This was the first API Security specific Top 10 vulnerabilities list provided by the OWASP project. Read more about why a separate list was needed and how API vulnerabilities differ from web application vulnerabilities. Even though some of these vulnerabilities have fallen off the 2023 OWASP list, it does not mean that any of the below vulnerabilities should be ignored.
- API 01:2019 — Broken object level authorization
- API 02:2019 — Broken authentication
- API 03:2019 — Excessive data exposure
- API 04:2019 — Lack of resources and rate limiting
- API 05:2019 — Broken function level authorization
- API 06:2019 — Mass assignment
- API 07:2019 — Security misconfiguration
- API 08:2019 — Injection
- API 09:2019 — Improper assets management
- API 10:2019 — Insufficient logging and monitoring
OWASP API security resources
Here are some additional resources and information on the OWASP API Security Top 10:
- If you need a quick and easy checklist to print out and hang on the wall, look no further than our OWASP API Security Top 10 2019 cheat sheet.
- Recordings of our OWASP API Security Top 10 webinars are available on the 42Crunch YouTube channel.
- View the 2023 OWASP API Security Top 10 vulnerabilities list
- Check out the 2019 listing on the OWASP project website