A presentation at PHPUK 2026 in London, UK by Rob Allen

Securing Your API: The OWASP Top 10
Rob Allen, February 2026

57% of organizations suffered an API-related data breach in the past two years
Traceable 2025 Global State of API Security report
Rob Allen ~ akrabat.com

Why are APIs different?

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs

OWASP API Security Top 10
Who are you and what can you access?
Authentication and authorisation failures
Broken Authentication
APIs that don’t properly verify who you are
• Weak/no token validation
• Missing expiration on tokens
• Credential stuffing attacks
Example: API accepts JWT without verifying the signature

Broken Authentication: Prevention
• Use established standards (OAuth 2.0, OpenID Connect)
• Implement proper token validation and expiration
• Rate limiting on auth endpoints
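The "JWT accepted without verifying the signature" failure above comes down to three checks the server must make itself: the algorithm is the one the server expects, the signature matches, and `exp` is present and in the future. The following is an added example (not code from the talk), using only the Python standard library with a constructed demo key; `now` is passed in as epoch seconds so the behaviour is reproducible.

```python
import base64
import hmac
import hashlib
import json

# Constructed demo key; in production load it from a secrets store, never from source.
SECRET = b"demo-secret-do-not-use"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def issue_token(claims: dict, now: int, ttl_seconds: int = 900) -> str:
    """Mint an HS256 JWT with a short, mandatory expiry (helper so the example is self-contained)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({**claims, "iat": now, "exp": now + ttl_seconds}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now: int) -> dict:
    """Return the claims only if the token is well-formed, signed with our key, and unexpired."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        raise ValueError("malformed token")
    # Pin the algorithm server-side: the token must never choose it ("none", key confusion, ...).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison of the signature we computed with the one presented.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Expiry is mandatory: a token without exp is rejected, not treated as eternal.
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("expired or missing exp")
    return claims


def token_is_valid(token: str, now: int) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_token(token, now)
        return True
    except ValueError:
        return False
```

In a real service you would use a maintained JWT library and an OAuth 2.0 / OpenID Connect provider as the slide recommends; the point here is which checks that library must be configured to enforce.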
Broken Function Level Authorisation
Users can access functionality they shouldn’t
• Incorrect authorisation checks on a function or resource
• Legitimate calls to endpoints that the user shouldn’t have access to
• Undocumented open endpoints
Example: /debug/dump

Broken Function Level Authorisation: Prevention
• Deny by default
• Check roles/permissions on every endpoint
• Don’t rely on hiding endpoints from documentation
Broken Object Level Authorisation
Users can access objects belonging to other users
• User can access another user’s resource
• Changing an ID or key allows access to privileged data
Example: /users/123/orders - change to 124 and see someone else’s orders

Broken Object Level Authorisation: Prevention
• Implement proper authorisation based on user policies
• Check if the user has access to the requested resource
• Check that the operation is also allowed
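The two prevention slides above (function level: deny by default, check every endpoint; object level: check the resource and the operation) are two separate checks that a request must pass in order. This added example (not code from the talk) shows both over a constructed order store: a route not in the policy table is refused, and `/users/{id}/orders` only returns orders the caller is allowed to read, whatever id is in the path.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    roles: frozenset = field(default_factory=frozenset)


# Constructed data: which user owns which order.
ORDERS = {501: {"owner": 123, "total": 40}, 502: {"owner": 124, "total": 99}}

# Function-level policy: (method, route) -> roles that may call it. Anything not listed is denied.
ROUTE_ROLES = {
    ("GET", "/users/{id}/orders"): {"customer", "support"},
    ("DELETE", "/orders/{id}"): {"customer"},
    ("GET", "/debug/dump"): {"admin"},
}


def function_allowed(user: User, method: str, route: str) -> bool:
    """Deny by default: an undocumented or unlisted route is a 403, not an open endpoint."""
    allowed = ROUTE_ROLES.get((method, route))
    return allowed is not None and bool(user.roles & allowed)


def object_allowed(user: User, order_id: int, action: str) -> bool:
    """Object-level check: the caller must own the order, and the action must be allowed on it."""
    order = ORDERS.get(order_id)
    if order is None:
        return False
    if order["owner"] == user.id:
        return action in {"read", "delete"}
    # Support staff may read any order but never delete one: resource AND operation are checked.
    return action == "read" and "support" in user.roles


def list_orders(user: User, path_user_id: int) -> list:
    """GET /users/{id}/orders with the function-level check first, then the object-level one."""
    if not function_allowed(user, "GET", "/users/{id}/orders"):
        raise PermissionError("forbidden")
    # The id in the path is untrusted input; changing 123 to 124 yields only what the caller may read.
    return [oid for oid, o in ORDERS.items()
            if o["owner"] == path_user_id and object_allowed(user, oid, "read")]
```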
Broken Object Property Authorisation
Users can read or modify properties they shouldn’t
• Sending properties that this user shouldn’t see
• Allowing this user to change a property they shouldn’t
Example: User updates profile, includes “role”: “admin” in payload

Broken Object Property Authorisation: Prevention
• Cherry pick object properties to return
• Explicit allowlists for input properties
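The `"role": "admin"` payload above is what an explicit input allowlist stops. This added example (not code from the talk) uses a constructed per-role schema: output is built by cherry-picking fields for the viewer, and an update containing any property outside the writer's allowlist is rejected outright rather than silently merged.

```python
# Constructed schema: which profile properties each role may read and which it may write.
READABLE = {
    "self": {"id", "name", "email", "role"},
    "public": {"id", "name"},
}
WRITABLE = {
    "self": {"name", "email"},          # a user can never set their own role
    "admin": {"name", "email", "role"},
}


def serialize_profile(record: dict, viewer: str) -> dict:
    """Cherry-pick the properties to return; anything not listed (password hash, etc.) never leaves."""
    return {k: record[k] for k in READABLE[viewer] if k in record}


def apply_update(record: dict, payload: dict, actor: str) -> dict:
    """Explicit input allowlist: reject the whole update if any property is not writable by the actor."""
    forbidden = set(payload) - WRITABLE[actor]
    if forbidden:
        # Rejecting (rather than dropping) makes the attempt visible in logs and to the client.
        raise ValueError(f"not allowed to set: {sorted(forbidden)}")
    return {**record, **payload}


def update_allowed(payload: dict, actor: str) -> bool:
    """Boolean form of the input check, for callers that only need accept/reject."""
    return not (set(payload) - WRITABLE[actor])
```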
Exploiting how your API works
Business logic and resource abuse
Unrestricted resource consumption
APIs that can be abused through resource consumption
• Expensive operations without throttling
• Exhausting memory through requests for too much data
• Denial of service
Example: /widgets?page=1&per_page=1000000

Unrestricted resource consumption: Prevention
• Rate limiting (per IP, per user, per endpoint)
• Pagination with maximum limits
• Resource quotas / Timeouts
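Two of the three preventions above are small pieces of code that sit in front of every handler. This added example (not code from the talk) clamps `page`/`per_page` so the `per_page=1000000` request becomes a bounded query, and keys a token-bucket rate limit on (user, endpoint) so one caller cannot exhaust a single expensive route; `now` is passed in so the refill logic is deterministic.

```python
from collections import defaultdict

MAX_PER_PAGE = 100


def paginate(page_raw, per_page_raw, default: int = 20, max_per_page: int = MAX_PER_PAGE):
    """Parse ?page=&per_page= and clamp them: per_page=1000000 becomes MAX_PER_PAGE, not an OOM."""
    try:
        page = max(1, int(page_raw or 1))
        per_page = int(per_page_raw or default)
    except ValueError:
        raise ValueError("page and per_page must be integers")
    per_page = min(max(1, per_page), max_per_page)
    offset = (page - 1) * per_page
    return page, per_page, offset


class TokenBucket:
    """Per-(user, endpoint) token bucket: `rate` requests/second sustained, `burst` at once."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        # key -> [tokens, last_seen]; a new key starts with a full bucket.
        self._state = defaultdict(lambda: [float(burst), None])

    def allow(self, user: str, endpoint: str, now: float) -> bool:
        state = self._state[(user, endpoint)]
        tokens, last = state
        if last is not None:
            # Refill proportionally to elapsed time, never above the burst size.
            tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            state[0], state[1] = tokens, now
            return False  # caller maps this to HTTP 429
        state[0], state[1] = tokens - 1, now
        return True
```

The in-memory bucket is per process; behind several API instances the counters belong in a shared store (or the gateway) so the limit is enforced per user rather than per instance.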
Unrestricted access to business flows
Critical workflows lack protection against automation
• Some business flows are more sensitive than others
• Legitimate calls, but in an unexpected order
• Excessive access may harm the business
Example: Ticket scalping bots, inventory hoarding

Unrestricted access to business flows: Prevention
• Device fingerprinting
• Behavioral analysis
• Transaction limits
Unsafe consumption of APIs
Your API trusts third-party APIs too much
• Dependency on another’s vulnerabilities
• Malicious data can be injected
• Not accounting for failure
Example: Geolocation API takes 30 seconds to time out and locks your API

Unsafe consumption of APIs: Prevention
• Validate all external data
• Whitelist redirect URLs
• Implement timeouts
Operational security gaps
Configuration and infrastructure vulnerabilities
Security misconfiguration
Insecure defaults and missing security hardening
• Default configurations
• Missing security updates
• Unnecessary features enabled
• Header misconfiguration (CORS, etc.)
Example: Error messages return stack traces

Security misconfiguration: Prevention
• Regular security auditing and updates
• Audit and remove unnecessary features
• For APIs used by browser-based clients, implement CORS security headers
Improper inventory management
Do you know your API?
• Old API versions still running
• Shadow APIs (undocumented endpoints)
• Non-production environments accessible
Example: v1 API wasn’t decommissioned

Improper inventory management: Prevention
• Maintain API inventory/catalog
• API Gateway / automated discovery tools
• Retire old versions with clear timelines
Server side request forgery
API fetches remote resources without validation
• User-controlled URLs in API requests
• API fetches a remote resource from user-supplied URL
• Can access internal network endpoints
Example: /images?url=http://127.0.0.1:8080/metrics

Server side request forgery: Prevention
• Validate and sanitize URLs
• Whitelist for domains, media types, etc.
• Disable HTTP redirection where possible
• Don’t send raw responses to clients
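The four SSRF preventions above, plus the hard timeout from the "Unsafe consumption of APIs" slide, fit in one fetch path for an image proxy like `/images?url=`. This added example (not code from the talk) uses the Python standard library and a constructed host/media-type allowlist: the URL is validated before any network call, redirects are refused, the response is time-boxed and size-capped, and its media type is checked before bytes are returned.

```python
import ipaddress
import urllib.request
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this proxy may fetch from, and the media types it will serve.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_MEDIA_TYPES = {"image/png", "image/jpeg"}


def validate_fetch_url(url: str) -> str:
    """Return the URL only if it is https, to an allowlisted hostname, and not an IP literal."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https is allowed")
    host = (parts.hostname or "").lower()
    if not host or parts.username or parts.password:
        raise ValueError("malformed authority")  # catches host@evil tricks
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a hostname, which is what we want
    else:
        raise ValueError("IP literals are not allowed")  # e.g. 127.0.0.1, [::1]
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host}")
    return url


def url_is_fetchable(url: str) -> bool:
    """Boolean form of validate_fetch_url for callers that only need accept/reject."""
    try:
        validate_fetch_url(url)
        return True
    except ValueError:
        return False


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse every redirect: a 302 from an allowlisted host must not lead us to an internal address."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib raises HTTPError for the 3xx instead of following it


def fetch_image(url: str, timeout: float = 5.0, max_bytes: int = 5 * 1024 * 1024) -> bytes:
    """Validate, fetch with a hard timeout and no redirects, check the media type, cap the body."""
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(validate_fetch_url(url), timeout=timeout) as resp:
        media_type = resp.headers.get_content_type()
        if media_type not in ALLOWED_MEDIA_TYPES:
            raise ValueError(f"unexpected media type: {media_type}")
        return resp.read(max_bytes)  # the raw response is never forwarded as-is
```

A hostname allowlist does not by itself stop an allowlisted name resolving to an internal address (DNS rebinding); where that matters, resolve the name, check the resulting address with `ipaddress`, and connect to that address.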
In Closing

OWASP API Security Top 10
• Authentication & authorisation failures
• Business logic & resource abuse
• Configuration & infrastructure vulnerabilities

Security requires
• Defense in depth
• Testing with the mindset of an attacker
• Ongoing attention

Resources
OWASP API Security Project website: owasp.org/www-project-api-security/
REST Security Cheat Sheet: cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
API Security news: apisecurity.io

“Securing APIs isn’t optional; it is the frontline defense for protecting data integrity and maintaining digital trust.”
Randy Barr, Cequence Security

Thank you!
slides: https://akrabat.com/7545
feedback: https://joind.in/talk/25432
APIs are the foundation of our applications today and need to be secure. From broken authorisation and authentication to injection attacks, the OWASP API Security Top 10 identifies the most critical security issues facing APIs today. In this talk, we’ll walk through the items on the list and explore these security flaws and look at how to prevent them. By the end of this session, you’ll have a clear understanding of the most critical API security risks and be equipped with the knowledge to build more secure APIs.