
OWASP API Security Top 10

Every API you ship is an attack surface.

A practical 17-page breakdown of the OWASP API Security Top 10 (the 2023 edition) - what each risk is, how attackers exploit it, and the controls that stop them. Written for the engineers who build APIs and the teams who have to answer for them.

api1_bola.http
GET /api/accounts/12345   200 OK   your account
GET /api/accounts/12346   200 OK   someone else's   <- BOLA

API1: Broken Object Level Authorization. Change one digit, read another customer's record. The server confirmed that the caller is logged in, but never checked that the caller owns account 12346. It is the number one risk on the list - and one of the easiest to miss in code review, because the handler looks correct line by line.
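The request pair above, as an added example that is not code from the guide: a deliberately vulnerable handler that looks a record up by ID alone, the hardened handler that also requires ownership, and a small probe a team can run in CI to catch the regression. The in-memory ACCOUNTS table, the account and user names, and the function names are all constructed for the illustration; a real service would run the same ownership condition as part of its database query.

```python
# Added example (not from the OWASP guide): API1 BOLA, vulnerable vs. fixed,
# plus a probe that detects the vulnerable behaviour.
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str      # the only user allowed to read this record
    balance: float


# Constructed sample data standing in for a database table.
ACCOUNTS: Dict[int, Account] = {
    12345: Account(12345, "alice", 1500.00),
    12346: Account(12346, "bob", 42.10),
}


class NotFound(Exception):
    """Maps to HTTP 404 in a real handler."""


def get_account_vulnerable(caller: str, account_id: int) -> Account:
    """API1 as shipped: `caller` is already authenticated upstream, but the
    lookup is keyed on the ID alone, so any logged-in user can read any
    account by changing one digit of the URL."""
    try:
        return ACCOUNTS[account_id]
    except KeyError:
        raise NotFound(account_id)


def get_account_fixed(caller: str, account_id: int) -> Account:
    """Object-level authorization: the record must exist AND belong to the
    caller. The SQL equivalent is `WHERE id = ? AND owner = ?`. Both the
    missing and the not-yours case return 404 so the endpoint does not
    confirm which IDs exist."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != caller:
        raise NotFound(account_id)
    return acct


def bola_probe(handler: Callable[[str, int], Account],
               caller: str, own_id: int, foreign_id: int) -> dict:
    """Regression check for BOLA: as `caller`, fetch your own record and then
    a record that belongs to someone else. The handler is vulnerable if the
    foreign lookup succeeds."""
    results = {}
    for label, acct_id in (("own", own_id), ("foreign", foreign_id)):
        try:
            handler(caller, acct_id)
            results[label] = "200 OK"
        except NotFound:
            results[label] = "404 Not Found"
    results["vulnerable"] = results["foreign"] == "200 OK"
    return results


if __name__ == "__main__":
    # alice requests 12345 (hers) and 12346 (bob's) against both handlers.
    print("vulnerable:", bola_probe(get_account_vulnerable, "alice", 12345, 12346))
    print("fixed:     ", bola_probe(get_account_fixed, "alice", 12345, 12346))
```

The probe is the check to add to an API test suite: one authenticated user, one ID they own, one they do not, and a failing build if the second request returns 200. Note that the fix is not "validate the ID"; the ID is well formed in both requests. The control is that every object lookup is scoped to the caller.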

What is inside

Ten risks. One reference your team can act on.

Each section covers what the risk is, a real example, why it happens, the potential impact, and the controls that prevent it - plus a checklist to audit your own APIs.

API1 - Broken Object Level Authorization: Users reaching records that belong to someone else by changing an ID.
API2 - Broken Authentication: Weak tokens, missing MFA, and sessions that let attackers impersonate users.
API3 - Broken Object Property Level Authorization: Exposing or letting users edit fields they were never meant to touch.
API4 - Unrestricted Resource Consumption: No limits on requests, uploads, or queries - leading to outages and cloud bills.
API5 - Broken Function Level Authorization: Standard users reaching admin-only endpoints and actions.
API6 - Unrestricted Access to Sensitive Business Flows: Bots abusing legitimate workflows at scale - scalping, fraud, hoarding.
API7 - Server-Side Request Forgery: Tricking your server into calling internal systems and cloud metadata.
API8 - Security Misconfiguration: Default credentials, debug modes, and permissive settings shipped to production.
API9 - Improper Inventory Management: Shadow and deprecated APIs that nobody is tracking or patching.
API10 - Unsafe Consumption of APIs: Trusting third-party APIs without validating what comes back.