
OWASP API Security Top 10 - Securing APIs Against the Most Critical Threats

A deep dive into the OWASP API Security Top 10 2023 — what each API vulnerability is, how attackers exploit it, and how to build defences into your API design, development, and operations.


OWASP API Security Top 10: Protecting Your APIs from the Most Critical Threats

APIs are the backbone of the modern digital economy — connecting mobile apps, microservices, partners, and customers. They are also among the most commonly exploited attack surfaces in modern applications. The OWASP API Security Top 10 (updated in 2023) identifies the most critical API security risks, providing a framework for API developers, architects, and security teams to understand and defend against the attack patterns targeting APIs specifically — which differ meaningfully from the web application vulnerabilities in the standard OWASP Top 10.


API1 — Broken Object Level Authorisation (BOLA)

What it is: BOLA (formerly IDOR) is the most common and impactful API vulnerability. APIs expose endpoints that handle object identifiers — user IDs, account numbers, document IDs. When the API fails to verify that the authenticated user has authorisation to access the specific object they are requesting, an attacker can manipulate the ID to access any object in the system.

Real-world impact: A ride-sharing API that returns trip details at /api/trips/{tripId} without verifying that the requesting user owns that trip allows any authenticated user to access any trip in the database by enumerating trip IDs.

Remediation: Implement object-level authorisation checks in every API function that accesses a database record, verifying server-side that the authenticated user has the right to access the specific object requested. Use random, unpredictable object IDs (UUIDs rather than sequential integers) to make enumeration harder, but treat this as defence in depth: the server-side authorisation check is the control that actually prevents BOLA.
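The trip endpoint above, written both ways as an added illustration (this is not code from the original article): the TripStore, the Trip record and the caller identity, assumed to come from an already-validated token, are constructed here, and handlers return an (HTTP status, body) pair in place of a framework response.

```python
"""GET /api/trips/{tripId}: object-level authorisation done wrong and right.

Added illustration, not code from the original article. TripStore, Trip and
the caller identity (taken from an already-validated token) are constructed.
Handlers return (http_status, body) in place of a framework response.
"""
import uuid
from dataclasses import dataclass


@dataclass
class Trip:
    trip_id: str
    owner_id: str
    destination: str


class TripStore:
    def __init__(self):
        self._trips = {}
        self.denied = []  # audit trail of refused object access, for detection

    def add(self, owner_id, destination):
        # Random UUIDs make IDs hard to enumerate; that is defence in depth only.
        # The ownership check in get_trip is what actually protects the record.
        trip = Trip(str(uuid.uuid4()), owner_id, destination)
        self._trips[trip.trip_id] = trip
        return trip

    def get_trip_insecure(self, caller_id, trip_id):
        # BOLA: authentication was checked upstream, authorisation never is,
        # so any logged-in caller can read any trip whose ID they supply.
        trip = self._trips.get(trip_id)
        return (200, trip) if trip else (404, None)

    def get_trip(self, caller_id, trip_id):
        # Authorise against the record itself: the caller must own this trip.
        trip = self._trips.get(trip_id)
        if trip is None or trip.owner_id != caller_id:
            # Same 404 for 'missing' and 'not yours' so the endpoint does not
            # confirm which IDs exist; record the denial for monitoring.
            self.denied.append((caller_id, trip_id))
            return 404, None
        return 200, trip
```

The denied list is the signal a detection team wants: a single caller producing many 404s across distinct trip IDs is the enumeration pattern described above.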

API2 through API10: The Full API Security Landscape

API2 — Broken Authentication: Weak authentication mechanisms — missing authentication on sensitive endpoints, accepting expired tokens, weak API key generation, missing rate limiting on authentication endpoints. Implement standards-based authentication (OAuth 2.0, OpenID Connect). Enforce strong token validation. Rate-limit authentication attempts.

API3 — Broken Object Property Level Authorisation: APIs that expose more data properties than necessary, or allow clients to modify properties they shouldn't be able to — leading to mass assignment vulnerabilities and data exposure. Implement strict input/output schemas. Never auto-bind client-supplied properties to internal objects without explicit allowlisting.
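Property-level authorisation for a PATCH on the same trip resource, as an added example that is not part of the original article: the Trip record, the WRITABLE and READABLE allowlists and the request bodies are constructed here, and apply_patch returns an (HTTP status, JSON payload) pair in place of a framework response.

```python
"""PATCH /api/trips/{tripId}: mass assignment versus allowlisted binding.

Added illustration, not code from the original article. The Trip record, the
WRITABLE/READABLE allowlists and the request bodies are constructed here.
apply_patch returns (http_status, json_payload) in place of a framework response.
"""
from dataclasses import dataclass


@dataclass
class Trip:
    trip_id: str
    owner_id: str
    destination: str
    fare_cents: int
    status: str


# Properties a client may change on its own trip. owner_id, fare_cents and
# status are server-controlled and must never be bound from a request body.
WRITABLE = {"destination"}

# Output schema: the only properties that leave the API.
READABLE = ("trip_id", "destination", "status")


def apply_patch_insecure(trip, body):
    # Mass assignment: every key in the JSON body is bound onto the object,
    # so a body containing "fare_cents" or "owner_id" rewrites them.
    for key, value in body.items():
        setattr(trip, key, value)
    return trip


def serialise(trip):
    return {name: getattr(trip, name) for name in READABLE}


def apply_patch(trip, body):
    # Reject unknown or protected properties outright rather than silently
    # dropping them, so tampering attempts show up in request logs.
    rejected = sorted(set(body) - WRITABLE)
    if rejected:
        return 400, {"error": "properties not writable", "rejected": rejected}
    if "destination" in body and not isinstance(body["destination"], str):
        return 400, {"error": "destination must be a string", "rejected": []}
    for key in WRITABLE & set(body):
        setattr(trip, key, body[key])
    return 200, serialise(trip)
```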

API4 — Unrestricted Resource Consumption: APIs without rate limiting, payload size limits, or request complexity controls are vulnerable to DoS attacks and resource exhaustion. Implement rate limiting per client/user. Set payload size limits. Time out long-running operations.

API5 — Broken Function Level Authorisation: Missing access control at the API function level — admin-only endpoints accessible to regular users, or restricted operations not properly guarded. Deny all access by default. Explicitly permit access to each function based on role. Test authorisation for all API endpoints during security assessment.

API6 — Unrestricted Access to Sensitive Business Flows: Business logic vulnerabilities that allow abuse of legitimate API flows — buying unlimited limited-edition items, bypassing two-factor authentication flows, or exploiting referral systems. Identify critical business flows and implement anti-abuse controls — CAPTCHA, device fingerprinting, rate limiting based on business logic.

API7 — Server-Side Request Forgery (SSRF): API features that make HTTP requests based on user-supplied URLs can be exploited to access internal services, cloud metadata endpoints, or other resources. Validate and restrict all user-supplied URLs. Implement network-level controls.
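One way to validate and restrict a user-supplied URL before the API fetches it, as an added example that is not from the original article: ALLOWED_HOSTS and stub_resolver are constructed stand-ins, and in production resolve() would be a real DNS lookup with the HTTP client connecting to the validated address rather than resolving the name a second time.

```python
"""Validating a user-supplied URL before the API fetches it (SSRF defence).

Added illustration, not code from the original article. ALLOWED_HOSTS and
stub_resolver are constructed stand-ins; in production resolve() is a real
DNS lookup and the HTTP client should connect to the validated address
rather than resolving the name a second time.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"partner.example.com"}  # constructed allowlist of destinations


def stub_resolver(host):
    # Constructed DNS table; 8.8.8.8 stands in for any public address.
    return {"partner.example.com": ["8.8.8.8"]}.get(host, [])


def validate_outbound_url(url, resolve=stub_resolver):
    """Return (ok, reason). Only http(s) to an allowlisted host that resolves
    exclusively to public addresses is accepted."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    # Allowlisting names (never raw IPs) rules out metadata and internal
    # addresses written as literals, including encoded or IPv6-mapped forms.
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    addrs = resolve(host)
    if not addrs:
        return False, "host did not resolve"
    # An allowlisted name can still be pointed at private space (DNS rebinding),
    # so every resolved address must be globally routable.
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"resolves to non-public address {addr}"
    return True, "ok"
```

Pair this with the network-level controls the text mentions (egress filtering from the API hosts), because URL validation alone cannot see a redirect the destination issues after the request leaves.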

API8 — Security Misconfiguration: Insecure defaults, debug endpoints exposed in production, verbose error messages, missing TLS, permissive CORS policies. Harden API gateway and server configurations. Disable debug endpoints in production. Implement strict CORS policies. Return generic error messages to clients.

API9 — Improper Inventory Management: Outdated, unpatched, or undocumented API versions and endpoints that lack the same security controls as the current production API. Maintain a complete API inventory. Document and control API versioning. Retire old API versions. Apply security controls consistently across all versions.

API10 — Unsafe Consumption of APIs: Trusting data from external APIs without adequate validation, or using third-party APIs over insecure channels. Validate all data received from external APIs. Use encrypted connections for all third-party API calls. Apply the same input validation to third-party API responses as to user-supplied data.

Why Organisations Choose Savadub

Deep GRC Expertise

Our team holds practitioner-level expertise across every major compliance framework — not just theoretical knowledge, but hands-on implementation experience across multiple industries and organisation sizes.

Engineers, Not Just Consultants

We implement controls, not just recommend them. Our GRC engineers configure the systems, write the integrations, and build the monitoring pipelines that make compliance operational.

Global and African Regulatory Coverage

We understand both the global frameworks and the African regulatory environment — NDPR, NDPA, CBN directives, NITDA guidelines, and regional data protection laws — making us uniquely positioned for organisations operating across Africa and internationally.

Internal and External Audit Capability

We provide both embedded internal audit functions and independent third-party audit support, including CPA-accredited audit coordination for SOC examinations.

End-to-End Engagement

From initial gap assessment through certification, continuous monitoring, and ongoing compliance management — we are your long-term GRC partner, not a one-time consultant.

Industries We Serve

Financial Services · Healthcare · Technology & SaaS · Manufacturing · Logistics & Trade · Government & Public Sector · Energy & Critical Infrastructure · Education & EdTech · Media & Broadcasting · Retail & E-Commerce · Professional Services · Food & Beverage

Deliverables You Receive

Working with Savadub, every engagement delivers a concrete set of outputs:

  • Gap Assessment Report — prioritised findings with effort estimates and risk ratings
  • Compliance Roadmap — milestone-based plan from current state to certification or attestation
  • Risk Register — organisational risk register with treatment plans
  • Policy Pack — all required policies authored, reviewed, and approved
  • Technical Control Implementation Evidence — configurations, screenshots, and audit trails
  • Internal Audit Report — independent assessment of control effectiveness
  • Audit Evidence Repository — organised, auditor-ready evidence collection
  • Executive Summary Presentation — board and leadership-ready compliance status
  • Remediation Tracker — structured tracking of open findings and closure evidence
  • Continuous Monitoring Setup — ongoing CCM pipeline for post-certification compliance

Get Started with Savadub

Savadub's GRC practice combines deep compliance expertise with technical engineering capability. We don't just advise — we build, implement, and operate your compliance program from the ground up.

Book a free GRC consultation with our team. We will review your current posture, identify your most critical gaps, and give you a clear, costed roadmap to compliance.

Contact us:

  • Email: grc@savadub.com
  • Phone: +234 816 734 2201
  • WhatsApp: +234 903 234 8435
  • Website: www.savadub.com
