Index · Interview talking points

1 min read
20 min read
Rapid overview

Interview talking points

  • The headline: authentication is not authorization. The top three API risks (BOLA, BOPLA, BFLA) are all authorization failures at different granularities — object, property, function — by callers who are already authenticated.
  • BOLA (API1) is #1 because every endpoint takes an object id and the per-object ownership check is trivially easy to forget. Best fix: scope every query to the authenticated principal so a foreign id returns 404, and centralize the check.
  • 2023 changes worth naming: mass assignment + excessive data exposure merged into API3 (BOPLA); SSRF added as API7; "Unsafe Consumption of APIs" added as API10; resource-consumption and business-flow abuse promoted.
  • DTOs are the antidote to BOPLA — allow-listed input DTOs stop mass assignment, output DTOs/serialization views stop excessive data exposure. Never bind the raw request body to an ORM entity, never serialize the raw entity back.
  • SSRF (API7) is now a top API risk because so many APIs fetch URLs (webhooks, imports, avatars). The crown-jewel target is the cloud metadata service (169.254.169.254); defense is host/scheme allow-listing plus blocking internal IP ranges after DNS resolution and redirects.
  • API4 vs API6: API4 is technical rate/cost limiting; API6 is anti-automation on business flows. Mention both rate limiting and CAPTCHA/device-fingerprinting to show you understand the distinction between exhausting resources and abusing valid flows at scale.
  • Inventory matters (API9): you can't secure what you don't know about — shadow and zombie APIs are a leading cause of breaches because an old, unpatched version stays online. Push for auto-generated inventories and a deprecation process.
  • Trust boundaries (API10): "trusted" third-party integrations are still untrusted input. Validate upstream responses, use TLS with cert validation, and don't follow upstream redirects — the partner can be compromised.

See also