What is the OWASP API Security Top 10?
Answer
The OWASP API Security Top 10 (2023 edition) identifies the most critical API security risks:

1. Broken Object Level Authorization (BOLA, also known as IDOR): the API does not verify that the caller is authorized to access the specific object referenced by its ID. This is the most common API vulnerability.
2. Broken Authentication: weak authentication mechanisms and missing rate limiting on authentication endpoints.
3. Broken Object Property Level Authorization: exposing, or allowing modification of, object properties the user should not have access to (excessive data exposure, mass assignment).
4. Unrestricted Resource Consumption: no rate limiting, request size limits, or resource quotas.
5. Broken Function Level Authorization: regular users can reach admin functions.
6. Unrestricted Access to Sensitive Business Flows: no controls against abusing legitimate business logic at scale (for example scalping or credential stuffing).
7. Server-Side Request Forgery (SSRF).
8. Security Misconfiguration.
9. Improper Inventory Management: forgotten old API versions.
10. Unsafe Consumption of APIs: trusting data from third-party APIs without validation.
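Items 1 and 3 are easiest to see side by side in code. The following is an added example, not part of the original answer or of any OWASP material: a toy in-memory "orders" store (constructed data, hypothetical `Order` model) with a BOLA-prone read handler next to its hardened form, and a mass-assignment-prone update handler next to one that allowlists client-writable properties.

```python
"""Added example: object-level (BOLA/IDOR) and property-level (mass assignment)
authorization on a hypothetical orders API. No framework; plain functions
stand in for route handlers, and `store` stands in for the database."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Order:
    id: int
    owner_id: int
    total: float              # server-controlled: never settable by the client
    status: str = "pending"   # server-controlled
    note: str = ""            # the one property a customer may edit


def make_store() -> dict:
    """Constructed sample data: two orders owned by two different users."""
    return {
        1: Order(id=1, owner_id=100, total=20.0),
        2: Order(id=2, owner_id=200, total=45.0),
    }


# --- Risk 1: Broken Object Level Authorization ---------------------------

def get_order_vulnerable(store: dict, current_user_id: int, order_id: int) -> Optional[Order]:
    """BOLA: the caller is authenticated, but ownership of the object is never
    checked, so user 100 can read user 200's order just by changing the ID."""
    return store.get(order_id)


def get_order(store: dict, current_user_id: int, order_id: int) -> Optional[Order]:
    """Hardened: the object must exist AND belong to the caller. Both failures
    return None (a 404 in a real API) so the response does not reveal whether
    the ID exists, which would otherwise help enumeration."""
    order = store.get(order_id)
    if order is None or order.owner_id != current_user_id:
        return None
    return order


# --- Risk 3: Broken Object Property Level Authorization ------------------

CLIENT_WRITABLE = frozenset({"note"})


def update_order_vulnerable(store: dict, current_user_id: int, order_id: int,
                            payload: dict) -> Optional[Order]:
    """Mass assignment: ownership is checked, but every key in the request body
    is bound straight onto the model, so `total` or `status` can be overwritten."""
    order = get_order(store, current_user_id, order_id)
    if order is None:
        return None
    for key, value in payload.items():
        setattr(order, key, value)
    return order


def update_order(store: dict, current_user_id: int, order_id: int,
                 payload: dict) -> Tuple[Optional[Order], Tuple[str, ...]]:
    """Hardened: only allowlisted properties may be written; any other key
    rejects the whole request (returned as the list of offending fields, a 400
    in a real API) rather than being silently dropped, so the client learns
    it sent something it must not."""
    order = get_order(store, current_user_id, order_id)
    if order is None:
        return None, ()
    rejected = tuple(sorted(set(payload) - CLIENT_WRITABLE))
    if rejected:
        return None, rejected
    for key, value in payload.items():   # every remaining key is allowlisted
        setattr(order, key, value)
    return order, ()
```

Rejecting unexpected keys outright, instead of filtering them, is a deliberate choice: silent filtering hides client bugs and makes it harder to spot probing in logs.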