Index · Quick recall (Q&A)

4 min read
20 min read
Rapid overview

Quick recall (Q&A)

Q: What is BOLA and why is it the top API risk?

A: Broken Object Level Authorization is when an API endpoint receives an object id from the client, authenticates the caller, but never checks that the object actually belongs to or is permitted for that caller — so changing the id exposes other users' data. It's #1 because almost every API endpoint takes an object id, the checks are easy to forget per-endpoint, and the impact (mass data exposure) is severe.

Q: How does BOLA differ from BFLA?

A: BOLA is object-level ("can I access THIS specific object that isn't mine?"); BFLA (API5) is function-level ("can I invoke THIS operation/role I shouldn't have, like an admin endpoint?"). BOLA is wrong-object, BFLA is wrong-function.

Q: What two older risks were merged into API3 (BOPLA) in 2023?

A: Mass assignment (clients setting properties they shouldn't, like isAdmin) and excessive data exposure (returning more object properties than the client should see). Both are about authorizing access at the property level.

Q: What is mass assignment and how do you prevent it?

A: Binding the entire request body directly to a domain/ORM model, letting a client set sensitive fields (role, balance, verified). Prevent it with explicit allow-listed input DTOs that only contain the properties the operation legitimately accepts — never bind straight to the entity.

Q: What is excessive data exposure and the fix?

A: Returning full objects (including passwordHash, internal notes, other users' PII) and relying on the frontend to hide fields. Fix with output DTOs/serialization views that return only the fields the caller is entitled to, authorized by role where needed.

Q: Why is "authentication is not authorization" the theme of the API Top 10?

A: Most API breaches authenticate the caller correctly but fail the authorization check — at the object level (BOLA), function level (BFLA), or property level (BOPLA). Knowing who you are is not the same as checking what you're allowed to do to which resource.

Q: What is SSRF and a concrete attack example?

A: Server-Side Request Forgery is when the server fetches a client-influenced URL, letting the attacker make the server request internal targets. Classic example: submitting http://169.254.169.254/latest/meta-data/... to steal cloud IAM credentials from the metadata service.

Q: How do you defend against SSRF?

A: Allow-list schemes/hosts/ports, resolve the hostname and block private/loopback/link-local/metadata IP ranges, re-validate after redirects (DNS rebinding), disable redirects, segment the egress network away from internal services, and never return raw upstream responses.

Q: What does API4 (Unrestricted Resource Consumption) cover and how do you mitigate it?

A: No limits on CPU/memory/bandwidth/storage/cost a client can consume, enabling DoS and runaway bills. Mitigate with rate limiting/throttling, capped and validated pagination, request/upload size limits, query timeouts, and per-tenant quotas/spend limits on endpoints that trigger paid downstream calls.

Q: How is API6 (Sensitive Business Flow abuse) different from API4 rate limiting?

A: API4 targets technical resource exhaustion (request volume/size). API6 targets abuse of legitimate business flows (scalping stock, fake-account creation, coupon farming) where each request is individually valid; the defense is anti-automation (CAPTCHA, device fingerprinting, behavioral detection) aimed at intent, not just raw rate.

Q: What are shadow and zombie APIs (API9)?

A: Shadow APIs are undocumented/unknown endpoints or hosts not in your inventory; zombie APIs are deprecated-but-still-live versions that no longer get patched. Both expand attack surface. Fix with an authoritative, auto-generated inventory, current OpenAPI docs, and a formal deprecation/decommission process.

Q: What is API10 (Unsafe Consumption of APIs)?

A: Trusting data from third-party/upstream APIs more than direct user input — passing their responses into queries/templates unvalidated, or following their redirects blindly. Treat the integration boundary as a trust boundary: validate/sanitize upstream data, use TLS with cert validation, don't follow upstream redirects, and apply timeouts and allow-lists.

Q: What's the difference between API2 (Broken Authentication) and the authorization risks?

A: API2 is about proving identity correctly (strong credentials, brute-force protection, proper JWT validation, token lifecycle). The authorization risks (API1/3/5) assume identity is known and ask whether the caller is allowed to do what they're attempting.

Q: Why are unguessable IDs (UUIDs) not a sufficient BOLA defense?

A: They're only defense-in-depth — they make ids harder to enumerate but don't enforce ownership. IDs leak (logs, referrers, shared links), and the real fix is a server-side ownership/permission check (or scoping queries to the authenticated user) on every object access.

Q: How does CORS misconfiguration (API8) become a vulnerability?

A: Reflecting any Origin and allowing credentials lets a malicious website make authenticated cross-origin requests and read the responses. Lock CORS to a known allow-list of origins and avoid wildcard-with-credentials.

See also