LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is the OWASP API Security Top 10 (2023)?

A separate Top 10 just for APIs, because API risks differ from classic web-app risks — most API breaches are authorization flaws (who can access which object/field/function), not injection or XSS.

Why a separate list exists: a browser-rendered web app and a JSON API have different attack surfaces. APIs expose object IDs and fields directly to clients and often skip the UI-layer checks developers rely on, so the dominant failures are authorization ones — e.g. changing /orders/123 to /orders/124 and getting someone else's order (Broken Object Level Authorization, API1, the #1 API risk). Note the overlap with the main list: SSRF, Security Misconfiguration, and Authentication appear on both.

# Risk
API1 Broken Object Level Authorization
API2 Broken Authentication
API3 Broken Object Property Level Authorization
API4 Unrestricted Resource Consumption
API5 Broken Function Level Authorization
API6 Unrestricted Access to Sensitive Business Flows
API7 Server Side Request Forgery
API8 Security Misconfiguration
API9 Improper Inventory Management
API10 Unsafe Consumption of APIs

Go deeper:

From Quiz: SPRG / OWASP Top 10 | Updated: Jul 14, 2026