OWASP API Security Top 10 2023 Release Candidate Published 

PUBLISHED ON February 21, 2023
LAST UPDATED Feb 21, 2023

As the Open Web Application Security Project (OWASP) explains, APIs are a critical part of modern applications: they allow different software programs to communicate with each other and provide services to customers, partners, and internal teams. API security focuses on strategies to mitigate vulnerabilities, misconfigurations, and other security risks of Application Programming Interfaces (APIs). Without secure APIs, organizations and their consumers are at risk of falling victim to an online attack.

2019 vs 2023 OWASP API Top 10 

OWASP (Open Web Application Security Project) is an open-source community that focuses on improving the security of software. One of their most well-known projects, OWASP API Top 10, was designed to help developers understand and address the most common security risks associated with APIs. The list includes the following 10 risks: 

  1. Broken Object Level Authorization 
  2. Broken User Authentication 
  3. Excessive Data Exposure 
  4. Lack of Resources & Rate Limiting 
  5. Broken Function Level Authorization 
  6. Mass Assignment 
  7. Security Misconfiguration 
  8. Injection 
  9. Improper Assets Management 
  10. Insufficient Logging & Monitoring 

The OWASP API Security Top 10 2023 RC, on the other hand, is an updated version of the OWASP API Top 10 2019. The new version has been created to reflect the changing threat landscape and address new attack vectors that have emerged since the last version was released. The OWASP API Security Top 10 2023 RC includes the following 10 risks: 

  1. Broken Object Level Authorization 
  2. Broken Authentication  
  3. Broken Object Property Level Authorization 
  4. Unrestricted Resource Consumption 
  5. Broken Function Level Authorization 
  6. Server Side Request Forgery 
  7. Security Misconfiguration 
  8. Lack of Protection from Automated Threats 
  9. Improper Inventory Management 
  10. Unsafe Consumption of APIs 

As we can see, there are some similarities between the two lists: both include security risks related to authentication, authorization, and security misconfiguration. However, there are 6 notable changes between the API threats listed in the 2019 and 2023 editions of the OWASP API Top 10, which is exactly what we’ll dig into next.

Breaking Down the Differences  

To begin with the biggest differences, the OWASP API Security Top 10 2023 RC includes new security risks that were not present in the previous version:

API3:2023 Broken Object Property Level Authorization combines two 2019 categories, API3:2019 Excessive Data Exposure and API6:2019 Mass Assignment, under which attackers gain unauthorized access to sensitive information. Both techniques focus on manipulating API endpoints to read or modify data the caller is not authorized for, typically sensitive data.

API4:2019 Lack of Resources & Rate Limiting has been reclassified as API4:2023 Unrestricted Resource Consumption, shifting the focus from rate limiting alone to restricting the bandwidth, CPU, memory, or amount of storage an API can consume at a given time. The reason for this change is simple: some APIs need stricter policies depending on what data they share. APIs are being exhausted by third-party services continuously attempting to share large amounts of data or even files between systems, which requires stricter policies to ensure system performance isn’t affected and computational resource usage doesn’t skyrocket.

API6:2019 Mass Assignment has been replaced by API6:2023 Server Side Request Forgery; both involve manipulating APIs. The biggest difference is that Server Side Request Forgery is used to enumerate internal services by testing various URIs through the API, whereas Mass Assignment enumerates API properties to expose data rather than infrastructure.

API8:2023 Lack of Protection from Automated Threats is a major change, since API8:2019 focused on Injection. This is in response to attackers building automated botnets that are smarter about how they exploit APIs, targeting business-impacting functionality as well as implementation errors. A few examples would be buying up all of the latest Nike sneakers or using valid user credentials to steal referral points; the goal is to automate a normal behavior to such excess that it harms the business.

API9:2019 Improper Assets Management is now API9:2023 Improper Inventory Management, purposefully emphasizing the need to document expected API usage, eliminate dataflow blind spots, and track all public, private, partner, and integrated API services in the environment. Attackers are taking advantage of vulnerabilities in third-party APIs, and organizations using those API services are falling victim to data breaches.

API10:2023 Unsafe Consumption of APIs is a shift from API10:2019, which focused on Insufficient Logging & Monitoring. Instead of the ability to monitor suspicious activity by logging actions, Unsafe Consumption of APIs emphasizes the need for more risk awareness when choosing to integrate with third-party APIs. API attacks are mimicking real user activity more and more, and attackers are increasingly leveraging vulnerabilities in third-party APIs to access sensitive data.

These changes highlight how attackers are evolving their strategies to exploit the private, public, and third-party API services that drive our modern applications and online services. They also call out how organizations need to mature their API security programs: be more risk aware when selecting third-party services, document all aspects of the APIs they implement, and build up protection mechanisms to ensure APIs are being used securely.

Changing Threats are like Playing Whack-a-Mole 

Overall, hats off to the OWASP community for organizing the latest OWASP API Top 10 and releasing the list for community feedback. Below are OWASP’s 2023 recommendations on how to defend APIs against the latest threats and prevent more data breaches from happening in 2023.

API3:2023 – OWASP recommendations call for avoiding, when designing APIs, generic methods that automatically bind a client’s input to code variables. Implement a schema-based response validation mechanism, return the bare minimum of data, and validate the user’s access to object-level data.
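The three recommendations above (no generic binding of client input, a schema-driven response, and a property-level access check) can be shown in one small handler. The code below is an added example, not OWASP’s or the post’s code; the user record, the roles `self`/`admin`/`public`, and the property allow-lists are constructed for illustration. The insecure variant is the "generic method" that binds every client key; the hardened variant keeps an explicit allow-list of writable properties per role and a separate allow-list of properties that may appear in a response.

```python
"""Broken Object Property Level Authorization: allow-list what a caller may
read and write on an object instead of binding client input generically.

Added example (not from OWASP or the post). The record, roles and
property lists are constructed for illustration.
"""
from copy import deepcopy

# Constructed sample record as it might be stored server-side.
STORED_USER = {
    "id": 42,
    "email": "alice@example.test",
    "display_name": "Alice",
    "is_admin": False,
    "credit_balance": 120,
    "password_hash": "$argon2id$placeholder-not-a-real-hash",
}

# Properties a caller in a given role may WRITE on a user object.
WRITABLE = {
    "self": {"display_name", "email"},
    "admin": {"display_name", "email", "is_admin", "credit_balance"},
}

# Properties returned in a response for a given role (the bare minimum).
READABLE = {
    "public": {"id", "display_name"},
    "self": {"id", "email", "display_name", "credit_balance"},
    "admin": {"id", "email", "display_name", "is_admin", "credit_balance"},
}


class PropertyNotAllowed(Exception):
    pass


def update_user_insecure(stored, payload):
    """The 'generic method' OWASP warns about: every client-supplied key is
    bound onto the object, so is_admin or credit_balance can be overwritten."""
    updated = deepcopy(stored)
    updated.update(payload)
    return updated


def update_user(stored, payload, role):
    """Hardened: reject any property outside the role's write allow-list.

    Rejecting (rather than silently dropping) unexpected properties keeps the
    contract explicit and makes probing for hidden properties visible in logs."""
    allowed = WRITABLE.get(role, set())
    unexpected = set(payload) - allowed
    if unexpected:
        raise PropertyNotAllowed(sorted(unexpected))
    updated = deepcopy(stored)
    for key in allowed & set(payload):
        updated[key] = payload[key]
    return updated


def serialize_user(stored, role):
    """Schema-based response filtering: only allow-listed properties leave the
    service, so password_hash and internal flags are never exposed by accident."""
    return {k: v for k, v in stored.items() if k in READABLE.get(role, set())}


if __name__ == "__main__":
    payload = {"display_name": "Mallory", "is_admin": True}
    print("insecure is_admin:", update_user_insecure(STORED_USER, payload)["is_admin"])
    try:
        update_user(STORED_USER, payload, "self")
    except PropertyNotAllowed as exc:
        print("rejected properties:", exc)
    print("public view:", serialize_user(STORED_USER, "public"))
```

The same allow-list shape works for nested objects: keep the list per object type and per role in one place (next to the schema) so that adding a new sensitive property means consciously deciding who may read and write it.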

API4:2023 – OWASP recommendations call for limiting resources and enforcing a maximum size for data or files in incoming API parameters and payloads. Implement a per-client limit on third-party API usage within a specific timeframe, with alerts. Rate limit or throttle API calls, especially for authentication APIs, and define stricter policies for APIs that consume larger amounts of computational resources.
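As an added example of these controls (not OWASP’s or the post’s code), the block below enforces a payload size cap before a body is read and applies a sliding-window rate limit keyed by client and endpoint, with stricter budgets for the login endpoint and an expensive export endpoint. The limits, endpoint names and the fake clock are constructed for illustration; in a real service the clock would be `time.monotonic()` and the counters would live in shared storage such as Redis rather than in process memory.

```python
"""Unrestricted Resource Consumption controls: a payload size cap and a
per-client, per-endpoint sliding-window rate limit with alerting.

Added example; not OWASP's or the post's code. Limits, endpoint names and
the fake clock are constructed for illustration.
"""
from collections import defaultdict, deque

MAX_BODY_BYTES = 64 * 1024          # cap on an ordinary JSON/form payload
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # cap on a file upload

# Per-endpoint policy: (max requests, window in seconds). Authentication and
# expensive endpoints get a much smaller budget than ordinary reads.
POLICIES = {
    "POST /auth/login": (5, 60),
    "POST /reports/export": (2, 300),
    "default": (100, 60),
}


class PayloadTooLarge(Exception):
    pass


def check_payload_size(content_length, is_upload=False):
    """Reject oversized bodies from the Content-Length header, before any
    bytes are buffered; a missing or negative length is rejected too."""
    limit = MAX_UPLOAD_BYTES if is_upload else MAX_BODY_BYTES
    if content_length is None or content_length < 0:
        raise PayloadTooLarge("missing or invalid Content-Length")
    if content_length > limit:
        raise PayloadTooLarge(f"{content_length} bytes exceeds limit of {limit}")
    return True


class SlidingWindowLimiter:
    """Counts request timestamps per (client, endpoint) inside a rolling window."""

    def __init__(self, policies, clock):
        self.policies = policies
        self.clock = clock                  # callable returning seconds
        self.hits = defaultdict(deque)      # (client, endpoint) -> timestamps
        self.alerts = []                    # (time, client, endpoint) when blocked

    def allow(self, client_id, endpoint):
        limit, window = self.policies.get(endpoint, self.policies["default"])
        now = self.clock()
        stamps = self.hits[(client_id, endpoint)]
        while stamps and now - stamps[0] >= window:   # drop expired entries
            stamps.popleft()
        if len(stamps) >= limit:
            self.alerts.append((now, client_id, endpoint))
            return False
        stamps.append(now)
        return True


class FakeClock:
    """Deterministic clock so the simulation below runs offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate():
    """Seven login attempts in one window, then one more after it expires."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(POLICIES, clock)
    decisions = [limiter.allow("10.0.0.5", "POST /auth/login") for _ in range(7)]
    clock.advance(61)
    after_window = limiter.allow("10.0.0.5", "POST /auth/login")
    return decisions, after_window, len(limiter.alerts)


if __name__ == "__main__":
    print(simulate())   # ([True]*5 + [False]*2, True, 2)
```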

API6:2023 – OWASP recommendations call for isolating resource-fetching mechanisms in your network, validating client-supplied input data, disabling HTTP redirections, and using well-tested and maintained URL parsers. Do not send raw responses to clients.

API8:2023 – OWASP recommendations call for protection mechanisms that use device fingerprinting and the detection of human vs. non-human usage patterns.

API9:2023 – OWASP recommendations call for adopting automated API documentation in the CI/CD pipeline using open standards and ensuring it stays up to date. Documentation should include all public, internal, and partner API hosts, integrated services, and the authentication details for API requests and responses.
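One concrete way to keep that documentation honest is a CI check that diffs the documented inventory against what the gateway actually serves. The block below is an added example, not OWASP’s or the post’s tooling; the OpenAPI `paths` fragment, the known-host list and the gateway log lines are constructed. It reports endpoints seen in traffic but absent from the spec (shadow or deprecated versions), hosts the inventory does not know, and documented paths that no traffic ever hits.

```python
"""Inventory check: compare observed API traffic with the documented OpenAPI
paths and the known host list, as a CI job might.

Added example; not OWASP's or the post's tooling. The OpenAPI fragment, host
inventory and gateway log lines are constructed for illustration.
"""
import re

# Constructed: the `paths` section of an OpenAPI document, as loaded by CI.
OPENAPI_PATHS = {
    "/v2/users/{id}": ["get", "patch"],
    "/v2/orders": ["get", "post"],
    "/v2/orders/{orderId}/items": ["get"],
}
# Constructed: hosts the inventory knows about (public, internal, partner).
KNOWN_HOSTS = {"api.example.test", "partner-api.example.test"}

# Constructed gateway log lines: host method path
OBSERVED_LOG = """\
api.example.test GET /v2/users/17
api.example.test PATCH /v2/users/17
api.example.test DELETE /v2/users/17
api.example.test GET /v2/orders/9/items
api.example.test GET /v1/users/17
api-old.example.test GET /v1/users/17
api.example.test GET /internal/debug/config
"""


def path_to_regex(template):
    """/v2/users/{id} -> regex matching exactly one path segment per parameter."""
    literal_parts = re.split(r"\{[^/}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in literal_parts) + "$")


def inventory_report(spec_paths, known_hosts, log_text):
    """Return undocumented endpoints, unknown hosts and documented-but-unused paths."""
    matchers = [(tpl, {m.upper() for m in methods}, path_to_regex(tpl))
                for tpl, methods in spec_paths.items()]
    undocumented, unknown_hosts, used = set(), set(), set()
    for line in log_text.splitlines():
        host, method, path = line.split()
        if host not in known_hosts:
            unknown_hosts.add(host)
        for template, methods, rx in matchers:
            if rx.match(path) and method in methods:
                used.add(template)
                break
        else:  # no documented (path, method) pair matched: shadow or stale endpoint
            undocumented.add(f"{method} {path}")
    return {
        "undocumented": sorted(undocumented),
        "unknown_hosts": sorted(unknown_hosts),
        "stale": sorted(set(spec_paths) - used),
    }


if __name__ == "__main__":
    for key, items in inventory_report(OPENAPI_PATHS, KNOWN_HOSTS, OBSERVED_LOG).items():
        print(f"{key}: {items}")
```

A non-empty `undocumented` or `unknown_hosts` list is a natural CI failure condition: either the spec is updated to describe the endpoint (including its authentication requirements) or the endpoint is retired, and either way the blind spot is closed.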

API10:2023 – OWASP recommendations call for API posture assessments: ensure all API interactions happen over TLS, validate and sanitize data from integrated APIs before using it, and do not blindly follow redirects from integrated APIs.
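The API6 and API10 recommendations share one outbound path: a URL is validated with a well-tested parser before the server fetches it, redirects are not followed, and the upstream body is validated against an expected schema before any of it reaches the service’s own clients. The block below is an added example that covers both, not OWASP’s or the post’s code; the host allow-list, the response schema, the `resolved_ip` parameter (the address the caller has already resolved the host name to) and the fake transport are constructed, and no network access takes place.

```python
"""Safe consumption of a third-party API: validate the outbound URL before
the request is made and validate the upstream response before it is used.

Added example; not OWASP's or the post's code. The allow-list, the schema
and the fake transport are constructed; nothing here touches the network.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"partner-api.example.test"}   # constructed third-party host
ALLOWED_SCHEMES = {"https"}                    # integrations over TLS only


class UnsafeURL(Exception):
    pass


class UnsafeUpstreamResponse(Exception):
    pass


def validate_outbound_url(url, resolved_ip=None):
    """Allow only https to an allow-listed host; reject embedded credentials,
    unexpected ports and names resolving to loopback/private/link-local space.
    `resolved_ip` is the address the caller resolved the host name to."""
    parts = urlsplit(url)  # stdlib parser instead of a hand-rolled regex
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise UnsafeURL("credentials embedded in URL")
    if parts.hostname not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host {parts.hostname!r} not in allow-list")
    if parts.port not in (None, 443):
        raise UnsafeURL(f"port {parts.port} not allowed")
    if resolved_ip is not None and not ipaddress.ip_address(resolved_ip).is_global:
        raise UnsafeURL(f"{parts.hostname} resolves to non-public address {resolved_ip}")
    return True


# Expected shape of the upstream JSON; anything outside it is rejected.
SCHEMA = {"order_id": str, "amount_cents": int, "currency": str}
MAX_STRING_LEN = 64


def validate_upstream(payload):
    """Return only the schema's fields, each with exactly the expected type."""
    if not isinstance(payload, dict):
        raise UnsafeUpstreamResponse("body is not a JSON object")
    extra = set(payload) - set(SCHEMA)
    if extra:
        raise UnsafeUpstreamResponse(f"unexpected fields {sorted(extra)}")
    clean = {}
    for field, ftype in SCHEMA.items():
        if field not in payload:
            raise UnsafeUpstreamResponse(f"missing field {field!r}")
        value = payload[field]
        if type(value) is not ftype:  # type(), not isinstance: bool subclasses int
            raise UnsafeUpstreamResponse(f"{field!r} has type {type(value).__name__}")
        if ftype is str and len(value) > MAX_STRING_LEN:
            raise UnsafeUpstreamResponse(f"{field!r} too long")
        clean[field] = value
    return clean


def fetch_upstream(url, resolved_ip, transport):
    """transport(url) -> (status, headers, body) is injected so this runs
    offline. Redirects are never followed; raw bodies never reach our clients."""
    validate_outbound_url(url, resolved_ip)
    status, headers, body = transport(url)
    if 300 <= status < 400:
        raise UnsafeUpstreamResponse(
            f"upstream redirected to {headers.get('Location')!r}; not followed")
    if status != 200:
        raise UnsafeUpstreamResponse(f"unexpected status {status}")
    return validate_upstream(body)


# Constructed fake upstream: a good response, a redirect toward an internal
# name, and a response with a wrong type plus an extra field.
FAKE_RESPONSES = {
    "https://partner-api.example.test/orders/1":
        (200, {}, {"order_id": "A1", "amount_cents": 1999, "currency": "EUR"}),
    "https://partner-api.example.test/orders/2":
        (302, {"Location": "https://billing-internal.example.test/admin"}, None),
    "https://partner-api.example.test/orders/3":
        (200, {}, {"order_id": "A3", "amount_cents": "1999", "currency": "EUR",
                   "is_admin": True}),
}


def fake_transport(url):
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    base = "https://partner-api.example.test"
    print(fetch_upstream(base + "/orders/1", "1.2.3.4", fake_transport))
    for path in ("/orders/2", "/orders/3"):
        try:
            fetch_upstream(base + path, "1.2.3.4", fake_transport)
        except UnsafeUpstreamResponse as exc:
            print("rejected:", exc)
```

Passing the resolved address into the check matters because a host name on the allow-list can still be pointed at an internal address by whoever controls its DNS; the same check should be applied to the address the HTTP client actually connects to, not only to a lookup performed beforehand.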

The OWASP API Security Top 10 2023 RC is the most comprehensive and up-to-date list of the most critical security risks to APIs. It reflects the changing threat landscape and includes new risks that have emerged in recent years. If you are an API expert, the OWASP writers are accepting feedback now on the OWASP API Security Top 10 GitHub repository; provide your suggestions in the comments there.

About the Author

Sydney Coffaro

Experienced subject-matter expert focused on cybersecurity automation, incident response, APIs, and application security, with a demonstrated history of working in fast-paced early-stage startups. Sydney is a certified product manager and Scrum Master, and has led technical sales initiatives for go-to-customer teams that resulted in the acquisition of hundreds of customers.