APIs have become the backbone of modern applications. Microservices, mobile apps, SaaS integrations — everything runs through REST or GraphQL endpoints. This expanded attack surface prompted OWASP to publish a dedicated list for API-specific risks.
The 10 OWASP API Security Risks
1. Broken Object Level Authorization (BOLA)
The most prevalent risk. An API exposes objects identified by an ID but doesn't verify that the authenticated user has rights to that specific object.
Example: GET /api/users/1234/invoices returns another user's invoices when you change the ID.
Remediation: Always verify that the requested object belongs to the authenticated user. Avoid sequential IDs — use UUIDs instead.
2. Broken Authentication
Poorly implemented authentication mechanisms: JWT tokens without expiration, weak secrets, no rate limiting on login endpoints.
Remediation: Short-lived JWT tokens (15-60 min), httpOnly refresh tokens, rate limiting on /auth/*, MFA for sensitive accounts.
3. Broken Object Property Level Authorization
The API exposes properties users shouldn't see (mass assignment) or allows modifying protected fields.
Example: PATCH /api/users/me accepts {"role": "admin"} without validation.
Remediation: Explicitly whitelist accepted properties. Use strict DTOs with Zod or similar validation.
4. Unrestricted Resource Consumption
No limits on request size, number of returned records, or expensive operations. Leads to DoS or exploding cloud costs.
Remediation: Mandatory pagination, payload size limits, rate limiting per user and IP, request timeouts.
5. Broken Function Level Authorization
Administrative endpoints accessible to regular users. Security through obscurity (hiding admin routes) is not sufficient.
Remediation: Role-based access control (RBAC) on every endpoint. Test admin routes with a standard user token.
6. Unrestricted Access to Sensitive Business Flows
Critical business flows (purchases, votes, registrations) exposed without protection against abusive automation.
Remediation: CAPTCHA on sensitive flows, behavioral anomaly detection, business rate limiting (e.g., max 3 purchases/minute).
7. Server Side Request Forgery (SSRF)
The API accepts user-provided URLs and makes requests to those URLs from the server. Allows reaching internal services not publicly exposed.
Remediation: Validate and filter all accepted URLs. Use an allowlist of domains. Block private IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x).
8. Security Misconfiguration
Overly permissive CORS (Access-Control-Allow-Origin: *), missing security headers, error messages exposing stack traces, debug endpoints active in production.
Remediation: Regular review of CORS, CSP, HSTS configuration. Disable debug endpoints in production. WarDek automatically detects these misconfigurations.
9. Improper Inventory Management
Deprecated API versions (v1, v2) exposed with known vulnerabilities, or staging environments publicly accessible.
Remediation: Inventory of all API versions. Formal deprecation with sunset dates. Network isolation of non-production environments.
10. Unsafe Consumption of APIs
Your application consumes third-party APIs without validating their responses, trusting them blindly. A compromised upstream API compromises your application.
Remediation: Validate all third-party API responses with strict schemas. Least privilege principle on access tokens. Anomaly monitoring.
Risk Matrix by Application Type
Not all APIs face the same threats. The following table helps you prioritize your security efforts:
| API Type | Priority Risks | Why | |----------|---------------|-----| | Public API (SaaS) | BOLA (#1), Resource Consumption (#4), Inventory (#9) | Maximum exposure, uncontrolled users | | Mobile API | Authentication (#2), BOLA (#1), SSRF (#7) | Tokens stored client-side, untrusted network | | Internal API (microservices) | Function Auth (#5), Misconfiguration (#8), SSRF (#7) | Implicit trust between services is dangerous | | Partner API (B2B) | Unsafe Consumption (#10), Property Auth (#3) | Dependency on partner security posture |
Cross-Cutting Best Practices
Beyond risk-specific remediations, several practices reduce your overall attack surface:
Centralized authorization. Use a dedicated authorization framework (CASL, Casbin, OPA) rather than ad hoc checks in each endpoint. One missing check equals one BOLA vulnerability.
Logging and monitoring. Log all denied access attempts, authentication failures, and abnormal request patterns. Without monitoring, an ongoing attack is invisible until the damage is done.
API versioning and deprecation. Maintain a registry of all your API versions. Each deprecated version left running is a potential entry point with known vulnerabilities that attackers can exploit.
Automated security testing. Integrate security tests into your CI/CD pipeline. Tools like OWASP ZAP, Nuclei, or Burp Suite Community can automatically detect injections, permissive CORS, and missing headers before code reaches production.
How to Detect These Vulnerabilities
A security scanner like WarDek automatically detects several of these risks: permissive CORS (OWASP #8), missing security headers, stack trace exposure, and sensitive endpoints. For comprehensive coverage, combine automated scanning with manual penetration testing.
Run a free scan on your domain to identify your critical exposures today.
Frequently Asked Questions
Is the OWASP API Top 10 different from the regular OWASP Top 10? Yes. The standard OWASP Top 10 focuses on web application vulnerabilities (XSS, injection, misconfiguration). The API Security Top 10 targets risks specific to API architectures: authorization flaws, resource consumption, and inventory management issues that do not apply to traditional server-rendered applications.
How often should I run API security tests? At minimum, integrate automated API security scanning into your CI/CD pipeline so every deployment is tested. Manual penetration testing should occur quarterly for production APIs handling sensitive data, and annually for lower-risk internal APIs.
Does GraphQL have the same risks as REST APIs? GraphQL introduces additional attack vectors: deeply nested queries can cause denial of service, introspection queries can leak your entire schema, and batched mutations can bypass rate limiting. All 10 OWASP API risks apply, with extra attention needed on resource consumption and authorization.