BOLA.api
An endpoint hands out any userโs records if you guess the ID. Add object-level authorization checks so users can only reach their own data.
Map your API security training to the OWASP API Security Top 10 (2023). Developers fix BOLA, broken authentication, SSRF and more in real APIs โ the same flaws behind the breaches that make headlines.
APIs are the largest attack surface in modern products, and the OWASP API Security Top 10 (2023) is the standard for securing them. Every challenge below is a real API with a real vulnerability: developers fix it without breaking functionality, and every verified fix becomes reportable evidence of API security capability.
APIs that expose object IDs without checking the caller is allowed to access that object โ the most common API attack.
Flawed token, password and session mechanisms that let attackers take over accounts.
Excessive data exposure and mass assignment: APIs that return or accept object properties the caller should never touch.
Missing rate limits and quotas that let attackers exhaust CPU, memory, bandwidth or your bill.
Admin and privileged endpoints reachable by regular users because function-level checks are missing.
Legitimate business flows โ purchasing, booking, posting โ abused at scale because nothing limits automated access.
APIs that fetch attacker-supplied URLs, letting requests reach internal services and cloud metadata.
Unhardened API infrastructure: verbose errors, permissive CORS, debug endpoints and discovery features left on.
Assign these challenges to your team as learning pathways, track verified fixes, and report OWASP API Top 10 coverage to auditors, customers and the board โ with evidence, not attendance sheets.