentials, debug modes, and permissive settings shipped to production.

API9 Improper Inventory Management

Shadow and deprecated APIs that nobody is tracking or patching.

API10 Unsafe Consumption of APIs

Trusting third-party APIs without validating what comes back.

37 million reasons to read it.

Ten exploits. Ten fixes. One free PDF.

Get the field guide