This page describes API6:2023 Unrestricted Access to Sensitive Business Flows, a security risk listed in the OWASP API Security Top 10. It includes a description of the weakness, example attack scenarios, and how to prevent such attacks.
API6:2023 Unrestricted Access to Sensitive Business Flows is a risk in which an attacker abuses a sensitive business flow exposed by an API in order to harm the business. Attackers automate access to these flows, which can have various detrimental effects, such as preventing legitimate users from purchasing a product or inflating the internal economy of a game. The sections below give example attack scenarios and prevention measures.
To prevent API6:2023 Unrestricted Access to Sensitive Business Flows, a two-layer mitigation approach is recommended. On the business side, identify the business flows that are sensitive, i.e. those that would harm the business if used excessively. On the engineering side, implement protection mechanisms that mitigate that business risk. Such mechanisms include device fingerprinting, human detection (captcha or biometric solutions), analyzing user flows for non-human patterns (for example, actions performed faster than a person could perform them), and blocking IP addresses of Tor exit nodes and well-known proxies. Additionally, secure and limit access to APIs that are consumed directly by machines, since those are easy targets for attackers.
Scenario #1: A technology company releases a new gaming console with limited stock. An attacker automates the process of buying the product and buys the majority of the stock before other legitimate users. The attacker later sells the product for a higher price on another platform.
Scenario #2: An airline company offers online ticket purchasing with no cancellation fee. A user books 90% of the seats for a desired flight with malicious intentions. A few days before the flight, the user cancels all the tickets at once, forcing the airline to discount the ticket prices to fill the flight. The user then buys a single ticket at a much cheaper price.
Scenario #3: A ride-sharing app has a referral program where users can invite friends and gain credit for each friend who joins. An attacker writes a script to automate registrations and adds credit to their own account. The attacker can then enjoy free rides or sell the accounts with excessive credits for cash.
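The example below is an added illustration of the engineering-side controls described above, applied to the three scenario flows (purchase, cancellation, referral sign-up); it is not code from OWASP. It guards each sensitive flow per actor (account id or device fingerprint) with a sliding-window limit and flags non-human timing between consecutive actions. The flow names, thresholds and sample traffic are constructed assumptions, not OWASP-prescribed values.

```python
from collections import defaultdict, deque

# Sensitive flows and their per-actor limits as (max allowed actions, window in seconds).
# These thresholds are illustrative assumptions; real values come from the business side.
FLOW_LIMITS = {
    "purchase": (3, 3600),    # scenario 1: bulk buying of limited stock
    "cancel":   (5, 86400),   # scenario 2: mass cancellation of bookings
    "referral": (10, 86400),  # scenario 3: scripted referral registrations
}
MIN_HUMAN_GAP = 1.0  # seconds; two actions closer than this look scripted


class SensitiveFlowGuard:
    """Per-(flow, actor) sliding-window limiter with a simple non-human timing check.

    In production the history would live in a shared store (e.g. Redis) so that
    every API instance sees the same counters; this in-memory version is for illustration.
    """

    def __init__(self, limits=FLOW_LIMITS, min_gap=MIN_HUMAN_GAP):
        self.limits = limits
        self.min_gap = min_gap
        self.history = defaultdict(deque)  # (flow, actor) -> timestamps of allowed actions

    def check(self, flow, actor, now):
        """Return (allowed, reason) for one action; `now` is a Unix timestamp."""
        if flow not in self.limits:
            return True, "not a sensitive flow"
        max_actions, window = self.limits[flow]
        q = self.history[(flow, actor)]
        while q and now - q[0] > window:   # drop actions outside the window
            q.popleft()
        if q and now - q[-1] < self.min_gap:  # too fast to be a person; do not record
            return False, "non-human timing"
        if len(q) >= max_actions:
            return False, "rate limit exceeded"
        q.append(now)
        return True, "ok"


def replay(events, guard=None):
    """Replay (timestamp, flow, actor) events through a guard; return the decisions."""
    guard = guard or SensitiveFlowGuard()
    return [guard.check(flow, actor, ts) for ts, flow, actor in events]


# Constructed sample traffic: a scripted buyer ("fp-bot") firing purchases every 0.2 s,
# then spacing them out, alongside one human purchase ("fp-human").
SAMPLE_EVENTS = [
    (0.0, "purchase", "fp-bot"), (0.2, "purchase", "fp-bot"), (0.4, "purchase", "fp-bot"),
    (5.0, "purchase", "fp-human"),
    (10.0, "purchase", "fp-bot"), (20.0, "purchase", "fp-bot"),
    (30.0, "purchase", "fp-bot"), (40.0, "purchase", "fp-bot"),
]
```

Denied actions should be logged with the reason and actor key so that security operations can spot a device fingerprint that is repeatedly hitting the limit across flows.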