
API security testing: OWASP API Top 10 explained with real exploits

B9ITS VAPT Practice 30 Mar 2026 15 min read Intermediate

APIs are a different attack surface from web applications. The OWASP API Security Top 10 (2023) reflects that. The bugs we find on Indian APIs cluster around three categories: BOLA, broken authentication, and unrestricted resource consumption. Here is each item with a worked exploit.

API1 — Broken Object Level Authorization (BOLA)

The most common critical bug we find. The API accepts an object ID in the URL or body and returns the object without verifying the caller owns it.

GET /api/v2/invoices/8124           ← my invoice
GET /api/v2/invoices/8125           ← someone else's invoice  ← returns 200

The fix is enforced at the data-access layer, not the controller. Every SELECT needs a WHERE tenant_id = current_user.tenant_id clause that cannot be bypassed by a developer who forgets. We have a dedicated post on BOLA / IDOR.
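As an added illustration (not code from this post), a minimal Python sketch of the data-access-layer enforcement described above: the vulnerable lookup beside a tenant-scoped repository that appends the tenant predicate itself, so a handler that forgets the check cannot widen the result set. The sqlite table and its two rows are constructed for the example.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    tenant_id: int


def make_db():
    # Constructed in-memory invoices table; rows mirror the two IDs in the post.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id INTEGER, amount INTEGER)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(8124, 1, 500), (8125, 2, 999)])
    return db


def get_invoice_vulnerable(db, user, invoice_id):
    # The BOLA pattern: the row is fetched by ID alone and the caller's tenant is never consulted.
    return db.execute("SELECT id, tenant_id, amount FROM invoices WHERE id = ?",
                      (invoice_id,)).fetchone()


class TenantScopedRepo:
    """Data-access layer bound to the caller's tenant at construction time.

    Controllers never write SQL against invoices directly; every query issued
    through this object carries `tenant_id = ?`, so the filter cannot be omitted
    by a developer who forgets it in one handler.
    """

    def __init__(self, db, user):
        self._db = db
        self._tenant_id = user.tenant_id

    def get_invoice(self, invoice_id):
        return self._db.execute(
            "SELECT id, tenant_id, amount FROM invoices WHERE id = ? AND tenant_id = ?",
            (invoice_id, self._tenant_id)).fetchone()

    def list_invoices(self):
        return self._db.execute(
            "SELECT id, tenant_id, amount FROM invoices WHERE tenant_id = ?",
            (self._tenant_id,)).fetchall()


def http_status(repo, invoice_id):
    # Another tenant's invoice is indistinguishable from a non-existent one: 404, not 403,
    # so the API does not leak which IDs exist.
    return 200 if repo.get_invoice(invoice_id) is not None else 404
```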

API2 — Broken Authentication

JWT signature not verified, refresh tokens that never expire, /oauth/token endpoints with no rate limit, password reset tokens with 20 bits of entropy.

The Indian fintech classic: a mobile login endpoint that accepts an MPIN, has no lockout, and uses a 4-digit keyspace. 10,000 requests at 50 RPS = the user is owned in 200 seconds.

API3 — Broken Object Property Level Authorization

Two flavours — excessive data exposure and mass assignment.

Excessive data exposure: the API returns the full user object including password_hash, pan_number, is_admin, on the assumption that the client UI will only render the public fields.

Mass assignment: the API accepts a JSON body in PATCH /api/users/me and trusts every field. A user adds "is_admin": true and gets it.

API4 — Unrestricted Resource Consumption

The DoS-and-cost category. No rate limit on the password-reset endpoint = SMS-cost attack. No pagination on the list endpoint = a single request returns the full table. No file-size limit on the upload endpoint = disk fills. No timeout on the report-generation endpoint = workers exhausted.

This is the category that costs Indian SaaS most in real money — not breach impact, but cloud bill spikes.

API5 — Broken Function Level Authorization

Like BOLA but for functions instead of objects. The admin endpoint POST /api/admin/users is accessible to a regular user who guesses the path. Most often we find this in pairs: /v1/admin/X and /v1/X where the admin variant is forgotten in the auth middleware list.

API6 — Unrestricted Access to Sensitive Business Flows

New in 2023. The "scalper" category. A flow that is legitimate but should be rate-limited — booking a slot, redeeming an offer, signing up an account — has no abuse controls and gets exploited by automation. Indian e-commerce flash sales are the textbook case.

API7 — Server-Side Request Forgery (SSRF)

Same as the web SSRF category. APIs are slightly more exposed because URL inputs are common in webhook configs, image-by-URL upload endpoints, and OAuth callback registration.

API8 — Security Misconfiguration

CORS too open. Verbose error responses. Default credentials on management endpoints. OPTIONS exposes the full method list. TRACE enabled. X-Powered-By headers giving away framework versions.

API9 — Improper Inventory Management

Old API versions still live. /v1 deprecated but reachable, with the original BOLA still present. Staging and pre-prod environments indexed by Google. Internal-only endpoints exposed via the same gateway as public ones.

API10 — Unsafe Consumption of APIs

Your API calls a third-party API and trusts the response. The third party is compromised; you are now serving their data to your users. This newer category also covers webhook receivers that accept unsigned payloads.

The test plan we use

Two authenticated users in two tenants, a full Postman collection, Burp Suite Pro intercept, a Python harness for BOLA enumeration, and a chaos script for race-condition testing. Average API engagement: 6–9 days for ≤30 endpoints, 10–14 days for >30.

For a quote on an API engagement, see API security testing or contact us.

BERRY9 IT SERVICES — VAPT Practice

Hyderabad-based ISO 27001 + 9001 certified offensive-security team. Since 2015 we have run 500+ engagements for 100+ clients across pharma, BFSI, healthcare, VFX, and enterprise SaaS. Every engagement includes a free retest.