Web Security Academy alignment with the OWASP Top 10 API vulnerabilities

The OWASP Foundation periodically publishes the OWASP API Security Top 10, a list of the most critical security risks specific to APIs. Several of these risks carry an API-specific name, but most of them describe the same underlying vulnerability classes that are already covered by existing Web Security Academy topics.

The table below lists each OWASP API Top 10 risk (with its identifier from the 2023 edition) and the Web Security Academy topics that cover it:

Risk
    Relevant Web Security Academy topics

API1:2023 Broken object level authorization
    Access control vulnerabilities and privilege escalation

API2:2023 Broken authentication
    Authentication vulnerabilities
    OAuth 2.0 authentication vulnerabilities
    JWT attacks

API3:2023 Broken object property level authorization
    Mass assignment vulnerabilities

API4:2023 Unrestricted resource consumption
    Race conditions
    File upload vulnerabilities

API5:2023 Broken function level authorization
    Access control vulnerabilities and privilege escalation

API6:2023 Unrestricted access to sensitive business flows
    Business logic vulnerabilities

API7:2023 Server side request forgery
    Server-side request forgery (SSRF)

API8:2023 Security misconfiguration
    Cross-origin resource sharing (CORS)
    Information disclosure vulnerabilities
    HTTP Host header attacks
    HTTP request smuggling

API9:2023 Improper inventory management
    API testing

API10:2023 Unsafe consumption of APIs
    API testing

You can read more about the OWASP API Top 10 on the OWASP website, under OWASP API Security Top 10 - 2023.