What is the OWASP API Security Top 10 (2023)?
A separate Top 10 just for APIs, because API risks differ from classic web-app risks — most API breaches are authorization flaws (who can access which object/field/function), not injection or XSS.
Why a separate list exists: a browser-rendered web app and a JSON API have different attack surfaces. APIs expose object IDs and fields directly to clients and often skip the UI-layer checks developers rely on, so the dominant failures are authorization ones — e.g. changing /orders/123 to /orders/124 and getting someone else's order (Broken Object Level Authorization, API1, the #1 API risk). Note the overlap with the main list: SSRF, Security Misconfiguration, and Authentication appear on both.
| # | Risk |
|---|---|
| API1 | Broken Object Level Authorization |
| API2 | Broken Authentication |
| API3 | Broken Object Property Level Authorization |
| API4 | Unrestricted Resource Consumption |
| API5 | Broken Function Level Authorization |
| API6 | Unrestricted Access to Sensitive Business Flows |
| API7 | Server Side Request Forgery |
| API8 | Security Misconfiguration |
| API9 | Improper Inventory Management |
| API10 | Unsafe Consumption of APIs |
Go deeper:
OWASP API Security Top 10 — 2023 — the canonical API1–API10 list.
OWASP API1:2023 — Broken Object Level Authorization — the #1 API risk.