Home/Compliance
owasp-api-2023

owasp-api-2023. Security Controls

10 controls · cross-mapped to ATT&CK techniques
Translate between regulatory language and what attackers actually do. Each control maps to MITRE ATT&CK techniques; open a control to see those techniques and whether we hold detection coverage for them.
NIST 800-53 (1246)NIST CSF (106)ISO 27001:2022 (93)PCI-DSS v4.0 (75)CIS v8.1 (62)CRI Profile (60)CSA CCM v4 (57)SOC 2 TSC (57)OWASP API (10)OWASP Mobile (10)OWASP Web (10)
10
Total controls
0%
Detection coverage
0
Covered controls
10
Coverage gaps
▤ Export audit (CSV) Coverage report Self-assessment Show gaps only
▶ Check your own detection coverage

Paste the ATT&CK technique IDs you have Sigma/YARA rules for (one per line, e.g. T1059, T1190). The controls below will update to show YOUR coverage instead of ours.

Red team insight A owasp-api-2023 compliant org should have detection for the green-tagged techniques below. Controls showing no technique coverage are likely blind spots. Use gaps view to enumerate unmonitored attack paths.

Controls

10 shown of 10
API10:2023
Unsafe Consumption of APIs
Developers tend to trust data received from third-party APIs more than user input, leading to weaker security standards.
family A framework owasp-api-2023
API1:2023
Broken Object Level Authorization
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of Object Level Access Control issues.
family A framework owasp-api-2023
API2:2023
Broken Authentication
Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens.
family A framework owasp-api-2023
API3:2023
Broken Object Property Level Authorization
This combines API3:2019 Excessive Data Exposure and API6:2019 Mass Assignment, focusing on object property authorization.
family A framework owasp-api-2023
API4:2023
Unrestricted Resource Consumption
Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Sometimes consumed by paid integrations.
family A framework owasp-api-2023
API5:2023
Broken Function Level Authorization
Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws.
family A framework owasp-api-2023
API6:2023
Unrestricted Access to Sensitive Business Flows
APIs vulnerable to this risk expose a business flow without compensating for how the functionality could harm the business if used excessively in an automated manner.
family A framework owasp-api-2023
API7:2023
Server Side Request Forgery
SSRF flaws can occur when an API is fetching a remote resource without validating the user-supplied URI.
family A framework owasp-api-2023
API8:2023
Security Misconfiguration
APIs and the systems supporting them typically contain complex configurations. Misconfigurations can be exploited.
family A framework owasp-api-2023
API9:2023
Improper Inventory Management
APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important.
family A framework owasp-api-2023
Showing 1-10 of 10
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin