OWASP API Security
OWASP API Security Top 10: BOLA, broken auth, property auth, resource consumption, SSRF.
OWASP API Security Top 10
| # | Vulnerability | Attack Example | Fix |
|---|---|---|---|
| API1 | Broken Object Level Auth | GET /api/orders/999 (other user's order) | Verify ownership on every object access |
| API2 | Broken Auth | Weak JWT, no expiry | Short-lived tokens, MFA, rate limit auth |
| API3 | Broken Object Property Auth | PATCH sends admin:true and it works | Whitelist allowed fields per role |
| API4 | Unrestricted Resource Consumption | No pagination, no rate limit | Pagination, rate limits, query limits |
| API5 | Broken Function Level Auth | DELETE /api/admin/users (non-admin) | Separate admin endpoints, verify role |
| API6 | Unrestricted Access to Sensitive Business Flows | Bot scrapes all prices | CAPTCHA, behaviour analysis |
| API7 | SSRF | URL param fetches internal metadata | Whitelist allowed domains/IPs |
| API8 | Security Misconfiguration | Debug mode on, verbose errors | Harden configs, generic error messages |
| API9 | Improper Inventory Management | Old v1 API still active, unpatched | API versioning, sunset old versions |
| API10 | Unsafe Consumption of APIs | Trusts third-party API output blindly | Validate and sanitise all third-party data |
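To make the API1 and API3 fixes from the table concrete, here is an added example (not from the OWASP project or this page) of an order endpoint's backend logic in Python. It verifies ownership on every object access and only applies PATCH fields allowlisted for the caller's role; the order store, user records and role names are constructed sample data.

```python
# Constructed sample data: order id -> owner and editable fields.
ORDERS = {
    999: {"owner": "alice", "status": "shipped", "total": 42.0},
    1000: {"owner": "bob", "status": "pending", "total": 10.0},
}

# Fields a caller may change, keyed by role (assumed role names).
# Anything not listed here, e.g. "admin" or "total" for a user, is rejected.
WRITABLE_FIELDS = {
    "user": {"shipping_note"},
    "admin": {"shipping_note", "status", "total"},
}


class NotFound(Exception):
    """Raised for both missing and not-owned objects, so the response
    does not reveal whether an id exists (avoids id enumeration)."""


class Forbidden(Exception):
    """Raised when the payload touches fields the role may not write."""


def get_order(order_id, caller):
    """Return the order only if the caller owns it or is an admin."""
    order = ORDERS.get(order_id)
    # API1 fix: check ownership on every object access, not only on listing.
    owned = order is not None and (
        order["owner"] == caller["id"] or caller["role"] == "admin"
    )
    if not owned:
        raise NotFound(order_id)
    return order


def patch_order(order_id, caller, payload):
    """Apply only allowlisted fields; reject (do not silently drop) the rest."""
    order = get_order(order_id, caller)  # reuses the ownership check
    allowed = WRITABLE_FIELDS[caller["role"]]
    rejected = sorted(set(payload) - allowed)
    if rejected:
        # API3 fix: a PATCH carrying admin:true or total must fail loudly.
        raise Forbidden(f"not writable for role {caller['role']}: {rejected}")
    order.update(payload)
    return order
```

Returning the same error for "missing" and "not yours" is deliberate: a distinct 403 would tell a caller which order ids exist.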