I still remember when websites were just... websites? The days when you’d be redirected to a customer support contact person to make a purchase. Those days are long gone. Today, everything you do is online, from something as complex as checking your bank balance to simply ordering coffee, all these happen through APIs. But like they say, with every great innovation comes even greater threats (I know no one says that, but maybe they should!)
As I was going through the OWASP Top 10 for APIs, I noticed they’re not only everywhere, but also very vulnerable.
So in this article, I’ll be talking about API security flaws according to OWASP and how to make them not so vulnerable when integrating them.
API stands for Application Programming Interface, but that's not helpful, is it?
I think of API as an ATM. I don't walk into the bank vault to grab my cash, instead, I use the ATM interface, enter my PIN, request what I need, and the ATM communicates with the bank's systems to verify my identity and deliver exactly what I’m authorized to receive. The ATM is the API, the secure middleman between me and my money.
APIs ensure the flow of data between the user interface and the backend. When I tap "show balance" in my banking app, an API fetches that number from the bank's servers. When I post on social media, an API carries my brilliant thoughts to the database.
APIs can become dangerous when an application’s backend functionalities are exposed to users using the APIs. Essentially, the APIs shouldn’t grant or deliver these confidential features to the users even if they request for it.
APIs are different from traditional web applications in that:
API vulnerabilities often expose more data than traditional web vulnerabilities. When a web page has XSS, you might lose a session cookie. When an API has broken authorization, you might lose your entire database.
OWASP released their API Security Top 10, and it's different from the web application list (Check out my article on OWASP Top 10 for Web Apps.) These vulnerabilities are specific to how APIs work and how they're attacked.
This is basically IDOR (Insecure Direct Object Reference) for APIs, and it's first for a reason.
So after authenticating as user Mel, I can access another user's info. Sound familiar? It should, since it's the same concept as IDOR in web apps, but it's even more common in APIs.
GET /api/users/123/profile (Mel's profile)
GET /api/users/124/profile (Someone else's profile)
The problem here is authorization, not authentication. I (Mel) am properly authenticated (the API knows who I am), but the authorization is broken (the API doesn't check if I can access user 124's data).
This access control should be enforced at the application logic design phase.
If BOLA is about "can this user access this data?", Broken Authentication is about "is this really the user they claim to be?"
I’m talking about:
This one's interesting because it's actually a combination of two problems:
PUT /api/users/me
{
"name": "Mel",
"email": "mel@example.com",
"role": "admin" // other users shouldn't be able to set this!
}
GET /api/users/search?name=Mel
Response:
{
"id": 123,
"name": "Mel",
"email": "mel@example.com",
"password_hash": "...", // Shouldn't be here!
"ssn": "123-45-6789", // Shouldn't be here!
"credit_score": 750 // Shouldn't be here!
}
APIs are designed for machine-to-machine conversation. They're built to withstand many requests at once. But obviously, the fact that they are designed for machine-to-machine doesn’t mean that’s what always happens. Most often than not, this property of APIs is abused, and without proper controls, attackers can:
Examples of said abuses include:
This is about the abuse of API endpoints by using methods users shouldn't have access to. Like replacing passive methods (GET) with active ones (PUT, DELETE).
GET /api/invoices/123 (View invoice - allowed)
DELETE /api/invoices/123 (Delete invoice - should not be allowed!)
GET /api/users/balance (Check balance - allowed)
PUT /api/users/balance (Modify balance - shouldn’t be allowed)
An API endpoint is a specific URL where an API can be accessed by a client, it's where you send your requests to get or manipulate data. I’ll remember it if I think of it as a specific department in a company: just as I’d go to HR for employee info or Accounting for invoices, I’d hit /api/users to get user data or /api/invoices for invoice information.
Each endpoint typically handles one specific function (like GET /api/users/123 retrieves user 123's info, while DELETE /api/users/123 removes that user), and together, all these endpoints make up the complete API that applications use to talk to each other.
This is about the abuse of legitimate business flows through automation.
This means:
These are legitimate functions being used in illegitimate ways. Rate limiting and CAPTCHAs aren't always effective because the attackers might use distributed systems or solve CAPTCHAs programmatically.
API endpoints that accept URLs as input can be exposed to SSRF vulnerabilities. The API requests a URL, but the URL provided contains a command or points to internal resources.
For example:
POST /api/fetch-image
{
"url": "http://internal-server/admin/delete-everything"
}
Instead of fetching an innocent image, your API just triggered an internal admin function.
What attackers can do:
This covers vulnerabilities from... well, misconfiguring things. It's usually what bots are looking for:
Common misconfigurations:
This one got me giggling a bit because it seems so insignificant, yet it's part of the top 10 security concerns when it comes to APIs.
You can't secure what you don't know exists. You need an appropriate, all-round view of your API environment:
Attackers are vigilant, checking how you handle API updates. They check for:
This exposes the risk of using third-party APIs. Your API might be secure, but what about the APIs you consume?
You're not just managing your own APIs anymore, but we’re relying more on external APIs whose security posture you can't fully control or even assess.
That payment processor API you integrated last year?
The social media authentication service?
The analytics platform?
Each one is a potential blind spot in your security inventory.
For example, if your application uses address information and you use a third-party API for address validation. An attacker might:
You can’t have a secure house but trust a sketchy locksmith with your keys now, can you?
After going through these vulnerabilities, I've realized API security requires a different mindset than traditional web security:
As I continue exploring API security, I'm struck by how critical yet overlooked it is. We spend so much time securing our web applications, but APIs often handle more sensitive operations with less security scrutiny.
The OWASP API Security Top 10 isn't just another list to memorize but a wake-up call. APIs are the new battleground for cybersecurity, and we need to treat them with the respect (and security controls) they deserve.
And remember: every API endpoint is a door into your system. Make sure you know where all your doors are, who has the keys, and what's behind them.