Every API Security Audit check

Unauthenticated API endpoints are the most direct path to a data breach. OWASP API Security Top 10 2023 API2 (Broken Authentication) consistently ranks auth bypass as a top attack vector — attackers scan for unprotected routes before attempting anything sophisticated. A single unguarded endpoint returning user records, order history, or internal configuration can expose thousands of records. Beyond data exposure, CWE-306 (Missing Authentication for Critical Function) is cited in breach post-mortems from healthcare to fintech: regulators treat unprotected endpoints as a compliance failure, not just a technical one.

Why this severity: Critical because any unauthenticated attacker can read or modify protected data without any credentials, making exploitation trivial and blast radius unbounded.

Broken Object Level Authorization (OWASP API Security Top 10 2023 API1) is the single most exploited API vulnerability class. Authentication confirms who you are; object-level authorization confirms what you can touch. Without it, any authenticated user can substitute another user's ID in a URL and retrieve or modify that user's data — orders, messages, payment methods, medical records. CWE-639 (Authorization Bypass Through User-Controlled Key) describes exactly this pattern: the key is user-supplied, the backend trusts it. Real-world incidents like the Optus breach involved straightforward IDOR on predictable object IDs.

Why this severity: Critical because any authenticated attacker with a valid session can exfiltrate or overwrite other users' private data by incrementing or guessing resource IDs.

Non-expiring tokens are stolen credentials that never go stale. If a JWT or session cookie is intercepted via XSS, a compromised device, or a logging system that captures auth headers, an attacker holds permanent access until the user explicitly rotates it — which most users never do. OWASP API2 (Broken Authentication) and CWE-613 (Insufficient Session Expiration) both flag long-lived tokens as a direct enabler of account takeover. Access tokens should be short-lived (15 min to 1 hour); refresh tokens can be longer but must rotate. Compliance frameworks including SOC 2 and PCI DSS require session timeout controls.

Why this severity: High because a stolen non-expiring token grants indefinite account access, turning a transient credential leak into a persistent breach.

Refresh tokens that can be reused indefinitely negate the security benefit of short-lived access tokens entirely. CWE-384 (Session Fixation) captures the structural problem: a compromised token remains valid forever as a fixed key to the account. OWASP API2 (Broken Authentication) specifically calls out refresh token replay as an authentication weakness. A single leaked refresh token — from a log, a compromised client, or a man-in-the-middle — gives an attacker persistent access that survives every access token expiry. Rotation with detection forces the attacker to race the legitimate user, and a race loss invalidates the entire session.

Why this severity: High because a stolen refresh token grants indefinite re-authentication capability, making it functionally equivalent to a never-expiring credential.

Broken Function Level Authorization (OWASP API Security Top 10 2023 API5) is what happens when authentication and object-level checks exist but role enforcement doesn't — any logged-in user reaches admin-only functions. CWE-269 (Improper Privilege Management) covers the pattern: the application knows what role a user has but doesn't consult it before executing privileged operations. A user who discovers `/api/admin/delete-user` or `/api/billing/refund-all` can invoke it if role checks are missing. Compromised non-admin accounts become full admin accounts. Internal tools are a common gap — developers add auth but skip role checks on 'internal' routes.

Why this severity: High because missing role checks let any authenticated user — including compromised accounts — execute privileged operations like deleting records or modifying system configuration.

Unvalidated API input is the foundation of injection attacks, mass assignment vulnerabilities, and type confusion bugs. OWASP API Security Top 10 2023 API6 (Unrestricted Access to Sensitive Business Flows) and API10 (Unsafe Consumption of APIs) both require that input arrives in the expected shape and type. CWE-20 (Improper Input Validation) is behind SQL injection, XSS, command injection, and business logic bypasses. When an endpoint accepts arbitrary JSON and passes it to a database call or business function, attackers supply crafted payloads — extra fields, wrong types, boundary values — to trigger unintended behavior. Schema validation is the first defense that makes all downstream trust explicit.

Why this severity: High because unvalidated input enables injection attacks and business logic bypass, with a direct path from HTTP request to database or system command.

SQL injection (CWE-89) remains one of the most reliably exploitable vulnerabilities in web applications, cited in OWASP API Security Top 10 2023 API10. String-concatenated queries hand attackers a direct channel into the database: they can extract the full schema, dump all rows, bypass authentication, or in some configurations execute OS commands via `xp_cmdshell`. NoSQL injection (CWE-943) achieves the same ends with operator injection like `{ $where: ... }` or `{ $gt: '' }`. ORMs and parameterized queries separate code from data at the driver level — a string from user input can never become a SQL keyword or a query operator.

