Summary  
This chapter covers identifying and mitigating common API security flaws such as broken object-level authorization, excessive data exposure, missing rate limiting, and injection vulnerabilities. It emphasizes enforcing proper authorization checks, limiting exposed data, implementing rate limiting, and validating all user input.

General domain of usage  
Penetration testing

## Introduction to APIs

An **API** (Application Programming Interface) is a set of rules that lets different software programs talk to each other. When you use a mobile app, visit a website, or interact with a cloud service, you are often using APIs without even realizing it.

## Common API-Specific Vulnerabilities

APIs often have unique weaknesses that attackers can exploit. Understanding these vulnerabilities helps you identify and test for them effectively.

### Broken Object Level Authorization

This vulnerability occurs when an API does not properly check if a user is allowed to access or modify a specific resource. Attackers can change object IDs in requests to access data that should be restricted.

**Example:**
- You are logged in as `user123` and send a request to `GET /api/user/123/profile` to view your profile.
- If you change the URL to `GET /api/user/124/profile` and the API returns another user's profile, the API is not enforcing proper authorization.

### Excessive Data Exposure

An API may return more information than necessary, exposing sensitive data to users who should not see it. This often happens when the backend returns full objects and relies on the client to filter out sensitive fields.

**Example:**
- An API response for a user profile includes `"passwordHash": "..."` and `"ssn": "..."` along with public information.
- Even if the client application hides these fields, an attacker inspecting the API response can see everything returned.

### Lack of Rate Limiting

When an API does not limit how many times a user can make requests in a given time period, attackers can abuse this to guess credentials, scrape data, or perform denial-of-service attacks.

**Example:**
- A login API allows unlimited attempts without any delay or blocking.
- An attacker can use automated tools to try thousands of username and password combinations very quickly.

### Injection Attacks

APIs that do not properly validate or sanitize user input can be vulnerable to injection attacks, such as SQL injection or command injection. Attackers can send malicious data to manipulate backend systems.

**Example:**
- An API endpoint accepts a search parameter: `GET /api/products?search=shoes`.
- An attacker sends `GET /api/products?search=shoes'; DROP TABLE users; --`.
- If the API does not sanitize input, this could delete the `users` table in the database.


Understanding these vulnerabilities allows you to design better tests and spot weaknesses during penetration testing. Always check for proper authorization, limit data exposure, enforce rate limiting, and validate all user input.

Which statement describes a good security practice for mitigating API vulnerabilities?

A hands-on course guiding learners through the essentials of web application and API penetration testing, from foundational concepts to exploitation techniques and professional reporting. Includes real-world scenarios, practical tasks, and review questions to reinforce learning.

Covers the foundational knowledge required for web application and API penetration testing, including methodologies, ethics, and reconnaissance.

Focuses on identifying and exploiting common vulnerabilities in web applications and APIs through practical, hands-on tasks.

Covers the process of documenting findings, creating professional reports, and recommending remediation steps.