OWASP_API_TOP10 · API10:2023 Unsafe Consumption of APIs · voice-validated
AL, Founder at SQUR · last verified 2026-06-20
Regulation text
Developers tend to trust data received from third-party APIs more than user input, and so tend to adopt weaker security standards. To compromise APIs, attackers go after integrated third-party services instead of trying to compromise the target API directly.
ATT&CK techniques this article tests · 0
| Technique | Why it maps | Confidence |
|---|---|---|
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1051 | Implementing supply chain risk management directly addresses the threat from integrated third-party services, as per API10:2023. | 100% |
| M1053 | Robust API security measures are essential for all APIs, including third-party integrations, as emphasized by API10:2023. | 100% |
| M1035 | Limiting network access for third-party APIs reduces the attack surface and potential impact, as implied by API10:2023. | 90% |
| M1047 | Auditing third-party API interactions detects anomalous behavior and potential compromises, addressing API10:2023 concerns. | 90% |
| M1050 | Regular vulnerability scanning of third-party APIs identifies and remediates weaknesses before exploitation, as per API10:2023. | 90% |
| M1038 | Network segmentation isolates third-party API access, minimizing the blast radius of a compromise, as implied by API10:2023. | 90% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-287 | Third-party APIs often exhibit improper authentication, making them vulnerable to compromise, as described in API10:2023. | 100% |
| CWE-863 | Incorrect authorization grants excessive permissions to third-party services, enabling broader attacks, as highlighted by API10:2023. | 100% |
| CWE-20 | Improper input validation in third-party APIs allows attackers to inject malicious data, as implied by API10:2023. | 90% |
| CWE-502 | Deserialization of untrusted data in third-party API communications can lead to remote code execution, a risk in API10:2023. | 90% |
| CWE-918 | Server-Side Request Forgery (SSRF) in third-party APIs allows attackers to access internal resources, as per API10:2023. | 90% |
| CWE-200 | Exposure of sensitive information occurs through compromised or misconfigured third-party APIs, a concern in API10:2023. | 90% |
| CWE-732 | Incorrect permission assignments for third-party APIs grant them undue access to critical resources, as highlighted by API10:2023. | 90% |
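The regulation text above and the CWE-20, CWE-502 and CWE-918 rows come down to one defensive habit: treat a partner API's response exactly like user input. The following Python is an added example, not SQUR's or OWASP's code; the accepted field schema, the size limit and the sample partner payloads are constructed for illustration.

```python
from __future__ import annotations
import ipaddress
import json
from urllib.parse import urlparse

# Constructed for this example: the only fields we will accept from the partner.
EXPECTED_FIELDS = {"user_id": int, "display_name": str, "avatar_url": str}
MAX_BODY_BYTES = 64 * 1024  # bound what we are willing to parse from a partner


def is_safe_external_url(url: str) -> bool:
    """Reject URLs that would make our server fetch internal targets (CWE-918)."""
    parts = urlparse(url)
    host = parts.hostname
    if parts.scheme != "https" or not host:
        return False
    if host == "localhost" or host.endswith(".internal"):
        return False
    try:
        return ipaddress.ip_address(host).is_global  # literal IP: must be public
    except ValueError:
        return True  # DNS name; pin its resolution at fetch time, not here


def validate_partner_payload(raw: bytes) -> dict:
    """Parse and validate a third-party API body as if it were user input (CWE-20)."""
    if len(raw) > MAX_BODY_BYTES:
        raise ValueError("response body exceeds size limit")
    try:
        data = json.loads(raw)  # json.loads only; never pickle/yaml.load partner data (CWE-502)
    except json.JSONDecodeError as exc:
        raise ValueError("response is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object")
    clean = {}
    for key, expected_type in EXPECTED_FIELDS.items():
        if key not in data or type(data[key]) is not expected_type:
            raise ValueError(f"field {key!r} missing or wrong type")
        clean[key] = data[key]  # unknown fields are dropped, not forwarded downstream
    if not is_safe_external_url(clean["avatar_url"]):
        raise ValueError("avatar_url must be https and point outside our network")
    return clean


def consume_partner_response(raw: bytes) -> tuple[dict | None, str]:
    """Fail closed: return (data, 'ok') or (None, reason) so rejections can be logged."""
    try:
        return validate_partner_payload(raw), "ok"
    except ValueError as exc:
        return None, str(exc)
```

The rejection reason is what an audit (M1047) should log: a partner that suddenly starts sending wrong types, oversized bodies or internal URLs is a signal of compromise, not just a bug.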
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0177 compute · voice-rubric self-validated