The Open Web Application Security Project (OWASP) released its updated list of Top 10 API Security Vulnerabilities in 2023.
Changes between 2023 and 2019 API Security Top 10 listings
This section outlines the changes from the previous 2019 OWASP API Security Top 10 listing. The full 2023 list, in order of severity, appears further below.
New Entries in 2023
There are three new entries to the list:
- API 06:2023 – Unrestricted Access to Sensitive Business Flows
- API 07:2023 – Server Side Request Forgery
- API 10:2023 – Unsafe Consumption of APIs – this also includes injection from API 08:2019
Modified Entries from 2019
- API 02:2023 – Broken Authentication, previously API 02:2019: Broken User Authentication
- API 03:2023 – Broken Object Property Level Authorisation, a merger of two previous vulnerabilities: API 03:2019 Excessive Data Exposure and API 06:2019 Mass Assignment
- API 04:2023 – Unrestricted Resource Consumption, previously API 04:2019: Lack of Resources & Rate limiting
- API 09:2023 – Improper Inventory Management, previously API 04:2019: Improper Asset Management
Remaining on the list
- API 01:2023 & 2019 – Broken Object Level Authorization
- API 05:2023 & 2019 – Broken Function Level Authorization
- API 08:2023 – Security Misconfiguration, drops a place from 7 to 8
2019 Entries dropping off the list
- API 10:2019 – Insufficient Logging and Monitoring
OWASP API Security Top 10 Vulnerabilities (in order of severity)
- API 01:2023 – Broken object level authorization
- API 02:2023 – Broken authentication
- API 03:2023 – Broken Object Property Level Authorisation
- API 04:2023 – Unrestricted resource consumption
- API 05:2023 – Broken function level authorization
- API 06:2023 – Unrestricted access to sensitive business flows
- API 07:2023 – Server side request forgery
- API 08:2023 – Security misconfiguration
- API 09:2023 – Improper inventory management
- API 10:2023 – Unsafe consumption of APIs
2023 OWASP API Security Top 10 additional resources
Here are some additional resources and information on the 2023 OWASP API Security Top 10 listing:
- If you need a quick and easy checklist to print out and hang on the wall, look no further than our 2023 OWASP API Security Top 10 cheat sheet.
- A recording of our explainer webinar on the new 2023 OWASP API Security Top 10 list is available to view on demand on the 42Crunch website. We also have a YouTube playlist specific to the OWASP API Security Top 10 vulnerabilities.
- The 2023 listing can be checked on the official OWASP API Security Top 10 project website.
- If you want to participate in the project, you can contribute your changes to the GitHub repository of the project.