Two Main Types of API Attacks

relemedf5w023
Posts: 431
Joined: Sun Dec 22, 2024 7:15 am

Post by relemedf5w023 »

According to him, the Open Web Application Security Project (OWASP) in its latest version also emphasizes the importance of OAuth authentication security in API services and of API security in general.

“We know that developers are under pressure to deliver features and content quickly,” says Kare. “That means there’s a never-ending battle to discover and gain visibility into where APIs are, where APIs are in apps, how they’re being accessed.”

While Kare doesn’t claim that API security is an issue only developers should manage, he does point to development practices that can put companies at risk. He cites the case of a well-known fitness company whose API didn’t have proper authentication because the developer thought the initial version wouldn’t last long and would be refactored in the next development cycle. “Of course, that didn’t happen, and the result was an API that was accessible with little or no authentication, which exposed personal data,” Kare laments.

It’s also important not to use third-party APIs in an unsafe way, he says. And API care should extend to mobile apps, the Internet of Things (including in-car systems), and operational technology apps. “There’s a huge amount of API data in your car right now,” Kare says. “It’s accessible to app developers, service technicians, and can be used by malicious people.”

Kare lists two main ways APIs, including shadow APIs, are attacked:

Broken Object Property Level Authorization (BOPLA) is a vulnerability that occurs when an API does not properly enforce authorization at the level of an object's individual properties. If the API returns more of an object's properties than the request required, it allows attackers to extract the information they need. This is a new addition to the OWASP list that focuses on the authorization of individual properties within an object. An attacker can exploit this to read or modify properties they are not authorized for.

Broken Object Level Authorization (BOLA) is a vulnerability that occurs when an application or API grants access to data objects based on the user's role, but does not check whether the user has permission to access those specific objects. This is when an attacker changes the object identifier in a request and gains access to other customers' data.

“So it’s very easy for a scripted agent bot to mine information, which is what happened in the fitness company case,” says Kare. “If we had a discovery system, we would have found these exposed endpoints ourselves, and we would have said, ‘Hey, look, this is what we need to do here. If you manipulate URLs, you can uncover shadow APIs.’”
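The two flaws above are easiest to see side by side in code. The following is an added illustration, not code from the original post or from any vendor the post mentions: a minimal in-memory profile API in Python whose vulnerable handlers show BOLA (any logged-in caller can fetch any object by id) and BOPLA (every property in the request body, including internal ones, is copied into the object and every property is returned), beside hardened handlers that check object ownership and allow-list readable and writable properties. The store layout, field names and the `Forbidden` error are constructed for this example.

```python
"""Added example: BOLA and BOPLA in a toy profile API, vulnerable vs. hardened.
All records, field names and the request shape are constructed for illustration.
"""
from typing import Callable


def make_store() -> dict:
    """Constructed sample data: two customers' profile objects keyed by id."""
    return {
        1: {"id": 1, "owner": "alice", "email": "alice@example.com",
            "is_admin": False, "credit_balance": 120},
        2: {"id": 2, "owner": "bob", "email": "bob@example.com",
            "is_admin": False, "credit_balance": 45},
    }


# Property allow-lists (hypothetical policy for this example).
READABLE = {"id", "owner", "email", "credit_balance"}   # is_admin stays internal
WRITABLE = {"email"}                                    # balance/admin not client-settable


class Forbidden(Exception):
    """Raised by the hardened handlers when the caller may not act on the object."""


# --- Vulnerable handlers ----------------------------------------------------

def get_profile_vulnerable(store: dict, caller: str, profile_id: int) -> dict:
    """BOLA: only 'is the caller logged in' was checked upstream; the handler
    returns whichever object id the client asked for, internal fields included."""
    return dict(store[profile_id])


def update_profile_vulnerable(store: dict, caller: str, profile_id: int, patch: dict) -> dict:
    """BOPLA (mass assignment): every key in the request body is written to the
    object, so a client can set 'is_admin' or 'credit_balance' directly."""
    store[profile_id].update(patch)
    return dict(store[profile_id])


# --- Hardened handlers ------------------------------------------------------

def _load_owned(store: dict, caller: str, profile_id: int) -> dict:
    """Object-level authorization: the object must exist AND belong to the caller.
    Missing and not-owned produce the same error so ids cannot be enumerated
    by telling 'does not exist' apart from 'exists but not yours'."""
    obj = store.get(profile_id)
    if obj is None or obj["owner"] != caller:
        raise Forbidden("no such profile for this caller")
    return obj


def _project(obj: dict) -> dict:
    """Property-level filter on the way out: only allow-listed fields are returned."""
    return {k: v for k, v in obj.items() if k in READABLE}


def get_profile_hardened(store: dict, caller: str, profile_id: int) -> dict:
    return _project(_load_owned(store, caller, profile_id))


def update_profile_hardened(store: dict, caller: str, profile_id: int, patch: dict) -> dict:
    """Ownership check plus an allow-list of writable properties. Unexpected keys
    are rejected rather than silently dropped, so a client attempting to set an
    internal property gets a visible, loggable failure."""
    obj = _load_owned(store, caller, profile_id)
    unexpected = set(patch) - WRITABLE
    if unexpected:
        raise Forbidden(f"property not writable: {sorted(unexpected)}")
    obj.update(patch)
    return _project(obj)


def denied(handler: Callable, *args) -> bool:
    """True if the handler refuses the request with Forbidden."""
    try:
        handler(*args)
        return False
    except Forbidden:
        return True


if __name__ == "__main__":
    s = make_store()
    print("BOLA  vulnerable:", get_profile_vulnerable(s, "alice", 2)["owner"])      # bob
    print("BOLA  hardened  :", denied(get_profile_hardened, s, "alice", 2))         # True
    print("BOPLA vulnerable:", update_profile_vulnerable(s, "bob", 2, {"is_admin": True})["is_admin"])
    s = make_store()
    print("BOPLA hardened  :", denied(update_profile_hardened, s, "bob", 2, {"is_admin": True}))
```

The hardened `get` applies both checks in sequence: ownership first (BOLA), then a response projection (BOPLA), so even a legitimately owned object never leaks its internal fields. The detection-relevant detail is in `update_profile_hardened`: rejecting unknown properties, instead of ignoring them, turns a mass-assignment attempt into an error a monitoring pipeline can count per client.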