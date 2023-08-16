OWASP API Top 10 coverage by Akamai

Let’s review OWASP’s current 2023 list so you can be better informed on your journey to secure your APIs.

API1:2023 — Broken Object Level Authorization: BOLA vulnerabilities occur when an API does not properly validate that the requesting client is authorized to access the specific object ID it asks for.

API2:2023 — Broken Authentication: BA refers to broad weaknesses in the authentication process that attackers can exploit to compromise the protection of API objects.

API3:2023 — Broken Object Property Level Authorization: BOPLA is a security flaw where an API endpoint unnecessarily exposes more data properties than required for its function, neglecting the principle of least privilege.

API4:2023 — Unrestricted Resource Consumption: This is a type of vulnerability, sometimes called API resource exhaustion, where APIs do not limit the number of requests or the volume of data they serve within a given time.

API5:2023 — Broken Function Level Authorization: BFLA can occur when access control models for API endpoints are implemented incorrectly.
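The API1 (BOLA) and API5 (BFLA) items above, as an added illustration that is not Akamai's or OWASP's code: a constructed in-memory "orders" API with a handler that trusts the client-supplied object ID beside one that checks object ownership, plus a privileged function that checks the caller's role. User names, roles and order data are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # constructed roles: "customer" or "admin"

# Constructed sample data: order_id -> (owner_id, amount)
ORDERS = {
    "1001": ("alice", 42.00),
    "1002": ("bob", 99.50),
}

class Forbidden(Exception):
    """Raised when an authenticated caller is not authorized for the action."""

def get_order_vulnerable(caller: User, order_id: str):
    """API1 (BOLA): authenticated, but never checks that caller owns order_id."""
    return ORDERS[order_id]

def get_order(caller: User, order_id: str):
    """Hardened: resolve the object, then verify the caller may read *this* object."""
    owner, amount = ORDERS[order_id]
    if owner != caller.user_id and caller.role != "admin":
        # A production API would return the same response as "not found"
        # so that probing IDs does not reveal which objects exist.
        raise Forbidden(f"{caller.user_id} may not read order {order_id}")
    return owner, amount

def delete_order(caller: User, order_id: str, store=ORDERS):
    """API5 (BFLA): a privileged function must check the role, not only authentication."""
    if caller.role != "admin":
        raise Forbidden("delete requires the admin role")
    return store.pop(order_id)

def attempt(fn, *args) -> str:
    """Run a handler and report the authorization outcome."""
    try:
        fn(*args)
        return "allowed"
    except Forbidden:
        return "forbidden"

if __name__ == "__main__":
    bob = User("bob", "customer")
    print("vulnerable:", attempt(get_order_vulnerable, bob, "1001"))  # allowed (BOLA)
    print("hardened:  ", attempt(get_order, bob, "1001"))             # forbidden
    print("delete as customer:", attempt(delete_order, bob, "1002", dict(ORDERS)))
```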

API6:2023 — Unrestricted Access to Sensitive Business Flows: This risk arises when an API exposes a critical business operation (a sensitive business flow) without sufficient access control over how it is used.

API7:2023 — Server Side Request Forgery: SSRF allows an attacker to induce the server-side application to make HTTPS requests to an arbitrary domain of the attacker’s choosing.

API8:2023 — Security Misconfiguration: This refers to the improper setup of security controls, which can leave a system vulnerable to attacks.

API9:2023 — Improper Inventory Management: This is a challenge for every organization managing APIs. API security solutions can protect known APIs, but unknown APIs — including deprecated, legacy, and/or outdated APIs — may be left unpatched and vulnerable to attack.

API10:2023 — Unsafe Consumption of APIs: This refers to the risks associated with the use of third-party APIs without putting proper security measures in place.

Defending against vulnerabilities of any kind identified in an OWASP Top 10 list requires a trusted partnership between organizations. Akamai also defends against the OWASP Top 10 list of the most common vulnerabilities seen in web applications.