OWASP API Top 10:2023
Vulkro covers all ten categories of the OWASP API Security Top 10:2023, plus the LLM Top 10 (LLM01 prompt injection, LLM06 PII in prompts).
| ID | Category | Notes |
|---|---|---|
| API1 | Broken Object Level Authorization | IDOR / BOLA - endpoints accept caller-controlled IDs without scoping checks. Highest-frequency category in real-world breaches. |
| API2 | Broken Authentication | Missing auth, weak auth, sessions accepting forged tokens, JWT alg-confusion. |
| API3 | Broken Object Property Level Authorization | Mass-assignment / unbounded request body; clients can write fields they shouldn't (e.g. is_admin: true). |
| API4 | Unrestricted Resource Consumption | Missing rate limits, unbounded query results, expensive search-without-pagination. |
| API5 | Broken Function Level Authorization | Privileged endpoints accessible to lower-privilege roles. |
| API6 | Unrestricted Access to Sensitive Business Flows | Bot abuse: ticket scalping, signup fraud, account takeover via password reset. |
| API7 | Server Side Request Forgery (SSRF) | User-controlled URL fed to a server-side HTTP client. |
| API8 | Security Misconfiguration | CORS reflects origin + credentials, debug mode on, default secrets, insecure cookies. |
| API9 | Improper Inventory Management | Undocumented / shadow endpoints, OpenAPI spec drift, unprotected admin paths. |
| API10 | Unsafe Consumption of APIs | Trusting upstream API responses without validation; SSRF-style misuse. |
How to read a finding
Every finding emitted by vulkro scan carries:
- category - one of BrokenObjectLevelAuth, BrokenAuthentication, etc.
- severity - Critical | High | Medium | Low.
- confidence - High | Medium | Low.
- confidence_reason - a one-line explanation. Example: "taint flowed from req.body to db.query without sanitiser" or "runtime-confirmed via active probe".
- compliance_controls - a list of framework controls this finding relates to.
Beyond OWASP API: specialised detectors
Vulkro ships 50+ specialised detectors that don't always map cleanly to the OWASP categories:
- Crypto weakness - md5 / sha1 / ECB / static IV / Math.random for secrets / pickle deserialisation.
- Webhook signature bypass - patterns where signature verification is skipped or comparison is non-constant-time.
- Slopsquat-style typosquatted packages - react-dom-extra, requets, lodahs, etc.
- GraphQL safe-pattern checks - schema-suggestions enabled in prod, introspection over public endpoint.
- Prompt injection / PII in prompt - LLM01 / LLM06.
- Inline secrets in URLs - ?token=... in source / git history.