Securing Your API: The OWASP Top 10

A presentation at PHPUK 2026 in February 2026 in London, UK by Rob Allen

Slide 1

Securing Your API
The OWASP Top 10
Rob Allen, February 2026

Slide 2

57% of organizations suffered an API-related data breach in the past two years
Traceable 2025 Global State of API Security report
Rob Allen ~ akrabat.com

Slide 3

Why are APIs different?

Slide 4

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs

Slide 5

OWASP API Security Top 10

Slide 6

OWASP API Security Top 10

Slide 7

Who are you and what can you access?
Authentication and authorisation failures

Slide 8

Broken Authentication
APIs that don’t properly verify who you are

Slide 9

Broken Authentication
APIs that don’t properly verify who you are
• Weak/no token validation
• Missing expiration on tokens
• Credential stuffing attacks

Slide 10

Broken Authentication
APIs that don’t properly verify who you are
• Weak/no token validation
• Missing expiration on tokens
• Credential stuffing attacks
Example: API accepts JWT without verifying the signature

Slide 11

Broken Authentication
Prevention

Slide 12

Broken Authentication
Prevention
• Use established standards (OAuth 2.0, OpenID Connect)
• Implement proper token validation and expiration
• Rate limiting on auth endpoints
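
An added example (not from the talk) showing the slide 10 bug beside the slide 12 fix: `decode_unverified` trusts the JWT payload without checking the signature, while `verify_hs256` pins the algorithm, verifies the HMAC in constant time and refuses tokens without a future `exp`. `sign_hs256` and the secret are constructed here only to build demo tokens; `now` is passed in so expiry can be checked deterministically.

```python
import base64
import hashlib
import hmac
import json

class InvalidToken(Exception):
    """Raised for any token the API must refuse."""

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _mac(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT (only used here to build tokens for the demo)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(_mac(secret, f'{header}.{payload}'))}"

def decode_unverified(token: str) -> dict:
    """The bug from the slide: trusts whatever the payload says, signature ignored."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, secret: bytes, now: float) -> dict:
    """Hardened decode: pin the algorithm, check the MAC, require and enforce exp."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64 or bad JSON all land here
        raise InvalidToken("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")  # the token never picks the algorithm
    if not hmac.compare_digest(sig, _mac(secret, f"{header_b64}.{payload_b64}")):
        raise InvalidToken("bad signature")  # constant-time comparison
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or now >= exp:
        raise InvalidToken("missing or past exp")  # every token must expire
    return claims

def is_valid(token: str, secret: bytes, now: float) -> bool:
    try:
        return bool(verify_hs256(token, secret, now))
    except InvalidToken:
        return False
```

In production use a maintained JWT library with the algorithm and audience pinned; the point of the hand-rolled check is to make visible what "proper token validation" has to do.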

Slide 13

Broken Function Level Authorisation
Users can access functionality they shouldn’t

Slide 14

Broken Function Level Authorisation
Users can access functionality they shouldn’t
• Incorrect authorisation check on a function or resource
• Legitimate calls to endpoints that the user shouldn’t have access to
• Undocumented open endpoints

Slide 15

Broken Function Level Authorisation
Users can access functionality they shouldn’t
• Incorrect authorisation check on a function or resource
• Legitimate calls to endpoints that the user shouldn’t have access to
• Undocumented open endpoints
Example: /debug/dump

Slide 16

Broken Function Level Authorisation
Prevention

Slide 17

Broken Function Level Authorisation
Prevention
• Deny by default
• Check roles/permissions on every endpoint
• Don’t rely on hiding endpoints from documentation
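
An added example (not from the talk) of the three prevention points on slide 17 in one small router: a handler cannot be registered without declaring a role, every dispatch checks that role, and an endpoint that is not registered is simply 404, so leaving `/debug/dump` out of the docs changes nothing. The `Api` class, routes and handlers are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Callable, Optional

PUBLIC = "public"  # "no role needed" must be stated explicitly; there is no implicit default

@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset

class Api:
    """Deny-by-default router: a handler cannot be registered without a required role."""

    def __init__(self) -> None:
        self._routes: dict = {}  # (METHOD, path) -> (required role, handler)

    def add(self, method: str, path: str, role: str, handler: Callable) -> None:
        if not role:
            raise ValueError(f"{method} {path}: every endpoint must declare a role")
        self._routes[(method.upper(), path)] = (role, handler)

    def dispatch(self, method: str, path: str, user: Optional[User]) -> tuple:
        entry = self._routes.get((method.upper(), path))
        if entry is None:
            return 404, {"error": "not found"}  # unregistered means denied; hiding is not a control
        role, handler = entry
        if role != PUBLIC:  # checked on every call, not only in the UI that links to it
            if user is None:
                return 401, {"error": "authentication required"}
            if role not in user.roles:
                return 403, {"error": "forbidden"}
        return 200, handler(user)

# Constructed handlers for the demo.
def list_widgets(user: Optional[User]) -> dict:
    return {"widgets": ["a", "b"]}

def dump_debug(user: Optional[User]) -> dict:
    return {"config": "(redacted in demo)"}

def build_demo_api() -> Api:
    api = Api()
    api.add("GET", "/widgets", PUBLIC, list_widgets)
    api.add("GET", "/admin/users", "admin", lambda u: {"users": []})
    # The slide's /debug/dump: it can only be wired up with an explicit role,
    # so it can't be left open just because it is missing from the docs.
    api.add("GET", "/debug/dump", "admin", dump_debug)
    return api
```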

Slide 18

Broken Object Level Authorisation
Users can access objects belonging to other users

Slide 19

Broken Object Level Authorisation
Users can access objects belonging to other users
• User can access another user’s resource
• Changing an ID or key allows access to privileged data

Slide 20

Broken Object Level Authorisation
Users can access objects belonging to other users
• User can access another user’s resource
• Changing an ID or key allows access to privileged data
Example: /users/123/orders - change to 124 and see someone else’s orders

Slide 21

Broken Object Level Authorisation
Prevention

Slide 22

Broken Object Level Authorisation
Prevention
• Implement proper authorisation based on user policies
• Check if the user has access to the requested resource
• Check that the operation is also allowed
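
An added example (not from the talk) of the slide 22 checks applied to the slide 20 URL: the user id in `/users/{id}/orders` is client-supplied and is compared with the authenticated caller, and cancelling an order checks both that the object is the caller's and that this operation is allowed for their role. The `ORDERS` store, the `support` role and the policy in `can` are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = frozenset()

@dataclass
class Order:
    id: int
    owner_id: int
    status: str = "open"

# Constructed store: orders 1 and 2 belong to user 123, order 3 to user 124.
ORDERS = {1: Order(1, 123), 2: Order(2, 123), 3: Order(3, 124)}

def can(user: User, action: str, order: Order) -> bool:
    """Object-level policy: may this user perform this action on this particular order?"""
    if action == "read":
        return order.owner_id == user.id or "support" in user.roles
    if action == "cancel":
        return order.owner_id == user.id  # support may look but not cancel
    return False  # unknown action: deny

def list_orders(user: User, path_user_id: int) -> tuple:
    """GET /users/{id}/orders: the id is client-supplied, so compare it with the caller."""
    if path_user_id != user.id and "support" not in user.roles:
        return 403, []  # the slide's bug: changing 123 to 124 must not work
    return 200, [o.id for o in ORDERS.values() if o.owner_id == path_user_id]

def cancel_order(user: User, order_id: int) -> int:
    """DELETE /orders/{id}: look up, authorise the object AND the operation, then act."""
    order = ORDERS.get(order_id)
    if order is None or not can(user, "cancel", order):
        return 404  # same answer for "no such order" and "not yours": no id-probing oracle
    if order.status != "open":
        return 409
    order.status = "cancelled"
    return 204
```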

Slide 23

Broken Object Property Authorisation
Users can read or modify properties they shouldn’t

Slide 24

Broken Object Property Authorisation
Users can read or modify properties they shouldn’t
• Sending properties that this user shouldn’t see
• Allowing this user to change a property they shouldn’t

Slide 25

Broken Object Property Authorisation
Users can read or modify properties they shouldn’t
• Sending properties that this user shouldn’t see
• Allowing this user to change a property they shouldn’t
Example: User updates profile, includes "role": "admin" in payload

Slide 26

Broken Object Property Authorisation
Prevention

Slide 27

Broken Object Property Authorisation
Prevention
• Cherry pick object properties to return
• Explicit allowlists for input properties
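
An added example (not from the talk) of both slide 27 controls on the slide 25 scenario: input properties are matched against a per-role allowlist, so an ordinary user sending `"role": "admin"` gets a 400 instead of a promotion, and the response is built from a fixed list of readable fields, so `password_hash` and `failed_logins` never leave the server. The `Profile` model, the role names and the choice to reject rather than silently drop are constructed for the demo.

```python
from dataclasses import dataclass, asdict

@dataclass
class Profile:
    id: int
    email: str
    display_name: str
    role: str = "user"
    password_hash: str = "$argon2id$constructed-placeholder"
    failed_logins: int = 0

# Input: explicit allowlist of writable properties per caller role (never "everything but role").
WRITABLE = {
    "user": {"email", "display_name"},
    "admin": {"email", "display_name", "role"},
}
# Output: cherry-picked fields; the model is never serialised wholesale.
READABLE = ("id", "email", "display_name", "role")

def serialise(profile: Profile) -> dict:
    data = asdict(profile)
    return {k: data[k] for k in READABLE}

def update_profile(profile: Profile, payload: dict, caller_role: str) -> tuple:
    """PATCH /users/{id}: reject unknown or read-only properties instead of silently binding them."""
    allowed = WRITABLE.get(caller_role, set())
    rejected = sorted(set(payload) - allowed)
    if rejected:  # the slide's payload with "role": "admin" ends here for an ordinary user
        return 400, {"error": "unknown or read-only properties", "properties": rejected}
    for key, value in payload.items():
        if not isinstance(value, str) or not value:  # all writable fields here are non-empty strings
            return 400, {"error": f"invalid value for {key}"}
    for key, value in payload.items():
        setattr(profile, key, value)  # only reached once every property has passed both checks
    return 200, serialise(profile)
```

Rejecting with a 400 rather than dropping the field is a deliberate choice: the client learns its request was wrong, and the attempt shows up in logs.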

Slide 28

Slide 29

Exploiting how your API works
Business logic and resource abuse

Slide 30

Unrestricted resource consumption
APIs that can be abused through resource consumption

Slide 31

Unrestricted resource consumption
APIs that can be abused through resource consumption
• Expensive operations without throttling
• Exhausting memory through requests for too much data
• Denial of service

Slide 32

Unrestricted resource consumption
APIs that can be abused through resource consumption
• Expensive operations without throttling
• Exhausting memory through requests for too much data
• Denial of service
Example: /widgets?page=1&per_page=1000000

Slide 33

Unrestricted resource consumption
Prevention

Slide 34

Unrestricted resource consumption
Prevention
• Rate limiting (per IP, per user, per endpoint)
• Pagination with maximum limits
• Resource quotas / Timeouts

Slide 35

Unrestricted access to business flows
Critical workflows lack protection against automation

Slide 36

Unrestricted access to business flows
Critical workflows lack protection against automation
• Some business flows are more sensitive than others
• Legitimate calls, but unexpected order
• Excessive access may harm the business

Slide 37

Unrestricted access to business flows
Critical workflows lack protection against automation
• Some business flows are more sensitive than others
• Legitimate calls, but unexpected order
• Excessive access may harm the business
Example: Ticket scalping bots, inventory hoarding

Slide 38

Unrestricted access to business flows
Prevention

Slide 39

Unrestricted access to business flows
Prevention
• Device fingerprinting
• Behavioral analysis
• Transaction limits

Slide 40

Unsafe consumption of APIs
Your API trusts third-party APIs too much

Slide 41

Unsafe consumption of APIs
Your API trusts third-party APIs too much
• Dependency on another’s vulnerabilities
• Malicious data can be injected
• Not accounting for failure

Slide 42

Unsafe consumption of APIs
Your API trusts third-party APIs too much
• Dependency on another’s vulnerabilities
• Malicious data can be injected
• Not accounting for failure
Example: Geolocation API takes 30 seconds to time out and locks your API

Slide 43

Unsafe consumption of APIs
Prevention

Slide 44

Unsafe consumption of APIs
Prevention
• Validate all external data
• Whitelist redirect URLs
• Implement timeouts
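
An added example (not from the talk) of the slide 44 advice against the slide 42 scenario: the geolocation call gets a hard timeout and a body-size cap, its reply is validated field by field before anything downstream sees it, and every failure degrades to a fallback instead of hanging or crashing the caller's request. `GEO_URL` is a placeholder upstream and the `opener` parameter exists only so a fake transport can be injected; both are constructed for the demo.

```python
import json
import urllib.request

GEO_TIMEOUT_SECONDS = 2.0  # never hold a worker for 30 s waiting on a dependency
MAX_BODY_BYTES = 4096      # a geolocation answer is tiny; refuse to buffer more
FALLBACK = {"country": None, "lat": None, "lon": None}  # degrade, don't fail the whole request
GEO_URL = "https://geo.example.invalid/v1/{ip}"  # placeholder upstream, not a real service

def parse_geolocation(body: bytes) -> dict:
    """Treat the upstream's reply as untrusted input: check shape, types and ranges."""
    data = json.loads(body)  # ValueError on non-JSON
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object")
    country = data.get("country_code")
    if not (isinstance(country, str) and len(country) == 2 and country.isalpha()):
        raise ValueError("bad country_code")
    lat, lon = data.get("latitude"), data.get("longitude")
    for v in (lat, lon):
        if not isinstance(v, (int, float)) or isinstance(v, bool):
            raise ValueError("coordinates must be numeric")
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        raise ValueError("coordinates out of range")
    # Return only the fields we use; anything else the upstream sends stops here.
    return {"country": country.upper(), "lat": float(lat), "lon": float(lon)}

def lookup(ip: str, opener=urllib.request.urlopen) -> dict:
    """Call the upstream with a hard timeout and a size cap; any failure yields FALLBACK."""
    try:
        with opener(GEO_URL.format(ip=ip), timeout=GEO_TIMEOUT_SECONDS) as resp:
            if resp.status != 200:
                return dict(FALLBACK)
            body = resp.read(MAX_BODY_BYTES + 1)
        if len(body) > MAX_BODY_BYTES:
            return dict(FALLBACK)
        return parse_geolocation(body)
    except (OSError, ValueError):  # URLError and timeouts are OSErrors; bad data is a ValueError
        return dict(FALLBACK)
```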

Slide 45

Slide 46

Operational security gaps
Configuration and infrastructure vulnerabilities

Slide 47

Security misconfiguration
Insecure defaults and missing security hardening

Slide 48

Security misconfiguration
Insecure defaults and missing security hardening
• Default configurations
• Missing security updates
• Unnecessary features enabled
• Header misconfiguration (CORS, etc.)

Slide 49

Security misconfiguration
Insecure defaults and missing security hardening
• Default configurations
• Missing security updates
• Unnecessary features enabled
• Header misconfiguration (CORS, etc.)
Example: Error messages return stack traces

Slide 50

Security misconfiguration
Prevention

Slide 51

Security misconfiguration
Prevention
• Regular security auditing and updates
• Audit and remove unnecessary features
• For APIs used by browser-based clients, implement CORS security headers
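
An added example (not from the talk) covering the slide 49 example and the CORS point on slide 51: `error_response` keeps the stack trace and exception message in the server log under an incident id and returns only that id to the client unless a debug flag is deliberately turned on, and `cors_headers` matches the `Origin` exactly against an allowlist instead of reflecting it. `ALLOWED_ORIGINS` and the extra hardening headers in `response_headers` are constructed for the demo.

```python
import logging
import traceback
import uuid
from typing import Optional

log = logging.getLogger("api")

DEBUG = False  # the default to ship with; verbose errors are opt-in for local development only
ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed allowlist of browser clients

def error_response(exc: Exception, debug: bool = DEBUG) -> tuple:
    """Log the full trace server-side under an incident id; the client only ever sees the id."""
    incident = uuid.uuid4().hex[:12]
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("incident %s\n%s", incident, trace)
    if debug:  # the slide's example: stack traces (and exception messages) sent to clients
        return 500, {"error": str(exc), "trace": trace, "incident": incident}
    return 500, {"error": "internal error", "incident": incident}

def cors_headers(origin: Optional[str]) -> dict:
    """Exact-match the Origin against the allowlist; never reflect it or use '*' with credentials."""
    if origin not in ALLOWED_ORIGINS:
        return {}  # no ACAO header at all: the browser refuses the cross-origin read
    return {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # caches must not serve one origin's answer to another
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST, PATCH, DELETE",
        "Access-Control-Allow-Headers": "Authorization, Content-Type",
    }

def response_headers(origin: Optional[str]) -> dict:
    """Hardening headers every API response carries, plus CORS only when the origin is allowed."""
    headers = {
        "Content-Type": "application/json",
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "no-store",
    }
    headers.update(cors_headers(origin))
    return headers
```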

Slide 52

Improper inventory management
Do you know your API?

Slide 53

Improper inventory management
Do you know your API?
• Old API versions still running
• Shadow APIs (undocumented endpoints)
• Non-production environments accessible

Slide 54

Improper inventory management
Do you know your API?
• Old API versions still running
• Shadow APIs (undocumented endpoints)
• Non-production environments accessible
Example: v1 API wasn’t decommissioned

Slide 55

Improper inventory management
Prevention

Slide 56

Improper inventory management
Prevention
• Maintain API inventory/catalog
• API Gateway / automated discovery tools
• Retire old versions with clear timelines

Slide 57

Server side request forgery
API fetches remote resources without validation

Slide 58

Server side request forgery
API fetches remote resources without validation
• User-controlled URLs in API requests
• API fetches a remote resource from user-supplied URL
• Can access internal network endpoints

Slide 59

Server side request forgery
API fetches remote resources without validation
• User-controlled URLs in API requests
• API fetches a remote resource from user-supplied URL
• Can access internal network endpoints
Example: /images?url=http://127.0.0.1:8080/metrics

Slide 60

Server side request forgery
Prevention

Slide 61

Server side request forgery
Prevention
• Validate and sanitize URLs
• Whitelist for domains & media types, etc
• Disable HTTP redirection where possible
• Don’t send raw responses to clients
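
An added example (not from the talk) of the slide 61 controls for the slide 59 endpoint: `validate_fetch_url` allowlists scheme, host and port and then checks that the name resolves to a public address, so `http://127.0.0.1:8080/metrics` is refused before any request is made, and `relay_response` only passes on expected image types rather than the raw upstream body. `ALLOWED_HOSTS`, `ALLOWED_MEDIA` and the injectable `resolve` function are constructed for the demo; the validated URL should then be handed to an HTTP client with redirects disabled.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}  # constructed allowlist
ALLOWED_MEDIA = {"image/png", "image/jpeg", "image/gif"}

class UnsafeUrl(ValueError):
    pass

def is_public_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def validate_fetch_url(url: str, resolve=socket.gethostbyname) -> str:
    """Allowlist scheme, host and port, then check where the name actually resolves."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeUrl("scheme")  # no file://, gopher://, dict:// and friends
    if parts.username or parts.password:
        raise UnsafeUrl("credentials in URL")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise UnsafeUrl("host not allowlisted")  # the slide's 127.0.0.1:8080 fails here already
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        raise UnsafeUrl("port")
    if port not in (None, 80, 443):
        raise UnsafeUrl("port")
    try:
        ip = resolve(host)  # an allowlisted name can still point at an internal address
    except OSError:
        raise UnsafeUrl("unresolvable host")
    if not is_public_ip(ip):
        raise UnsafeUrl("resolves to an internal address")
    return url

def relay_response(content_type: str, body: bytes) -> tuple:
    """Never pass the upstream reply through raw: only expected media types, body only."""
    media = content_type.split(";")[0].strip().lower()
    if media not in ALLOWED_MEDIA:
        return 502, {"error": "unexpected upstream content"}
    return 200, {"content_type": media, "length": len(body)}
```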

Slide 62

In Closing

Slide 63

OWASP API Security Top 10
• Authentication & authorisation failures
• Business logic & resource abuse
• Configuration & infrastructure vulnerabilities

Slide 64

Security requires
• Defense in depth
• Testing with the mindset of an attacker
• Ongoing attention

Slide 65

Resources
• OWASP API Security Project website: owasp.org/www-project-api-security/
• REST Security Cheat Sheet: cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
• API Security news: apisecurity.io

Slide 66

“Securing APIs isn’t optional; it is the frontline defense for protecting data integrity and maintaining digital trust.”
Randy Barr, Cequence Security

Slide 67

Thank you!
slides: https://akrabat.com/7545
feedback: https://joind.in/talk/25432