The Open Web Application Security Project (OWASP) puts together a list of the biggest security risks for application programming interfaces (APIs).
The Open Web Application Security Project (OWASP) is a non-profit organization whose goal is to promote web application security. OWASP offers many free resources for building a more secure web application.
One of the organization’s most widely referenced resources is the OWASP Top 10, which lists the 10 biggest security concerns for web applications. OWASP also maintains a separate, similar list for application programming interfaces (APIs), which are crucial for powering most web and mobile experiences.
APIs can fuel competitive advantages for businesses by providing business intelligence, facilitating cloud deployments, and enabling integration of AI capabilities. But at the same time, APIs can introduce new risks by allowing outside parties to access applications, share data, and run potentially sensitive workflows.
The OWASP API Security Top 10, most recently published in 2023, highlights key issues that organizations should address to better protect their APIs, applications, and data. The list includes:
To learn more about these 10 security risks, see OWASP's official page.
There is some crossover between the OWASP Top 10 list and the OWASP API Security Top 10 list. For example, broken access control is the first issue on the OWASP Top 10 list, and there are various forms of broken authentication and authorization among the first five security issues on the API list. In addition, security misconfiguration and server-side request forgery appear on both lists.
However, APIs do present several distinct risks compared to web applications. Developers should take both lists into account.
Cloudflare API Shield helps keep APIs secure and working as they should through API discovery capabilities, centralized API management and monitoring, and innovative, layered defenses. API Shield is part of Cloudflare’s application security portfolio, which offers additional capabilities for stopping bots, DDoS attacks, and application attacks while monitoring for supply chain attacks.
Learn how Cloudflare capabilities address the specific risks detailed in the OWASP API Security Top 10. And explore more of Cloudflare’s API security solutions.
OWASP is a non-profit organization that promotes web application security by providing free resources, such as security best practices and risk lists, to help organizations secure their applications.
The OWASP API Security Top 10 is a list of the most critical security risks facing APIs. It helps organizations understand and address common vulnerabilities in API design and implementation.
"Broken authorization" can refer to a number of OWASP risks for APIs: broken object-level authorization, broken object property-level authorization, and broken function-level authorization. All three of these vulnerabilities can allow attackers to expose or manipulate sensitive data.
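The three authorization failures named above are easiest to tell apart in code. The following added example (not from the article and not Cloudflare or OWASP code; the users, orders, field names and roles are all constructed) shows an order endpoint with broken object-level authorization beside a checked version, then adds property-level filtering on the read and write side and a function-level role check on an admin-only endpoint.

```python
from dataclasses import dataclass

# Constructed sample data for the example: two customers and their orders.
@dataclass
class User:
    user_id: int
    role: str  # "customer" or "admin"

@dataclass
class Order:
    order_id: int
    owner_id: int
    total: float
    status: str
    shipping_note: str
    internal_fraud_score: float  # must never be exposed to a customer

ORDERS = {
    101: Order(order_id=101, owner_id=1, total=42.0, status="shipped",
               shipping_note="", internal_fraud_score=0.1),
    102: Order(order_id=102, owner_id=2, total=99.0, status="pending",
               shipping_note="", internal_fraud_score=0.7),
}

class Forbidden(Exception):
    pass

# Broken object-level authorization: any authenticated caller can read any
# order by supplying its id, because ownership is never checked and the whole
# object (including the internal field) is returned.
def get_order_bola(caller: User, order_id: int) -> dict:
    return vars(ORDERS[order_id]).copy()

def _owned_or_admin(caller: User, order: Order) -> None:
    if caller.role != "admin" and order.owner_id != caller.user_id:
        raise Forbidden("order does not belong to caller")

# Object property-level authorization, read side: serialize only the fields the
# caller's role may see instead of dumping the object.
CUSTOMER_VISIBLE = ("order_id", "total", "status", "shipping_note")

def serialize_order(order: Order, caller: User) -> dict:
    data = vars(order).copy()
    if caller.role != "admin":
        data = {k: data[k] for k in CUSTOMER_VISIBLE}
    return data

# Fixed read: the object is checked against the caller before anything leaves.
def get_order_checked(caller: User, order_id: int) -> dict:
    order = ORDERS[order_id]
    _owned_or_admin(caller, order)
    return serialize_order(order, caller)

# Object property-level authorization, write side: reject mass assignment by
# accepting only an explicit per-role allowlist of updatable fields.
UPDATABLE_BY_ROLE = {
    "customer": {"shipping_note"},
    "admin": {"shipping_note", "status", "total"},
}

def update_order_checked(caller: User, order_id: int, patch: dict) -> dict:
    order = ORDERS[order_id]
    _owned_or_admin(caller, order)
    rejected = set(patch) - UPDATABLE_BY_ROLE[caller.role]
    if rejected:
        raise Forbidden(f"fields not updatable by {caller.role}: {sorted(rejected)}")
    for field_name, value in patch.items():
        setattr(order, field_name, value)
    return serialize_order(order, caller)

# Function-level authorization: an entire endpoint restricted to one role,
# enforced by the server rather than by hiding the link in the client.
def require_role(role: str):
    def decorator(fn):
        def wrapper(caller: User, *args, **kwargs):
            if caller.role != role:
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(caller, *args, **kwargs)
        return wrapper
    return decorator

@require_role("admin")
def list_all_orders(caller: User) -> list:
    return [serialize_order(o, caller) for o in ORDERS.values()]
```

The point of the three layers is that each answers a different question: may this caller touch this object at all, which of its properties may they read or write, and may they call this function in the first place. A check at only one layer leaves the other two open.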
Key API risks include unrestricted resource consumption, server-side request forgery (SSRF), and poor API inventory management, all of which can lead to data exposure or service disruption.
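Of the risks named here, server-side request forgery is the one where a small validation routine makes the difference. As an added example (not from the article, not Cloudflare or OWASP code), below is a defender-side check for a user-supplied URL that an API would otherwise fetch on the caller's behalf: it enforces an HTTPS-only scheme, a hostname allowlist, no userinfo or unusual ports, no literal IP addresses, and it resolves the name and rejects any answer that is not a public address. The hostnames and addresses are constructed, and the resolver is a static table standing in for DNS so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS (a real service would call socket.getaddrinfo).
# All names and addresses below are invented for this example.
STATIC_DNS = {
    "api.partner.example": ["93.184.216.34"],       # stands in for a public partner API
    "partner-files.example": ["93.184.216.34", "10.0.0.5"],  # one public, one private answer
    "metadata.attacker.example": ["169.254.169.254"],  # name pointing at a cloud metadata address
}

def static_resolve(host: str) -> list:
    if host not in STATIC_DNS:
        raise LookupError(host)
    return STATIC_DNS[host]

# Constructed allowlist: the only external services this API is meant to call.
ALLOWED_HOSTS = {"api.partner.example", "partner-files.example"}

def validate_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS, resolve=static_resolve):
    """Return (ok, detail). On success, detail is the validated IP to connect to."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.port not in (None, 443):
        return False, f"port {parts.port} not allowed"
    # Literal IPs bypass the name allowlist entirely, so refuse them outright.
    try:
        ipaddress.ip_address(host)
        return False, "literal IP addresses not allowed; use an allowlisted hostname"
    except ValueError:
        pass
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    try:
        addrs = resolve(host)
    except LookupError:
        return False, f"host {host!r} does not resolve"
    # Every answer must be a public address: an allowlisted name can still be
    # pointed at loopback, RFC 1918 space or the link-local metadata range.
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{host} resolves to non-public address {addr}"
    # Hand back the validated address so the caller connects to *that* IP
    # (setting the Host header itself). Re-resolving at connect time would
    # reopen the window for a DNS answer to change between check and use.
    return True, addrs[0]
```

In a real service the `resolve` parameter would wrap `socket.getaddrinfo`, and the HTTP client would be pointed at the returned address rather than the hostname, with redirects either disabled or re-validated through the same function.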
Authentication vulnerabilities occur when APIs do not properly verify users, enabling attackers to impersonate legitimate users and gain unauthorized access to sensitive data.
Third-party API risks can arise when an API interacts with external services. Attackers may target those external services rather than targeting the API directly, especially when the API tends to trust data from those third-party services.
Cloudflare API Shield is a solution that helps organizations secure their APIs by providing API discovery, centralized management, monitoring, and layered security defenses.
Both of these lists categorize common security risks. The OWASP API Security Top 10 is specific to APIs, while the OWASP Top 10 applies to web applications in general. APIs are almost always crucial pieces of a web application's infrastructure, so both lists should be taken into account by security-minded web app developers. There is some overlap in terms of the types of security risks APIs and web apps face, such as issues with broken access control and server-side request forgery, but the implementation of solutions for these risks will be slightly different for APIs and web apps.
Business flow exploitation occurs when attackers abuse legitimate API workflows — like making excessive purchases or reservations — to disrupt business operations.
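Because every request in a business-flow abuse is individually valid, a schema validator or signature check sees nothing wrong; the defence has to count what a flow is being used for. The following added example (not from the article, not Cloudflare or OWASP code; limits, account names and SKUs are constructed) puts two such checks in front of a checkout flow: a cap on the quantity of any one item per order, and a sliding-window quota on completed checkouts per account. The clock is injectable so the example and its checks run without sleeping.

```python
import time
from collections import defaultdict, deque

# Constructed policy: (max completions, window in seconds) per business flow.
FLOW_LIMITS = {
    "checkout": (3, 600),       # at most 3 checkouts per account per 10 minutes
    "reservation": (2, 3600),   # at most 2 reservations per account per hour
}
PER_ITEM_CAP = 5  # constructed: no single order may contain more than 5 of one item

class FlowGuard:
    """Sliding-window counter of completed business flows per account."""

    def __init__(self, limits=FLOW_LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock
        self.events = defaultdict(deque)  # (account, flow) -> completion times

    def allow(self, account: str, flow: str) -> bool:
        limit, window = self.limits[flow]
        now = self.clock()
        recent = self.events[(account, flow)]
        # Drop completions that have aged out of the window.
        while recent and now - recent[0] >= window:
            recent.popleft()
        if len(recent) >= limit:
            return False
        recent.append(now)
        return True

def checkout(guard: FlowGuard, account: str, cart: dict) -> tuple:
    """Validate one checkout attempt; returns (accepted, reason)."""
    # Layer 1: refuse abusive quantities before they touch stock or pricing.
    for sku, qty in cart.items():
        if qty > PER_ITEM_CAP:
            return False, f"{sku}: quantity {qty} exceeds cap {PER_ITEM_CAP}"
    # Layer 2: only a checkout that passed layer 1 counts against the quota.
    if not guard.allow(account, "checkout"):
        return False, "checkout rate exceeded for account"
    return True, "ok"

class FakeClock:
    """Constructed clock so the demo runs without waiting for real time."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds: float):
        self.now += seconds

if __name__ == "__main__":
    clock = FakeClock()
    guard = FlowGuard(clock=clock)
    for _ in range(4):
        print(checkout(guard, "acct-1", {"sku-1": 1}))  # fourth attempt is refused
    clock.advance(600)
    print(checkout(guard, "acct-1", {"sku-1": 1}))      # window has passed
```

Per-account counting alone does not stop an attacker who spreads the flow across many accounts, so in practice the same counter is also keyed on the resource being contended for (a SKU, a time slot) and on client signals such as the source network, with the account-level limit as one layer among several.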