OWASP API Security Top 10
Escape's default coverage. Every API scan maps findings to the OWASP API Security Top 10 (2023 edition), out of the box, without any configuration.
What We Cover
One-to-one mapping between each Top 10 category and Escape's built-in security tests:
- API1:2023 Broken Object Level Authorization (BOLA): dedicated agent and detectors, Proof of Exploit included.
- API2:2023 Broken Authentication: session hardening, token handling, multi-user testing.
- API3:2023 Broken Object Property Level Authorization: mass-assignment and excessive-exposure detectors.
- API4:2023 Unrestricted Resource Consumption: rate limits, timeouts, payload size bombs.
- API5:2023 Broken Function Level Authorization: role-based access checks across authenticated users.
- API6:2023 Unrestricted Access to Sensitive Business Flows: business-logic agent, workflow abuse.
- API7:2023 Server Side Request Forgery: dedicated SSRF detectors across REST and GraphQL.
- API8:2023 Security Misconfiguration: TLS posture, headers, CORS, debug endpoints.
- API9:2023 Improper Inventory Management: Shadow API discovery (see Shadow API Discovery).
- API10:2023 Unsafe Consumption of APIs: traffic inspection for trust-boundary violations.
How to Enable
Nothing to enable. OWASP API Top 10 coverage runs on every API scan by default. Filter the Issues view by the owasp-api-top-10 compliance tag to see the current posture.
What the Report Contains
Per asset: a table of the 10 categories, the findings in scope for each, and a pass/fail summary. Useful as a first-page executive summary in any API security posture review.