What is API Top 10 (OWASP API Security Top 10)?

OWASP's separate top-10 list for API-specific security risks, distinct from the regular OWASP Top 10 (which is web-app-centric). The 2023 edition is the current one as of 2026: API01 BOLA (Broken Object Level Authorization), API02 Broken Authentication, API03 BOPLA (Broken Object Property Level Authorization), API04 Unrestricted Resource Consumption, API05 BFLA (Broken Function Level Authorization), API06 Unrestricted Access to Sensitive Business Flows, API07 SSRF, API08 Security Misconfiguration, API09 Improper Inventory Management, API10 Unsafe Consumption of Third-Party APIs.

Full explanation

Modern apps are mostly API-driven, and many bug classes are API-specific in shape. BOLA (API01) sits at #1 because changing an ID in a URL is the simplest cross-tenant exploit. BOPLA (API03, new in 2023) covers the property-level analog: an API returns more fields than the user is authorized to see, or accepts more fields than the user is authorized to write. BFLA (API05) is BOLA at the function level — calling an admin endpoint as a regular user. The full list complements the regular Top 10 and the LLM Top 10. Securie's launch coverage targets API01, API03, API05, API07, and API08 directly via the BOLA/BFLA, mass-assignment, SSRF, and misconfig specialists.

Example

An API endpoint `PATCH /users/:id` accepts a JSON body and applies the changes. A regular user sends `{"role": "admin"}` and the API merrily upgrades them. That's API03 BOPLA + API05 BFLA + classic mass-assignment all in one bug. The defense is explicit field allow-lists, role checks at the function boundary, and integration tests that issue cross-role requests.
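The example above, together with the BOLA/BOPLA/BFLA distinctions from the explanation, worked through as an added illustration that is not Securie's code: a framework-free `PATCH /users/:id` handler in its vulnerable form (blind `Object.assign` of the request body) beside a hardened form that applies the three checks in order, tenant boundary (API01), function-level role check (API05), and a per-role field allow-list (API03), plus a response serializer that only exposes the fields the caller is authorized to see. The user records, tenant names and field lists are constructed sample data.

```javascript
// Added example (not Securie's code). Constructed in-memory user table;
// every caller is also a row in this table.
const users = {
  "1": { id: "1", tenant: "acme",   name: "alice", email: "alice@example.com", role: "user"  },
  "2": { id: "2", tenant: "acme",   name: "bob",   email: "bob@example.com",   role: "admin" },
  "3": { id: "3", tenant: "globex", name: "carol", email: "carol@example.com", role: "user"  },
};

// Fresh copy so each request scenario starts from the same state.
function cloneUsers() { return JSON.parse(JSON.stringify(users)); }

// Vulnerable handler: merges whatever the client sent into the record.
// No tenant check (API01), no role check (API05), no field allow-list (API03).
function patchUserVulnerable(db, caller, targetId, body) {
  const target = db[targetId];
  if (!target) return { status: 404 };
  Object.assign(target, body); // {"role":"admin"} lands straight in the record
  return { status: 200, user: target };
}

// Per-role write allow-lists: what a user may change on their own record,
// and what an admin may change on any record in their tenant.
const SELF_WRITABLE  = new Set(["name", "email"]);
const ADMIN_WRITABLE = new Set(["name", "email", "role"]);

function patchUserHardened(db, caller, targetId, body) {
  const target = db[targetId];
  if (!target) return { status: 404 };
  // API01 BOLA: object-level check. Answer 404, not 403, so the existence of
  // records in other tenants is not revealed by the status code.
  if (target.tenant !== caller.tenant) return { status: 404 };
  const isSelf  = caller.id === targetId;
  const isAdmin = caller.role === "admin";
  // API05 BFLA: function-level check before looking at the body at all.
  if (!isSelf && !isAdmin) return { status: 403 };
  // API03 BOPLA: explicit allow-list. Unknown or forbidden fields are rejected
  // outright rather than silently dropped, so tests and clients notice.
  const allowed  = isAdmin ? ADMIN_WRITABLE : SELF_WRITABLE;
  const rejected = Object.keys(body).filter((k) => !allowed.has(k));
  if (rejected.length) return { status: 400, rejected };
  for (const k of Object.keys(body)) target[k] = body[k];
  return { status: 200, user: target };
}

// Response side of API03: only serialize fields the caller may see.
const PUBLIC_FIELDS = ["id", "name"];
const FULL_FIELDS   = ["id", "tenant", "name", "email", "role"];
function serializeUser(user, caller) {
  const full   = caller.role === "admin" || caller.id === user.id;
  const fields = full ? FULL_FIELDS : PUBLIC_FIELDS;
  return Object.fromEntries(fields.map((f) => [f, user[f]]));
}

// Stand-alone demonstration: the same privilege-escalation body against both handlers.
const demo = cloneUsers();
console.log(patchUserVulnerable(demo, demo["1"], "1", { role: "admin" }).user.role); // "admin"
console.log(patchUserHardened(cloneUsers(), demo["1"], "1", { role: "admin" }));     // { status: 400, rejected: ["role"] }
```

The ordering matters: the tenant check runs before the role check, and the role check runs before the body is inspected, so a cross-tenant or cross-role request never reaches the field filter. The `rejected` list in the 400 response is what a cross-role integration test would assert on.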

FAQ

Should I use this list or the regular OWASP Top 10?

Both. The API Top 10 is your primary list if your app is API-first. The regular Top 10 still covers your auth, sessions, crypto, and supply chain. They overlap (security misconfiguration appears in both), but each has unique entries.

How does this map to Securie's specialists?

API01 BOLA + API05 BFLA -> BOLA/BFLA/IDOR specialist. API03 BOPLA -> mass-assignment specialist. API07 SSRF -> SSRF specialist. API08 misconfig -> static-rules + iac_security. The remaining categories (API02, API04, API06, API09, API10) are mixed coverage today; full specialist parity is on the post-launch roadmap.