API Attacks — OWASP API Top 10

Why API Attacks Are the New Norm

Modern applications are API-driven. Every mobile app, single-page application, and third-party integration communicates via APIs. Traditional web application firewalls are designed for HTML forms and URL parameters — API traffic uses JSON/XML bodies, varied HTTP methods, and often lacks the referrer or user-agent patterns that WAFs expect.

APIs are a direct path to backend data. Authentication, authorization, and input validation must be implemented at the API level — but they often lag behind the front-end application’s security controls.
Traditional WAF rules often miss API attacks because the attack vector is in the JSON body, not in URL parameters.
API gateways (AWS API Gateway, Azure API Management, Kong, Apigee) provide logging and rate limiting, but detecting abuse requires understanding API-specific patterns.

MITRE ATT&CK maps API exploitation to T1190 (Exploit Public-Facing Application) and T1195 (Supply Chain Compromise) — APIs are a public-facing entry point to backend systems.

OWASP API Top 10 Overview

Rank	Risk	Analogy for Analysts
API1	Broken Object Level Authorization	User changes `{"user_id": 1234}` to `{"user_id": 5678}` and accesses another user’s data
API2	Broken Authentication	Weak or no authentication on API endpoints — anyone with the URL can call it
API3	Broken Object Property Level Authorization	Attacker sets `{"role": "admin", "is_admin": true}` in a registration request
API4	Unrestricted Resource Consumption	API endpoint that returns unlimited records — no pagination means data extraction
API5	Broken Function Level Authorization	Attacker calls `DELETE /api/admin/users` because the endpoint is not protected by admin role check
API6	Unrestricted Access to Sensitive Business Flows	Automated API abuse — credential stuffing, coupon abuse, vote manipulation
API7	Server Side Request Forgery	API endpoint accepts a URL parameter and fetches internal resources (see SSRF section)
API8	Security Misconfiguration	CORS misconfiguration, verbose error messages, unnecessary HTTP methods enabled
API9	Improper Inventory Management	Old API versions still running (`/api/v2/user` vs. `/api/v1/user` — v1 has a known vuln)
API10	Unsafe Consumption of APIs	Application calls third-party APIs with user-controlled URLs or data — supply chain risk

API1: Broken Object Level Authorization (BOLA)

BOLA is the most common API vulnerability and the top risk in the OWASP API Top 10. It occurs when an API endpoint does not verify that the authenticated user is authorized to access the specific object they requested.

How BOLA Works

GET /api/v1/users/1234/profile
Authorization: Bearer token-for-user-1234

→ Returns Alice's profile (legitimate — user 1234 is accessing their own profile)

GET /api/v1/users/5678/profile
Authorization: Bearer token-for-user-1234

→ Returns Bob's profile (BOLA — user 1234 should not access user 5678's profile)

BOLA Attack Patterns

Pattern	Request Example	Detection
Sequential ID enumeration	`GET /api/users/1`, `GET /api/users/2`, `GET /api/users/3`	Multiple 200 responses for sequentially incrementing IDs
UUID enumeration	`GET /api/invoices/uuid-001`, `uuid-002`, `uuid-003`	Multiple valid responses for different UUIDs from same session
Path traversal in object ID	`GET /api/users/../../admin/users`	Path traversal characters in API path parameter
POST body ID manipulation	POST `{"order_id": 1001}` → change to `{"order_id": 1002}`	Different objects returned than expected for the authenticated user
Batch endpoint abuse	`GET /api/users?id=1001,1002,1003`	Batch API call returns multiple records not owned by the user
Multi-tenant ID collision	`GET /api/tenant/42/invoices/1001` vs `GET /api/tenant/43/invoices/1001`	Same resource ID from different tenant contexts

Detection — BOLA in API Gateway Logs

SPL query — detect sequential ID access from a single session:

index=api_gateway
| rex field=uri_path "/(?:users|accounts|profiles|invoices|orders|documents)/(?<object_id>\d+)"
| stats dc(object_id) as unique_objects, count as total_calls by client_ip, user_id, user_agent
| where unique_objects > 10
| eval alert = "MEDIUM — BOLA enumeration: " . client_ip . " accessed " . unique_objects . " different object IDs"
| table _time, client_ip, user_id, unique_objects, total_calls, user_agent, alert
| sort - unique_objects

KQL query — detect BOLA via Azure API Management logs:

ApiManagementGatewayLogs
| where Url matches regex @"\/api\/[^\/]+\/(users|accounts|orders)\/\d+"
| summarize UniqueObjects = dcount(Url), TotalCalls = count() by CallerIp, UserId
| where UniqueObjects > 10
| project TimeGenerated, CallerIp, UserId, UniqueObjects, TotalCalls

API2: Broken Authentication

API authentication failures include weak token generation, missing authentication on endpoints, and improper session management.

