Top 10 (2023)
The 10 most critical API-specific security risks.
Broken Object Level Authorization
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface for object-level access control issues.
Broken Authentication
Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or exploit implementation flaws (weak token generation or validation, credential stuffing, missing checks on sensitive operations) and assume other users' identities.
Broken Object Property Level Authorization
Combines excessive data exposure and mass assignment: the API returns object properties the caller should not see, or lets the caller set properties it should not control, because authorization is enforced on the object as a whole rather than on each property.
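The following is an added example, not code from the OWASP project: a profile-update handler in its mass-assignment form beside a hardened form that enforces a per-role write allowlist and a separate read allowlist. The roles, field names and the sample record are assumptions constructed for this example.

```python
# Added example, not OWASP project code: object property level authorization.
# The vulnerable handler copies every client-supplied key onto the stored record
# (mass assignment) and echoes the whole record back (excessive data exposure).
# The hardened handler enforces a per-role write allowlist and a read allowlist.
# Roles, field names and the sample record are constructed for this example.
from copy import deepcopy


def sample_user():
    """Constructed sample record; returns a fresh copy on each call."""
    return {
        "id": 42,
        "email": "alice@example.com",
        "display_name": "alice",
        "is_admin": False,
        "credit_balance": 120,
        "password_hash": "$argon2id$constructed$placeholder",
    }


# Properties each role may write (hypothetical policy for this example).
WRITABLE = {
    "user": {"display_name", "email"},
    "admin": {"display_name", "email", "is_admin", "credit_balance"},
}
# Properties that may ever leave the API in a profile response.
READABLE = {"id", "display_name", "email"}


class PropertyNotAllowed(Exception):
    pass


def update_profile_vulnerable(record, payload):
    """Mass assignment: whatever the client sends becomes part of the record,
    and the full record (password hash included) is returned."""
    record.update(payload)
    return deepcopy(record)


def update_profile_hardened(record, payload, caller_role):
    """Reject, rather than silently drop, any property the caller may not set;
    a rejected write is worth logging. Only READABLE fields are returned."""
    allowed = WRITABLE.get(caller_role, set())
    denied = set(payload) - allowed
    if denied:
        raise PropertyNotAllowed(f"not writable by role {caller_role!r}: {sorted(denied)}")
    record.update(payload)
    return {k: v for k, v in record.items() if k in READABLE}


def hardened_rejects(record, payload, caller_role):
    """Helper: True if the hardened handler refuses the payload."""
    try:
        update_profile_hardened(record, payload, caller_role)
    except PropertyNotAllowed:
        return True
    return False
```

Rejecting unknown or forbidden properties, instead of dropping them, keeps a probe for `is_admin` visible in logs; the read allowlist is applied on every return path so that a field added to the model later is not exposed by default.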
Unrestricted Resource Consumption
Satisfying API requests consumes resources such as network bandwidth, CPU, memory and storage, and often paid third-party services. APIs that do not limit request rate, payload size or the number of resources a client can consume are exposed to denial of service and increased operational costs.
Broken Function Level Authorization
Complex access-control policies with different hierarchies and groups lead to authorization flaws on administrative endpoints.
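The following is an added example, not code from the OWASP project, covering both Broken Object Level Authorization and Broken Function Level Authorization above: a single authorization layer that first checks whether the caller's role may invoke the operation and then whether the caller may touch the specific object. The route table, roles and invoice store are assumptions constructed for this example.

```python
# Added example, not OWASP project code: one authorization layer that checks
# function level (may this role call this operation?) before object level (may
# this caller touch this particular object?). Routes, roles and the invoice
# store are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: int
    role: str  # "user" or "admin" in this example


# Constructed store: invoice id -> owning user id.
INVOICES = {1001: 7, 1002: 8, 1003: 7}

# Function-level policy: which roles may invoke each operation.
ROUTE_ROLES = {
    ("GET", "/invoices/{id}"): {"user", "admin"},
    ("DELETE", "/invoices/{id}"): {"admin"},
    ("GET", "/admin/users"): {"admin"},
}


def authorize(principal, method, route, object_id=None, store=INVOICES):
    """Return "allow", "forbidden" (function level) or "not_found" (object level).

    Object-level denials are reported as not_found so a caller cannot tell an
    existing object it does not own from an object that does not exist.
    Unknown routes fail closed.
    """
    allowed_roles = ROUTE_ROLES.get((method, route))
    if allowed_roles is None or principal.role not in allowed_roles:
        return "forbidden"
    if object_id is not None:
        owner = store.get(object_id)
        if owner is None:
            return "not_found"
        if principal.role != "admin" and owner != principal.user_id:
            return "not_found"
    return "allow"


def get_invoice_vulnerable(principal, invoice_id, store=INVOICES):
    """BOLA: trusts the id taken from the URL and never checks who owns it."""
    return {"id": invoice_id, "owner": store[invoice_id]}


def get_invoice_hardened(principal, invoice_id, store=INVOICES):
    decision = authorize(principal, "GET", "/invoices/{id}", invoice_id, store)
    if decision != "allow":
        return {"error": decision}
    return {"id": invoice_id, "owner": store[invoice_id]}
```

The useful property is that every handler calls the same `authorize` with the object it is about to act on; an endpoint that forgets the call is the bug this category describes, so in a real service the check belongs in a middleware or decorator rather than in each handler body.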
Unrestricted Access to Sensitive Business Flows
APIs are vulnerable to this risk when a business flow (purchasing a product, posting a comment, making a reservation) can be driven by automation at a scale that harms the business, even though every individual request is well-formed and authorized.
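The following is an added example, not code from the OWASP project, serving both Unrestricted Resource Consumption and Unrestricted Access to Sensitive Business Flows above: a token-bucket limiter keyed by client and by operation, so that a cheap lookup and an abusable business flow get separate budgets. The clock is injected so the behaviour is deterministic; the flow names and numbers are assumptions constructed for this example.

```python
# Added example, not OWASP project code: a token-bucket limiter keyed by client
# and by operation. Policy names and numbers are constructed for this example.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Bucket:
    tokens: float
    updated: float


@dataclass
class RateLimiter:
    # flow name -> (bucket capacity, refill tokens per second)
    policies: Dict[str, Tuple[float, float]]
    now: Callable[[], float]
    buckets: Dict[Tuple[str, str], Bucket] = field(default_factory=dict)

    def allow(self, client_id: str, flow: str, cost: float = 1.0) -> bool:
        """True if the request fits the budget for (client, flow); unknown flows fail closed."""
        policy = self.policies.get(flow)
        if policy is None:
            return False
        capacity, refill = policy
        t = self.now()
        key = (client_id, flow)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = Bucket(tokens=capacity, updated=t)
        # Refill for the elapsed time, never beyond capacity.
        bucket.tokens = min(capacity, bucket.tokens + (t - bucket.updated) * refill)
        bucket.updated = t
        if bucket.tokens >= cost:
            bucket.tokens -= cost
            return True
        return False


class FakeClock:
    """Constructed clock so the example runs deterministically."""

    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


# Hypothetical policy: a cheap endpoint gets a generous budget, the sensitive
# checkout flow a tight per-account one.
POLICIES = {
    "search": (10.0, 5.0),        # burst of 10, then 5 per second
    "checkout": (3.0, 1.0 / 60),  # burst of 3, then one per minute per account
}


def simulate(flow: str, schedule: List[Tuple[float, str]]) -> List[bool]:
    """Replay a constructed schedule of (seconds to wait, client id) and
    return the limiter's decision for each request."""
    clock = FakeClock()
    limiter = RateLimiter(POLICIES, clock)
    decisions = []
    for wait, client in schedule:
        clock.advance(wait)
        decisions.append(limiter.allow(client, flow))
    return decisions
```

A per-flow budget bounds the damage from one account, but an attacker with many accounts or devices stays under each budget; for business flows the limiter complements, rather than replaces, detection of automated use of the flow itself.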
Server-Side Request Forgery
SSRF flaws occur when an API fetches a remote resource from a user-supplied URI without validating it, letting an attacker make the server send requests to internal or otherwise unreachable destinations.
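The following is an added example, not code from the OWASP project: validating a user-supplied URL before the server fetches it. The resolver is injected so the check runs offline, and the resolved address is returned so the caller connects to exactly what was validated rather than re-resolving the name. The host allowlist and resolver table are assumptions constructed for this example.

```python
# Added example, not OWASP project code: SSRF input validation. The host
# allowlist and the resolver table are constructed for this example.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}  # constructed


class UnsafeUrl(ValueError):
    pass


def is_public_address(ip: str) -> bool:
    """False for loopback, private, link-local (which covers the 169.254.169.254
    cloud metadata address), multicast, reserved and unspecified addresses.
    IPv4-mapped IPv6 addresses are unwrapped before the check."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def plan_fetch(url: str, resolve):
    """Validate `url` and return (ip, port, path_and_query) to connect to,
    or raise UnsafeUrl. `resolve(host)` returns a list of address strings."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUrl("scheme not allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("credentials in URL")
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        raise UnsafeUrl("host not allowlisted")
    try:
        port = parts.port or 443
    except ValueError as exc:
        raise UnsafeUrl("bad port") from exc
    if port != 443:
        raise UnsafeUrl("port not allowed")
    addresses = resolve(host.lower())
    if not addresses:
        raise UnsafeUrl("unresolvable host")
    # Every answer must be public: a split-horizon or rebinding answer that
    # points inside the network rejects the whole request.
    for ip in addresses:
        if not is_public_address(ip):
            raise UnsafeUrl(f"resolves to non-public address {ip}")
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return addresses[0], port, target


def is_safe_url(url: str, resolve) -> bool:
    try:
        plan_fetch(url, resolve)
        return True
    except UnsafeUrl:
        return False


# Constructed resolver standing in for DNS; the addresses are arbitrary.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "cdn.partner.example": ["93.184.216.35", "10.0.0.5"],  # one internal answer
}


def fake_resolve(host: str):
    return FAKE_DNS.get(host, [])
```

The HTTP client then has to honour the returned address and must not follow redirects on its own, otherwise an allowlisted host that answers with a 302 to an internal address reopens the hole.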
Security Misconfiguration
APIs and the systems that support them carry complex configurations that are easy to get wrong, such as publicly exposed cloud storage, missing or misconfigured HTTP security headers, and debug or default settings left enabled in production.
Improper Inventory Management
APIs tend to expose more endpoints than traditional web applications, so accurate documentation and an up-to-date asset inventory are critical. Old, unused or non-production endpoints that remain reachable expand the attack surface.
Unsafe Consumption of APIs
Developers tend to trust data received from third-party APIs more than user input and apply weaker validation to it, so a compromised or malicious integration can inject data the API would never accept directly from a user.
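The following is an added example, not code from the OWASP project: treating a third-party API response with the same suspicion as user input. The response is checked for status, content type and size, parsed strictly, validated field by field against an explicit shape, and reduced to only the fields the caller needs. The partner "quote" format and the sample responses are assumptions constructed for this example.

```python
# Added example, not OWASP project code: strict consumption of a third-party
# response. The quote format and sample responses are constructed.
import json
import re

MAX_BODY_BYTES = 64 * 1024
QUOTE_ID_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")
ALLOWED_CURRENCIES = {"USD", "EUR"}


class UntrustedResponse(ValueError):
    pass


def parse_partner_quote(status: int, headers: dict, body: bytes) -> dict:
    """Validate a partner response and return {quote_id, price_cents, currency}."""
    # Redirects are not followed blindly: a 3xx could steer the client anywhere.
    if status != 200:
        raise UntrustedResponse(f"unexpected status {status}")
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != "application/json":
        raise UntrustedResponse("unexpected content type")
    if len(body) > MAX_BODY_BYTES:
        raise UntrustedResponse("body too large")
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise UntrustedResponse("malformed JSON") from exc
    if not isinstance(data, dict):
        raise UntrustedResponse("expected a JSON object")

    quote_id = data.get("quote_id")
    if not isinstance(quote_id, str) or not QUOTE_ID_RE.match(quote_id):
        raise UntrustedResponse("bad quote_id")
    price = data.get("price_cents")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(price, bool) or not isinstance(price, int) or price < 0:
        raise UntrustedResponse("bad price_cents")
    currency = data.get("currency")
    if currency not in ALLOWED_CURRENCIES:
        raise UntrustedResponse("bad currency")
    # Return only what downstream code needs; unknown fields never propagate.
    return {"quote_id": quote_id, "price_cents": price, "currency": currency}


def accepts(status, headers, body) -> bool:
    try:
        parse_partner_quote(status, headers, body)
        return True
    except UntrustedResponse:
        return False


# Constructed sample responses (status, headers, body).
GOOD = (200, {"Content-Type": "application/json; charset=utf-8"},
        b'{"quote_id": "q-123", "price_cents": 1250, "currency": "USD", "is_admin": true}')
REDIRECT = (302, {"Location": "https://attacker.example/"}, b"")
HTML = (200, {"Content-Type": "text/html"}, b"<html>oops</html>")
STRING_PRICE = (200, {"Content-Type": "application/json"},
                b'{"quote_id": "q-1", "price_cents": "1250", "currency": "USD"}')
INJECTED_ID = (200, {"Content-Type": "application/json"},
               b'{"quote_id": "q-1\'; DROP TABLE quotes;--", "price_cents": 5, "currency": "EUR"}')
```

The same rules that apply to user input apply here: cap the size before parsing, validate types and formats rather than trusting the documented schema, and pass the integration's data to storage or downstream calls only through parameterised interfaces.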