What is the OWASP API Security Top 10?

The Open Web Application Security Project (OWASP) puts together a list of the biggest security risks for application programming interfaces (APIs).

Learning Objectives

After reading this article you will be able to:

  • Summarize the OWASP API Security Top 10
  • Compare this list with the OWASP Top 10

What is the OWASP API Security Top 10?

The Open Web Application Security Project (OWASP) is a non-profit organization whose goal is to promote web application security. OWASP offers many free resources for building a more secure web application.

One of the organization’s most widely referenced resources is the OWASP Top 10, which lists the 10 biggest security concerns for web applications. OWASP also maintains a separate, similar list for application programming interfaces (APIs), which are crucial for powering most web and mobile experiences.

APIs can fuel competitive advantages for businesses by providing business intelligence, facilitating cloud deployments, and enabling integration of AI capabilities. But at the same time, APIs can introduce new risks by allowing outside parties to access applications, share data, and run potentially sensitive workflows.

The OWASP API Security Top 10, most recently published in 2023, highlights key issues that organizations should address to better protect their APIs, applications, and data. The list includes:

  1. Broken object-level authorization: Attackers might target API endpoints that fail to check whether the caller is allowed to access the object they request. By manipulating object identifiers within a request, they can gain unauthorized access to sensitive data.
  2. Broken authentication: If authentication is implemented incorrectly, attackers could impersonate API users and gain access to confidential data.
  3. Broken object property-level authorization: Missing or improperly validated authorization at the level of individual object properties could expose information, or leave it open to manipulation, by people who are not authorized to see or change it.
  4. Unrestricted resource consumption: Many APIs do not limit client interactions or resource consumption. Attackers might generate a high volume of API requests, which can increase operational costs and lead to a denial of service.
  5. Broken function-level authorization: Attackers might send legitimate API calls to an endpoint that they should not be able to access, gaining access to the resources or administrative functions of other users.
  6. Unrestricted access to sensitive business flows: APIs might expose a business flow (such as posting a comment on a website, purchasing a product, or making a reservation) without limiting how often it can be run, enabling attackers to execute that flow excessively.
  7. Server-side request forgery: An API might fetch a remote resource without validating the user-supplied URL. For example, a user might provide a URL to upload an image to a social media platform. That URL might then initiate a port scan within an internal network.
  8. Security misconfiguration: APIs and the systems that support them often carry complex configurations. Missing hardening, unnecessary features left enabled, or verbose error messages can expose them to attack.
  9. Improper inventory management: APIs can expose more endpoints than traditional web applications. If organizations do not inventory hosts and deployed API versions, they might leave deprecated API versions and endpoints vulnerable.
  10. Unsafe consumption of APIs: Attackers might target third-party services that interact with APIs rather than targeting an API directly, because developers often trust data from third-party APIs more than user input.

To learn more about these 10 security risks, see OWASP's official page.
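As an added illustration of items 1 and 3 above (example code written for this article, not taken from OWASP or Cloudflare), the following order-lookup handler is shown first with broken object-level authorization and then hardened with an ownership check and an allow-list of response properties. The data store, field names and exception types are assumptions; no web framework is used, so it runs offline.

```python
# Added example: a minimal order-lookup handler, first with broken
# object-level authorization (API1:2023), then hardened with an ownership
# check and an allow-list of response properties (which also covers
# broken object property-level authorization, API3:2023).
from dataclasses import dataclass

@dataclass
class Order:
    order_id: int
    owner: str
    total: float
    card_last4: str  # sensitive property, never meant to leave the API

# Constructed sample data standing in for a database.
ORDERS = {
    1: Order(1, "alice", 42.0, "1234"),
    2: Order(2, "bob", 99.5, "9876"),
}

class NotFound(Exception):
    """Raised when the caller is not entitled to see an order with this id."""

def get_order_vulnerable(caller: str, order_id: int) -> dict:
    """BOLA: the caller-supplied id is looked up with no ownership check,
    and every property of the object is serialised into the response,
    so any authenticated user can read any order, card digits included."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return vars(order).copy()

# Allow-list of properties the API is permitted to expose.
PUBLIC_FIELDS = ("order_id", "owner", "total")

def get_order_secure(caller: str, order_id: int) -> dict:
    """Hardened: the object is fetched, then authorised against the
    authenticated caller before anything is returned, and only
    allow-listed properties are serialised."""
    order = ORDERS.get(order_id)
    # Treat "not yours" the same as "does not exist" so the response
    # does not reveal which ids are valid.
    if order is None or order.owner != caller:
        raise NotFound(order_id)
    return {name: getattr(order, name) for name in PUBLIC_FIELDS}
```

In a real service the `caller` value must come from the verified session or token, never from the request body or query string.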

There is some crossover between the OWASP Top 10 list and the OWASP API Security Top 10 list. For example, broken access control is the first issue on the OWASP Top 10 list, and various forms of broken authentication and authorization appear among the first five security issues on the API list. In addition, security misconfiguration and server-side request forgery appear on both lists.

However, APIs do present several distinct risks compared to web applications. Developers should take both lists into account.

How does Cloudflare help address API security risks?

Cloudflare API Gateway helps keep APIs secure and working as they should through API discovery capabilities, centralized API management and monitoring, and layered defenses. API Gateway is part of Cloudflare's application security portfolio, which offers additional capabilities for stopping bots, DDoS attacks, and application attacks while monitoring for supply chain attacks.

Learn how Cloudflare capabilities address the specific risks detailed in the OWASP API Security Top 10, and explore more of Cloudflare's API security solutions.