OWASP API Security Top 10



API Security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs). The version used in this section is OWASP API Security Top 10 2019.


API1. Broken Object Level Authorization
    030. Avoid object reutilization
    033. Restrict administrative access
    035. Manage privilege modifications
    095. Define users with privileges
    176. Restrict system objects
    265. Restrict access to critical processes

API2. Broken User Authentication
    228. Authenticate using standard protocols
    229. Request access credentials
    264. Request authentication

API3. Excessive Data Exposure
    032. Avoid session ID leakages
    181. Transmit data using secure protocols
    261. Avoid exposing sensitive information
    300. Mask sensitive data
    375. Remove sensitive data from client-side applications

API4. Lack of Resources & Rate Limiting
    173. Discard unsafe inputs
    320. Avoid client-side control enforcement
    342. Validate request parameters

API5. Broken Function Level Authorization
    096. Set user's required privileges
    176. Restrict system objects
    264. Request authentication
    320. Avoid client-side control enforcement

API6. Mass Assignment
    062. Define standard configurations
    176. Restrict system objects
    266. Disable insecure functionalities

API7. Security Misconfiguration
    043. Define an explicit content type
    062. Define standard configurations
    131. Deny multiple password changing attempts
    134. Store passwords with salt
    266. Disable insecure functionalities

API8. Injection
    160. Encode system outputs
    169. Use parameterized queries
    173. Discard unsafe inputs

API9. Improper Assets Management
    050. Control calls to interpreted code
    262. Verify third-party components
    266. Disable insecure functionalities

API10. Insufficient Logging & Monitoring
    046. Manage the integrity of critical files
    075. Record exceptional events in logs
    083. Avoid logging sensitive data
    085. Allow session history queries
    322. Avoid excessive logging
    376. Register severity level
    377. Store logs based on valid regulation
    378. Use of log management system