Index · Interview talking points
1 min readRapid overview
Interview talking points
- The headline: authentication is not authorization. The top three API risks (BOLA, BOPLA, BFLA) are all authorization failures at different granularities — object, property, function — by callers who are already authenticated.
- BOLA (API1) is #1 because every endpoint takes an object id and the per-object ownership check is trivially easy to forget. Best fix: scope every query to the authenticated principal so a foreign id returns 404, and centralize the check.
- 2023 changes worth naming: mass assignment + excessive data exposure merged into API3 (BOPLA); SSRF added as API7; "Unsafe Consumption of APIs" added as API10; resource-consumption and business-flow abuse promoted.
- DTOs are the antidote to BOPLA — allow-listed input DTOs stop mass assignment, output DTOs/serialization views stop excessive data exposure. Never bind the raw request body to an ORM entity, never serialize the raw entity back.
- SSRF (API7) is now a top API risk because so many APIs fetch URLs (webhooks, imports, avatars). The crown-jewel target is the cloud metadata service (
169.254.169.254); defense is host/scheme allow-listing plus blocking internal IP ranges after DNS resolution and redirects. - API4 vs API6: API4 is technical rate/cost limiting; API6 is anti-automation on business flows. Mention both rate limiting and CAPTCHA/device-fingerprinting to show you understand the distinction between exhausting resources and abusing valid flows at scale.
- Inventory matters (API9): you can't secure what you don't know about — shadow and zombie APIs are a leading cause of breaches because an old, unpatched version stays online. Push for auto-generated inventories and a deprecation process.
- Trust boundaries (API10): "trusted" third-party integrations are still untrusted input. Validate upstream responses, use TLS with cert validation, and don't follow upstream redirects — the partner can be compromised.