Fluid Attacks Database

OWASP API Security Top 10

Last updated: 2024/01/25

API Security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs). The version used in this section is OWASP API Security Top 10 2023.

Control-Requirement Mapping

Definition	Requirements
API1. Broken Object Level Authorization	176. Restrict system objects 265. Restrict access to critical processes 030. Avoid object reutilization 033. Restrict administrative access 035. Manage privilege modifications 095. Define users with privileges
API2. Broken Authentication	228. Authenticate using standard protocols 229. Request access credentials 264. Request authentication
API3. Broken Object Property Level Authorization	176. Restrict system objects 181. Transmit data using secure protocols 261. Avoid exposing sensitive information 266. Disable insecure functionalities 300. Mask sensitive data 375. Remove sensitive data from client-side applications 032. Avoid session ID leakages 062. Define standard configurations
API4. Lack of Resources & Rate Limiting	164. Use optimized structures 173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters 345. Establish protections against overflows 072. Set maximum response time
API5. Broken Function Level Authorization	176. Restrict system objects 264. Request authentication 320. Avoid client-side control enforcement 096. Set user's required privileges
API6. Unrestricted Access to Sensitive Business Flows	265. Restrict access to critical processes 062. Define standard configurations
API7. Server Side Request Forgery	173. Discard unsafe inputs 324. Control redirects 348. Use consistent encoding
API8. Security Misconfiguration	131. Deny multiple password changing attempts 134. Store passwords with salt 160. Encode system outputs 266. Disable insecure functionalities 043. Define an explicit content type 062. Define standard configurations
API9. Improper Inventory Management	262. Verify third-party components 266. Disable insecure functionalities 050. Control calls to interpreted code
API10. Unsafe Consumption of APIs	173. Discard unsafe inputs 181. Transmit data using secure protocols 262. Verify third-party components 324. Control redirects

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.