Explains the 10 most critical security risks specific to APIs and how to mitigate them.
A ranking of API-specific security risks published by OWASP (Open Worldwide Application Security Project). The 2023 edition provides the latest list reflecting threats that have increased with the widespread adoption of APIs.
A vulnerability that allows unauthorized access to other users' data by manipulating object IDs. It is known as the most frequently occurring and easiest to exploit vulnerability.
Attackers can access other users' personal information, payment details, order history, and more simply by changing the ID in the URL or request parameters.
// Receives ID and returns data directly - no authorization check app.get('/api/users/:id/orders', async (req, res) => { const orders = await Order.find({ userId: req.params.id }); res.json(orders); });
// Verify against authenticated user's ID for authorization check app.get('/api/users/:id/orders', authenticate, async (req, res) => { if (req.user.id !== req.params.id && !req.user.isAdmin) { return res.status(403).json({ error: 'Forbidden' }); } const orders = await Order.find({ userId: req.params.id }); res.json(orders); });
A vulnerability that allows attackers to take over legitimate user accounts due to flawed authentication mechanism implementations.
Weak password policies, improper token management, lack of brute-force protection, inadequate session management, and more.
const jwt = require('jsonwebtoken'); function authenticate(req, res, next) { const token = req.headers.authorization?.split(' ')[1]; if (!token) return res.status(401).json({ error: 'Token required' }); try { // Explicitly specify algorithm (prevents alg: none attack) const decoded = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'], issuer: 'your-app', }); req.user = decoded; next(); } catch (err) { res.status(401).json({ error: 'Invalid token' }); } }
A vulnerability where access control over the properties (fields) of objects included in API responses is insufficient. This item combines Excessive Data Exposure and Mass Assignment.
// Return only public fields from the user object function sanitizeUser(user, requesterId) { const publicFields = { id: user.id, name: user.name, avatar: user.avatar }; // Only the owner can see additional fields if (requesterId === user.id) { publicFields.email = user.email; publicFields.phone = user.phone; } return publicFields; // ❌ return user; would leak password_hash etc. }
A vulnerability where there are no limits on API request size, frequency, or resource consumption, leading to DoS attacks or cost surges.
const rateLimit = require('express-rate-limit'); // Global rate limiting app.use(rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 100, // Maximum 100 requests standardHeaders: true, })); // Payload size limit app.use(express.json({ limit: '10kb' })); // Pagination upper limit app.get('/api/items', (req, res) => { const limit = Math.min(parseInt(req.query.limit) || 20, 100); // ... });
A vulnerability where proper access control is not implemented for admin functions and endpoints, allowing regular users to perform administrative operations.
function authorize(...roles) { return (req, res, next) => { if (!roles.includes(req.user.role)) { return res.status(403).json({ error: 'Insufficient permissions' }); } next(); }; } // Admin only access app.delete('/api/admin/users/:id', authenticate, authorize('admin'), deleteUser); // Admin and moderator app.put('/api/posts/:id/moderate', authenticate, authorize('admin', 'moderator'), moderatePost);
A vulnerability where critical business logic flows are not protected against automated attacks. Examples: ticket scalping, mass coupon harvesting, spam posting, etc.
A vulnerability where the server fetches a user-supplied URL without validation, enabling unauthorized access to internal networks.
const { URL } = require('url'); function isAllowedUrl(input) { try { const url = new URL(input); // Restrict protocols if (!['https:', 'http:'].includes(url.protocol)) return false; // Block private IP ranges const blocked = ['127.0.0.1', 'localhost', '0.0.0.0', '169.254.169.254']; if (blocked.includes(url.hostname)) return false; // Check internal network ranges (10.x, 172.16-31.x, 192.168.x) if (/^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)/.test(url.hostname)) return false; return true; } catch { return false; } }
Improper security settings on API servers or frameworks. Includes allowing unnecessary HTTP methods, overly permissive CORS policies, exposure of debug information, and more.
const helmet = require('helmet'); const cors = require('cors'); app.use(helmet()); app.use(cors({ origin: ['https://app.example.com'], // Do not use wildcards methods: ['GET', 'POST', 'PUT', 'DELETE'], credentials: true, })); // Error handler: do not return stack traces in production app.use((err, req, res, next) => { res.status(500).json({ error: process.env.NODE_ENV === 'production' ? 'Internal Server Error' : err.message, }); });
A state where old API endpoint versions are left exposed without security patches applied. Also known as shadow APIs or zombie APIs.
A vulnerability where responses from third-party APIs are trusted without validation. If an external API is compromised, the impact propagates to your own system.
const Ajv = require('ajv'); const ajv = new Ajv(); // Validate external API responses with a schema const externalSchema = { type: 'object', required: ['id', 'status'], properties: { id: { type: 'string', maxLength: 50 }, status: { type: 'string', enum: ['active', 'inactive'] }, }, additionalProperties: false, }; const validate = ajv.compile(externalSchema); async function fetchExternalData() { const res = await fetch('https://api.external.com/data'); const data = await res.json(); if (!validate(data)) { throw new Error('External API response validation failed'); } return data; }
| ID | Vulnerability | Severity | Key Mitigation |
|---|---|---|---|
| API1 | Broken Object Level Authorization | Critical | Object-level authorization checks |
| API2 | Broken Authentication | Critical | Proper token management and brute-force protection |
| API3 | Broken Object Property Level Authorization | High | Explicit response field filtering |
| API4 | Unrestricted Resource Consumption | High | Rate limiting and payload size restrictions |
| API5 | Broken Function Level Authorization | High | Role-based access control |
| API6 | Unrestricted Access to Sensitive Business Flows | Medium | CAPTCHA and business-level rate limiting |
| API7 | Server Side Request Forgery | High | URL validation and private IP blocking |
| API8 | Security Misconfiguration | Medium | Security headers and CORS configuration |
| API9 | Improper Inventory Management | Medium | API inventory management and deprecation policies |
| API10 | Unsafe Consumption of APIs | Medium | Schema validation of external API responses |