The OWASP API Security Top 10 is the reference list for the risks that matter most on API surfaces. APIs fail differently from traditional web apps — the bugs cluster around authorization and object access, not just injection — and the 2023 edition reflects that. This guide walks all ten risks, what each one looks like in practice, and how to test for it with reproducible evidence rather than a severity guess.
Why APIs need their own Top 10
A web-app scanner crawls pages and fuzzes inputs. An API has no pages to crawl — it has endpoints, objects, and roles. The dominant failures are authorization failures: a caller reaching an object or function they should not. That is why the API Top 10 leads with object-level and function-level authorization rather than injection, and why single-session scanners miss most of it.
The ten risks
API1:2023 — Broken Object Level Authorization (BOLA)
The number-one risk. The server authenticates the caller but never checks that the caller owns the specific object they reference (GET /invoices/9182). Test it with multi-role replay: capture a reference response under one role, replay the same request under another, and diff the two for leaks.
API2:2023 — Broken Authentication
Weak token validation, missing expiry, guessable credentials, or flawed OAuth flows. Test token replay, missing PKCE, and state handling.
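The two token-validation failures named above (trusting the token's own alg header, and never enforcing exp) are easiest to see side by side. The following is an added example written for this guide, not code from the original page or from Pentrova: a stdlib-only HMAC-JWT minter, a deliberately weak verifier, a hardened one, and a probe() helper that runs the alg=none, expired and tampered-signature cases against both. The key, subjects and timestamps are constructed; the function names are assumptions made here.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real service loads its signing key from a secrets store.
SECRET = b"demo-hmac-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(payload: dict, alg: str = "HS256") -> str:
    """Mint a JWT. alg='none' exists only so the verifiers can be probed with it."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    if alg == "none":
        return signing_input + "."            # unsigned token: empty signature segment
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_weak(token: str) -> Optional[dict]:
    """Broken verifier: honours the header's alg (so 'none' skips the signature) and ignores exp."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(p))
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, _b64url_decode(s)):
        return json.loads(_b64url_decode(p))
    return None


def verify_strict(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Hardened verifier: pins the algorithm, checks the signature first, then requires a future exp."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":          # never let the token choose its own algorithm
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    exp = payload.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        return None                           # exp missing, malformed, or in the past
    return payload


def probe(now: float) -> dict:
    """Run the API2 probes against both verifiers; True means the verifier accepted the token."""
    forged = mint({"sub": "admin"}, alg="none")
    expired = mint({"sub": "alice", "exp": now - 60})
    valid = mint({"sub": "alice", "exp": now + 600})
    tampered = valid[: valid.rfind(".")] + ".AAAA"   # keep header+payload, replace the signature
    cases = [("alg_none", forged), ("expired", expired), ("valid", valid), ("tampered", tampered)]
    return {
        "weak": {name: verify_weak(t) is not None for name, t in cases},
        "strict": {name: verify_strict(t, now) is not None for name, t in cases},
    }
```

Run probe(time.time()): the weak verifier accepts the alg=none forgery and the expired token, the strict one accepts only the valid token. The same three requests (alg=none, past exp, altered signature) are what a tester sends against a live API to tell which verifier it is running.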
API3:2023 — Broken Object Property Level Authorization
The endpoint scopes the object correctly but leaks or accepts fields it should not: excessive data exposure and mass assignment merged into one risk. Diff response bodies field-by-field across roles, and send write requests carrying extra properties to see whether the server accepts them.
API4:2023 — Unrestricted Resource Consumption
Missing rate, size, or quota limits that enable denial of service or runaway cost. Probe pagination limits, payload sizes, and request bursts; burst testing also exercises the race-condition surface.
API5:2023 — Broken Function Level Authorization (BFLA)
A lower-privileged role can invoke a privileged function (admin endpoints, state transitions). Replay privileged operations under lower-privileged sessions and check whether they succeed.
API6:2023 — Unrestricted Access to Sensitive Business Flows
Automatable business flows (purchase, signup, booking) with no anti-automation, enabling abuse at scale. Which flows are sensitive is application-specific, so the test needs the app's own definition of them rather than a generic check.
API7:2023 — Server Side Request Forgery
User-supplied URLs the server fetches, reaching internal services or cloud metadata. Supply internal canary URLs and watch the out-of-band channel for the callback.
API8:2023 — Security Misconfiguration
Missing security headers, permissive CORS, verbose errors, unpatched components. Check headers and CORS with the free header scanner and CORS checker.
API9:2023 — Improper Inventory Management
Forgotten v1 endpoints, undocumented hosts, debug routes. An accurate spec is the defence, and a spec that declares no security scheme makes the inventory problem worse, because nothing then records which endpoints are meant to require authentication.
API10:2023 — Unsafe Consumption of APIs
Trusting third-party API responses without validation, inheriting their vulnerabilities. Validate and sanitise upstream data as if it were user input.
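The canary test above tells you whether a fetch-a-URL endpoint is exploitable; the check that closes it sits on the server's fetch path. Below is an added example written for this guide, not code from the original page or from Pentrova: a URL guard that only allows http(s), rejects userinfo, resolves the host, and refuses any answer that is loopback, link-local (which covers the 169.254.169.254 metadata address), private, multicast, reserved or unspecified, including IPv4-mapped IPv6 forms. The resolver table and hostnames are constructed so the block runs offline; resolve_safe_target and is_blocked are names chosen here.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed resolver table so the example runs offline. A real guard calls
# socket.getaddrinfo() once and then connects to the returned address rather than
# re-resolving the hostname, so a DNS rebind cannot swap in an internal address later.
FAKE_DNS: Dict[str, List[str]] = {
    "api.partner.example": ["93.184.216.34"],                          # constructed public address
    "internal.corp.example": ["10.0.0.5"],                             # RFC 1918
    "rebind.attacker.example": ["93.184.216.34", "169.254.169.254"],   # public plus metadata IP
}


def fake_resolve(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise ValueError(f"unresolvable host: {host}")
    return FAKE_DNS[host]


def _forbidden(ip) -> bool:
    """Anything that is not a plain globally routable unicast address is off limits."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                    # ::ffff:10.0.0.5 must be judged as 10.0.0.5
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified)


def resolve_safe_target(url: str, resolve: Callable[[str], List[str]] = fake_resolve) -> Tuple[str, str]:
    """Return (hostname, pinned IP) for a URL the server may fetch, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")      # blocks http://trusted@10.0.0.5/
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addrs = [ipaddress.ip_address(host)]                  # literal IP: no DNS involved
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    for ip in addrs:                                          # every answer must pass, not just the first
        if _forbidden(ip):
            raise ValueError(f"{host} resolves to forbidden address {ip}")
    return host, str(addrs[0])


def is_blocked(url: str, resolve: Callable[[str], List[str]] = fake_resolve) -> bool:
    """Convenience wrapper: True if the guard refuses the URL."""
    try:
        resolve_safe_target(url, resolve)
        return False
    except ValueError:
        return True
```

The pinned IP is the point: the HTTP client should connect to that address and send the hostname only in the Host header and TLS SNI, otherwise the check and the connection can see different DNS answers. Redirects need the same treatment on every hop, since a public host can 302 to an internal one.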
How to test the API Top 10 with evidence
Three of the top five risks (API1, API3, API5) are authorization failures that are relational — they only appear across roles. That shapes how you test:
- Establish every role, including a cross-tenant stranger.
- Capture reference responses per endpoint under a privileged role.
- Replay across roles and diff for object leaks (API1), field leaks (API3), and function access (API5).
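The three steps above, and the per-risk tests described under API1, API3 and API5, are one loop, so here is that loop in code. This is an added example written for this guide, not code from the original page or from Pentrova's product. It constructs a toy in-memory target with one invoice route that has both the BOLA and the property-leak defect and one admin export route with no role check, captures a reference exchange per endpoint under the admin role, replays under a same-tenant user and a cross-tenant stranger, and classifies each difference as API1, API3 or API5. The fixed handlers at the end show the same loop reporting nothing. Users, invoice data and the INTERNAL_FIELDS set are constructed; all function names are assumptions made here.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

# --- Constructed toy target, standing in for the live API under test -------------------
USERS = {
    "alice": {"role": "user", "tenant": "t1"},
    "bob": {"role": "user", "tenant": "t2"},     # cross-tenant stranger
    "admin": {"role": "admin", "tenant": "t1"},
}
INVOICES = {9182: {"id": 9182, "owner": "alice", "amount": 120,
                   "card_last4": "4242", "internal_margin": 0.31}}
INTERNAL_FIELDS = {"internal_margin"}   # properties that must never reach a non-admin


@dataclass
class Response:
    status: int
    body: Any = None


def get_invoice_vuln(caller: str, invoice_id: int) -> Response:
    """API1 + API3 pattern: caller is authenticated, ownership never checked, whole row serialised."""
    inv = INVOICES.get(invoice_id)
    return Response(404) if inv is None else Response(200, dict(inv))


def get_invoice_fixed(caller: str, invoice_id: int) -> Response:
    inv = INVOICES.get(invoice_id)
    is_admin = USERS[caller]["role"] == "admin"
    if inv is None or (inv["owner"] != caller and not is_admin):
        return Response(404)                  # same status as not-found: no existence oracle
    body = dict(inv) if is_admin else {k: v for k, v in inv.items() if k not in INTERNAL_FIELDS}
    return Response(200, body)


def export_vuln(caller: str) -> Response:
    """API5 pattern: admin-only function with no role check."""
    return Response(200, list(INVOICES.values()))


def export_fixed(caller: str) -> Response:
    return Response(200, list(INVOICES.values())) if USERS[caller]["role"] == "admin" else Response(403)


@dataclass
class Route:
    name: str
    call: Callable[[str], Response]
    privileged: bool = False               # only the reference (admin) role should get a 200


ROUTES_VULN = [Route("GET /invoices/9182", lambda c: get_invoice_vuln(c, 9182)),
               Route("POST /admin/export", export_vuln, privileged=True)]
ROUTES_FIXED = [Route("GET /invoices/9182", lambda c: get_invoice_fixed(c, 9182)),
                Route("POST /admin/export", export_fixed, privileged=True)]

# --- The replay loop -------------------------------------------------------------------
Finding = Tuple[str, str, str, str]    # (risk, route, role, evidence)


def capture(routes: List[Route], role: str) -> Dict[str, Response]:
    """Step 2: one reference exchange per endpoint under the given role."""
    return {r.name: r.call(role) for r in routes}


def diff_role(routes: List[Route], reference: Dict[str, Response], role: str) -> List[Finding]:
    """Step 3: replay every route under `role` and diff against the privileged reference."""
    findings: List[Finding] = []
    for r in routes:
        ref, got = reference[r.name], r.call(role)
        if got.status != 200:
            continue                           # denied: nothing to diff on this route
        if r.privileged:
            findings.append(("API5", r.name, role, "privileged function returned 200"))
            continue
        if isinstance(got.body, dict):
            owner = got.body.get("owner")
            if owner and owner != role:
                findings.append(("API1", r.name, role,
                                 f"reached object owned by {owner} (tenant {USERS[owner]['tenant']})"))
            ref_fields = set(ref.body) if isinstance(ref.body, dict) else set()
            leaked = sorted(set(got.body) & ref_fields & INTERNAL_FIELDS)
            if leaked:
                findings.append(("API3", r.name, role, f"internal fields present: {leaked}"))
    return findings


def run_matrix(routes: List[Route], reference_role: str = "admin",
               roles: Tuple[str, ...] = ("alice", "bob")) -> List[Finding]:
    """Step 1 is the role list; the loop captures the reference once and diffs every other role."""
    reference = capture(routes, reference_role)
    return [f for role in roles for f in diff_role(routes, reference, role)]
```

run_matrix(ROUTES_VULN) returns five findings: alice (the legitimate owner) still gets API3 and API5, bob gets API1, API3 and API5. Each tuple carries the route, the role and the observed evidence, which is the shape a reproducible finding needs: the same request replayed under the same session will produce the same diff. run_matrix(ROUTES_FIXED) returns an empty list.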
Pentrova’s API Pentesting runs exactly this loop across six auth modes and five spec parsers, and every finding ships as deterministic proof — the captured exchange plus a reproducible command — rather than a CVSS estimate.
Key takeaways
- The API Top 10 is authorization-led: BOLA, BFLA, and property-level authorization (BOPLA) dominate.
- Authorization risks are relational and require cross-role replay, not single-session scanning.
- Misconfiguration and inventory risks are catchable with free tooling and an accurate OpenAPI spec.
- Evidence-based testing reproduces each risk against the live target instead of scoring it.
FAQ
What is the most common API vulnerability? Broken Object Level Authorization (BOLA, API1:2023). It tops the OWASP API Top 10 because authenticated callers routinely reach objects they do not own, and single-session scanners cannot detect it.
How is the API Top 10 different from the regular OWASP Top 10? The web app Top 10 covers broad application risks; the API Top 10 focuses on the failures specific to API surfaces — predominantly object- and function-level authorization — which behave very differently from page-based web bugs.
Can these risks be tested automatically? Yes. The authorization risks need multi-role replay; misconfiguration and SSRF need active probing with out-of-band confirmation. Pentrova automates all of it and reports only reproduced findings.
See the Authorization Matrix walkthrough for testing in detail, or start a free API engagement.