The OWASP API Security Project maintains the authoritative list of the ten most common API risks. The current edition dates from 2023 and supersedes the first edition from 2019. Newly added are API6 (Unrestricted Access to Sensitive Business Flows) and API10 (Unsafe Consumption of APIs).
Three of the ten entries are pure authorization errors: API1 (BOLA), API3 (BOPLA), and API5 (BFLA). Each checks a different level: Does this object belong to you? Are you allowed to change this field? Are you allowed to call this function?
Broken Object Level Authorization
Access to other users' objects via manipulated IDs (BOLA). The most common and most consequential API risk.
Broken Authentication
Weaknesses in login, tokens, or sessions that allow assuming another identity.
Broken Object Property Level Authorization
Access to or modification of individual object properties beyond one's own rights (BOPLA).
Unrestricted Resource Consumption
Missing limits lead to overload or high costs, for example through expensive queries without throttling.
Broken Function Level Authorization
Calling functions that aren't permitted for one's own role, such as admin actions as a regular user (BFLA).
Unrestricted Access to Sensitive Business Flows
Automated abuse of sensitive workflows, such as mass bookings or purchases.
Server Side Request Forgery
The API is tricked into making requests to internal systems (SSRF).
Security Misconfiguration
Insecure default settings, open debug endpoints, or missing hardening.
Improper Inventory Management
Outdated, undocumented, or forgotten endpoints, shadow and orphan APIs.
Unsafe Consumption of APIs
Blind trust in data from third-party APIs, without independent verification.
Sources
- OWASP API Security Top 10 (overview, 2023) OWASP API Security Project, 2023
- Release Notes: changes compared to 2019 OWASP API Security Project, 2023