APIs are the attack surface of modern applications. Most data breaches target APIs rather than front-end interfaces. Here are the vulnerability categories that actually cause incidents, with practical mitigation for each.
Broken Object Level Authorization (BOLA)
The most common API vulnerability. It occurs when an endpoint accepts an object ID in the request and returns or modifies that object without verifying that the requesting user is authorised to access it. Example: GET /api/orders/12345 returns the order regardless of whether the authenticated user owns it. Fix: always verify ownership at the data access layer, so every code path that loads the object applies the check, not just at the route level. Never trust client-supplied IDs without verification.
Mass Assignment
This occurs when an API endpoint accepts a JSON body and assigns all provided fields to a model object — including privileged fields the user should not be able to set (is_admin, account_balance, user_role). Fix: use explicit allow-lists for which fields can be set via each endpoint. Reject unknown fields by default rather than silently ignoring them.
Excessive Data Exposure
Returning more data than necessary — e.g., returning a full user object including hashed password, internal IDs, and admin flags in response to a public profile request. Fix: define explicit response schemas for each endpoint. Return only the fields the client legitimately needs. Avoid returning model objects directly from ORMs.
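The three fixes above (ownership check in the data layer, field allow-list, explicit response schema) in one PATCH-style handler. This is an added example, not code from the original article; the in-memory USERS table, the field names and the exception classes are constructed for illustration.

```python
import json
from typing import Any

# Constructed sample data standing in for a real data store.
USERS = {
    1: {"id": 1, "email": "alice@example.com", "display_name": "Alice",
        "password_hash": "<bcrypt-hash-placeholder>", "is_admin": False, "account_balance": 120.0},
    2: {"id": 2, "email": "bob@example.com", "display_name": "Bob",
        "password_hash": "<bcrypt-hash-placeholder>", "is_admin": True, "account_balance": 9.5},
}

# Mass assignment: the only fields a client may set through this endpoint.
PATCHABLE_FIELDS = {"display_name", "email"}
# Excessive data exposure: the only fields ever returned by this endpoint.
PUBLIC_FIELDS = ("id", "display_name")


class Forbidden(Exception): ...
class BadRequest(Exception): ...


def load_user_for(requester_id: int, target_id: int) -> dict[str, Any]:
    """Data-access layer: the ownership check lives here, not only in the route."""
    user = USERS.get(target_id)
    if user is None or user["id"] != requester_id:
        # Same failure whether the record is missing or belongs to someone else,
        # so the endpoint does not reveal which IDs exist.
        raise Forbidden(f"user {target_id} is not accessible to user {requester_id}")
    return user


def apply_patch(user: dict[str, Any], payload: Any) -> dict[str, Any]:
    """Allow-list the fields; unknown or privileged fields are rejected, not ignored."""
    if not isinstance(payload, dict):
        raise BadRequest("body must be a JSON object")
    unknown = set(payload) - PATCHABLE_FIELDS
    if unknown:
        raise BadRequest(f"fields not permitted: {sorted(unknown)}")
    user.update(payload)
    return user


def to_public(user: dict[str, Any]) -> dict[str, Any]:
    """Explicit response schema instead of returning the model object."""
    return {k: user[k] for k in PUBLIC_FIELDS}


def patch_user(requester_id: int, target_id: int, body: str) -> dict[str, Any]:
    """Handler for PATCH /api/users/<target_id>: ownership, allow-list, then schema."""
    user = load_user_for(requester_id, target_id)
    return to_public(apply_patch(user, json.loads(body)))
```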
Missing Rate Limiting
APIs without rate limiting on authentication endpoints are vulnerable to credential stuffing (trying large numbers of username/password combinations automatically). Without rate limiting on data endpoints, scraping and denial of service are trivial. Fix: rate limit all endpoints, especially auth. Use exponential backoff for repeated failed authentication attempts.
JWT Vulnerabilities
Common JWT mistakes: accepting the “none” algorithm (attacker removes signature), using a weak secret (brute-forceable), not validating expiry (expired tokens accepted), trusting the algorithm specified in the token header. Fix: use a robust JWT library (not manual implementation), specify allowed algorithms explicitly, validate all claims including exp, and rotate secrets.