Advisories

Weaknesses

Fixes

Requirements

Compliance

OWASP API Security Top 10

Summary

API Security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs). The version used in this section is OWASP API Security Top 10 2023.

Definitions

Definition	Requirements
OWASPAPI-API1. Broken Object Level Authorization	176. Restrict system objects 265. Restrict access to critical processes 030. Avoid object reutilization 033. Restrict administrative access 035. Manage privilege modifications 095. Define users with privileges
OWASPAPI-API2. Broken Authentication	228. Authenticate using standard protocols 229. Request access credentials 264. Request authentication
OWASPAPI-API3. Broken Object Property Level Authorization	176. Restrict system objects 181. Transmit data using secure protocols 261. Avoid exposing sensitive information 266. Disable insecure functionalities 300. Mask sensitive data 375. Remove sensitive data from client-side applications 032. Avoid session ID leakages 062. Define standard configurations
OWASPAPI-API4. Lack of Resources & Rate Limiting	164. Use optimized structures 173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters 345. Establish protections against overflows 072. Set maximum response time
OWASPAPI-API5. Broken Function Level Authorization	176. Restrict system objects 264. Request authentication 320. Avoid client-side control enforcement 096. Set user's required privileges
OWASPAPI-API6. Unrestricted Access to Sensitive Business Flows	265. Restrict access to critical processes 062. Define standard configurations
OWASPAPI-API7. Server Side Request Forgery	173. Discard unsafe inputs 324. Control redirects 348. Use consistent encoding
OWASPAPI-API8. Security Misconfiguration	131. Deny multiple password changing attempts 134. Store passwords with salt 160. Encode system outputs 266. Disable insecure functionalities 043. Define an explicit content type 062. Define standard configurations
OWASPAPI-API9. Improper Inventory Management	262. Verify third-party components 266. Disable insecure functionalities 050. Control calls to interpreted code
OWASPAPI-API10. Unsafe Consumption of APIs	173. Discard unsafe inputs 181. Transmit data using secure protocols 262. Verify third-party components 324. Control redirects

Last updated

2024/01/25