Common API Vulnerabilities and How to Detect Them

Understanding common API vulnerabilities helps security testers and developers identify weaknesses that could be exploited during penetration testing.

Information Disclosure occurs when APIs unintentionally expose user data or internal details in responses, such as publicly accessible WordPress user lists. Example request:

GET https://www.sitename.org/wp-json/wp/v2/users

Attackers can use the returned slugs for credential stuffing or brute‑force attacks.

Broken Object‑Level Authorization (BOLA) allows unauthorized access to resources by guessing or enumerating object IDs. Sample response:

{
  "id": "5501",
  "first_name": "Cloud",
  "last_name": "Strife",
  "link": "https://www.bestgame.com/user/strife.buster.97",
  "username": "strife.buster.97"
}

Testing involves probing API endpoints for predictable ID patterns.

User Authentication Break describes weak or missing authentication mechanisms, such as absent token validation or insecure password‑reset flows that can be abused with massive request volumes.

Over‑Exposed Data refers to API responses that return more information than required, e.g., an account query revealing privileged user details and internal admin accounts.

GET /api/v3/account?name=Cloud+Strife

# response
{
  "id": "5501",
  "first_name": "Cloud",
  "last_name": "Strife",
  "privilege": "user",
  "representative": [{
    "name": "Don Corneo",
    "id": "2203",
    "email": "[email protected]",
    "privilege": "super-admin",
    "admin": true,
    "two_factor_auth": false
  }]
}

Lack of Rate Limiting can lead to denial‑of‑service conditions when an API accepts unlimited requests; testing includes attempting to bypass limits by changing parameters, clients, or IP addresses.

Broken Function‑Level Authorization (BFLA) lets a user perform actions reserved for higher‑privilege roles. Detect by reviewing API documentation and sending privileged‑operation requests with a non‑admin account.

Mass Assignment occurs when an API accepts unexpected parameters that map directly to internal objects, allowing attackers to set fields such as isAdmin :

{
  "User": "scuttleph1sh",
  "Password": "GreatPassword123",
  "isAdmin": true
}

Security Misconfiguration includes exposed server headers, missing TLS, default credentials, and unnecessary HTTP methods. Example vulnerable headers:

HTTP/ 200 OK
X-Powered-By: VulnService 1.11
X-XSS-Protection: 0
X-Response-Time: 566.43

Injection vulnerabilities arise when input is not sanitized before reaching back‑end systems, such as SQL injection payloads:

POST /api/v1/register HTTP/1.1
{ "Fname": "hAPI", "Lname": "Hacker", "Address": "' OR 1=0--" }

File‑system traversal via query parameters can also expose /etc/passwd contents.

Improper Asset Management involves exposing deprecated or development APIs, which may contain multiple other weaknesses.

Business Logic Flaws exploit intended application behavior, such as bypassing multi‑factor authentication by altering request parameters (e.g., setting MFA=false ).

Familiarity with these vulnerabilities enables efficient identification, exploitation during testing, and proper reporting to improve API security.