TOC Table of Contents

TOC   Table of Contents ............................................. 2
FW    Foreword ...................................................... 3
I     Introduction ................................................. 4
RN    Release Notes ................................................ 5
RISK  API Security Risk ............................................ 6
T10   OWASP API Security Top 10 - 2019 ............................. 7
API1:2019   Broken Object Level Authorization ...................... 8
API2:2019   Broken User Authentication ............................ 10
API3:2019   Excessive Data Exposure ............................... 12
API4:2019   Lack of Resources & Rate Limiting ..................... 14
API5:2019   Broken Function Level Authorization ................... 16
API6:2019   Mass Assignment ....................................... 18
API7:2019   Security Misconfiguration ............................. 20
API8:2019   Injection ............................................. 22
API9:2019   Improper Assets Management ............................ 24
API10:2019  Insufficient Logging & Monitoring ..................... 26
+D    What's Next for Developers .................................. 28
+DSO  What's Next for DevSecOps ................................... 29
+DAT  Methodology and Data ........................................ 30
+ACK  Acknowledgments ............................................. 31

About OWASP

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. At OWASP, you'll find free and open:
• Application security tools and standards.
• Complete books on application security testing, secure code development, and secure code review.
• Presentations and videos.
• Cheat sheets on many common topics.
• Standard security controls and libraries.
• Local chapters worldwide.
• Cutting edge research.
• Extensive conferences worldwide.
• Mailing lists.
Learn more at: https://www.owasp.org.

All OWASP tools, documents, videos, presentations, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem, because the most effective approaches to application security require improvements in all of these areas.

OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, and cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. OWASP produces many types of materials in a collaborative, transparent, and open way.

The OWASP Foundation is the non-profit entity that ensures the project's long-term success. Almost everyone associated with OWASP is a volunteer, including the OWASP board, chapter leaders, project leaders, and project members. We support innovative security research with grants and infrastructure.

Come join us! https://owasp.org

This work is licensed under a Creative Commons Attribution ShareAlike 4.0 International License.

FW Foreword

A foundational element of innovation in today's app-driven world is the Application Programming Interface (API). From banks, retail, and transportation to IoT, autonomous vehicles, and smart cities, APIs are a critical part of modern mobile, SaaS, and web applications, and can be found in customer-facing, partner-facing, and internal applications.

By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII), and because of this, APIs have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible.

Although a broader Top 10 of web application security risks still makes sense, the particular nature of APIs calls for an API-specific list of security risks. API security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks associated with APIs.

If you're familiar with the OWASP Top 10 Project, you'll notice the similarities between the two documents: both are intended for readability and adoption. If you're new to the OWASP Top 10 series, you may be better off reading the API Security Risks and Methodology and Data sections before jumping into the Top 10 list.

You can contribute to the OWASP API Security Top 10 with your questions, comments, and ideas at our GitHub project repository:
• https://github.com/OWASP/API-Security/issues
• https://github.com/OWASP/API-S

PDF document: OWASP API Security Top 10 (English edition), 31 pages; only the first 3 pages are previewed above.
Uploaded and shared by SC on 2022-10-20 13:03:01.