Key Takeaways

  • BOLA (IDOR): The #1 API vulnerability. Changing `user_id=100` to `user_id=101` allows you to see someone else's data.
  • Rate Limiting: APIs need limits. Otherwise, a bot can call your login API 10,000 times a second to guess passwords.
  • Mass Assignment: Sending `{ "role": "admin" }` in a JSON request and having the API blindly accept it.

Modern apps are just fancy UIs that talk to APIs (Application Programming Interfaces). If the API is weak, the entire castle crumbles.

The Top Problems

1. BOLA (Broken Object Level Authorization)

This happens when the API doesn't check if the user requesting the object is the owner of the object. It's shockingly common.

2. Excessive Data Exposure

The API sends the FULL user object (password hash, address, SSN) to the mobile app, and the mobile app just hides the fields it doesn't need. A hacker sniffing traffic sees everything.

3. Lack of Resources & Rate Limiting

If an API endpoint does something heavy (e.g., resizing an image), an attacker can call it repeatedly, without any limit, until the server runs out of resources and falls over (DoS).
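
An added example, not code from the original page: a minimal in-memory user API in Python that places the vulnerable handlers for BOLA, excessive data exposure and mass assignment beside their hardened versions (ownership check, response field allowlist, request field allowlist). Handler names, user ids and records are constructed for the illustration.

```python
# Added example, not from the original page. An in-memory "user API" whose
# handlers return (status, body) tuples; all names and data are constructed.

PUBLIC_FIELDS = ("id", "email", "role")   # what a client may read
WRITABLE_FIELDS = ("email",)              # what a client may change


def make_db():
    """Fresh constructed user table so each call sequence starts clean."""
    return {
        100: {"id": 100, "email": "alice@example.test", "role": "user",
              "password_hash": "<constructed-hash>", "ssn": "000-00-0000"},
        101: {"id": 101, "email": "bob@example.test", "role": "user",
              "password_hash": "<constructed-hash>", "ssn": "111-11-1111"},
    }


def get_user_vulnerable(db, caller_id, user_id):
    """BOLA plus excessive data exposure: trusts the id from the URL and
    returns the whole record, leaving the client to hide the sensitive parts."""
    return 200, db[user_id]


def get_user(db, caller_id, user_id):
    """Object-level authorization: the caller must own the record (or be an
    admin), and only the allowlisted fields ever leave the server."""
    if user_id not in db:
        return 404, {"error": "not found"}
    if caller_id != user_id and db.get(caller_id, {}).get("role") != "admin":
        return 403, {"error": "forbidden"}
    return 200, {k: db[user_id][k] for k in PUBLIC_FIELDS}


def update_user_vulnerable(db, caller_id, user_id, payload):
    """Mass assignment: every JSON key is copied into the record, so a
    payload of {"role": "admin"} is accepted as-is."""
    db[user_id].update(payload)
    return 200, db[user_id]


def update_user(db, caller_id, user_id, payload):
    """Same ownership check, plus a field allowlist: keys outside
    WRITABLE_FIELDS (e.g. 'role') are rejected, not silently ignored."""
    if user_id not in db:
        return 404, {"error": "not found"}
    if caller_id != user_id:
        return 403, {"error": "forbidden"}
    rejected = sorted(set(payload) - set(WRITABLE_FIELDS))
    if rejected:
        return 400, {"error": "fields not writable", "fields": rejected}
    db[user_id].update({k: payload[k] for k in WRITABLE_FIELDS if k in payload})
    return 200, {k: db[user_id][k] for k in PUBLIC_FIELDS}
```

The hardened `update_user` rejects unknown keys outright rather than dropping them, so a client that sends `role` gets a 400 and the attempt is visible in logs instead of disappearing silently.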

GraphQL vs REST

REST uses multiple endpoints (`/users`, `/posts`). GraphQL uses one endpoint (`/graphql`) where you ask for what you want. GraphQL is flexible but harder to secure because standard firewalls don't understand the complex queries.

Frequently Asked Questions (FAQ)

What is a Zombie API?
An old version of an API (e.g., `/v1/login`) that everyone forgot about but is still online. It usually lacks the security patches of `/v2`.

How to test API security?
Use "Postman" or "Burp Suite" to intercept requests and start changing IDs and parameters to see if the server breaks.
