Skip to main content
Version: Next

Security Vulnerability Guide

This section lists important vulnerabilities applicable to modern API driven applications.


A1Broken Object Level Authorization639
A2Broken Authentication425, 287
A3Excessive Data Exposure213
A4Lack of Resources and Rate Limits770
A5Broken Function Level Authorization1220
A6Mass Assignment915
A7Security Misconfiguration1349
A8Injection89, 77
A9Improper Asset Management1059
A10Insufficient Logging & Monitoring778

OWASP Web Top 10

A10Server Side Request Forgery918


This section lists issues related to API security and resilience, but which cannot be purely categorized as security vulnerabilities.

API Schema Non Conformance1215, 393
Unexpected 5XX Server Errors600
Undocumented Response Codes394
Inadequate Response Headers838
Incorrect Response Content Types838
Incorrect Response Body838


Baseline Security Controls are a minimum set of foundational controls that APIs should implement. These are based on security best practices.

This section lists vulnerabilities arising due to the violation of these security controls. A number of these issues are applicable to OWASP API A7.

IssueCWE / Reference
In Page Banner Information LeakTesting for Error Codes
Information Disclosure - Debug Error MessagesCWE-200
Information Disclosure - Sensitive Information in URLCWE-200
Information Disclosure - Sensitive Information in HTTP Referrer HeaderCWE-200
Application Error DisclosureCWE-200
X-Powered-By Information LeakCWE-200
Information Leak Via 'Server' HTTP Response HeaderCWE-200
Private IP Disclosure In ResponseCWE-200
PII Disclosure In ResponseCWE-359
Hash Disclosure In ResponseCWE-200
Cross-Domain (CORS) Misconfiguration (Passive)CWE-264
Sub Optimal Cache Control DirectivesCWE-525
Content Retrieved from CacheCWE-525
Missing Strict-Transport-Security HeaderStrict Transport Security Cheat Sheet
Missing Content-Type HeaderCWE-345
Missing X-Content-Type-Options HeaderCWE-693
Cookie Set Without HttpOnly FlagCWE-1004
Cookie Without Secure FlagCWE-614
Cookie Poisoning Via Query/Body ParametersCWE-20
Session ID in URL Via RewriteCWE-200
Suboptimal Anti-clickjacking HeadersCWE-1021
Open/Unrestricted URL Redirect Via URL Query ParameterCWE-601
Weak Authentication MethodCWE-326
Java Serialization DetectedCWE-502