This is an early access version; the complete PDF, HTML, and XML versions will be available soon.
Open Access | Systematic Review
Bridging the Gap in Web API Security: A Systematic Review of Vulnerabilities, Misuse Patterns, and Developer Challenges
1 Department of Computer Science, University of Idaho, Moscow, ID 83843, USA
2 Computer and Information Science Department, Jouf University, Sakaka 72341, Aljouf, Saudi Arabia
3 Department of Information Technology, Taif University, Taif 21944, Saudi Arabia
* Author to whom correspondence should be addressed.
Software 2026, 5(2), 25; https://doi.org/10.3390/software5020025 (registering DOI)
Submission received: 9 April 2026 / Revised: 28 May 2026 / Accepted: 4 June 2026 / Published: 12 June 2026
Abstract
Web Application Programming Interfaces (Web APIs) have become fundamental components of modern software ecosystems. At the same time, they have emerged as major attack surfaces in web applications and distributed services. Although many web API vulnerabilities are well documented, a critical gap remains in understanding how insecure development practices, usability limitations, and developer-related issues contribute to recurring API security problems. To address this gap, this study presents a systematic review of web API security research using a PRISMA-guided methodology and a taxonomy-driven analytical approach. The review synthesizes findings from 50 selected studies covering web API architectural styles, usability concerns, authentication and access-control weaknesses, and common vulnerabilities. These vulnerabilities include SQL Injection (SQLi), Cross-Site Scripting (XSS), Broken Authentication, and Denial-of-Service (DoS) attacks within the context of the OWASP API Security Top 10 framework. The findings indicate that recurring web API vulnerabilities are associated not only with technical weaknesses but also with API usability issues, insecure development practices, inconsistent security guidance, and increasing implementation complexity. The review also identifies persistent research gaps involving usability-security integration, API evolution, secure-by-design development practices, and empirical validation of security tools and frameworks. By synthesizing these dimensions into a unified conceptual perspective, this study provides researchers and practitioners with a clearer understanding of the factors contributing to web API insecurity. The study also highlights directions for developing more resilient and developer-aware API security practices.
Share and Cite
MDPI and ACS Style: Almjnoony, A.; Alshamrani, R.; Alves-Foss, J.; Sheldon, F.T. Bridging the Gap in Web API Security: A Systematic Review of Vulnerabilities, Misuse Patterns, and Developer Challenges. Software 2026, 5, 25. https://doi.org/10.3390/software5020025
AMA Style: Almjnoony A, Alshamrani R, Alves-Foss J, Sheldon FT. Bridging the Gap in Web API Security: A Systematic Review of Vulnerabilities, Misuse Patterns, and Developer Challenges. Software. 2026; 5(2):25. https://doi.org/10.3390/software5020025
Chicago/Turabian Style: Almjnoony, Ayman, Rayan Alshamrani, Jim Alves-Foss, and Frederick T. Sheldon. 2026. "Bridging the Gap in Web API Security: A Systematic Review of Vulnerabilities, Misuse Patterns, and Developer Challenges" Software 5, no. 2: 25. https://doi.org/10.3390/software5020025
APA Style: Almjnoony, A., Alshamrani, R., Alves-Foss, J., & Sheldon, F. T. (2026). Bridging the Gap in Web API Security: A Systematic Review of Vulnerabilities, Misuse Patterns, and Developer Challenges. Software, 5(2), 25. https://doi.org/10.3390/software5020025