Two Main Types of API Attacks

relemedf5w023
Posts: 409
Joined: Sun Dec 22, 2024 7:16 am

Post by relemedf5w023 »

Kare lists two main ways to attack APIs or use shadow APIs:

Broken Object Property Level Authorization (BOPLA) is a vulnerability that occurs when an API does not properly manage authorization at the object property level. If the API provides more information than was required in the request, it allows attackers to extract the information they need. This is a new addition to the OWASP list that focuses on the authorization of individual properties within an object. An attacker can exploit this to access or manipulate unauthorized properties.

Broken Object Level Authorization (BOLA) is a vulnerability that occurs when an application or API grants access to data objects based on the user's role, but does not check whether the user has permission to access those specific objects. This is when an attacker changes the identity number to another one and gains access to other customers' data.

"So it's very easy for a scripted agent bot to mine information, which is what happened in the fitness company case," says Kare. "If we had a discovery system, we would have found these exposed endpoints ourselves, and we would have said, 'Hey, look, this is what we need to do here. If you manipulate URLs, you can uncover shadow APIs.'"

What can developers do?
Kare stresses that developers should not use Social Security numbers, phone numbers, or email addresses as customer identifiers. He says that a lack of authentication for logins could allow an attacker to scour an entire customer database. In one case he cites, a broken login was compounded by a lack of validation of user input, allowing an attacker to access credit histories and other sensitive financial information.

“We ran into our old friend BOPLA again – it turns out that an API with very weak authentication can be queried for a credit score,” explains Kare. “And guess what, not only can you pull information about the victim and do a little identity theft, but you can also check how good a victim they are, how much credit can be obtained in their name.”

All of these can be easily fixed once discovered; but again, many companies don't discover API security flaws because they don't monitor them.
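The two flaws described in the post, and the scripted enumeration that exploits them, as an added example that is not part of the original post or of any product Kare discusses. The handler, session class, field names and sample records below are all constructed for illustration: `vulnerable_get_customer` checks only the caller's role (BOLA) and returns every property of the record (BOPLA), while `hardened_get_customer` adds the object-level ownership check and a property-level allowlist, and `new_customer_id` shows the opaque identifier to use instead of an SSN, phone number or counter.

```python
import secrets

# Constructed sample data for this example (not real customers). Records carry
# more properties than any client needs, which is where BOPLA comes from.
CUSTOMERS = {
    1001: {"id": 1001, "owner": "alice", "name": "Alice", "email": "alice@example.com",
           "ssn": "123-45-6789", "credit_score": 720},
    1002: {"id": 1002, "owner": "bob", "name": "Bob", "email": "bob@example.com",
           "ssn": "987-65-4321", "credit_score": 640},
}


class Session:
    """Hypothetical authenticated caller: a username plus a coarse role."""

    def __init__(self, user, role="customer"):
        self.user = user
        self.role = role


def vulnerable_get_customer(session, customer_id):
    """BOLA + BOPLA: only the role is checked, then the whole record is returned."""
    if session.role != "customer":
        raise PermissionError("customers only")
    # Any logged-in customer can fetch any id, and gets ssn and credit_score too.
    return dict(CUSTOMERS[customer_id])  # KeyError when the id does not exist


# Property-level allowlist: what a customer may see of their own record.
# ssn and credit_score are deliberately absent from this view.
SELF_VIEW_FIELDS = ("id", "name", "email")


def hardened_get_customer(session, customer_id):
    """Object-level check (is this record theirs?) then property-level allowlist."""
    record = CUSTOMERS.get(customer_id)
    if record is None or record["owner"] != session.user:
        # Same error for a missing id and a foreign id, so a bot cannot tell
        # "this id exists but is not yours" from "this id does not exist".
        raise PermissionError("not found")
    return {key: record[key] for key in SELF_VIEW_FIELDS}


def enumerate_as(handler, session, candidate_ids):
    """Scripted-bot enumeration: try each id and keep whatever the API hands back."""
    leaked = {}
    for cid in candidate_ids:
        try:
            leaked[cid] = handler(session, cid)
        except (KeyError, PermissionError):
            continue
    return leaked


def new_customer_id():
    """Opaque, unguessable identifier to use instead of SSN, phone, email or a counter."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    bot = Session("mallory")          # a legitimate customer running a script
    ids = range(1000, 1010)           # sequential ids are trivially guessable
    print("vulnerable:", enumerate_as(vulnerable_get_customer, bot, ids))
    print("hardened:  ", enumerate_as(hardened_get_customer, bot, ids))
    print("opaque id: ", new_customer_id())
```

Run against the constructed data, the vulnerable handler hands the bot both customers' full records, SSN and credit score included, after ten guesses; the hardened handler hands it nothing, and gives Alice only her own three allowlisted fields. Random identifiers make the guessing loop itself impractical, but they are not a substitute for the ownership check, since ids still leak through logs, referrers and shared links.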