OWASP API Security Top-10 Risks for 2023 Released

Back in April we took an in-depth look at the proposed OWASP Top-10 API Security Risks list for 2023. This Release Candidate (RC) contained a few changes from the 4-year-old version, most notably:

1. Created a new category API3:2023RC (Broken Object Property Level Authorization) by essentially combining API6:2019 (Mass Assignment) with API3:2019 (Excessive Data Exposure).
2. Created a new category API6:2023RC (Server Side Request Forgery), overlapping with A10:2021 from the web application security risks version.
3. Created a new category API8:2023RC (Lack of Protection from Automated Threats) to cover API abuse by malicious bots.
4. Created a new category API10:2023RC (Unsafe Consumption of APIs) and adding API8:2019 (Injection) into it.
5. Eliminated API10:2019 (Insufficient Logging & Monitoring) from the top-10 list.

Well, it appears the final version of the OWASP API Security Top-10 2023 has been released, although you’d be forgiven for not knowing yet as it’s not on the project page, which still points to the (now removed) RC repo page.

And surprise, there are several changes from the RC version:

At first blush, the final 2023 version seems to retain most of the changes in category naming, language and intent from the 2019 edition which we saw in the RC version. In fact, the changes do not appear to have a big impact:

1. API6:2023RC (Server Side Request Forgery) is now API7:2023 – this seems to just be a step down in the rankings.
2. API7:2023RC (Security Misconfiguration) is now API8:2023 – again, this just seems like a step down in the rankings.
3. API8:2023RC (Lack of Protection from Automated Threats) is gone, replaced by (or at least combined into) API6:2023 (Unrestricted Access to Sensitive Business Data Flows) – this looks like just it was renamed and raised in the ranking, since these appear to be similar in intent and both the RC and final 2023 versions reference API10:2019 (Insufficient Logging & Monitoring).

However, there are a couple of areas which stand out:

• First, we note that Injection risks are still “missing” from the final 2023 version, as we highlighted in our in-depth analysis of the RC version (PDF).
• Second, it appears that the risk rankings (which is the product of likelihood x impact) have changed across the board, and in some cases substantially.

So, stay tuned as we dig into the details of the final 2023 OWASP Top-10 API Security Risks list, and help you understand the impact on your API security program.