Why a dedicated API Top 10
APIs have become the primary attack vector for modern applications. Unlike traditional web apps where the UI controls interactions, APIs directly expose business logic. OWASP published a dedicated API Top 10 in 2019, updated in 2023. Here are the ten categories and what they mean in practice.
API1: Broken Object Level Authorization (BOLA)
The API equivalent of IDOR. User A accesses user B's resources by changing the identifier in the request. GET /api/orders/1234 should verify that the caller actually owns order 1234. It's the number one API flaw because developers systematically forget this check.
API2: Broken Authentication
Tokens without expiration, no rate limiting on login endpoints, API keys in URLs, JWT tokens without signature validation. Any poorly implemented authentication mechanism falls into this category.
API3: Broken Object Property Level Authorization
The API returns more fields than necessary (email, role, internal_notes) or accepts modification of sensitive fields via mass assignment. If PATCH /api/users/me accepts {"role": "admin"}, that's a flaw in this category.
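An added example (not code from the original article) showing the two checks described under API1 and API3 on constructed in-memory data: GET /api/orders/<id> with and without the ownership check, and PATCH /api/users/me with mass assignment beside a field allowlist. The sample users, orders and the `PATCHABLE_PROFILE_FIELDS` allowlist are assumptions made for the demo.

```python
import copy

# Constructed sample data (not from the article): two users, one order each.
SEED_USERS = {
    "alice": {"id": "alice", "email": "alice@example.com", "role": "user"},
    "bob": {"id": "bob", "email": "bob@example.com", "role": "user"},
}
SEED_ORDERS = {
    1234: {"id": 1234, "owner": "alice", "total": 42.0},
    1235: {"id": 1235, "owner": "bob", "total": 17.5},
}
# Assumed allowlist: the only profile field a caller may change on /api/users/me.
PATCHABLE_PROFILE_FIELDS = {"email"}


def fresh_state():
    """Independent copy of the seed data so each call sequence starts clean."""
    return copy.deepcopy(SEED_USERS), copy.deepcopy(SEED_ORDERS)


def get_order_bola(orders, caller, order_id):
    """API1 flaw: any authenticated caller gets any order that exists."""
    order = orders.get(order_id)
    return (200, order) if order else (404, None)


def get_order_checked(orders, caller, order_id):
    """API1 fix: object-level check that the caller owns the order.
    Returning 404 rather than 403 avoids confirming that the id exists."""
    order = orders.get(order_id)
    if order is None or order["owner"] != caller:
        return 404, None
    return 200, order


def patch_me_mass_assignment(users, caller, body):
    """API3 flaw: every field in the JSON body is merged into the profile,
    so {"role": "admin"} silently escalates the caller."""
    users[caller].update(body)
    return 200, users[caller]


def patch_me_allowlisted(users, caller, body):
    """API3 fix: reject any field outside the allowlist before writing."""
    unknown = set(body) - PATCHABLE_PROFILE_FIELDS
    if unknown:
        return 400, {"error": "fields not allowed", "fields": sorted(unknown)}
    users[caller].update({k: body[k] for k in PATCHABLE_PROFILE_FIELDS if k in body})
    return 200, users[caller]
```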
API4: Unrestricted Resource Consumption
No pagination, no rate limiting, no payload size limits. An attacker can extract the entire database via automated paginated requests or cause a denial of service by sending massive payloads.
API5: Broken Function Level Authorization
A standard user accesses admin endpoints. DELETE /api/admin/users/42 is accessible without role verification. Swagger documentation often exposes these endpoints to everyone.
API6: Unrestricted Access to Sensitive Business Flows
The API doesn't protect critical business flows against automation. Automated bulk purchasing, account creation loops, brute-forcing promotional codes. This isn't a technical bug but a missing business control.
API7: Server-Side Request Forgery
Same principle as web SSRF but via API endpoints. Import functions, webhooks, and third-party integrations are the primary vectors.
API8: Security Misconfiguration
Overly permissive CORS headers (Access-Control-Allow-Origin: * on authenticated endpoints), verbose error messages exposing stack traces, unnecessary HTTP methods enabled, API documentation accessible in production.
API9: Improper Inventory Management
Undocumented APIs, old versions still accessible, staging environments exposed to the internet. If /api/v1/ is secured but /api/v0/ is still live without authentication, that's this category.
API10: Unsafe Consumption of APIs
Your API blindly trusts data received from third-party APIs. If a vendor is compromised or returns malicious data, your application processes it without validation. This is a supply chain vector on the API side.
The CleanIssue approach
Our external review tests each of these ten categories on your exposed endpoints. BOLA and Broken Authentication alone account for over 50% of our critical findings. Request an audit call to identify your API flaws.