OWASP API Security Top 10

Category: security · Level: Intermediate

Also Known As

OWASP API Top 10, API security, OWASP, BOLA, broken object level authorization

TL;DR

The OWASP API Security Top 10 lists the most critical API vulnerabilities — a separate list from the web application Top 10, covering risks specific to REST, GraphQL, and other API surfaces such as broken object-level authorisation and unrestricted resource consumption.

Explanation

APIs expose different attack surfaces than traditional web applications. OWASP maintains a dedicated API Security Top 10 (2023 edition):
  • API1 Broken Object Level Authorization (BOLA/IDOR: accessing other users' data by changing an ID)
  • API2 Broken Authentication
  • API3 Broken Object Property Level Authorization (mass assignment, over-posting)
  • API4 Unrestricted Resource Consumption (missing rate limits)
  • API5 Broken Function Level Authorization (admin endpoints accessible to regular users)
  • API6 Unrestricted Access to Sensitive Business Flows (purchasing bots, account enumeration)
  • API7 Server Side Request Forgery
  • API8 Security Misconfiguration
  • API9 Improper Inventory Management (shadow APIs, old versions)
  • API10 Unsafe Consumption of APIs (blindly trusting third-party API responses)

Common Misconception

The misconception: implementing authentication is sufficient API security. Authentication proves who you are; authorization proves what you can access. BOLA (the top API vulnerability) is an authorization failure that occurs after successful authentication, so a request from a valid, logged-in user can still read another user's object unless the endpoint checks ownership.

Why It Matters

APIs are the primary attack surface for modern PHP applications — they power mobile apps, SPAs, and third-party integrations. The API Top 10 differs meaningfully from the web app Top 10: BOLA (returning /orders/123 when the user only owns /orders/456) is the most exploited API vulnerability and is not in the general Top 10.

Common Mistakes

  • Relying on obscurity — using UUIDs instead of sequential IDs does not prevent BOLA; an attacker with one valid UUID can try others from the same entropy space.
  • Not testing authorization at every endpoint — it is easy to add an endpoint and forget the ownership check; use automated tests that verify cross-user access is denied.
  • Exposing internal model fields in API responses — returning all columns including internal flags, admin notes, or cost prices is API3 (Broken Object Property Level Authorization).
  • Not versioning deprecated API endpoints — old versions accumulate security debt and become shadow APIs (API9); always sunset old versions explicitly.
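The second mistake above recommends automated tests that verify cross-user access is denied. The following Laravel feature test is an added example, not code from the CodeClarityLab page; it exercises the "Fixed" controller shown in the Code Examples section and assumes a User model, an Order model with a `user_id` column (belongsTo `user`), a `total` column, model factories for both, and the routes GET/PATCH /api/orders/{id} wired to that controller. All of those names are assumptions.

```php
<?php
// Added example (not from the CodeClarityLab page). Assumes User and Order
// models with factories, Order->user_id and Order->total columns, and the
// routes GET/PATCH /api/orders/{id} pointing at the page's fixed controller.
namespace Tests\Feature;

use App\Models\Order;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class OrderAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    public function test_user_cannot_read_another_users_order(): void
    {
        $owner = User::factory()->create();
        $other = User::factory()->create();
        $order = Order::factory()->for($owner)->create();

        // $other is authenticated (API2 passes) but does not own the object.
        // The page's fixed show() scopes the query to auth()->id() and calls
        // firstOrFail(), so a foreign id must come back as 404, never 200.
        $this->actingAs($other)
            ->getJson("/api/orders/{$order->id}")
            ->assertNotFound();

        // Regression guard: the real owner still gets the order.
        $this->actingAs($owner)
            ->getJson("/api/orders/{$order->id}")
            ->assertOk()
            ->assertJsonPath('id', $order->id);
    }

    public function test_update_ignores_over_posted_fields(): void
    {
        $owner = User::factory()->create();
        $order = Order::factory()->for($owner)->create(['total' => 100]);

        // notes is allowed; total and user_id are over-posting attempts (API3)
        // that the fixed update() must drop via $request->only([...]).
        $this->actingAs($owner)
            ->patchJson("/api/orders/{$order->id}", [
                'notes'   => 'leave at door',
                'total'   => 0,
                'user_id' => 999,
            ])
            ->assertOk();

        $order->refresh();
        $this->assertSame('leave at door', $order->notes);
        $this->assertEquals(100, $order->total);        // unchanged
        $this->assertSame($owner->id, $order->user_id);  // ownership unchanged
    }
}
```

Run it with `php artisan test --filter=OrderAuthorizationTest`. Because the test creates a second user and asserts the response status rather than the absence of an error, it will fail the moment someone adds a new endpoint that forgets the ownership scope, which is exactly the regression the mistake above describes.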

Code Examples

✗ Vulnerable
<?php
use App\Models\Order;
use Illuminate\Http\JsonResponse;

// ❌ BOLA — no ownership check
// GET /api/orders/{id}
public function show(int $orderId): JsonResponse
{
    $order = Order::find($orderId); // Attacker changes ID to another user's order
    return response()->json($order); // Returns any order (or null) — no authorization check
}
✓ Fixed
<?php
use App\Models\Order;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

// ✅ Object-level authorization check
// GET /api/orders/{id}
public function show(int $orderId): JsonResponse
{
    $order = Order::where('id', $orderId)
        ->where('user_id', auth()->id()) // Only return if owned by current user
        ->firstOrFail();                 // 404 for any id the caller does not own
    return response()->json($order);
}

// ✅ Mass assignment protection (API3)
// PATCH /api/orders/{id}
public function update(Request $request, int $orderId): JsonResponse
{
    $order = Order::where('id', $orderId)
        ->where('user_id', auth()->id()) // Same ownership scope as show()
        ->firstOrFail();
    // Only allow safe fields — never $order->fill($request->all())
    $order->update($request->only(['shipping_address', 'notes']));
    return response()->json($order);
}
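The fixed controller above scopes the query to the current user and whitelists request fields, but it still serialises every column of the order (mistake 3, API3) and does nothing about admin-only actions (API5) or rate limits (API4). The block below is an added example, not code from the CodeClarityLab page or any project: the same endpoints rebuilt with a Policy for object-level and function-level checks, validation that drops over-posted keys, an API Resource that whitelists response fields, and a throttled route group. It assumes Laravel with Sanctum, an Order model that belongsTo User and has `user_id`, `status`, `total`, `shipping_address`, `notes` and `internal_notes` columns, and an `is_staff` flag on User; four files are shown in one block separated by path comments, and every name is an assumption.

```php
<?php
// Added example (not from the CodeClarityLab page). Assumed schema: Order has
// user_id, status, total, shipping_address, notes, internal_notes; User has
// is_staff. Four files shown back to back, separated by path comments.

// --- app/Policies/OrderPolicy.php (auto-discovered for App\Models\Order) ---
namespace App\Policies;

use App\Models\Order;
use App\Models\User;

class OrderPolicy
{
    // Object-level (API1): only the owner may read the order.
    public function view(User $user, Order $order): bool
    {
        return $order->user_id === $user->id;
    }

    // Object-level plus a business rule: owner only, and only while pending.
    public function update(User $user, Order $order): bool
    {
        return $order->user_id === $user->id && $order->status === 'pending';
    }

    // Function-level (API5): refunds are staff-only, ownership is irrelevant.
    public function refund(User $user, Order $order): bool
    {
        return $user->is_staff === true;
    }
}

// --- app/Http/Resources/OrderResource.php ---
namespace App\Http\Resources;

use Illuminate\Http\Request;
use Illuminate\Http\Resources\Json\JsonResource;

class OrderResource extends JsonResource
{
    public function toArray(Request $request): array
    {
        // Explicit whitelist (API3): internal_notes, or any column added later,
        // never reaches the client unless someone lists it here on purpose.
        return [
            'id'               => $this->id,
            'status'           => $this->status,
            'total'            => $this->total,
            'shipping_address' => $this->shipping_address,
            'notes'            => $this->notes,
        ];
    }
}

// --- app/Http/Controllers/Api/OrderController.php ---
namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use App\Http\Resources\OrderResource;
use App\Models\Order;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;

class OrderController extends Controller
{
    use AuthorizesRequests;

    // GET /api/orders/{order}: route-model binding returns 404 for unknown ids;
    // the policy returns 403 for ids that exist but belong to someone else.
    public function show(Order $order): OrderResource
    {
        $this->authorize('view', $order);
        return new OrderResource($order);
    }

    // PATCH /api/orders/{order}
    public function update(Request $request, Order $order): OrderResource
    {
        $this->authorize('update', $order);
        // validate() returns only the keys listed here, so a client-supplied
        // total, user_id or status is discarded before it can reach the model.
        $data = $request->validate([
            'shipping_address' => ['sometimes', 'string', 'max:500'],
            'notes'            => ['sometimes', 'nullable', 'string', 'max:1000'],
        ]);
        $order->update($data);
        return new OrderResource($order);
    }
}

// --- routes/api.php ---
use App\Http\Controllers\Api\OrderController;
use Illuminate\Support\Facades\Route;

// Authenticated and throttled to 60 requests per minute per caller (API4).
Route::middleware(['auth:sanctum', 'throttle:60,1'])->group(function () {
    Route::get('/orders/{order}', [OrderController::class, 'show']);
    Route::patch('/orders/{order}', [OrderController::class, 'update']);
});
```

The design choice worth noting is that the ownership rule now lives in one place (the policy) rather than being repeated as a `where('user_id', ...)` clause in every controller method, which is what makes "forgot the check on the new endpoint" harder to ship. The trade-off versus the page's query-scoped version is that a foreign id now answers 403 instead of 404, so an unauthenticated enumeration of which ids exist is slightly easier; if that matters for your data, return 404 from the policy failure instead.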

Added 23 Mar 2026
Severity & Fix Effort
🔴 Critical · ⚙ Fix effort: Medium

⚡ Quick Fix
For every API endpoint that returns an object by ID, verify the authenticated user owns or has permission to access that specific object — not just that they are logged in.

📦 Applies To
web