Why this severity: High because SQL and NoSQL injection give attackers direct read/write access to the entire database, potentially bypassing all application-level authorization.

A CORS wildcard (`Access-Control-Allow-Origin: *`) combined with `Access-Control-Allow-Credentials: true` is a configuration that browsers reject — but the attempt signals a misunderstanding of CORS that often accompanies other auth mistakes. The real risk is a permissive CORS policy that allows arbitrary origins with credentials: CWE-942 (Permissive Cross-domain Policy) and CWE-352 (CSRF) describe how this enables cross-site request forgery against cookie-authenticated APIs. OWASP API8 (Security Misconfiguration) covers CORS as a first-class misconfiguration class. Attackers host malicious pages that call your API with the victim's session cookie — the browser delivers it because your CORS policy permits the attacker's origin.

Why this severity: Medium because exploiting CORS misconfigurations requires a victim to visit an attacker-controlled page, reducing reach but enabling session-riding attacks against authenticated users.

Content-Type confusion attacks exploit the gap between what a server expects and what it receives. CWE-436 (Interpretation Conflict) captures the class: when a server parses a multipart form body as JSON, or an XML document through a JSON parser, unexpected behavior follows — from parser differentials enabling prototype pollution to content-sniffing attacks where the browser reinterprets a JSON response as HTML. OWASP API3 (Broken Object Property Level Authorization) and API6 both flag media type validation as a control boundary. APIs that accept arbitrary content types are vulnerable to parser-switching attacks where the attacker changes the Content-Type to trigger a different code path.

Why this severity: Medium because content-type confusion can redirect parsing to a different code path, creating exploitable differentials in applications that branch on content format.

Unbounded request bodies are a denial-of-service vector that requires no authentication and minimal sophistication. OWASP API Security Top 10 2023 API4 (Unrestricted Resource Consumption) and CWE-770 (Allocation of Resources Without Limits) both flag missing body size limits as a resource exhaustion risk. Sending a 1 GB JSON payload to an endpoint that reads the full body before rejecting it consumes memory, CPU, and I/O on every request — a single attacker can saturate a server. Node.js HTTP servers buffer the request body before passing it to handlers; without a size limit, that buffer is attacker-controlled. Cloud functions with per-invocation memory limits are particularly vulnerable.

Why this severity: Medium because oversized payloads can exhaust server memory and CPU per request, enabling denial of service from a single source without authentication.

Server-side request forgery (CWE-918, OWASP A10 Server-Side Request Forgery) lets attackers weaponize your application's outbound HTTP client to probe or attack internal services — cloud metadata endpoints (`169.254.169.254`), internal databases, and private admin APIs that are not exposed to the internet. Any endpoint that fetches a user-supplied URL without validation is an SSRF vector. NIST 800-53 SI-10 requires input validation on all externally supplied values. In cloud environments, SSRF against the EC2 metadata endpoint can yield IAM credentials, giving an attacker full AWS account access.

Why this severity: Medium because SSRF requires a specific feature (outbound URL fetch) but can escalate to full cloud credential theft via the metadata service on major platforms.

Without per-user rate limiting, a single authenticated account can exhaust compute, database connections, and third-party API quotas for all users. OWASP API Security Top 10 2023 API4 (Unrestricted Resource Consumption) identifies per-user rate limiting as the primary control against API abuse. CWE-770 (Allocation of Resources Without Limits) covers the structural gap. Beyond resource exhaustion, unthrottled authenticated endpoints expose LLM token costs, external API call charges, and email sending quotas to abuse by any valid user. Competitors, scrapers, and compromised accounts can all trigger cost events at scale without rate limiting.

Why this severity: Medium because unlimited authenticated requests enable resource exhaustion and cost amplification attacks that degrade service for all users without requiring new credentials.

Login, password reset, and account creation endpoints without IP-based rate limiting are open to brute-force credential stuffing and enumeration attacks. CWE-307 (Improper Restriction of Excessive Authentication Attempts) is the direct classification. OWASP API Security Top 10 2023 API4 (Unrestricted Resource Consumption) applies because password reset emails and SMS OTPs are finite, paid resources attackers can exhaust. Credential stuffing tools spray millions of username/password combinations against unthrottled login endpoints. Without rate limiting, an attacker with a breached credential list can test thousands of combinations per minute from a single IP.

