API 06:2023 โ€” Unrestricted Access to Sensitive Business Flows


A set of APIs exposes a business flow and an attacker abuses these APIs using automated methods to achieve a malicious intent, such as exfiltrating data or manipulating market or price data.

Use case

  • An attacker discovers an API to buy a product online and uses automation to bulk purchase all items of a newly released product which they later re-sell.ย 
  • Real-estate website’s price information can be scraped over time to predict house price trends in an area.
  • Attackers can use automation to perform actions faster than a human user and gain an unfair advantage on auction sites, or similar.

How to prevent

  • Understand business flows that could be sensitive to abuse and add extra layers of protection to these and ensure authentication is required, using recommended OAuth flows, like authorization_code.
  • Ensure that APIs are fully protected with robust rate-limiting in front of the API.
  • Monitor API access and restrict clients using either suspicious devices or originating from risky IP addresses.ย 
  • Identify non-human usage patterns such as impossibly quick transactions, and insert Captcha or other human detection controls.

OWASP API Security Top 10 2023 list