Common API Authentication Issues

Issue	How It Looks in Logs	Severity
Missing auth on endpoint	200 response to `GET /api/admin/users` without Authorization header	Critical
Weak JWT secret	JWT can be decoded using common secret keys (`secret`, `password`, `supersecret`)	High
No token expiry	Token never expires — reused months later	High
Token in URL	`GET /api/users?token=abc123` — token leaked in server logs, referrer headers, bookmarks	Medium
Rate limiting bypass	Auth endpoints have no rate limiting — unlimited brute force attempts	Critical
Improper password reset	Password reset token is predictable (timestamp-based, short numeric)	High

Detection — API Authentication Issues

index=api_gateway
| search http_method="POST" uri_path="/api/*login*" OR uri_path="/api/*auth*" OR uri_path="/api/*token*"
| stats count by client_ip, uri_path, response_code, user_agent
| where count > 100
| eval alert = "HIGH — " . count . " auth attempts from " . client_ip . " — possible credential brute force"
| table _time, client_ip, uri_path, count, alert
| sort - count

API3: Broken Object Property Level Authorization (Mass Assignment)

Mass assignment (also called auto-binding) occurs when an API endpoint binds client-provided data directly to internal objects without filtering which fields can be modified.

How Mass Assignment Works

The API accepts a JSON body and saves it to a database object directly:

POST /api/users/register
Legitimate: {"username": "alice", "email": "alice@example.com", "password": "s3cur3"}

Attack:     {"username": "alice", "email": "alice@example.com", "password": "s3cur3", "role": "admin", "is_admin": true}

→ The API saves all fields — Alice is now an admin

Mass Assignment Attack Patterns

Attack Field	Target Model	Impact
`"role": "admin"`	User model	Direct privilege escalation
`"is_admin": true`	User model	Boolean privilege flag
`"credit": 1000000`	Account model	Balance manipulation
`"verified": true`	User model	Bypass email verification
`"email": "attacker@evil.com"`	User model	Account takeover via email change
`"group_ids": [1, 2, 3]`	User model	Add user to privileged groups
`"subscription": "premium"`	Subscription model	Free service upgrade
`"deleted": false`	Content model	Restore deleted content

Detection — Mass Assignment

index=api_gateway
| search http_method="POST" OR http_method="PUT" OR http_method="PATCH"
| search request_body IN ("*role*:*admin*", "*is_admin*:true", "*verified*:true", "*is_verified*:true", "*permissions*:*admin*")
| stats count by client_ip, uri_path, request_body
| eval alert = "HIGH — Possible mass assignment to " . uri_path . " from " . client_ip
| table _time, client_ip, uri_path, request_body, alert

API4: Unrestricted Resource Consumption

APIs that do not enforce rate limiting, pagination, or payload size limits allow attackers to exhaust server resources or extract large datasets.

Attack Vectors

Vector	Pattern	Impact
No pagination	`GET /api/users` returns all 100,000 users in one response	Data extraction — attacker crawls all records
No rate limiting	`POST /api/login` with 10,000 requests per second	Brute force, credential stuffing
Large payload	`POST /api/upload` with 1GB file	DoS via memory/disk exhaustion
Expensive queries	`GET /api/search?q=a&q=aa&q=aaa` or `GET /api/reports?dateRange=2000-01-01..2026-12-31`	CPU exhaustion from unoptimized queries
Batch abuse	`POST /api/batch` with 1000 sub-requests in a single call	Amplification attack
GraphQL depth attack	Nested GraphQL query: `{ posts { comments { user { posts { comments { user { ... } } } } } } }`	Recursive query DoS

Detection — Resource Exhaustion

KQL query — detect large API responses (data extraction):

ApiManagementGatewayLogs
| where ResponseBodySize > 5000000 (5 MB responses)
| summarize count() by CallerIp, Url, ResponseBodySize
| where count_ > 10
| project TimeGenerated, CallerIp, Url, ResponseBodySize, count_

SPL query — detect GraphQL depth attacks:

index=api_gateway source="graphql"
| eval query_depth = len(mvfilter(match(query, "\{"))) (count of opening braces)
| where query_depth > 10
| eval alert = "HIGH — GraphQL query depth " . query_depth . " from " . client_ip . " — possible recursive DoS"
| table _time, client_ip, query_depth, query
| sort - query_depth

API5: Broken Function Level Authorization

BFLA occurs when API endpoints do not enforce role-based access. An authenticated user can call admin-level API functions.

