1 min read Intermediate Web

Unsecured API Endpoints

Description
Unsecured API endpoints expose functionality or data without proper authentication, authorization, or rate limiting. They are a top API risk (OWASP API Security Top 10) and often leak sensitive data or allow unauthorized actions.

Conditions to be Vulnerable
- Endpoints lack authentication or rely on hidden/obscure URLs only.
- Missing object-level (BOLA/IDOR) or function-level authorization.
- Undocumented, debug, or deprecated endpoints left reachable; no rate limiting.

Where to Find
- REST/GraphQL routes, mobile-app backends, internal APIs exposed externally.
- JS bundles and Swagger/OpenAPI docs revealing endpoint paths and parameters.

Common Exploits
- Accessing other users' objects by changing an ID (BOLA/IDOR).
- Calling admin/internal functions directly; data scraping due to no rate limits.

Example
GET /api/v1/users/1024/invoices returns another user's invoices when only the ID is changed and no ownership check exists. Or GET /api/internal/debug/config is reachable without auth and leaks secrets.

How to Test
1. Enumerate endpoints from JS files, Swagger/OpenAPI, and traffic (Burp, kiterunner).
2. Call each without a token, then with a low-privilege token, and tamper object IDs.
3. Test method overrides, versioned/legacy routes, and rate-limit absence. Authorized targets only.

Tools
Burp Suite, Postman, kiterunner, ffuf, arjun

Mitigation
- Require authentication and enforce object- and function-level authorization server-side.
- Inventory and retire undocumented/deprecated endpoints; protect docs and debug routes.
- Apply rate limiting, input validation, and least-privilege scopes.
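A worked example, added here and not part of the original page, that takes the invoice and debug-config endpoints from the Example section and shows each as an unsecured handler beside a hardened one applying the mitigations above: authenticate the caller, check function-level scope, check object-level ownership server-side, and rate-limit per caller. A `run_checks()` routine then walks the How to Test steps (no token, low-privilege token, tampered ID, burst) against both versions and returns the status codes. The tokens, user IDs, invoice data, `FixedWindowLimiter` class and all function names are constructed for illustration and stand in for a real framework's request handling.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not from any real system): bearer tokens -> principal.
TOKENS = {
    "tok-alice": {"user_id": 1024, "scopes": {"invoices:read"}},
    "tok-bob":   {"user_id": 2048, "scopes": {"invoices:read"}},
    "tok-admin": {"user_id": 1,    "scopes": {"invoices:read", "admin"}},
}
INVOICES = {1024: ["INV-1024-A"], 2048: ["INV-2048-A", "INV-2048-B"]}
CONFIG = {"db_password": "<placeholder-secret>"}  # what a debug route would leak


@dataclass
class Response:
    status: int
    body: object = None


# --- 'Before': the unsecured handlers the page describes -----------------

def vulnerable_get_invoices(user_id: int, token: Optional[str] = None) -> Response:
    # Trusts the ID in the path and never identifies the caller: classic BOLA/IDOR.
    return Response(200, INVOICES.get(user_id, []))


def vulnerable_debug_config(token: Optional[str] = None) -> Response:
    # Reachable by anyone; leaks configuration.
    return Response(200, CONFIG)


# --- 'After': authentication, authorization, rate limiting ---------------

class FixedWindowLimiter:
    """Per-principal fixed-window rate limiter; `clock` is injectable for tests."""

    def __init__(self, limit: int, window_s: float, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self._hits: dict = {}  # key -> (window_start, count)

    def allow(self, key) -> bool:
        now = self.clock()
        start, count = self._hits.get(key, (now, 0))
        if now - start >= self.window_s:
            start, count = now, 0
        count += 1
        self._hits[key] = (start, count)
        return count <= self.limit


def authenticate(token: Optional[str]):
    """Return the principal for a bearer token, or None if missing/unknown."""
    return TOKENS.get(token) if token else None


def hardened_get_invoices(user_id: int, token: Optional[str],
                          limiter: FixedWindowLimiter) -> Response:
    principal = authenticate(token)
    if principal is None:
        return Response(401)                      # authentication required
    if not limiter.allow(principal["user_id"]):
        return Response(429)                      # limit keyed by caller, not by URL
    if "invoices:read" not in principal["scopes"]:
        return Response(403)                      # function-level check (scope)
    # Object-level authorization: caller must own the resource or hold admin scope.
    if principal["user_id"] != user_id and "admin" not in principal["scopes"]:
        return Response(403)
    return Response(200, INVOICES.get(user_id, []))


def hardened_debug_config(token: Optional[str]) -> Response:
    principal = authenticate(token)
    if principal is None:
        return Response(401)
    if "admin" not in principal["scopes"]:
        return Response(403)                      # function-level authorization
    return Response(200, CONFIG)


def run_checks() -> dict:
    """Mirror the page's test steps: no token, low-privilege token, tampered ID,
    and a burst to confirm rate limiting. Returns the status code of each case."""
    limiter = FixedWindowLimiter(limit=3, window_s=60, clock=lambda: 0.0)
    results = {
        "vuln_no_token_other_user": vulnerable_get_invoices(1024, None).status,
        "vuln_debug_no_token": vulnerable_debug_config(None).status,
        "no_token": hardened_get_invoices(1024, None, limiter).status,
        "own_data": hardened_get_invoices(1024, "tok-alice", limiter).status,
        "tampered_id": hardened_get_invoices(2048, "tok-alice", limiter).status,
        "admin_other_user": hardened_get_invoices(2048, "tok-admin", limiter).status,
        "debug_low_priv": hardened_debug_config("tok-bob").status,
        "debug_admin": hardened_debug_config("tok-admin").status,
    }
    # Alice has used 2 of 3 requests in this window; her 4th request is rejected.
    hardened_get_invoices(1024, "tok-alice", limiter)
    results["burst_4th"] = hardened_get_invoices(1024, "tok-alice", limiter).status
    return results


if __name__ == "__main__":
    for case, status in run_checks().items():
        print(f"{case:28s} -> {status}")
```

The ordering of the checks matters: authentication runs before the rate limiter so that anonymous traffic cannot exhaust a legitimate user's quota, and the limiter is keyed by the authenticated principal rather than the URL so that tampering the ID in the path does not reset it. Returning 404 instead of 403 on the ownership failure is a reasonable variant when you do not want to confirm that another user's resource exists.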

Resources

OWASP API Security Top 10: https://owasp.org/API-Security/editions/2023/en/0x11-t10/
OWASP Cheat Sheet (REST Security): https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
PortSwigger (API testing): https://portswigger.net/web-security/api-testing