Why this severity: Low because brute force on unauthenticated endpoints is mitigated by strong passwords and MFA — but absent those controls, unthrottled login endpoints become the attack path.

NoSQL injection (CWE-943) is SQL injection's less-discussed cousin: instead of terminating a string and injecting SQL keywords, attackers inject MongoDB operators like `$where`, `$gt`, or `$regex` by submitting JSON objects where scalars are expected. OWASP API Security Top 10 2023 API10 (Unsafe Consumption of APIs) and OWASP A03 2021 (Injection) both cover this pattern. The attack is enabled by JavaScript's `...spread` operator or `Object.assign` applied to user input before a `findOne` or `find` call — a common pattern when developers forward query parameters directly to database operations. The impact ranges from authentication bypass (`{ password: { $gt: '' } }` matches any password) to full document exfiltration.

Why this severity: Low because NoSQL injection requires the application to spread or merge user input directly into query objects, a pattern more common in older codebases than in typed ORM usage.

GraphQL introspection exposes your complete API schema — every type, field, mutation, and query — to anyone who can reach the endpoint. OWASP API Security Top 10 2023 API8 (Security Misconfiguration) and CWE-200 (Exposure of Sensitive Information) both flag introspection as an information disclosure risk. Attackers use introspection to map internal data models, identify admin mutations, discover deprecated endpoints, and understand field naming conventions before crafting targeted queries. In a production API, the schema is sensitive internal documentation. Development environments may leave introspection on by default; that default should be explicitly disabled when deploying to production.

Why this severity: Low because introspection is an information disclosure risk, not a direct exploitation path — but it systematically reduces the effort required to find and exploit other vulnerabilities.

List endpoints without pagination caps are resource exhaustion vectors and data exfiltration shortcuts. OWASP API Security Top 10 2023 API4 (Unrestricted Resource Consumption) and CWE-400 (Uncontrolled Resource Consumption) both target this pattern. A single request for `?limit=1000000` can trigger a full table scan, exhaust database memory, and return megabytes of records in a single response. Beyond DoS, unbounded pagination is a data exfiltration technique: a single API call retrieves every user record, every order, or every payment transaction. Even authenticated users should be limited to reasonable page sizes — trust boundaries apply to consumption, not just access.

Why this severity: Low because pagination bypass requires an authenticated request, but the impact — full table dumps and database memory exhaustion — scales with data volume.

Batch endpoints that accept unbounded arrays are denial-of-service vectors dressed as productivity features. OWASP API Security Top 10 2023 API4 (Unrestricted Resource Consumption) and CWE-770 (Allocation of Resources Without Limits) both cover this class. A batch endpoint processing 10,000 items when your system is designed for 100 can exhaust connection pools, trigger N+1 database loads, and block the event loop. Unlike pagination, batch size is often not rate-limited because the request count stays low — an attacker sends one request per minute, each containing the maximum amount of work the server will perform. The same endpoint that handles 100 items correctly can be DoS-ed by requesting 100,000.

Why this severity: Low because batch size abuse requires a crafted authenticated request, but without limits a single request can consume resources proportional to an arbitrary multiplier.

GraphQL's type system allows clients to construct arbitrarily nested queries — a feature designed for flexibility that becomes a denial-of-service vector without depth limiting. CWE-400 (Uncontrolled Resource Consumption) and OWASP API Security Top 10 2023 API4 (Unrestricted Resource Consumption) both apply. A deeply nested query like `{ author { posts { comments { author { posts { comments { ... } } } } } } }` triggers exponential database joins with each additional level. Unlike REST, where resource boundaries are fixed in the URL, GraphQL puts the query structure in the client's hands. Depth limiting is a server-side control that caps the structural complexity a client can demand regardless of individual field costs.

Why this severity: Low because GraphQL depth attacks require a valid query and authenticated access, but the resource cost of deeply nested queries scales exponentially with depth.

HTTP transmits credentials, tokens, and user data in plaintext — any network intermediary can read or modify traffic. CWE-319 (Cleartext Transmission of Sensitive Information) and CWE-311 (Missing Encryption of Sensitive Data) cover the structural failure. OWASP API Security Top 10 2023 API8 (Security Misconfiguration) and OWASP A02 2021 (Cryptographic Failures) classify unencrypted API transport as a first-order misconfiguration. Even internal-facing APIs that carry authentication tokens should use TLS — internal networks are not trusted networks. PCI DSS Requirement 4.2.1 and SOC 2 CC6.7 both require encryption of data in transit. HSTS prevents browsers from falling back to HTTP after the first HTTPS connection.

