API Security — How Attackers Break
1. Broken Authentication
How attackers break it:
- Using stolen/breached passwords
- Credential stuffing
- Brute-force login
- Bypassing MFA
- Using replay attacks on JWT tokens
Example:
- /login endpoint accepts unlimited attempts → brute force
- Tokens are not rotated → attacker reuses
2. Broken Authorization (IDOR)
The #1 cause of API data breaches.
How attackers break it:
- Change the object ID in a URL to access others’ data
- GET /accounts/123 → change to → GET /accounts/124
Real issue:
Developers validate that the resource exists, but don’t validate ownership.
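To make the ownership point concrete, here is an added example (not code from the original post) of the same account lookup written twice: once checking only that the record exists, once checking existence and ownership. The account store, the customer ids and the handler names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    account_id: int
    owner_id: int
    balance: int

# Constructed sample data: two customers, each owning one account.
ACCOUNTS = {
    123: Account(account_id=123, owner_id=1, balance=500),
    124: Account(account_id=124, owner_id=2, balance=9000),
}

class NotFound(Exception):
    pass

def get_account_vulnerable(caller_id: int, account_id: int) -> Account:
    """The bug from section 2: only checks that the resource exists.
    Any authenticated caller can read any account by changing the id."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise NotFound(account_id)
    return account

def get_account_fixed(caller_id: int, account_id: int) -> Account:
    """Existence check plus ownership check. caller_id must come from the
    server-side session, never from a request parameter the client controls."""
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner_id != caller_id:
        # Same 404 for "missing" and "not yours", so the response does not
        # confirm which ids exist (limits the id enumeration in section 3).
        raise NotFound(account_id)
    return account

def handle_request(handler, caller_id: int, account_id: int) -> tuple[int, dict]:
    """Tiny stand-in for the HTTP layer: maps handler results to (status, body).
    Only the fields the client needs are serialised (owner_id stays internal)."""
    try:
        acct = handler(caller_id, account_id)
        return 200, {"account_id": acct.account_id, "balance": acct.balance}
    except NotFound:
        return 404, {"error": "not found"}

if __name__ == "__main__":
    # Customer 1 requests GET /accounts/124, which belongs to customer 2.
    print(handle_request(get_account_vulnerable, 1, 124))  # leaks the account
    print(handle_request(get_account_fixed, 1, 124))       # 404
```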
3. Lack of Rate Limiting
How attackers break it:
- Brute force your login
- Denial-of-service by sending massive calls
- Enumerating IDs
- Scraping customer data
4. Missing Input Validation
How attackers break it:
- SQL Injection
- NoSQL Injection
- Command Injection
- XML External Entities (XXE)
- Path Traversal
Example:
GET /files?path=../../etc/passwd
5. Excessive Data Exposure
How attackers break it:
- API returns too much data, even if the UI doesn’t show it
- Attackers intercept the response using tools like Burp Suite, Postman, Fiddler