OWASP API Security Top 10 2023 · API6:2023 Unrestricted Access to Sensitive Business Flows
AL, Founder at SQUR · last verified 2026-06-20
Regulation text
APIs vulnerable to this risk expose a business flow — such as buying a ticket or posting a comment — without compensating for how the functionality could harm the business if used excessively in an automated manner. Typical gaps are a lack of rate limiting, a lack of CAPTCHA, and no anti-automation controls on critical workflows.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1190 | Attackers exploit public-facing API endpoints lacking rate-limiting to conduct reconnaissance or gain initial access. | 90% |
| T1078 | Brute-forcing credentials via an API without rate limits enables attackers to acquire valid accounts. | 80% |
| T1059 | Automated scripts interact with APIs to execute business logic excessively, causing resource strain. | 60% |
| T1136 | Unlimited account creation via API endpoints facilitates persistent access and resource abuse. | 90% |
| T1068 | Excessive API calls can trigger race conditions or logic bypasses, leading to privilege escalation. | 70% |
| T1562 | High-volume API requests overwhelm monitoring and logging systems, impairing defensive capabilities. | 80% |
| T1110 | Lack of rate-limiting on authentication endpoints directly permits unlimited credential guessing. | 100% |
| T1046 | Automated scanning of API endpoints discovers available business flows for exploitation. | 70% |
| T1087 | Automated enumeration of user accounts via unrestricted API access reveals valid targets. | 80% |
| T1005 | Excessive API calls retrieve large volumes of sensitive data from backend systems. | 70% |
| T1074 | Automated collection of data through API calls stages information for subsequent exfiltration. | 60% |
| T1071 | Attackers use standard API protocols for command and control, leveraging unrestricted access. | 70% |
| T1567 | Unrestricted API access enables automated exfiltration of sensitive data over web services. | 90% |
| T1498 | Excessive requests to an API cause service unavailability, resulting in Denial of Service. | 100% |
| T1499 | Targeting specific API endpoints with high request volumes leads to Endpoint Denial of Service. | 100% |
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1035 | Implementing rate-limiting and throttling on API endpoints prevents excessive use of business flows. | 100% |
| M1047 | Regular auditing of API access logs identifies anomalous usage patterns and potential abuse. | 90% |
| M1038 | Strong user account management, including CAPTCHA, prevents automated account creation and brute force. | 80% |
| M1040 | Network Intrusion Prevention Systems detect and block malicious automated API traffic. | 90% |
| M1051 | Filtering network traffic based on request patterns, IP, or user-agent blocks automated attacks. | 90% |
| M1020 | Automated systems detect and respond to excessive API usage, protecting critical business flows. | 90% |
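The regulation text above names the missing control (no throttling on flows like ticket purchase or comment posting) and mitigation M1035 names the fix. The following is an added example, not code from SQUR or from the OWASP project, of what that control looks like when it is keyed on the business flow and the acting principal rather than only on the client IP. The flow names, limits, account id and the 10 ms request spacing in the simulated burst are all constructed for the example.

```python
"""Per-principal sliding-window throttle for sensitive business flows.

Added example (not SQUR's or OWASP's code). It applies the control that
mitigation M1035 describes to the API6:2023 flows named on this page.
Flow names, limits and sample identities are constructed for the example.
"""
from collections import deque
from dataclasses import dataclass, field
import time
from typing import Callable, Deque, Dict, Tuple

# Constructed policy: (max attempts, window in seconds) per principal per flow.
# These are deliberately far tighter than a generic per-IP API limit, because
# the cost of abuse here is business-level (scalping, spam), not just server load.
FLOW_POLICY: Dict[str, Tuple[int, float]] = {
    "purchase_ticket": (4, 60.0),   # 4 purchases per minute per account
    "post_comment": (10, 60.0),     # 10 comments per minute per account
}


@dataclass
class Decision:
    allowed: bool
    remaining: int        # attempts left in the current window
    retry_after: float    # seconds until the next attempt would pass (0 if allowed)


@dataclass
class FlowThrottle:
    policy: Dict[str, Tuple[int, float]]
    clock: Callable[[], float] = time.monotonic   # injectable for deterministic tests
    _hits: Dict[Tuple[str, str], Deque[float]] = field(default_factory=dict)

    def check(self, principal: str, flow: str) -> Decision:
        """Record one attempt by `principal` on `flow` and decide whether it may proceed."""
        if flow not in self.policy:
            # Fail closed: a sensitive flow with no policy must not run unguarded.
            raise KeyError(f"no throttle policy for flow {flow!r}")
        limit, window = self.policy[flow]
        now = self.clock()
        hits = self._hits.setdefault((principal, flow), deque())
        # Drop timestamps that have aged out of the sliding window.
        while hits and now - hits[0] >= window:
            hits.popleft()
        if len(hits) >= limit:
            # Denied attempts are not recorded, so a client that backs off recovers.
            return Decision(False, 0, window - (now - hits[0]))
        hits.append(now)
        return Decision(True, limit - len(hits), 0.0)


def simulate_burst(attempts: int, flow: str = "purchase_ticket") -> Tuple[int, int]:
    """Replay a scripted burst from one constructed account, 10 ms apart.

    Returns (allowed, denied) so the effect of the policy is visible.
    """
    t = [0.0]

    def fake_clock() -> float:
        t[0] += 0.01
        return t[0]

    throttle = FlowThrottle(FLOW_POLICY, clock=fake_clock)
    allowed = denied = 0
    for _ in range(attempts):
        if throttle.check("acct-1234", flow).allowed:
            allowed += 1
        else:
            denied += 1
    return allowed, denied


if __name__ == "__main__":
    print(simulate_burst(50))  # (4, 46)
```

The state lives server-side and is keyed on the authenticated principal, which is what separates this from the client-side anti-automation that CWE-603 warns about. Denied attempts are not added to the window here; if you want repeated hammering to extend the penalty, append the timestamp before returning the denial. Every denial is also a natural log event for the M1047 auditing described in the table.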
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-770 | The API allocates resources without limits or throttling, enabling excessive consumption. | 100% |
| CWE-400 | Uncontrolled resource consumption occurs when an API allows unlimited requests, leading to system degradation. | 90% |
| CWE-307 | Improper restriction of excessive authentication attempts allows brute-force attacks against API login endpoints. | 100% |
| CWE-862 | Missing authorization permits any user to access and excessively use sensitive business flows. | 80% |
| CWE-287 | Improper authentication, such as lacking CAPTCHA, allows automated access to API functions. | 70% |
| CWE-20 | Improper input validation can exacerbate the impact of excessive requests on API business logic. | 60% |
| CWE-603 | Reliance on client-side anti-automation mechanisms for APIs allows easy bypass by attackers. | 50% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0161 compute · voice-rubric self-validated