OWASP API Top 10, API4:2023 (Unrestricted Resource Consumption)
AL, Founder at SQUR · last verified 2026-06-20 · voice-validated
Regulation text
Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Other resources, such as emails/SMS/phone calls or biometrics validation, are made available by service providers via API integrations and paid for per request. Successful attacks can lead to Denial of Service or an increase in operational costs.
ATT&CK techniques this article tests · 0
| Technique | Why it maps | Confidence |
|---|---|---|
Defending mitigations · 0
| Mitigation | What it does | Confidence |
|---|---|---|
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-770 | 1. This CWE directly describes the core vulnerability of 'Allocation of Resources Without Limits or Throttling', which is the root cause of API4:2023. 2. European organisations must implement strict resource limits. | 100% |
| CWE-400 | 1. This CWE broadly covers 'Uncontrolled Resource Consumption', encompassing CPU, memory, bandwidth, and other resources mentioned in API4:2023. 2. It is a fundamental weakness leading to DoS. | 100% |
| CWE-20 | 1. Improper input validation allows attackers to submit requests that trigger resource-intensive operations, directly contributing to the issues in API4:2023. 2. Robust validation is crucial for API security. | 90% |
| CWE-307 | 1. Improper restriction of excessive authentication attempts can exhaust external services (e.g., SMS, email) or CPU resources for hashing, leading to increased operational costs as per API4:2023. 2. This targets specific external dependencies. | 90% |
| CWE-799 | 1. This CWE, 'Improper Control of Interaction Frequency', directly addresses the lack of rate limiting or throttling mechanisms, a primary cause of unrestricted resource consumption in API4:2023. 2. Implementing rate limits is a key defense. | 100% |
| CWE-404 | 1. Improper resource shutdown or release can lead to resource accumulation and eventual exhaustion, contributing to the DoS scenarios described in API4:2023. 2. Efficient resource management is essential. | 80% |
| CWE-613 | 1. Insufficient session expiration can allow attackers to maintain long-lived sessions, tying up server resources over extended periods, contributing to resource exhaustion as per API4:2023. 2. Proper session management reduces attack surface. | 60% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0175 compute · voice-rubric self-validated