OWASP_API_TOP10API5:2023voice-validated
OWASP_API_TOP10 API05: API5:2023
OWASP_API_TOP10
AL
Founder at SQUR · last verified 2026-06-20
Regulation text
Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorisation flaws. By exploiting these issues, attackers can gain access to other users' resources and/or administrative functions.
ATT&CK techniques this article tests · 0
| Technique | Why it maps | Confidence |
|---|
Defending mitigations · 5
| Mitigation | What it does | Confidence |
|---|---|---|
| M1035 | 1. Limit access to resources by implementing robust authorization checks at every API endpoint. This directly prevents unauthorized access to resources and functions, addressing API5:2023. | 90% |
| M1038 | 2. Implement stringent user account management, including role-based access control (RBAC) and attribute-based access control (ABAC). This ensures proper authorization assignment and prevents API5:2023 flaws. | 90% |
| M1056 | 3. Employ privileged account management for administrative functions, enforcing least privilege and separation of duties. This mitigates the risk of administrative function exploitation in API5:2023. | 90% |
| M1047 | 5. Implement comprehensive logging and auditing of all access attempts and authorization decisions. This enables detection of authorization bypasses and exploitation attempts related to API5:2023. | 80% |
| M1043 | 6. Enforce multi-factor authentication (MFA) for all users, especially for administrative access. This strengthens authentication, reducing the likelihood of initial access that could lead to API5:2023 exploitation. | 70% |
Underlying weaknesses · 6
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-285 | 1. Improper Authorization: The core weakness described by API5:2023, where an application fails to correctly enforce authorization rules. | 100% |
| CWE-863 | 2. Incorrect Authorization: The application's authorization logic contains errors, allowing unauthorized access to resources or functions, directly aligning with API5:2023. | 100% |
| CWE-862 | 3. Missing Authorization: An authorization check is entirely absent for a specific function or resource, a direct cause of API5:2023 vulnerabilities. | 100% |
| CWE-639 | 4. Authorization Bypass Through User-Controlled Key: Attackers manipulate identifiers to access unauthorized resources, a common scenario for API5:2023. | 90% |
| CWE-269 | 5. Improper Privilege Management: Flaws in how user privileges are defined, assigned, or enforced, leading to privilege escalation as described in API5:2023. | 90% |
| CWE-284 | 7. Improper Access Control: A broader category encompassing authorization failures, where the system fails to restrict access to resources. This is fundamental to API5:2023. | 80% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0180 compute · voice-rubric self-validated · 3 hallucination(s) dropped at validation