OWASP API Security Top 10

OWASP API Security Top 10

logo

Summary

API Security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs). The version used in this section is OWASP API Security Top 10 2023.

Definitions

Definition Requirements
API1. Broken Object Level Authorization 030. Avoid object reutilization
033. Restrict administrative access
035. Manage privilege modifications
095. Define users with privileges
176. Restrict system objects
265. Restrict access to critical processes
API2. Broken Authentication 228. Authenticate using standard protocols
229. Request access credentials
264. Request authentication
API3. Broken Object Property Level Authorization 032. Avoid session ID leakages
062. Define standard configurations
176. Restrict system objects
181. Transmit data using secure protocols
261. Avoid exposing sensitive information
266. Disable insecure functionalities
300. Mask sensitive data
375. Remove sensitive data from client-side applications
API4. Lack of Resources & Rate Limiting 072. Set maximum response time
164. Use optimized structures
173. Discard unsafe inputs
320. Avoid client-side control enforcement
342. Validate request parameters
345. Establish protections against overflows
API5. Broken Function Level Authorization 096. Set user's required privileges
176. Restrict system objects
264. Request authentication
320. Avoid client-side control enforcement
API6. Unrestricted Access to Sensitive Business Flows 062. Define standard configurations
265. Restrict access to critical processes
API7. Server Side Request Forgery 173. Discard unsafe inputs
324. Control redirects
348. Use consistent encoding
API8. Security Misconfiguration 043. Define an explicit content type
062. Define standard configurations
131. Deny multiple password changing attempts
134. Store passwords with salt
160. Encode system outputs
266. Disable insecure functionalities
API9. Improper Inventory Management 050. Control calls to interpreted code
262. Verify third-party components
266. Disable insecure functionalities
API10. Unsafe Consumption of APIs 173. Discard unsafe inputs
181. Transmit data using secure protocols
262. Verify third-party components
324. Control redirects
Free trial message
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.