Tags: API Security, OWASP, Web Security, Pentest

API Security: OWASP API Top 10 Guide (2025)

April 16, 2026 | 11 min read | VefaSec Editorial

85% of modern apps run on API calls. OWASP API Top 10 (current edition 2023) is the risk inventory for this specific surface. Here's each item from both test and defense angles.

API1: Broken Object Level Authorization (BOLA/IDOR)

The most common critical API flaw. `GET /api/orders/123` should return the caller's own order, yet `/api/orders/456` often exposes someone else's. Every object needs an ownership check.

Test: call the same endpoint with two different users' tokens and check whether either token returns the other user's data. Defense: scope every DB query to the caller, i.e. add `user_id = current_user.id` to the lookup itself, enforced by ORM-level middleware and backed by per-endpoint guards.
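An added Node.js example (not code from the post) showing the id-only lookup beside the ownership-scoped one, plus the two-identity probe described above; the order records and the user ids `alice` and `bob` are constructed sample data.

```javascript
// Constructed in-memory data: two users, each owning one order.
const orders = new Map([
  [123, { id: 123, ownerId: 'alice', total: 42 }],
  [456, { id: 456, ownerId: 'bob', total: 99 }],
]);

// Vulnerable handler: looks the order up by id only, so any authenticated
// caller can read any order (BOLA/IDOR). `req.user` is assumed to be set
// by an upstream authentication middleware.
function getOrderVulnerable(req) {
  const order = orders.get(Number(req.params.id));
  return order ? { status: 200, body: order } : { status: 404 };
}

// Fixed handler: the ownership check is part of the lookup, the equivalent
// of adding `user_id = current_user.id` to the query. A foreign object is
// reported as 404 here so the endpoint does not confirm that the id exists;
// a 403 is an acceptable alternative if existence is not sensitive.
function getOrderSecure(req) {
  const order = orders.get(Number(req.params.id));
  if (!order || order.ownerId !== req.user.id) return { status: 404 };
  return { status: 200, body: order };
}

// The BOLA test from the post: call the same endpoint with two different
// identities and check whether either one can read the other's object.
// Returns the (user, id) pairs that leaked; an empty list means the
// ownership check holds for every combination.
function bolaProbe(handler, users, ids) {
  const leaked = [];
  for (const user of users) {
    for (const id of ids) {
      const res = handler({ user: { id: user }, params: { id: String(id) } });
      if (res.status === 200 && res.body.ownerId !== user) leaked.push({ user, id });
    }
  }
  return leaked;
}
```

Running `bolaProbe` against both handlers with the two users and both order ids reports two cross-user reads for the vulnerable handler and none for the fixed one.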

API2: Broken Authentication

Weak JWT validation, session hijacking, poor password reset, missing rate limits. Libraries that accept `alg: none` or apps that leak symmetric keys are particularly dangerous.

Defense: up-to-date JWT library (jsonwebtoken 9+), algorithm allowlist (RS256 or ES256 only), short-lived tokens (15 min), refresh rotation, rate limiting (5/min) on every auth endpoint.

API3: Broken Object Property Level Authorization

Users update their profile via `PATCH /api/users/me`. If they send `{role: 'admin'}` in the body and the app trusts it, privilege escalation happens — mass assignment.

Defense: allowlist updatable fields, ignore the rest. `strong_params` in Rails, `$fillable` in Laravel, manual filters in Express.

API4: Unrestricted Resource Consumption

Endpoints without rate limits are DDoS targets; expensive queries can bring the server down. Example: `GET /api/search?q=*` pulling the entire database.

Defense: per-endpoint rate limit (Redis), mandatory pagination (max 100/page), timeouts for complex queries, CAPTCHA where appropriate. Cloudflare WAF adds another layer.

API5: Broken Function Level Authorization

`DELETE /api/users/123` must be admin-only but an authorization middleware was skipped. A regular user reaches admin functions.

Defense: RBAC middleware on every admin endpoint, endpoint-level policy checks, authorization tests in your test suite. Default-deny: no authorization rule means return 403.

API6-10: The Rest, Briefly

API6 — Unrestricted access to sensitive business flows: buying a product multiple times via checkout, re-using coupons. Defense: idempotency + rate limit. API7 — SSRF: fetching user-supplied URLs. Defense: URL allowlist, internal IP blocks.

API8 — Security misconfiguration: default credentials, debug on, permissive CORS. Defense: hardening checklist + scans. API9 — Improper inventory: old API versions still running, deprecated endpoints outside the protection layer. API10 — Unsafe consumption of APIs: trusting third-party data without validation.

Talk to VefaSec about your project or audit needs.

Our Diyarbakır-based team delivers end-to-end software development, penetration testing and cybersecurity advisory to enterprise clients. The discovery call is free and non-binding.
