Safeguard
AppSec

The OWASP Top 10 API Security Risks, Explained

The OWASP Top 10 API Security Risks reorder the classic web vulnerability list around how APIs actually get broken — object-level authorization failures beat injection as the most common real-world root cause.

Safeguard Research Team
Research
6 min read

The OWASP Top 10 API Security Risks (most recently updated in 2023) is a separate list from the classic OWASP Top 10 for web applications, built specifically around how APIs fail in practice — and the difference in ordering tells you something important: broken object-level authorization sits at the top, ahead of injection and misconfiguration, because API-specific access-control failures have proven to be the most common root cause of real-world API breaches.

What is broken object level authorization, and why is it API1?

Broken Object Level Authorization (BOLA) happens when an API endpoint accepts an object identifier from the client — an order ID, a user ID, an account number — and returns or modifies that object without verifying the requesting user actually has permission to access it. It's ranked API1 because it's both extremely common and extremely simple to exploit: an endpoint like GET /api/orders/12345 that returns order 12345 for any authenticated user, not just the one who placed it, is BOLA in its most basic form, and this exact pattern has been behind numerous disclosed breaches across fintech, healthcare, and social apps precisely because it requires no special tooling to find — just incrementing an ID and observing whether the response changes.

How do broken authentication and object property authorization differ from BOLA?

Broken Authentication (API2) covers weaknesses in how an API verifies identity itself — weak token generation, missing rate limiting on login endpoints, tokens that never expire, or credential stuffing left unmitigated — rather than what an authenticated user is allowed to touch. Broken Object Property Level Authorization (API3, which merged and replaced what used to be listed separately as excessive data exposure and mass assignment) covers a subtler failure: even when object-level access is correctly enforced, an API response might expose fields the requesting user shouldn't see (a user object returning an internal is_admin flag or another user's email), or an update endpoint might accept fields the client shouldn't be able to set (a profile update request that includes an account_balance field the API blindly applies). These distinctions matter for remediation because fixing BOLA (checking object ownership) doesn't automatically fix property-level exposure (checking field-level permissions on both read and write paths).

What do unrestricted resource consumption and function-level authorization cover?

Unrestricted Resource Consumption (API4) covers APIs that don't limit how much a client can request — no pagination limits, no file-size caps on uploads, no rate limiting on expensive operations — which turns a single client into a viable denial-of-service vector or a way to run up infrastructure costs without ever tripping a security alert, since the requests themselves look legitimate. Broken Function Level Authorization (API5) is BOLA's sibling at the endpoint level rather than the object level: an admin-only endpoint (DELETE /api/users/{id} or /api/admin/reports) that's reachable by a regular authenticated user because the API only checked that a valid token was present, not what role that token belongs to. Both are common in APIs that grew organically, where new endpoints get added faster than a consistent authorization model gets applied across all of them.

What do the remaining risks — SSRF, misconfiguration, and unsafe consumption — cover?

Server-Side Request Forgery (API7) covers APIs that fetch a resource based on a client-supplied URL or identifier without validating the destination, letting an attacker redirect the server into making requests to internal infrastructure it shouldn't be able to reach — cloud metadata endpoints being the most commonly targeted internal target in real incidents. Security Misconfiguration (API8) is the catch-all for missing security headers, verbose error messages that leak stack traces, permissive CORS policies, and default credentials left in place — unglamorous, but still one of the most frequently found issues in real API assessments. Improper Inventory Management (API9) covers the growing problem of "shadow" and "zombie" APIs — old versions left running after a new one ships, staging or debug endpoints accidentally exposed to production — that nobody's actively securing because nobody's tracking that they still exist. Unsafe Consumption of APIs (API10) flips the lens outward: it covers the risk of your own API blindly trusting data coming back from third-party APIs it integrates with, without the same validation you'd apply to direct user input. Worth noting the classic OWASP Top 10 for web applications still separately covers cross-site scripting (XSS) under its Injection and client-side risk categories — that list and the API-specific one are complementary, not competing, since APIs and traditional web frontends fail in overlapping but distinct ways.

How Safeguard Helps

Safeguard's dynamic and static scanning map findings against the OWASP API Security Top 10 categories directly, so a BOLA-shaped endpoint or a missing rate limit shows up labeled by the risk category it actually represents, not just as a generic finding. That mapping makes it straightforward to prioritize API1 and API5 authorization gaps ahead of lower-severity misconfiguration findings when triaging a scan. See the SAST/DAST product page for how API-aware scanning fits into a broader AppSec program.

FAQ

Is the OWASP API Security Top 10 the same list as the regular OWASP Top 10?

No — they're separate, purpose-built lists. The standard OWASP Top 10 covers web application vulnerabilities broadly (including XSS and injection); the API-specific list is scoped to how APIs uniquely fail, with authorization issues weighted much more heavily.

What's the most common OWASP API risk found in real assessments?

Broken Object Level Authorization (API1) is consistently reported as the most frequently found and most frequently exploited API risk across bug bounty and penetration testing data, largely because it's simple to both introduce and discover.

Do API gateways solve these risks automatically?

No — API gateways can enforce rate limiting and centralize authentication, which helps with API2 and API4, but object-level and function-level authorization decisions almost always require application-specific logic a gateway can't infer on its own.

How does SSRF specifically apply to APIs versus traditional web apps?

APIs frequently accept URLs or resource identifiers as legitimate input (webhooks, image-fetch endpoints, URL preview features), giving SSRF a more natural entry point than in traditional web apps, where user-supplied URLs reaching a server-side fetch are comparatively rarer.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.