The OWASP API Security Project maintains the authoritative list of the ten most common API risks. The current edition dates from 2023 and supersedes the first edition from 2019. Newly added are API6 (Unrestricted Access to Sensitive Business Flows) and API10 (Unsafe Consumption of APIs).

In focus

Three of the ten entries are pure authorization errors: API1 (BOLA), API3 (BOPLA), and API5 (BFLA). Each checks a different level: Does this object belong to you? Are you allowed to change this field? Are you allowed to call this function?

API1

Broken Object Level Authorization

Access to other users' objects via manipulated IDs (BOLA). The most common and most consequential API risk.

API2

Broken Authentication

Weaknesses in login, tokens, or sessions that allow assuming another identity.

API3

Broken Object Property Level Authorization

Access to or modification of individual object properties beyond one's own rights (BOPLA).

API4

Unrestricted Resource Consumption

Missing limits lead to overload or high costs, for example through expensive queries without throttling.

API5

Broken Function Level Authorization

Calling functions that aren't permitted for one's own role, such as admin actions as a regular user (BFLA).

API6

Unrestricted Access to Sensitive Business Flows

Automated abuse of sensitive workflows, such as mass bookings or purchases.

API7

Server Side Request Forgery

The API is tricked into making requests to internal systems (SSRF).

API8

Security Misconfiguration

Insecure default settings, open debug endpoints, or missing hardening.

API9

Improper Inventory Management

Outdated, undocumented, or forgotten endpoints, shadow and orphan APIs.

API10

Unsafe Consumption of APIs

Blind trust in data from third-party APIs, without independent verification.

Sources

Keep reading