OWASP API 2019

API1:2019 Broken Object Level Authorization

Broken Object Level Authorization, listed as API1:2019 in the OWASP API Security Top 10, occurs when an API fails to properly verify that a user is authorized to access or manipulate a specific object. This allows attackers to exploit endpoints by guessing or tampering with object identifiers like user IDs or resource IDs in the request. If proper access checks are missing, an attacker could view or modify another user’s data. This vulnerability is common in APIs that expose object references directly. Preventing it requires strict, user-specific access control checks on every data-accessing API call.
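The ownership check described above, as an added example that is not part of the original page or of any OWASP or F5 code: a lookup that trusts the object ID alone sits beside one scoped to the calling user. The order store, the `User` model and the order IDs are constructed for the example.

```python
# Added example (not from the page): object-level authorization on a lookup.
# The store, user model and IDs below are constructed sample data.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not allowed to access the requested object."""


@dataclass(frozen=True)
class User:
    user_id: int


# Constructed sample data: order_id -> owner and payload.
ORDERS = {
    101: {"owner_id": 1, "total": 42.0},
    102: {"owner_id": 2, "total": 99.5},
}


def get_order_insecure(order_id: int) -> dict:
    """Vulnerable pattern: fetches by ID with no ownership check, so any
    authenticated caller can read any order just by changing the number."""
    return ORDERS[order_id]


def get_order(current_user: User, order_id: int) -> dict:
    """Hardened pattern: the lookup is scoped to the caller. A missing object
    and a foreign object produce the same error, so the response does not
    reveal which IDs exist."""
    order = ORDERS.get(order_id)
    if order is None or order["owner_id"] != current_user.user_id:
        raise Forbidden(f"user {current_user.user_id} may not access order {order_id}")
    return order


def can_access(current_user: User, order_id: int) -> bool:
    """True/False wrapper around get_order for callers that prefer not to catch."""
    try:
        get_order(current_user, order_id)
        return True
    except Forbidden:
        return False
```

The decisive line is the comparison against `current_user.user_id`: the ID from the request is only ever used together with the identity established by authentication, never on its own.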

API2:2019 Broken User Authentication

Broken User Authentication, listed as API2:2019 in the OWASP API Security Top 10, occurs when authentication mechanisms are poorly implemented, allowing attackers to compromise user accounts or impersonate other users. Common causes include weak or missing authentication, poor password management, lack of token validation, or predictable credential recovery processes. These flaws can lead to unauthorized access to sensitive data and system functions. APIs are especially vulnerable due to stateless communication and reliance on tokens, so strong authentication controls, secure token handling, and multi-factor authentication are essential to prevent this type of attack.

API3:2019 Excessive Data Exposure

Excessive Data Exposure, listed as API3:2019 in the OWASP API Security Top 10, occurs when APIs expose more data than necessary, relying on clients to filter or discard what they don't need. This often happens when APIs return full database objects or sensitive fields like passwords, tokens, or internal IDs, even if the client only displays a small portion. Attackers can easily inspect API responses and extract this data, leading to privacy breaches or further attacks. To prevent this, APIs should limit responses to only the required fields and apply strict data filtering and output validation on the server side.

API4:2019 Lack of Resources & Rate Limiting

Lack of Resources and Rate Limiting, listed as API4:2019 in the OWASP API Security Top 10, refers to the absence of restrictions on how often and how intensely users can interact with an API. Without proper limits, attackers can abuse endpoints by launching brute force attacks, consuming excessive server resources, or overloading the system with massive requests, potentially leading to denial of service. APIs that do not enforce rate limits or usage quotas are especially vulnerable. To mitigate this risk, APIs should implement rate limiting, throttling, and resource quotas to protect against abuse and ensure fair usage.
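The rate limiting mitigation above, as an added example that is not part of the page or of any OWASP or F5 code: a per-client token bucket that refills at a fixed rate and rejects requests once a client's bucket is empty. The client keys, capacity and refill rate are constructed; the clock is passed in so the behaviour is deterministic.

```python
# Added example (not from the page): per-client token bucket rate limiter.
# Capacity, refill rate and client keys are constructed sample values.
from typing import Dict, List, Tuple


class TokenBucketLimiter:
    """Each client key owns a bucket of at most `capacity` tokens that refills
    at `refill_per_second`. A request spends one token; an empty bucket means
    the request is rejected (an API would answer HTTP 429)."""

    def __init__(self, capacity: int, refill_per_second: float):
        self.capacity = capacity
        self.refill = refill_per_second
        # key -> (tokens remaining, timestamp of last update)
        self._buckets: Dict[str, Tuple[float, float]] = {}

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self._buckets.get(key, (float(self.capacity), now))
        # Credit tokens for the time elapsed, capped at the bucket size.
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True
        self._buckets[key] = (tokens, now)
        return False


def simulate(limiter: TokenBucketLimiter, key: str, timestamps: List[float]) -> List[bool]:
    """Return the allow/deny decision for a request at each timestamp."""
    return [limiter.allow(key, t) for t in timestamps]
```

Keying the bucket per client (API key, user ID or source address) is what keeps one abusive caller from consuming the capacity meant for everyone else; the burst size and refill rate are the two knobs to tune per endpoint.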

API5:2019 Broken Function Level Authorization

Broken Function Level Authorization, listed as API5:2019 in the OWASP API Security Top 10, occurs when an API does not properly restrict access to sensitive functions based on user roles or permissions. This allows attackers to access administrative or privileged operations by simply guessing or modifying endpoints, such as changing a URL from /user/update to /admin/delete. Even if authentication is in place, missing or weak authorization checks can lead to unauthorized access and actions. To prevent this, every function in the API must enforce strict role-based access control and verify permissions before executing any operation.
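The /user/update versus /admin/delete case above, as an added example that is not from the page or from any OWASP or F5 code: every route carries the set of roles allowed to call it, and anything without a policy entry is denied by default. The route table, roles and handlers are constructed.

```python
# Added example (not from the page): function-level authorization via a
# route-to-roles policy. Routes, roles and handlers are constructed.
from typing import Callable, Dict, FrozenSet, Set, Tuple

# (method, path) -> (roles permitted, handler). A route missing from this table
# cannot be reached at all, so a new endpoint is closed until policy is written.
ROUTES: Dict[Tuple[str, str], Tuple[FrozenSet[str], Callable[[], str]]] = {
    ("POST", "/user/update"): (frozenset({"user", "admin"}), lambda: "profile updated"),
    ("POST", "/admin/delete"): (frozenset({"admin"}), lambda: "record deleted"),
}


def dispatch(method: str, path: str, roles: Set[str]) -> Tuple[int, str]:
    """Return (status, body). The authenticated caller's roles are checked
    against the route's policy before the handler runs; authentication alone
    never grants access to a function."""
    route = ROUTES.get((method, path))
    if route is None:
        return 404, "not found"
    allowed, handler = route
    if allowed.isdisjoint(roles):
        return 403, "forbidden"
    return 200, handler()
```

The policy lives beside the routing table rather than inside each handler, so a reviewer can see at a glance which roles reach which function and a forgotten check inside a handler cannot open an administrative path.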

API6:2019 Mass Assignment

Mass Assignment, listed as API6:2019 in the OWASP API Security Top 10, occurs when APIs automatically bind client-supplied input to internal data models without properly filtering or restricting which fields can be modified. This allows attackers to guess or discover sensitive fields—like roles, permissions, or account status—and include them in API requests to manipulate protected data. It typically arises when developers expose entire objects for updates without defining which properties are safe to change. To prevent mass assignment, use allowlists to specify modifiable fields and avoid binding client input directly to complex internal objects.
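Both the Excessive Data Exposure (API3) entry above and this Mass Assignment (API6) entry come down to an explicit allowlist, one on the way out and one on the way in. As an added example that is not from the page or from any OWASP or F5 code, the block below keeps a response allowlist for serialization and an update allowlist for client input, and reports which submitted fields were rejected so the attempt can be logged. The user record and field names are constructed.

```python
# Added example (not from the page): output and input field allowlists.
# The record layout and field names are constructed sample data.
from typing import Any, Dict, List, Tuple

# Fields a client may see. password_hash, api_token and internal flags are
# deliberately absent, so they can never leak regardless of what the client
# chooses to display.
RESPONSE_FIELDS = ("id", "username", "email")

# Fields a client may change. role, is_active and id are absent, so a request
# that includes them cannot escalate or disable the account.
UPDATABLE_FIELDS = ("username", "email")


def serialize_user(record: Dict[str, Any]) -> Dict[str, Any]:
    """Build the API response from the allowlist, not from the whole object."""
    return {k: record[k] for k in RESPONSE_FIELDS if k in record}


def apply_update_insecure(record: Dict[str, Any], client_input: Dict[str, Any]) -> Dict[str, Any]:
    """Vulnerable pattern: binds every submitted key onto the model."""
    updated = dict(record)
    updated.update(client_input)
    return updated


def apply_update(record: Dict[str, Any], client_input: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Hardened pattern: copy only allowlisted keys; return the rejected keys
    so an attempt to set e.g. 'role' can be logged as a security event."""
    updated = dict(record)
    rejected: List[str] = []
    for key, value in client_input.items():
        if key in UPDATABLE_FIELDS:
            updated[key] = value
        else:
            rejected.append(key)
    return updated, rejected


# Constructed sample record, as stored server-side.
SAMPLE_USER = {
    "id": 7,
    "username": "alice",
    "email": "alice@example.com",
    "role": "user",
    "is_active": True,
    "password_hash": "<constructed-hash-placeholder>",
}
```

Allowlists are preferred over blocklists in both directions: a new sensitive column added to the model next year is hidden and unmodifiable by default, instead of being exposed until someone remembers to add it to the deny list.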

API7:2019 Security Misconfiguration

Security Misconfiguration, listed as API7:2019 in the OWASP API Security Top 10, refers to improper or incomplete security settings across the API stack, including cloud services, application servers, and HTTP headers. Common issues include overly permissive CORS policies, exposed error messages, default credentials, and unnecessary HTTP methods enabled. These missteps provide attackers with opportunities to probe, exploit, or gain unauthorized access to systems. APIs are particularly at risk due to their distributed nature and reliance on external services. To prevent this, enforce secure defaults, remove unused features, harden configurations, and regularly review and test API deployments.

API8:2019 Injection

Injection, listed as API8:2019 in the OWASP API Security Top 10, occurs when untrusted or malicious data is sent to an API and executed as part of a command or query, allowing attackers to access or manipulate backend systems. This includes SQL, NoSQL, command, and LDAP injection, often caused by APIs passing input directly into interpreters without proper validation or sanitization. Successful injection attacks can lead to data leaks, unauthorized access, or complete system compromise. To prevent injection, APIs should use parameterized queries, validate all input, and avoid directly embedding user-supplied data in backend commands or queries.

API9:2019 Improper Assets Management

Improper Assets Management, listed as API9:2019 in the OWASP API Security Top 10, occurs when an organization loses track of which API hosts, versions, and environments are exposed. Old or unpatched API versions, debug or staging endpoints, and undocumented hosts often remain reachable alongside the current production API, and because they receive less attention they frequently lack the security controls applied to newer versions. Attackers can target these forgotten deployments to reach the same backend data and functions. To mitigate this risk, maintain an up-to-date inventory and documentation of every API host and version, retire deprecated versions promptly, and apply the same security controls to every environment that remains reachable.

API10:2019 Insufficient Logging & Monitoring

Insufficient Logging and Monitoring, listed as API10:2019 in the OWASP API Security Top 10, refers to the lack of proper mechanisms to detect, record, and respond to malicious activity targeting APIs. Without adequate logging, attacks such as brute force attempts, abuse of API functionality, or data exfiltration can go unnoticed. Monitoring failures mean alerts aren’t triggered, or aren’t acted on quickly, allowing attackers to operate without detection. This also hinders incident response and forensic investigations. To address this risk, APIs should log security-relevant events and be integrated with monitoring systems that enable real-time detection and response.
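The detection side of the mitigation above, as an added example that is not from the page or from any OWASP or F5 product: a parser for a simple key=value API log format and a sliding-window rule that raises an alert when one source address accumulates repeated login failures. The log format, the sample log lines, the threshold and the window are all constructed.

```python
# Added example (not from the page): brute-force detection over API log lines.
# The log format, sample lines, threshold and window are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample log: five failures from one address inside a minute,
# plus unrelated activity from a second address.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z ip=203.0.113.5 user=alice event=login_failed",
    "2024-05-01T10:00:03Z ip=203.0.113.5 user=alice event=login_failed",
    "2024-05-01T10:00:05Z ip=198.51.100.7 user=bob event=login_failed",
    "2024-05-01T10:00:07Z ip=203.0.113.5 user=alice event=login_failed",
    "2024-05-01T10:00:09Z ip=198.51.100.7 user=bob event=login_success",
    "2024-05-01T10:00:11Z ip=203.0.113.5 user=alice event=login_failed",
    "2024-05-01T10:00:13Z ip=203.0.113.5 user=alice event=login_failed",
    "2024-05-01T10:00:20Z ip=203.0.113.5 user=alice event=access_denied",
    "this line is malformed and must be skipped, not crash the detector",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed fields, or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "event": m["event"]}


def detect_bruteforce(lines: List[str], threshold: int = 5, window_seconds: int = 60) -> List[Tuple[str, str]]:
    """Emit (ip, timestamp) once per address whose login failures reach
    `threshold` within any `window_seconds` span."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, str]] = []
    alerted = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "login_failed":
            continue
        ip, ts = str(rec["ip"]), rec["ts"]
        q = recent[ip]
        q.append(ts)
        # Drop failures that fell out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, ts.isoformat()))
    return alerts
```

The rule fires on the fifth failure, not on the first, and fires once per source, which is the balance between "alerts aren't triggered" and an alert storm that nobody acts on; the same structure extends to `access_denied` events for detecting object or function enumeration.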