owasp-api-security-top-10
OWASP API Security Top 10
This skill encodes the OWASP API Security Top 10 for secure API design, code review, and vulnerability prevention. References are loaded per risk (progressive disclosure).
Based on OWASP API Security Top 10:2023.
When to Read Which Reference
| Risk | Read |
|---|---|
| API1 Broken Object Level Authorization | references/api1-broken-object-level-authorization.md |
| API2 Broken Authentication | references/api2-broken-authentication.md |
| API3 Broken Object Property Level Authorization | references/api3-broken-object-property-authorization.md |
| API4 Unrestricted Resource Consumption | references/api4-unrestricted-resource-consumption.md |
| API5 Broken Function Level Authorization | references/api5-broken-function-level-authorization.md |
| API6 Unrestricted Access to Sensitive Business Flows | references/api6-sensitive-business-flows.md |
| API7 Server Side Request Forgery (SSRF) | references/api7-ssrf.md |
| API8 Security Misconfiguration | references/api8-security-misconfiguration.md |
| API9 Improper Inventory Management | references/api9-improper-inventory-management.md |
| API10 Unsafe Consumption of APIs | references/api10-unsafe-consumption-of-apis.md |
Quick Patterns
- Enforce object-level and function-level authorization on every API request; never trust client-supplied IDs without server-side checks.
- Validate and sanitize all inputs; treat third-party API responses as untrusted.
- Apply rate limiting, quotas, and cost controls to prevent abuse and DoS.
- Maintain an API inventory; retire or protect deprecated and debug endpoints.
Quick Reference / Examples
| Task | Approach |
|---|---|
| Object-level auth (IDOR) | Verify user owns/can access the resource by ID server-side. See API1. |
| Function-level auth | Check user role before admin/sensitive operations. See API5. |
| Rate limiting | Apply per-user/IP limits, quotas, and timeouts. See API4. |
| SSRF prevention | Validate/allowlist URLs; block internal ranges. See API7. |
| Third-party APIs | Validate responses, use TLS, set timeouts. See API10. |
Safe - object-level authorization check:
@app.get("/api/orders/{order_id}")
def get_order(order_id: int, current_user: User):
order = Order.query.get(order_id)
if order.user_id != current_user.id:
raise HTTPException(403, "Access denied")
return order
Unsafe - missing authorization (IDOR vulnerability):
@app.get("/api/orders/{order_id}")
def get_order(order_id: int):
return Order.query.get(order_id) # Any user can access any order!
Rate limiting example (FastAPI):
from slowapi import Limiter
limiter = Limiter(key_func=get_remote_address)
@app.get("/api/search")
@limiter.limit("10/minute")
def search(query: str):
return perform_search(query)
Workflow
- Object-level authorization (IDOR) → Read references/api1-broken-object-level-authorization.md.
- Authentication and tokens → Read references/api2-broken-authentication.md.
- Rate limiting / DoS → Read references/api4-unrestricted-resource-consumption.md.
- Admin vs user endpoints → Read references/api5-broken-function-level-authorization.md.
- User-supplied URLs in API → Read references/api7-ssrf.md.
- Third-party API consumption → Read references/api10-unsafe-consumption-of-apis.md.
Load reference files only when relevant to the task.
More from yariv1025/skills
owasp-mobile-top-10
OWASP Mobile Top 10 - prevention, detection, and remediation for iOS/Android app security. Use when building or reviewing mobile apps - credentials, supply chain, auth, input/output validation, communication, privacy, binary protection, config, data storage, cryptography.
16agent-dev-guardrails
Enforce disciplined agent development workflows with plan-first development, small-slice execution, specialized self-review roles, quality gates, and project setup. Use when starting a new project, setting up development conventions, wanting structured planning, or needing the agent to follow best practices for code quality, review, and validation.
8owasp-iot-top-10
OWASP IoT Top 10 - prevention, detection, and remediation for IoT device and ecosystem security. Use when designing or reviewing IoT devices - passwords, network services, ecosystem interfaces, secure updates, components, data transfer/storage, device management, default settings, physical hardening, privacy.
7owasp-serverless-top-10
OWASP Serverless Top 10 - prevention, detection, and remediation for serverless (Lambda, Functions) security. Use when building or reviewing serverless apps - event injection, over-permissioned functions, insecure deps, secrets, config, and other serverless-specific interpretations of the Web Top 10.
7owasp-privacy-top-10
OWASP Top 10 Privacy Risks - prevention, detection, and remediation for privacy in web applications. Use when addressing app vulnerabilities, data leakage, breach response, consent, transparency, data deletion, data quality, session expiration, user access rights, excessive data collection.
6owasp-cicd-top-10
OWASP Top 10 CI/CD Security Risks - prevention, detection, and remediation for pipeline security. Use when securing or reviewing CI/CD - flow control, IAM, dependency chain, poisoned pipeline execution, PBAC, credential hygiene, system config, third-party services, artifact integrity, logging and visibility.
6