OWASP API Top 10: API3:2023
AL · Founder at SQUR · last verified 2026-06-20
Regulation text
Lack of, or improper, authorisation validation at the object property level. This leads to information exposure or manipulation by unauthorised parties (excessive data exposure and mass assignment combined): sensitive object properties are returned in API responses, or accepted in API requests, without authorisation.
ATT&CK techniques this article tests · 13
| Technique | Why it maps | Confidence |
|---|---|---|
| T1078 | An attacker uses a valid account to exploit object property authorization flaws, gaining access to unauthorized data or functions beyond their intended scope. This directly relates to the improper authorization validation at the object property level. | 90% |
| T1087 | Excessive data exposure in API responses reveals details about other user accounts or sensitive properties, aiding further reconnaissance and unauthorized discovery of system components. | 85% |
| T1530 | The API exposes sensitive data stored in cloud services due to improper object property authorization, allowing unauthorized parties to retrieve cloud-hosted information. | 80% |
| T1537 | Mass assignment allows an attacker to modify object properties to redirect sensitive data to their own cloud storage, facilitating data exfiltration to external accounts. | 75% |
| T1567 | Sensitive object properties are directly exfiltrated by an attacker through API responses that return excessive data, leading to unauthorized data transfer over web services. | 90% |
| T1485 | Mass assignment modifies critical object properties, leading to irreversible data loss or corruption, impacting data integrity and availability. | 70% |
| T1490 | An attacker modifies system recovery or backup settings through mass assignment, hindering restoration efforts and impacting system resilience. | 65% |
| T1565.001 | General collection of sensitive data from information repositories (e.g., databases) via API responses that exhibit excessive data exposure. | 85% |
| T1003 | API responses or mass assignment vulnerabilities expose system-level credentials stored within object properties, enabling credential dumping. | 70% |
| T1083 | Sensitive files and directories are discovered through excessive data exposure in API responses, revealing system structure and valuable targets. | 75% |
| T1020 | Automated scripts collect and exfiltrate large volumes of sensitive object properties exposed by the API, facilitating efficient data theft. | 80% |
| T1059 | Mass assignment allows injecting and executing arbitrary commands through API object properties, leading to command and scripting interpreter abuse. | 60% |
| T1098 | Mass assignment modifies user account properties, such as roles, permissions, or passwords, for privilege escalation or unauthorized account control. | 85% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1037 | Implement strict least privilege principles for API access, ensuring users and services can only interact with object properties explicitly authorized for their role. This prevents unauthorized property modification and data exposure. | 95% |
| M1038 | Ensure robust authorization checks are implemented at the object property level for all user accounts accessing API endpoints. This prevents both excessive data exposure and mass assignment vulnerabilities. | 90% |
| M1040 | Deploy Data Loss Prevention (DLP) solutions to monitor and prevent sensitive object properties from being exposed or exfiltrated in API responses. This protects against unauthorized data disclosure. | 85% |
| M1045 | Securely configure API endpoints and data models to explicitly define which object properties are readable or writable by specific roles. This prevents excessive data exposure and mass assignment by design. | 90% |
| M1046 | Conduct regular vulnerability scanning and penetration testing specifically targeting API authorization logic and data exposure flaws. This identifies and remediates object property vulnerabilities. | 80% |
| M1047 | Implement comprehensive logging and monitoring of API requests and responses for unauthorized access attempts or modifications of object properties. This enables detection of exploitation. | 85% |
| M1052 | Educate developers on secure coding practices, emphasizing the importance of granular authorization checks for object properties and preventing mass assignment. This reduces the introduction of flaws. | 75% |
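As an added illustration (not code from this page or from SQUR), the following Python models the two halves of API3 described in the regulation text, a handler that serialises the whole record and one that binds every request field, beside the per-role readable/writable allow-lists that M1038 and M1045 call for. The store contents, role names and property names are constructed assumptions; ownership checks (which object a caller may touch) are out of scope here.

```python
def sample_store():
    """Constructed sample record; the last three fields are the ones API3 leaks or
    lets a caller overwrite when properties are not individually authorised."""
    return {"u1": {"id": "u1", "email": "alice@example.test", "display_name": "Alice",
                   "role": "user", "is_admin": False, "password_hash": "PLACEHOLDER"}}

# Per-role allow-lists; any property not listed is denied, so password_hash is
# never readable and role/is_admin are never writable by an ordinary user.
READABLE = {"user": frozenset({"id", "email", "display_name"}),
            "admin": frozenset({"id", "email", "display_name", "role", "is_admin"})}
WRITABLE = {"user": frozenset({"email", "display_name"}),
            "admin": frozenset({"email", "display_name", "role", "is_admin"})}

class PropertyDenied(Exception):
    """Raised with the sorted list of properties the caller's role may not write."""

def get_user_vulnerable(store, user_id):
    # Serialises the whole record: excessive data exposure (CWE-200).
    return dict(store[user_id])

def update_user_vulnerable(store, user_id, payload):
    # Binds every request field onto the record: mass assignment (CWE-915).
    store[user_id].update(payload)
    return dict(store[user_id])

def denied_properties(caller_role, payload):
    """Request-body properties that the caller's role is not allowed to write."""
    return sorted(set(payload) - WRITABLE.get(caller_role, frozenset()))

def get_user(store, user_id, caller_role):
    # Hardened read: project the record onto the role's readable allow-list.
    allowed = READABLE.get(caller_role, frozenset())
    return {k: v for k, v in store[user_id].items() if k in allowed}

def update_user(store, user_id, caller_role, payload):
    # Hardened write: reject (rather than silently drop) unauthorised properties so
    # the attempt is visible to logging, then bind only the allow-listed fields.
    denied = denied_properties(caller_role, payload)
    if denied:
        raise PropertyDenied(denied)
    store[user_id].update(payload)
    return get_user(store, user_id, caller_role)
```

Rejecting rather than dropping unknown properties gives the logging called for in M1047 a concrete event to record.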
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-200 | This CWE directly addresses the 'excessive data exposure' aspect of API3, where sensitive information is returned to an unauthorized actor via API responses. | 95% |
| CWE-915 | This CWE directly addresses the 'mass assignment' aspect of API3, where dynamically-determined object attributes can be improperly modified by an attacker. | 95% |
| CWE-862 | This CWE covers scenarios where authorization checks are entirely absent for specific object properties, allowing any authenticated user to access or modify them. | 90% |
| CWE-863 | This CWE covers situations where authorization checks are present but flawed, leading to incorrect decisions that permit unauthorized access or manipulation of object properties. | 90% |
| CWE-639 | This CWE is relevant if an attacker can manipulate object IDs or keys to bypass authorization and access or modify properties belonging to other users or entities. | 80% |
| CWE-269 | This CWE applies when improper authorization at the object property level allows a user to escalate privileges by modifying their own or another user's role or permissions. | 85% |
| CWE-749 | This CWE is relevant if internal or dangerous methods/functions related to object property manipulation are exposed via the API, allowing unauthorized invocation. | 75% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0180 compute · voice-rubric self-validated · 2 hallucination(s) dropped at validation