๐Ÿš€ Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney.

OWASP API Top 10 ยท 2023 edition

OWASP API Top 10 Challenges

Map your API security training to the OWASP API Security Top 10 (2023). Developers fix BOLA, broken authentication, SSRF and more in real APIs โ€” the same flaws behind the breaches that make headlines.

Capability, not checkbox compliance

Hands-On Challenges for Every Category

APIs are the largest attack surface in modern products, and the OWASP API Security Top 10 (2023) is the standard for securing them. Every challenge below is a real API with a real vulnerability: developers fix it without breaking functionality, and every verified fix becomes reportable evidence of API security capability.

API1:2023

Broken Object Level Authorization

APIs that expose object IDs without checking the caller is allowed to access that object โ€” the most common API attack.

API5:2023

Broken Function Level Authorization

Admin and privileged endpoints reachable by regular users because function-level checks are missing.

API6:2023

Unrestricted Access to Sensitive Business Flows

Legitimate business flows โ€” purchasing, booking, posting โ€” abused at scale because nothing limits automated access.

API7:2023

Server Side Request Forgery

APIs that fetch attacker-supplied URLs, letting requests reach internal services and cloud metadata.

API8:2023

Security Misconfiguration

Unhardened API infrastructure: verbose errors, permissive CORS, debug endpoints and discovery features left on.

Roll it out

Turn the Standard Into a Training Program

Assign these challenges to your team as learning pathways, track verified fixes, and report OWASP API Top 10 coverage to auditors, customers and the board โ€” with evidence, not attendance sheets.