https://owasp.org/API-Security/editions/2023/en/0x11-t10/

OWASP Top 10 API Security Risks - 2023

(c) Copyright 2023 - OWASP API Security Project team

| Risk | Description |
| --- | --- |
| API1:2023 - Broken Object Level Authorization | APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of Object Level Access Control issues. Object-level authorization checks should be considered in every function that accesses a data source using an ID from the user. |
| API2:2023 - Broken Authentication | Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently. Compromising a system's ability to identify the client/user compromises API security overall. |
| API3:2023 - Broken Object Property Level Authorization | This category combines API3:2019 Excessive Data Exposure and API6:2019 - Mass Assignment, focusing on the root cause: the lack of, or improper, authorization validation at the object property level. This leads to information exposure or manipulation by unauthorized parties. |
| API4:2023 - Unrestricted Resource Consumption | Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Other resources such as emails/SMS/phone calls or biometrics validation are made available by service providers via API integrations, and paid for per request. Successful attacks can lead to Denial of Service or an increase of operational costs. |
| API5:2023 - Broken Function Level Authorization | Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers can gain access to other users' resources and/or administrative functions. |
| API6:2023 - Unrestricted Access to Sensitive Business Flows | APIs vulnerable to this risk expose a business flow - such as buying a ticket, or posting a comment - without compensating for how the functionality could harm the business if used excessively in an automated manner. This doesn't necessarily come from implementation bugs. |
| API7:2023 - Server Side Request Forgery | Server-Side Request Forgery (SSRF) flaws can occur when an API is fetching a remote resource without validating the user-supplied URI. This enables an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall or a VPN. |
| API8:2023 - Security Misconfiguration | APIs and the systems supporting them typically contain complex configurations, meant to make the APIs more customizable. Software and DevOps engineers can miss these configurations, or don't follow security best practices when it comes to configuration, opening the door for different types of attacks. |
| API9:2023 - Improper Inventory Management | APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. A proper inventory of hosts and deployed API versions is also important to mitigate issues such as deprecated API versions and exposed debug endpoints. |
| API10:2023 - Unsafe Consumption of APIs | Developers tend to trust data received from third-party APIs more than user input, and so tend to adopt weaker security standards. In order to compromise APIs, attackers go after integrated third-party services instead of trying to compromise the target API directly. |
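The two authorization rows above (API1:2023 and API5:2023) describe the same habit from two angles: check the object against the authenticated principal, and check the operation against the principal's role. The following is an added example written for this page, not OWASP project code; the in-memory `INVOICES` store, the `User` record, the `admin` role and the exception names are assumptions chosen for illustration. It puts the vulnerable "look up whatever ID the client sent" handler beside the object-level check, and gates an administrative function on a server-side role.

```python
"""Object-level (API1:2023) and function-level (API5:2023) authorization checks.

Added example, not OWASP project code. INVOICES, User, the "admin" role and the
exception names are assumptions for illustration.
"""
import functools
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Authenticated caller is not allowed to perform this operation."""


class NotFound(Exception):
    """Object does not exist for this caller (also used to hide cross-tenant reads)."""


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset = frozenset()   # assumed: populated from the server-side session


# Constructed sample data: invoice id -> record. Stands in for a database table.
INVOICES = {
    "inv-1001": {"owner": "alice", "amount": 120.0},
    "inv-1002": {"owner": "bob", "amount": 75.5},
}


def get_invoice_vulnerable(invoice_id: str) -> dict:
    """API1 pattern: any authenticated user reads any invoice by guessing its id."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


def get_invoice(user: User, invoice_id: str) -> dict:
    """Object-level check: fetch by id, then verify ownership against the
    authenticated principal, never against anything in the request itself."""
    record = INVOICES.get(invoice_id)
    # Same error for "missing" and "not yours", so the endpoint cannot be used
    # as an oracle for which ids exist.
    if record is None or record["owner"] != user.user_id:
        raise NotFound(invoice_id)
    return record


def require_role(role: str):
    """Function-level check: a whole operation is gated on a role carried by the
    session, not on a client-controlled flag or on the route being unguessable."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(user: User, *args, **kwargs):
            if role not in user.roles:
                raise PermissionDenied(f"{fn.__name__} requires role {role!r}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def delete_invoice(user: User, invoice_id: str) -> bool:
    """Administrative function; ordinary users must not reach it even if they
    discover the route."""
    return INVOICES.pop(invoice_id, None) is not None


def demo() -> dict:
    """Exercise both checks and report what each caller was allowed to do."""
    alice = User("alice")
    admin = User("root", frozenset({"admin"}))
    results = {"own": get_invoice(alice, "inv-1001")["amount"]}
    try:
        get_invoice(alice, "inv-1002")
        results["cross_tenant"] = "read"
    except NotFound:
        results["cross_tenant"] = "denied"
    try:
        delete_invoice(alice, "inv-1002")
        results["user_delete"] = "allowed"
    except PermissionDenied:
        results["user_delete"] = "denied"
    results["admin_delete"] = delete_invoice(admin, "inv-1002")
    return results


if __name__ == "__main__":
    print(demo())
```

The ownership test lives in the data-access function rather than in a router-level middleware because the middleware cannot know which row the handler will touch; the role decorator, by contrast, belongs at the boundary of the operation. Returning `NotFound` for both cases is a deliberate trade-off against leaking which identifiers exist.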
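For API3:2023 the two merged 2019 categories map onto two places in a handler: what the client may write into a record (mass assignment) and what the server returns from it (excessive data exposure). The following is an added example for this page, not OWASP project code; the `SAMPLE` profile record, the `READABLE`/`WRITABLE` policies, the `root` admin principal and the `Forbidden` exception are assumptions for illustration. Both directions use an allowlist keyed by the caller's relationship to the record, and the vulnerable update-everything handler is kept beside the fix.

```python
"""Property-level authorization for a profile resource (API3:2023).

Added example, not OWASP project code. SAMPLE, READABLE, WRITABLE, ADMINS and
Forbidden are assumptions for illustration.
"""
import copy


class Forbidden(Exception):
    """Caller tried to set a property outside its write set."""


# Constructed sample record (placeholder values, not real data). password_hash
# and internal_notes must never reach an ordinary caller; is_admin and credit
# must never be settable by the account owner.
SAMPLE = {
    "alice": {
        "id": "alice",
        "display_name": "Alice",
        "email": "alice@example.com",
        "is_admin": False,
        "credit": 0,
        "password_hash": "$argon2id$v=19$...",
        "internal_notes": "flagged for review",
    }
}


def sample_store() -> dict:
    """Fresh deep copy so every call starts from the same state."""
    return copy.deepcopy(SAMPLE)


# Allowlists, not denylists: a property absent from the set is neither
# readable nor writable for that role, so a newly added column is safe by default.
READABLE = {
    "self": {"id", "display_name", "email", "is_admin", "credit"},
    "other": {"id", "display_name"},
    "admin": {"id", "display_name", "email", "is_admin", "credit", "internal_notes"},
}
WRITABLE = {
    "self": {"display_name", "email"},
    "other": set(),
    "admin": {"display_name", "email", "is_admin", "credit", "internal_notes"},
}
ADMINS = frozenset({"root"})   # assumed: derived from the server-side session


def role_for(actor: str, target: str) -> str:
    if actor in ADMINS:
        return "admin"
    return "self" if actor == target else "other"


def update_profile_vulnerable(store: dict, target: str, payload: dict) -> dict:
    """Mass assignment: every key in the request body is written through."""
    store[target].update(payload)
    return store[target]


def serialize(store: dict, actor: str, target: str) -> dict:
    """Project the record onto the caller's readable set instead of returning the
    whole row and trusting the client to ignore fields."""
    allowed = READABLE[role_for(actor, target)]
    return {k: v for k, v in store[target].items() if k in allowed}


def update_profile(store: dict, actor: str, target: str, payload: dict) -> dict:
    """Reject, rather than silently drop, any property outside the write set, so
    the attempt is visible in logs; only then apply and return the filtered view."""
    allowed = WRITABLE[role_for(actor, target)]
    rejected = sorted(set(payload) - allowed)
    if rejected:
        raise Forbidden(f"cannot set {rejected}")
    store[target].update(payload)
    return serialize(store, actor, target)


def demo() -> dict:
    out = {}
    store = sample_store()
    body = {"display_name": "A", "is_admin": True}   # attacker-controlled body
    out["vuln_is_admin"] = update_profile_vulnerable(store, "alice", body)["is_admin"]
    store = sample_store()
    try:
        update_profile(store, "alice", "alice", body)
        out["fixed_is_admin"] = store["alice"]["is_admin"]
    except Forbidden:
        out["fixed_is_admin"] = "rejected"
    out["self_view_keys"] = sorted(serialize(store, "alice", "alice"))
    out["other_view_keys"] = sorted(serialize(store, "bob", "alice"))
    return out


if __name__ == "__main__":
    print(demo())
```

Whether to reject or silently strip unknown properties is a policy choice; rejecting is preferred here because a client sending `is_admin` is either buggy or hostile, and either deserves an error that ends up in the logs.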
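The API4:2023 row points out that some requests cost real money (an SMS or a biometric check billed per call) on top of CPU and memory, so a flat requests-per-minute limit undercounts them. The following is an added example for this page, not OWASP project code; the `COST` table, the bucket sizes, the injected clock and the `TRAFFIC` replay are assumptions for illustration. It is a token-bucket limiter keyed by authenticated principal in which expensive routes draw more tokens, plus a bound on page size so a single request cannot demand an unbounded result set.

```python
"""Weighted per-principal token bucket and a pagination bound (API4:2023).

Added example, not OWASP project code. COST, capacity, refill rate, the fake
clock and TRAFFIC are assumptions for illustration.
"""
from dataclasses import dataclass

# Assumed cost table: a route that triggers a paid third-party action draws
# far more from the caller's budget than a plain read. Unknown routes cost 1.
COST = {"GET /items": 1, "POST /otp/send": 20}


@dataclass
class Bucket:
    tokens: float
    last: float


class RateLimiter:
    def __init__(self, capacity: float, refill_per_sec: float, clock):
        self.capacity = float(capacity)
        self.refill_per_sec = float(refill_per_sec)
        self.clock = clock            # injected so the example is deterministic
        self.buckets: dict[str, Bucket] = {}   # production: shared store with expiry

    def allow(self, key: str, route: str) -> bool:
        """Key on the authenticated principal (fall back to client IP only for
        unauthenticated routes). Returns False when the caller must get a 429."""
        now = self.clock()
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = Bucket(self.capacity, now)
        else:
            elapsed = max(0.0, now - bucket.last)
            bucket.tokens = min(self.capacity, bucket.tokens + elapsed * self.refill_per_sec)
            bucket.last = now
        cost = COST.get(route, 1)
        if bucket.tokens >= cost:
            bucket.tokens -= cost
            return True
        return False


def clamp_page_size(requested, default: int = 50, maximum: int = 200) -> int:
    """Never let the client choose an unbounded page: a missing value gets the
    default, anything else is clamped into [1, maximum]."""
    if requested is None:
        return default
    return max(1, min(int(requested), maximum))


def simulate(requests, capacity: float = 30, refill_per_sec: float = 1.0) -> list:
    """Replay (seconds, principal, route) tuples against a limiter with a fake clock."""
    clock = {"now": 0.0}
    limiter = RateLimiter(capacity, refill_per_sec, lambda: clock["now"])
    outcome = []
    for when, principal, route in requests:
        clock["now"] = float(when)
        outcome.append(limiter.allow(principal, route))
    return outcome


# Constructed traffic: alice tries to trigger OTP sends in a burst, bob is a
# separate tenant and must not be affected by alice's budget.
TRAFFIC = [
    (0, "alice", "POST /otp/send"),
    (0, "alice", "POST /otp/send"),
    (0, "alice", "GET /items"),
    (0, "bob", "POST /otp/send"),
    (15, "alice", "POST /otp/send"),
    (15, "alice", "POST /otp/send"),
]

if __name__ == "__main__":
    print(simulate(TRAFFIC))   # second and last alice OTP requests are refused
```

The limiter here is the traffic-shaping half only; request body size limits, upstream timeouts and a hard cap on concurrent in-flight requests per principal belong in the same review, and the in-process dictionary must become a shared store with key expiry once there is more than one replica.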
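The API7:2023 row says the fix is to validate the user-supplied URI before the server fetches it. The following is an added example for this page, not OWASP project code; `ALLOWED_HOSTS`, the https-and-443-only policy, the constructed `FAKE_DNS` answers and the placeholder addresses in it are assumptions for illustration. It goes a step beyond a scheme check: the name is matched against an exact allowlist, userinfo and non-default ports are refused, and every address the name resolves to must be globally routable, because an allowed name that currently points at an internal address is still an SSRF vector.

```python
"""Validating a user-supplied URL before a server-side fetch (API7:2023).

Added example, not OWASP project code. ALLOWED_HOSTS, the port/scheme policy,
FAKE_DNS and its placeholder addresses are assumptions for illustration.
"""
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit

# Assumed policy: only these names may be fetched, always https on port 443.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}


class UnsafeURL(ValueError):
    """Carries a short reason code: parse, scheme, userinfo, host, port, address."""


def is_public_ip(addr: str) -> bool:
    """True only for a globally routable unicast address. Python's ipaddress
    marks the IANA special-purpose ranges as private, which covers RFC 1918,
    loopback, link-local (including 169.254.169.254) and the documentation nets."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def default_resolver(host: str) -> list:
    """Live DNS: every address the name maps to, both families."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 443)})


def validate_fetch_url(url: str, resolver=default_resolver) -> tuple:
    try:
        parts = urlsplit(url)
        port = parts.port              # raises ValueError on a malformed port
    except ValueError as exc:
        raise UnsafeURL("parse") from exc
    if parts.scheme != "https":
        raise UnsafeURL("scheme")      # file://, gopher://, plain http
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo")    # https://images.example.com@169.254.169.254/
    host = parts.hostname              # lowercased; brackets stripped for IPv6
    if host is None:
        raise UnsafeURL("host")
    if port not in (None, 443):
        raise UnsafeURL("port")
    # Exact-match allowlist on the name. IP literals never match, so decimal or
    # octal spellings of loopback such as 2130706433 are rejected here too.
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL("host")
    addrs = resolver(host)
    if not addrs or not all(is_public_ip(a) for a in addrs):
        raise UnsafeURL("address")
    canonical = urlunsplit(("https", host, parts.path or "/", parts.query, ""))
    return canonical, addrs


# Constructed DNS answers for offline use; these are placeholder IPs, not real records.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "cdn.example.net": ["93.184.216.35", "10.0.0.5"],   # one internal A record
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


def check(url: str, resolver=fake_resolver) -> str:
    """Outcome as a reason code so the policy can be exercised without a network."""
    try:
        validate_fetch_url(url, resolver)
        return "ok"
    except UnsafeURL as exc:
        return str(exc)


if __name__ == "__main__":
    for u in ("https://images.example.com/a.png",
              "https://images.example.com@169.254.169.254/latest/meta-data/",
              "https://cdn.example.net/x"):
        print(u, "->", check(u))
```

Two caveats the check alone does not cover. The HTTP client must connect to one of the returned `addrs` (sending `host` as SNI and `Host`) rather than resolving again, otherwise a short-TTL record can swap in an internal address between check and use. And redirects must either be disabled or have every hop re-validated through the same function, since a permitted host can 302 to anything.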