CodeClarityLab / Glossary
Ctrl K
← Home ← Codex ← DEBT
Browse by Category
+ added · updated 7d
Pages
Terms of Use About Contribute 🧠Logic graph Contact
← Back to glossary

OWASP API Security Top 10

Security Intermediate
debt(d7/e7/b5/t7)
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). The term's detection_hints.tools is empty. BOLA and authorization failures are logic-level flaws — no static analyzer can reliably detect that a given endpoint fails to verify object ownership. These issues surface only through careful code review (checking every endpoint for ownership assertions) or dedicated authorization-focused penetration/integration testing. They are silent in production until an attacker or tester exercises them cross-user.

e7 Effort Remediation debt — work required to fix once spotted

Closest to 'cross-cutting refactor across the codebase' (e7). The quick_fix says 'For every API endpoint that returns an object by ID, verify the authenticated user owns or has permission.' The common_mistakes note that it is easy to add an endpoint and forget the ownership check, and that all columns / all endpoints must be audited. Retrofitting authorization checks across every endpoint in a codebase, plus adding automated cross-user tests, plus sunsetting old API versions, is a cross-cutting effort touching many files and potentially the architectural authorization layer.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). The applies_to context is 'web', covering all API-serving PHP applications. Every new endpoint added in the future must include an ownership/authorization check — this is an ongoing discipline tax on every developer adding API features. It doesn't fully define the system's shape (b7) but it meaningfully shapes every API endpoint's design, making it a persistent productivity tax.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap — contradicts how a similar concept works elsewhere' (t7). The canonical misconception is explicit: developers who know the OWASP Web App Top 10 assume authentication coverage equals security coverage, not realizing BOLA is an authorization failure that occurs *after* successful authentication. This contradicts the mental model carried over from general OWASP knowledge and from authentication-focused security training, making it a serious conceptual trap for competent developers.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-11 · reviewed by human

Also Known As

OWASP API Top 10 API security OWASP BOLA broken object level authorization

TL;DR

The OWASP API Security Top 10 lists the most critical API vulnerabilities — a separate list from the web application Top 10, covering risks specific to REST, GraphQL, and other API surfaces such as broken object-level authorisation and unrestricted resource consumption.

Explanation

APIs expose different attack surfaces than traditional web applications. OWASP maintains a dedicated API Security Top 10 (2023 edition): API1 — Broken Object Level Authorization (BOLA/IDOR, accessing other users' data by changing an ID); API2 — Broken Authentication; API3 — Broken Object Property Level Authorization (mass assignment, over-posting); API4 — Unrestricted Resource Consumption (missing rate limits); API5 — Broken Function Level Authorization (admin endpoints accessible to regular users); API6 — Unrestricted Access to Sensitive Business Flows (purchasing bots, account enumeration); API7 — Server Side Request Forgery; API8 — Security Misconfiguration; API9 — Improper Inventory Management (shadow APIs, old versions); API10 — Unsafe Consumption of APIs (blindly trusting third-party API responses).

Common Misconception

Implementing authentication is sufficient API security. Authentication proves who you are; authorization proves what you can access. BOLA (the top API vulnerability) is an authorization failure that occurs after successful authentication.

Why It Matters

APIs are the primary attack surface for modern PHP applications — they power mobile apps, SPAs, and third-party integrations. The API Top 10 differs meaningfully from the web app Top 10: BOLA (returning /orders/123 when the user only owns /orders/456) is the most exploited API vulnerability and is not in the general Top 10.

Common Mistakes

  • Relying on obscurity — using UUIDs instead of sequential IDs does not prevent BOLA; an attacker with one valid UUID can try others from the same entropy space.
  • Not testing authorization at every endpoint — it is easy to add an endpoint and forget the ownership check; use automated tests that verify cross-user access is denied.
  • Exposing internal model fields in API responses — returning all columns including internal flags, admin notes, or cost prices is API3 (Broken Object Property Level Authorization).
  • Not versioning deprecated API endpoints — old versions accumulate security debt and become shadow APIs (API9); always sunset old versions explicitly.

Code Examples

✗ Vulnerable 
<?php
// ❌ BOLA — no ownership check
// GET /api/orders/{id}
public function show(int $orderId): JsonResponse
{
    $order = Order::find($orderId); // Attacker changes ID to another user's order
    return response()->json($order); // Returns any order — no auth check
}
✓ Fixed 
<?php
// ✅ Object-level authorization check
public function show(int $orderId): JsonResponse
{
    $order = Order::where('id', $orderId)
        ->where('user_id', auth()->id()) // Only return if owned by current user
        ->firstOrFail();
    return response()->json($order);
}

// ✅ Mass assignment protection (API3)
public function update(Request $request, int $orderId): JsonResponse
{
    $order = Order::where('id', $orderId)
        ->where('user_id', auth()->id())
        ->firstOrFail();
    // Only allow safe fields — never $order->fill($request->all())
    $order->update($request->only(['shipping_address', 'notes']));
    return response()->json($order);
}
Added 23 Mar 2026
Views 51

Curated in Warsaw under one editorial standard. 1,506 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 1 ping W 1 ping T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 1 ping W 2 pings T 2 pings F 0 pings S 2 pings S 0 pings M 1 ping T 0 pings W 0 pings T 2 pings F 0 pings S 0 pings S 1 ping M 1 ping T 0 pings W 0 pings T 1 ping F 1 ping S 0 pings S 0 pings M 0 pings T 0 pings W
Agents 0
No pings yet today
No pings yesterday
Amazonbot 8 Google 6 Scrapy 5 Perplexity 4 ChatGPT 3 Ahrefs 3 SEMrush 3 Claude 2 PetalBot 2 Bing 1 Meta AI 1 Sogou 1
Also referenced
Broken Access Control 63 Insecure Direct Object Reference (IDOR) 55 API Rate Limiting 47 Mass Assignment 46 OWASP Top 10 42 Role-Based Access Control (RBAC) 41
How they use it
crawler 35 crawler_json 4
Related categories
security 7.9k api_design 913
DEV INTEL Tools & Severity
🔴 Critical ⚙ Fix effort: Medium
⚡ Quick Fix
For every API endpoint that returns an object by ID, verify the authenticated user owns or has permission to access that specific object — not just that they are logged in.
📦 Applies To
web
✓ schema.org compliant