The OWASP API Security Top 10 is the de facto checklist for API security audits. Updated in 2023, it differs from the regular OWASP Top 10 because APIs face distinct attack patterns. Knowing these is the baseline for any production API.

API1: Broken Object-Level Authorization (BOLA)

An attacker changes /users/123/orders to /users/124/orders and sees someone else's data. Fix: an authorization check on EVERY request that compares the authenticated user with the owner of the requested resource. Centralize it in middleware; never trust route params.

API2: Broken Authentication

Weak token validation, predictable session IDs, no rate limiting on login. Fix: use battle-tested libraries (Auth0, Clerk, Cognito), rate-limit auth endpoints aggressively, mandate strong passwords + MFA.

API3: Broken Object-Property-Level Authorization

The API returns a user object with sensitive fields (password_hash, internal_role). Fix: an explicit allow-list of fields per endpoint. Never return the entire DB row.
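Added example, not code from the original article: a framework-free Python request pipeline that applies the API1 and API3 fixes together. The ownership check runs centrally before every handler, and each handler emits only an allow-listed projection of the row. The routes, users and orders are constructed sample data.

```python
"""Constructed example: central ownership check (API1) plus per-endpoint
field allow-lists (API3) in a minimal, framework-free request pipeline."""

# Constructed in-memory rows standing in for database records.
USERS = {
    123: {"id": 123, "email": "alice@example.com", "password_hash": "<hash>", "internal_role": "staff"},
    124: {"id": 124, "email": "bob@example.com", "password_hash": "<hash>", "internal_role": "user"},
}
ORDERS = {
    7: {"id": 7, "owner_id": 123, "total": 42.0, "cost_basis": 30.0},
    8: {"id": 8, "owner_id": 124, "total": 10.0, "cost_basis": 7.0},
}

def project(row, allowed):
    """API3: copy only allow-listed fields, so password_hash and friends never leave the row."""
    return {k: row[k] for k in allowed if k in row}

# Handlers assume authorization already happened; they never decide ownership themselves.
def get_user(p):
    return project(USERS[p["user_id"]], ("id", "email"))

def list_orders(p):
    return [project(o, ("id", "total")) for o in ORDERS.values() if o["owner_id"] == p["user_id"]]

def get_order(p):
    return project(ORDERS[p["order_id"]], ("id", "total"))

# Route table: each route names the function that resolves the owner of the requested resource.
# Resolvers return None when the resource does not exist.
ROUTES = {
    "GET /users/{user_id}": (get_user, lambda p: p["user_id"] if p["user_id"] in USERS else None),
    "GET /users/{user_id}/orders": (list_orders, lambda p: p["user_id"] if p["user_id"] in USERS else None),
    "GET /orders/{order_id}": (get_order, lambda p: ORDERS.get(p["order_id"], {}).get("owner_id")),
}

def handle(route, auth_user_id, params):
    """Middleware: resolve the owner, compare it with the authenticated principal, then dispatch.
    Returns (status, body); a handler only runs once the check has passed."""
    handler, owner_of = ROUTES[route]
    owner = owner_of(params)
    if owner is None:
        return 404, {"error": "not found"}
    if auth_user_id is None or owner != auth_user_id:
        return 403, {"error": "forbidden"}  # API1: the path alone never grants access
    return 200, handler(params)
```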

API4: Unrestricted Resource Consumption

An attacker sends 1000 expensive requests and exhausts your DB or LLM budget. Fix: rate limit per user AND per IP. Set a max result size on list endpoints. Charge for expensive operations.

API5-API10 in brief

API5: function-level auth missing (admin endpoint accessible to a normal user). API6: server-side request forgery via user-controlled URL params. API7: bad inventory management (an undocumented v1 API still live and unmaintained). API8-10: misconfigurations, injection, unsafe consumption of third-party APIs. Audit each before deploying.

BOLA + Broken Auth dominate real-world breaches. Centralize authz, rate-limit auth, explicit field allow-lists. The rest is hygiene.