Get the latest API security research and see how you compare

Learn more

OWASP API Security Top 10 Explained

Michael IsbitskiMichael Isbitski
Feb 4, 2021

As API-related security incidents and breaches increased in recent years, the Open Web Application Security Project (OWASP) released the first-ever API Security Top 10 at the end of 2019 to raise awareness about the most common API security problems plaguing organizations.

In this blog series, I dig into each of the OWASP API Security Top 10 vulnerabilities in detail. I will also provide examples and insight to help you understand how to protect your organization from the threats targeting APIs and API-based applications.

API1:2019 Broken Object Level Authorization

Broken object level authorization is the most common API threat, represented in about 40% of all API attacks.

API2:2019 Broken User Authentication

Broken user authentication enables attackers to use stolen authentication tokens, credential stuffing, and brute-force attacks to gain unauthorized access to applications.

API3:2019 Excessive Data Exposure

When generic APIs provide more data than is needed, an attacker can exploit an app by using redundant data to further extract sensitive data.

API4:2019 Lack of Resources & Rate Limiting

APIs that improperly implement rate limiting or neglect to implement it at all are highly susceptible to brute-force attacks.

Learn why apps are built on APIs, the security risk APIs present, and best practices for securing APIs.

API5:2019 Broken Function Level Authorization

When authorization is not properly implemented, unauthorized users can execute API functions such as adding, updating, or deleting a customer record or a user role.

API6:2019 Mass Assignment

APIs that directly consume input requests and assign/write them to the business logic data stores are vulnerable to mass assignment, allowing an attacker to change critical data properties and exploit privilege escalation.

API7:2019 Security Misconfiguration

Security misconfiguration is a catch-all for a wide range of security misconfigurations that often negatively impact API security as a whole and introduce vulnerabilities inadvertently.

API8:2019 Injection

This attack is the one hold-over from the original OWASP Top 10 list – the other 90% are new and focused just on APIs. Attackers exploit injection vulnerabilities by sending malicious data to an API that is in turn processed by an interpreter or parsed by the application server and passed to some integrated service.

API9:2019 Improper Assets Management

An outdated or incomplete inventory results in unknown gaps in the API attack surface and makes it difficult to identify older versions of APIs that should be decommissioned.

API10:2019 Insufficient Logging & Monitoring

Insufficient logging and monitoring, combined with missing or ineffective integration with incident response, allows attackers to perform reconnaissance, exploit or abuse APIs, compromise systems, maintain persistence, advance attacks, and move laterally across environments without being detected.  

Understanding the sophistication of each of these attacks in more detail will prove valuable in developing the tools and processes you need to keep your organization’s API-based data and services safe. We hope you find the entire series helpful.

Go back to blog

Download this guide for advice on evaluating key capabilities in API Security

Get the guide