Index · TL;DR
1 min readTL;DR
APIs need their own Top 10 — separate from the main web-app OWASP Top 10 — because APIs expose object-level and function-level operations directly to clients, without a server-rendered UI to hide what's reachable. A browser app never shows you the "edit anyone's invoice" button; an API endpoint like GET /api/orders/{id} happily accepts any id you type. The dominant problem, by a wide margin, is object-level authorization: endpoints that authenticate the caller (they know who you are) but fail to check that the specific object you asked for actually belongs to you. That single class — API1: Broken Object Level Authorization (BOLA) — is the most common and most impactful API vulnerability, which is why it sits at #1. The 2023 list also folds the old "mass assignment" and "excessive data exposure" issues into one property-level authorization risk (API3 / BOPLA), promotes resource-consumption and business-flow abuse, and adds SSRF and unsafe consumption of third-party APIs as first-class risks.