Question 66 of 100
API Security Testing
Advanced

Q66: What are Common Security Risks in APIs?

🛡️Core Concept

Key Takeaways & Architecture Summary

  • BOLA/IDOR: Accessing other tenants' private records using their IDs.
  • Broken Authentication: Missing token expiration or poor password checks.
  • Mass Assignment: Modifying restricted fields (e.g. admin: true) in payloads.
  • Injection Attacks: Injecting SQL, NoSQL, or script strings into parameters.

Direct Answer Summary

API security risks, as defined by the OWASP API Security Top 10, include BOLA (Broken Object Level Authorization), broken authentication, mass assignment, injection vulnerabilities, and rate limit failures. Security testing involves attempting to bypass parameter validation, escalate token scopes, and access data the caller is not authorized to see.

⚠️ Senior Engineering Warning (Red Flag)

Never assume that standard firewalls prevent API vulnerabilities. Firewalls block network attacks but cannot detect logic flaws like BOLA, where a valid token reads another tenant's private data.

💡 STAR Architectural Explanation & Pro Tip

To prevent mass assignment, developers should use specific Data Transfer Objects (DTOs) that bind only secure, white-listed properties rather than mapping raw payloads directly to database entities.

RestAssuredTest.java
Rest-Assured + Java
// ❌ Vulnerable Mass Assignment payload (QA test escalates role)
// PUT /api/v1/profile
{
  "username": "tester",
  "email": "tester@email.com",
  "isAdmin": true // Escalation attempt -> Must be rejected by server!
}
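The DTO approach from the Pro Tip, shown server-side as an added example (not code from the original page): the raw-mapping handler accepts the escalation payload above, while the DTO-bound handler rejects it with an error that names the offending field. All function, class and field names are assumptions.

```python
# Added example, not from the original page: server-side DTO binding that
# rejects the escalation payload shown above. All names are assumptions.
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class ProfileUpdateDTO:
    """Only the properties a user may change on their own profile."""
    username: str
    email: str

ALLOWED_FIELDS = frozenset(f.name for f in fields(ProfileUpdateDTO))

class MassAssignmentError(ValueError):
    """Payload carried a field outside the DTO allowlist (answer with 400)."""

def bind_profile_update(payload: dict) -> ProfileUpdateDTO:
    # Reject rather than silently strip unexpected keys: the error names the
    # offending field, so an "isAdmin" probe shows up in the request logs.
    unexpected = set(payload) - ALLOWED_FIELDS
    if unexpected:
        raise MassAssignmentError(f"unexpected fields: {sorted(unexpected)}")
    missing = ALLOWED_FIELDS - set(payload)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    for f in fields(ProfileUpdateDTO):          # basic type validation
        if not isinstance(payload[f.name], f.type):
            raise ValueError(f"{f.name} must be {f.type.__name__}")
    return ProfileUpdateDTO(**payload)

def vulnerable_update(entity: dict, payload: dict) -> dict:
    """The bug: the raw payload is mapped straight onto the stored entity."""
    entity.update(payload)  # "isAdmin": true silently lands in the record
    return entity

def hardened_update(entity: dict, payload: dict) -> dict:
    """Copy only DTO fields; privileged columns cannot be reached from here."""
    dto = bind_profile_update(payload)
    entity["username"] = dto.username
    entity["email"] = dto.email
    return entity

# Constructed sample data mirroring the payload on the page.
ESCALATION_PAYLOAD = {"username": "tester", "email": "tester@email.com", "isAdmin": True}
STORED_PROFILE = {"id": 42, "username": "tester", "email": "old@email.com", "isAdmin": False}

if __name__ == "__main__":
    print(vulnerable_update(dict(STORED_PROFILE), ESCALATION_PAYLOAD))
    hardened_update(dict(STORED_PROFILE), ESCALATION_PAYLOAD)  # raises
```

In a QA suite, the Rest-Assured test for this endpoint should assert a 4xx status and an unchanged isAdmin flag after sending the escalation payload, not merely that the request "succeeded".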