L4 — API Security
OWASP API Top 10 · Submit OpenAPI spec or live endpoint
Configure API Scan US-030
- Input: upload an OpenAPI spec (openapi.json or swagger.yaml) or point the scan at a live endpoint
- Token: used to test authenticated endpoints
- Attempt incremented resource IDs (US-031)
- Send 50 requests in 10 seconds to each endpoint (US-032)
API Findings US-030 to US-032
| Finding | API Top 10 | Endpoint | Severity |
|---|---|---|---|
| BOLA — Access other users' orders: GET /orders/1042 returns user ID 1041's data | API1:2023 | GET /orders/{id} | CRITICAL |
| No rate limiting on /login: 500 requests in 10s — all returned 200 | API4:2023 | POST /auth/login | HIGH |
| Excessive data exposure: user profile returns password_hash field | API3:2023 | GET /users/me | HIGH |
| Missing object-level auth on /admin: standard user token can access admin endpoints | API1:2023 | GET /admin/users | CRITICAL |
| API version v1 still active with deprecated params: mass assignment possible via extra body fields | API6:2023 | PUT /v1/users/{id} | MEDIUM |
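The /login finding above is fixed by throttling per client. The following is an added example, not the scanner's or any project's code: a sliding-window limiter with an injected clock, replayed against the same burst the US-032 probe sends (50 requests in 10 seconds). The limit of 10 per 60 seconds and the client key are assumed values.

```python
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window_seconds` for each client key."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._hits: dict[str, deque] = {}

    def allow(self, key: str, now: float) -> bool:
        """Return True if a request at time `now` is within the client's quota."""
        hits = self._hits.setdefault(key, deque())
        # Evict timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def handle_login(limiter: SlidingWindowLimiter, client_key: str, now: float) -> int:
    """HTTP status the endpoint would return: 429 when throttled, otherwise 200.

    Credential checking is out of scope here; the key should combine the client
    address with the targeted account so one account cannot be hammered from
    many sources without tripping the limit.
    """
    if not limiter.allow(client_key, now):
        return 429
    return 200


def replay_burst(limiter: SlidingWindowLimiter, client_key: str,
                 requests: int = 50, seconds: float = 10.0) -> tuple[int, int]:
    """Replay the US-032 probe (evenly spaced burst) and count 200s and 429s."""
    statuses = [handle_login(limiter, client_key, i * seconds / requests)
                for i in range(requests)]
    return statuses.count(200), statuses.count(429)


if __name__ == "__main__":
    # Assumed policy: 10 login attempts per minute per client.
    lim = SlidingWindowLimiter(limit=10, window_seconds=60.0)
    print(replay_burst(lim, "203.0.113.5|alice"))  # (10, 40)
```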
BOLA Remediation US-031
```python
from fastapi import HTTPException

# ❌ VULNERABLE — fetches any order by ID, regardless of who is asking
order = db.orders.find_one({"_id": order_id})

# ✅ FIXED — enforce ownership check
order = db.orders.find_one({
    "_id": order_id,
    "user_id": current_user.id,  # ← always filter by the authenticated user
})
if not order:
    # "Not found" and "not yours" get the same response, so the endpoint does
    # not reveal whether another user's order exists under this ID.
    raise HTTPException(status_code=403, detail="Access denied")
```