Why this severity: Low because TLS is widely enforced at the infrastructure level by modern cloud platforms, but misconfigured internal services or development-mode settings can leave gaps.

Stack traces and internal error details handed back in API responses are reconnaissance gifts. CWE-209 (Generation of Error Message Containing Sensitive Information) and CWE-200 (Exposure of Sensitive Information to Unauthorized Actors) cover the pattern. OWASP API Security Top 10 2023 API8 (Security Misconfiguration) specifically calls out verbose error responses. A stack trace reveals internal library versions (useful for finding known CVEs), file system paths (useful for traversal attacks), database query structure (useful for injection), and internal service names. Frameworks default to verbose errors in development — that default must be explicitly reversed for production, and the mechanism for that reversal must be tested.

Why this severity: Low because error leakage is information disclosure rather than direct exploitation, but it accelerates every other attack class by revealing internal implementation details.

Unsigned webhooks let any attacker impersonate your event source and inject arbitrary payloads. CWE-345 (Insufficient Verification of Data Authenticity) and CWE-347 (Improper Verification of Cryptographic Signature) describe the failure. OWASP API Security Top 10 2023 API8 (Security Misconfiguration) covers unsigned webhook receipt as a trust boundary violation. Platforms like Stripe, GitHub, and Twilio all sign their webhooks with HMAC-SHA256 for this reason. Without signature verification, attackers who discover your webhook endpoint can send fake events — triggering account upgrades, order fulfillments, or permission changes — by simply POSTing correctly shaped JSON. Timing-safe comparison is required; string equality is vulnerable to timing attacks.

Why this severity: Info severity because webhook forgery requires knowing your endpoint URL, but the impact — injecting arbitrary business events — can be critical to business logic.

Audit logs are the difference between detecting a breach in hours and discovering it months later during an external notification. CWE-778 (Insufficient Logging) and OWASP API Security Top 10 2023 API9 (Improper Inventory Management / Insufficient Logging & Monitoring) both flag missing logs as an incident response failure, not just a monitoring gap. OWASP A09 2021 (Security Logging and Monitoring Failures) is one of the top-10 precisely because log absence is correlated with breach longevity. SOC 2 CC7.2, PCI DSS Requirement 10, and HIPAA audit controls all require API access to be logged with user, resource, and outcome. Logs with passwords or tokens embedded become a secondary breach surface — redact before writing.

Why this severity: Info severity because missing audit logs don't enable attacks directly, but they prevent detection and forensic reconstruction when other controls fail.

Publicly accessible API documentation — Swagger UI, Redoc, GraphQL Playground — hands attackers a complete, interactive map of your API surface. CWE-200 (Exposure of Sensitive Information) and OWASP API Security Top 10 2023 API8 (Security Misconfiguration) both target documentation exposure as a misconfiguration that eliminates reconnaissance effort. Schema docs reveal endpoint names, parameter types, authentication methods, and sometimes internal implementation details through field names and descriptions. Attackers use publicly available Swagger specs to auto-generate exploit code targeting specific endpoints. Intentionally public APIs (developer platforms, open standards) are a legitimate exception — but this must be a deliberate choice, not a default.

Why this severity: Info severity because documentation exposure doesn't enable exploitation alone, but it reduces the effort of every subsequent attack by providing an interactive schema map.

Disabling TLS certificate validation (`rejectUnauthorized: false`) makes every outbound HTTPS connection trivially man-in-the-middle-able. CWE-295 (Improper Certificate Validation) is the classification, and it's particularly dangerous for payment processor integrations, OAuth token exchanges, and inter-service calls where data sensitivity is highest. OWASP A02 2021 (Cryptographic Failures) and API Security Top 10 2023 API8 cover TLS misuse. Developers add `rejectUnauthorized: false` to work around local cert issues and commit it to production — a search across GitHub shows this pattern in thousands of repositories. An attacker on the same network path can intercept the full request and response, including auth tokens and payment data.

Why this severity: Info severity because exploiting disabled TLS validation requires network-path access, but the consequence — full MITM interception of sensitive API calls — is critical.