A growing reference on APIs and their security: from the fundamentals through the most common risks to digital sovereignty and what regulations like DORA and NIS2 actually require.
The starting point: what an API is and why its security matters more than anything else.
The most common vulnerabilities, above all the authorization flaws that no signature scanner can see.
The ten most common API risks (2023), with the three authorization flaws front and center.
Read → AttackJWT attacks exploit the fact that a server accepts manipulated JSON Web Tokens because signature verification is flawed or not performed at all.
Read → AttackGraphQL gives clients great flexibility when querying data, but that very flexibility creates its own security risks that go beyond the classic OWASP API Top 10.
Read → AttackInjection attacks occur when an API inserts untrusted input (URL parameters, JSON fields, headers) unchecked into a query or command, so the input gets interpreted as executable code instead of plain data.
Read → AttackCredential stuffing is the automated testing of stolen username/password pairs (from other services' data breaches) against the login or
Read → AttackCORS (Cross-Origin Resource Sharing) is a browser mechanism that relaxes the strict same-origin policy in a controlled way, so a web application is allowed to read resources from another origin.
Read → AttackIncoming webhooks are HTTP POST requests that an external provider (e.g.
Read → AttackAPI secrets and key leakage refers to the unintentional exposure of API keys, tokens and credentials, for example hardcoded in client or mobile code, checked into public code repositories, written to logs or transmitted as query parameters in URLs.
Read → API1Broken Object Level Authorization (BOLA) ranks as API1:2023, first place in the OWASP API Security Top 10 2023.
Read → API2Broken Authentication (API2:2023) refers to weaknesses in an API's authentication mechanisms, meaning the process of verifying whether a user really is who they claim to be.
Read → API3Broken Object Property Level Authorization (API3:2023) occurs when an API checks whether a user may access an object, but doesn't check whether they may access or modify the object's individual properties.
Read → API4Unrestricted Resource Consumption (API4:2023) refers to the risk that an API sets no, or insufficient, limits on resource consumption, for example CPU, memory, bandwidth, storage or paid third-party services (e.
Read → API5Broken Function Level Authorization (BFLA) arises when an API doesn't sufficiently check whether the logged-in user is allowed to execute a given function (action/endpoint) at all.
Read → API6Unrestricted Access to Sensitive Business Flows (API6:2023) occurs when an API endpoint exposes a business-critical flow (e.
Read → API7Server Side Request Forgery (SSRF) occurs when an API fetches a remote resource using a URL supplied by the user, without adequately validating that URL.
Read → API8Security Misconfiguration (API8:2023) refers to vulnerabilities that arise from missing or incorrect configuration at any layer of the API stack, from the network to the application.
Read → API9Improper Inventory Management (API9:2023) arises when organizations lose track of their own APIs and of data flows to third parties.
Read → API10Unsafe Consumption of APIs (API10:2023) describes a risk that arises when an API consumes data from external or third-party APIs and trusts them blindly.
Read →From authentication, validation and rate limiting, through discovery and pentesting, to enforcement at the gateway.
Security comes from three steps: know your inventory, test continuously and enforce at the gateway.
Read → ProtectionThe central entry point that routes, authenticates and throttles, but doesn't catch authorization flaws.
Read → ProtectionOAuth 2.0 is a framework for delegated authorization: an application gets limited access to an API on a user's behalf, without knowing their password.
Read → ProtectionTLS encrypts the transport and verifies the server's identity, but doesn't decide who may access which data.
Read → ProtectionInput validation following the positive security model checks every incoming request against an explicitly defined schema (OpenAPI or JSON Schema) and accepts only what is explicitly allowed.
Read → ProtectionRate limiting, quotas and throttling limit how many requests a client may make to an API within a given time window.
Read → ProtectionSecrets management is the defensive counterpart to key leakage: API keys, tokens and certificates are managed centrally, granted under least privilege, rotated automatically and never hardcoded in code, in Git or in logs.
Read → ProtectionZero Trust shifts defense from the network perimeter to every single request: no implicit trust from network location, identity and authorization are re-checked for every request.
Read → OperationsWithout logging and monitoring, attacks on APIs stay invisible until the damage is done.
Read → OperationsSecurity as a quality gate instead of an annual appointment: how SAST, DAST, SCA, spec diffing, authorization contract tests and secret scanning belong in the CI/CD pipeline, what NIST SP 800-204D requires and why OWASP considers the annual pentest insufficient.
Read → TestingAn API pentest examines an interface systematically along a methodology: recon and endpoint discovery, analysis of authentication and authorization, targeted testing of authorization and logic flaws, and fuzzing.
Read → TestingAPI discovery and inventory answer the question of which interfaces an organization actually operates, in which version and with which owner.
Read → TestingCVSS provides a standardized severity score from 0 to 10 for technical vulnerabilities.
Read → AIAnyone shipping an LLM feature is operating an API with two risk layers: the classic API risks and the model-specific dangers in the OWASP Top 10 for LLM Applications.
Read →What digital sovereignty delivers, why it matters especially for security, and how it connects to DORA, NIS2 and GDPR.
What sovereignty is and what it concretely delivers.
Read → SovereigntyWhy sovereignty is decisive especially for security.
Read → ComplianceProvable security instead of checkboxes, explained for APIs.
Read → ComplianceBSI IT-Grundschutz, BSI C5 and ISO/IEC 27001 are the German and European framework that lets you not just implement API security, but prove it to auditors.
Read →Terms that keep coming up, briefly explained.
See how Venedy uncovers these risks on your own interface, provably.
Note: This content is provided for education and authorised security testing — not as a guide to unauthorised access. Apply any techniques only to systems you own or are explicitly permitted to test. We give no warranty as to accuracy or completeness. See the Disclaimer.