BFLA Examples

Endpoint	Unauthorized Access	Impact
`DELETE /api/users/1234`	Any authenticated user can delete users	Account deletion abuse
`PUT /api/config/smtp`	Any authenticated user can modify config	SMTP config hijacking for phishing
`POST /api/admin/users`	Any user can create admin accounts	Privilege escalation
`GET /api/v2/admin/audit/logs`	v2 had auth, v1 does not — attacker uses v1	Log access via old API version
`PATCH /api/users/{id}/permissions`	User modifies their own permissions	Self-elevation

Detection — BFLA

index=api_gateway
| search http_method IN ("DELETE", "POST", "PUT", "PATCH") uri_path IN ("*/admin/*", "*/config/*", "*/permissions/*", "*/roles/*", "*/delete*")
| stats count by client_ip, user_id, http_method, uri_path, response_code
| where response_code = 200
| eval alert = "HIGH — " . user_id . " called admin function " . http_method . " " . uri_path . " — verify authorization"
| table _time, client_ip, user_id, uri_path, response_code, alert

API6: Unrestricted Access to Sensitive Business Flows

Attackers abuse business-critical API endpoints at high volume — credential stuffing (login API), coupon abuse (discount API), vote manipulation, or reservation bots.

Detection — Business Flow Abuse

Key indicators:

High call volume to a single endpoint from a single IP or IP range
Low time between requests — faster than humanly possible
Repetitive request patterns with incremental changes (sequential IDs, cyclic values)
Call volume that spikes and stays elevated — not bursty like legitimate traffic

SPL query — detect credential stuffing via login API:

index=api_gateway
| search uri_path IN ("*/login*", "*/auth*", "*/token*")
| stats count by client_ip, uri_path, bin(_time, 60s)
| where count > 20 (20 login attempts per minute = credential stuffing)
| eval alert = "HIGH — " . count . " login attempts in 60s from " . client_ip . " — credential stuffing"
| table _time, client_ip, uri_path, count, alert

API Specific Detection Techniques

API Gateway Logs

API gateway logs (AWS API Gateway, Azure API Management, Kong, Nginx, Cloudflare) are the primary detection source. Key fields:

Field	What It Shows	Detection Use
`httpMethod`	GET, POST, PUT, PATCH, DELETE, OPTIONS	Unexpected methods on sensitive endpoints
`path`	Full API path	Path traversal, old API versions
`requestBody`	JSON/XML payload	Parameter tampering, mass assignment
`responseBody`	JSON/XML response	Excessive data exposure
`statusCode`	HTTP response code	200 to admin endpoints from non-admin users
`integrationLatency`	Backend response time	Slow responses = time-based exploitation
`callerIp`	Source IP	Known bad IPs, unexpected geolocation
`userAgent`	Client identifier	Automation tooling, missing browser headers
`authProvider`	Auth mechanism	Missing auth, expired tokens

JSON Schema Validation

API gateways can validate JSON payloads against a schema. Schema validation catches:

Extra fields in the request body (mass assignment attempts)
Wrong data types (string instead of number, null in required fields)
Fields outside allowed ranges (negative amounts, future dates)
Missing required fields (bypassing security-critical parameters)

API Attack Investigation Workflow

Phase 1: Identify Which API Endpoint Was Targeted

Finding	What It Suggests
Sequential ID enumeration on a user endpoint	BOLA — attacker testing object-level authorization
POST `{"role": "admin"}` to registration	Mass assignment — attacker trying to escalate privileges
2000 requests/minute to login	Credential stuffing or brute force
No Authorization header on admin endpoints	Missing authentication — the endpoint was unprotected

Phase 2: Determine Data Exposure

Log Pattern	Data Exposed
Large response bodies (5MB+)	Full dataset extraction — no pagination
200 status on sequential IDs	Each response = a different user’s data
GraphQL introspection query in logs	`__schema` query = attacker mapping the full API schema
Error messages showing stack traces (`ORA-00942`, `SQLSTATE`)	Database structure exposed via verbose errors

Phase 3: Containment

Action	Implementation
Rate limit the endpoint	API Gateway rate limiting — XX requests per IP per minute
Block the IP	WAF IP block rule
Invalidate tokens	Force re-authentication for affected users
Audit the endpoint	Review API code for authorization checks
Disable old API versions	Remove `/api/v1/` endpoints that lack auth

Web Application Attacks — SSRF, CSRF, Command Injection, Path Traversal, IDOR — detection and response for T1190 techniques
Container and Kubernetes Threats — detection and response for T1611, T1525, T1574.002 techniques
Kill Chain — covers the kill chain concepts
OSI Model — covers the osi model concepts
Metasploit — detection and response for T1203 techniques