The table below details the finding codes.
Finding name | Finding code | Description |
---|---|---|
Unauthenticated endpoints | firetail:authenticated-endpoint-removed.json | An endpoint that previously required authentication has been changed to no longer require authentication. |
Numeric IDs | owasp:api1:2019-no-numeric-ids.json | An endpoint is using a numeric parameter for identifying resources. |
Insecure auth scheme | owasp:api2:2019-auth-insecure-schemes.json | An endpoint has an insecure authentication scheme set. |
Non-standard JSON Web Token | owasp:api2:2019-jwt-best-practices.json | An endpoint is using JSON Web Tokens (JWT) that do not adhere to best current practices detailed in RFC8725. |
API key in URL | owasp:api2:2019-no-api-keys-in-url.json | An endpoint is using URL parameters to pass in API keys. |
Credentials in URL | owasp:api2:2019-no-credentials-in-url.json | An endpoint is using URL parameters to pass in credentials. |
Basic HTTP auth | owasp:api2:2019-no-http-basic.json | An endpoint is using Basic HTTP authentication. |
Missing global security | owasp:api2:2019-protection-global-safe.json | An endpoint was found that is not protected by any security scheme. |
Missing authentication | owasp:api2:2019-protection-global-unsafe-strict.json | An operation is missing authentication. |
Missing global security | owasp:api2:2019-protection-global-unsafe.json | An endpoint was found that is not protected by any security scheme. |
Missing 401 response | owasp:api3:2019-define-error-responses-401.json | An endpoint is missing the definition for a 401 response. |
Missing 500 response | owasp:api3:2019-define-error-responses-500.json | An endpoint is missing the definition for a 500 response. |
Missing 4xx response | owasp:api3:2019-define-error-validation.json | An endpoint is missing the definition for a 4xx response. |
Missing array limit | owasp:api4:2019-array-limit.json | An endpoint is returning an array of items without having a specified limit on the maximum number of items that can be returned. |
Undefined integer format | owasp:api4:2019-integer-format.json | An endpoint is missing format information for an integer parameter. |
Legacy integer limit | owasp:api4:2019-integer-limit-legacy.json | An endpoint is using legacy limits for an integer parameter. |
Undefined integer limit | owasp:api4:2019-integer-limit.json | An endpoint is missing limit information for an integer parameter. |
Missing 429 response | owasp:api4:2019-rate-limit-response-429.json | An endpoint is missing a rate limit response. |
Missing retry header | owasp:api4:2019-rate-limit-retry-after.json | An endpoint is missing the Retry-After header for 429 responses. |
Missing rate limit headers | owasp:api4:2019-rate-limit.json | An endpoint is missing rate limit headers in 2xx and 4xx responses. |
Undefined string limit | owasp:api4:2019-string-limit.json | An endpoint is missing limit information for a string parameter. |
Unrestricted string | owasp:api4:2019-string-restricted.json | An endpoint is missing restrictions for a string parameter. |
Unconstrained additional properties | owasp:api6:2019-constrained-additionalProperties.json | An endpoint allows for unconstrained additional properties. |
Missing additional properties | owasp:api6:2019-no-additionalProperties.json | An endpoint is missing the setting for additional properties. |
Insecure host (OAS2) | owasp:api7:2019-security-hosts-https-oas2.json | The host is specified with an insecure protocol (HTTP). |
Insecure host (OAS3) | owasp:api7:2019-security-hosts-https-oas3.json | The host is specified with an insecure protocol (HTTP). |
To learn how to view findings and understand the information they contain, go to Findings overview.
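The following is an added example, not FireTail's own scanner, showing how a handful of the finding codes in the table map onto concrete properties of an OpenAPI 3 document. It implements seven of the checks (insecure HTTPS host, API key in URL, Basic HTTP auth, missing global security, missing 429 response, missing Retry-After header, undefined integer limit) as a simplified reading of the descriptions above; it does not resolve `$ref`, and the two specs it lints are constructed inline for illustration.

```python
"""Minimal OpenAPI 3 linter for a subset of the finding codes in the table.

Added example, not FireTail's implementation. The checks are a simplified
reading of the finding descriptions (no $ref resolution, OpenAPI 3 only).
"""
from __future__ import annotations

from typing import Any

HTTP_METHODS = ("get", "put", "post", "delete", "patch", "options", "head")


def lint(spec: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (finding code, location) pairs for the checks implemented here."""
    findings: list[tuple[str, str]] = []

    # owasp:api7:2019-security-hosts-https-oas3 - server URL uses plain HTTP
    for i, server in enumerate(spec.get("servers", [])):
        if server.get("url", "").lower().startswith("http://"):
            findings.append(("owasp:api7:2019-security-hosts-https-oas3", f"servers[{i}]"))

    # Security scheme checks; OpenAPI 3 keeps schemes under components
    schemes = spec.get("components", {}).get("securitySchemes", {})
    for name, scheme in schemes.items():
        loc = f"components.securitySchemes.{name}"
        if scheme.get("type") == "apiKey" and scheme.get("in") == "query":
            findings.append(("owasp:api2:2019-no-api-keys-in-url", loc))
        if scheme.get("type") == "http" and scheme.get("scheme", "").lower() == "basic":
            findings.append(("owasp:api2:2019-no-http-basic", loc))

    global_security = spec.get("security")  # None when the root has no security
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            loc = f"{method.upper()} {path}"

            # owasp:api2:2019-protection-global-unsafe - the operation neither
            # declares security itself nor inherits a non-empty global list
            if not op.get("security", global_security):
                findings.append(("owasp:api2:2019-protection-global-unsafe", loc))

            # Rate limit response checks (api4)
            responses = op.get("responses", {})
            if "429" not in responses:
                findings.append(("owasp:api4:2019-rate-limit-response-429", loc))
            elif "Retry-After" not in responses["429"].get("headers", {}):
                findings.append(("owasp:api4:2019-rate-limit-retry-after", loc))

            # owasp:api4:2019-integer-limit - integer parameter without bounds
            for param in item.get("parameters", []) + op.get("parameters", []):
                schema = param.get("schema", {})
                if schema.get("type") == "integer" and not (
                    "minimum" in schema and "maximum" in schema
                ):
                    findings.append(
                        ("owasp:api4:2019-integer-limit", f"{loc} param {param.get('name')}")
                    )
    return findings


# Constructed spec carrying several of the weaknesses the table describes.
WEAK_SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "servers": [{"url": "http://api.example.test/v1"}],
    "components": {"securitySchemes": {
        "keyInQuery": {"type": "apiKey", "in": "query", "name": "api_key"},
        "basic": {"type": "http", "scheme": "basic"},
    }},
    "paths": {"/users/{id}": {"get": {
        "parameters": [{"name": "id", "in": "path", "required": True,
                        "schema": {"type": "integer"}}],
        "responses": {"200": {"description": "ok"}},
    }}},
}

# Constructed hardened counterpart: HTTPS host, bearer JWT applied globally,
# bounded integer parameter, and a 429 response that carries Retry-After.
HARDENED_SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.test/v1"}],
    "components": {"securitySchemes": {
        "bearer": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
    }},
    "security": [{"bearer": []}],
    "paths": {"/users/{id}": {"get": {
        "parameters": [
            {"name": "id", "in": "path", "required": True,
             "schema": {"type": "string", "maxLength": 36, "pattern": "^[0-9a-f-]+$"}},
            {"name": "limit", "in": "query",
             "schema": {"type": "integer", "minimum": 1, "maximum": 100}},
        ],
        "responses": {
            "200": {"description": "ok"},
            "401": {"description": "unauthenticated"},
            "429": {"description": "rate limited",
                    "headers": {"Retry-After": {"schema": {"type": "integer"}}}},
        },
    }}},
}


if __name__ == "__main__":
    for code, where in lint(WEAK_SPEC):
        print(f"{code}\t{where}")
    print("hardened spec findings:", lint(HARDENED_SPEC))
```

Run against `WEAK_SPEC` the linter reports six findings (insecure host, API key in URL, Basic auth, missing global security, missing 429 response, undefined integer limit); the hardened spec produces none. The `Retry-After` check only fires once a 429 response exists, which mirrors how the two rate-limit codes in the table are distinguished.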