OWASP has merged 2013-A4: Insecure Direct Object References and 2013-A7: Missing Function Level Access Control back into 2017- A4: Broken Access Control.
In 2007, OWASP split Broken Access Control into these two categories to bring more attention to each half of the access control problem (data and functionality). They no longer feel that it was necessary and have decided merged them back together.
2013-A4: Insecure Direct Object References:
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
2013-A7: Missing Function Level Access Control:
Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
Dropped: 2013-A10: Unvalidated Redirects and Forwards:
In 2010, OWASP added this category to raise awareness about this problem. However, data shows that this issue isn’t as prevalent as was expected. After being in the last two releases of Top 10, this time it didn’t make the cut.
2017-A7: Insufficient Attack Protection:
Detecting, responding to, and blocking attacks make applications dramatically harder to exploit yet almost no applications or APIs have such protection. Critical vulnerabilities in both custom code and components are also discovered all the time, yet organizations frequently take weeks or even months to roll out new defenses.
2017-A10: Underprotected APIs:
Testing your APIs for vulnerabilities should be similar to testing the rest of your application for vulnerabilities. Different types of injection, authentication, access control, encryption, configuration, and other issues can exist in APIs just as in a traditional application.