The latest articles on DEV Community by Natasha Joshi (@natasha_joshi_). https://dev.to/natasha_joshi_ https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3852907%2Fdf88ea81-9f38-4628-9632-a7030e1342ae.png https://dev.to/natasha_joshi_ en Natasha Joshi Fri, 10 Apr 2026 07:31:18 +0000 https://dev.to/natasha_joshi_/api-security-in-2026-the-attack-surface-your-pentest-is-probably-missing-5gp3 https://dev.to/natasha_joshi_/api-security-in-2026-the-attack-surface-your-pentest-is-probably-missing-5gp3 <p><em>By the Security Research Team at <a href="https://precogs.ai" rel="noopener noreferrer">Precogs.ai</a> — Published March 2026</em></p> <blockquote> <p><em>"APIs are the new perimeter. Except unlike the old perimeter, most organizations have no idea how many they're running, who's calling them, or what data they're exposing."</em><br> — Red Team Lead, Fortune 100 Financial Institution</p> </blockquote> <p>The attack surface has shifted. Dramatically. In 2026, API traffic accounts for the majority of all internet communication — and it is the primary vector for data breaches across every sector. Not phishing. Not ransomware. APIs.</p> <p>The Optus breach: API. The Twitter 5.4 million user scrape: API. The Peloton user exposure: API. The T-Mobile 37 million record exfiltration: API. Each of these was not a sophisticated nation-state operation. Each was an attacker who found an API endpoint, understood what it did, and exploited a logic flaw or access control gap that no traditional scanner would have caught.</p> <p>This is the blog for the people who find those flaws — <strong>security engineers and penetration testers</strong> — and for the engineering leaders who are starting to realize that their API security posture is not where it needs to be.</p> <p>We're going to go deep. Real attack techniques, real payloads, real business impact numbers. And we're going to show you how <strong><a href="https://precogs.ai" rel="noopener noreferrer">Precogs.ai</a></strong> is changing what it means to secure an API — not just for the point-in-time pentest engagement, but as a continuous, intelligent property of your production environment.</p> <h2> Table of Contents </h2> <ol> <li>The API Explosion and Why It's a Security Disaster</li> <li>BOLA / IDOR: Still the Highest-Impact API Vulnerability</li> <li>Broken Function-Level Authorization: The Vertical Escalation</li> <li>Mass Assignment: When Your ORM Becomes a Backdoor</li> <li>Excessive Data Exposure: The API That Says Too Much</li> <li>Rate Limiting and Resource Exhaustion Attacks</li> <li>GraphQL-Specific Attack Surfaces</li> <li>API Key Mismanagement: Credentials in the Open</li> <li>Webhook Abuse and Callback Forgery</li> <li>Shadow APIs and Zombie Endpoints: The Inventory Problem</li> <li>JWT and OAuth Misconfigurations in API Authentication</li> <li>Business Logic Vulnerabilities: What Scanners Will Never Find</li> <li>How Precogs.ai Approaches API Security Differently</li> <li>Conclusion: From Point-in-Time Testing to Continuous API Intelligence</li> </ol> <h2> 1. The API Explosion and Why It's a Security Disaster </h2> <p>The average enterprise runs over <strong>900 APIs</strong>. The median large organization has no complete inventory of them. Development teams ship new endpoints daily. Microservices spawn internal APIs that are never formally documented. Mobile applications call undocumented backend endpoints. Third-party integrations introduce API surfaces you didn't build and can't fully audit.</p> <p>This is not a technology problem. It is an organizational and architectural problem — and traditional security tooling was not designed for it.</p> <h3> 1.1 Why APIs Break Differently Than Web Apps </h3> <p>Classic web application vulnerabilities — XSS, CSRF, clickjacking — are largely browser-mediated. APIs communicate machine-to-machine. There's no browser enforcing same-origin policy, no CORS to misconfigure, no rendered DOM to inject into. The attack surface is entirely logical: access control, data filtering, rate limiting, authentication, and business logic.</p> <p>This means:</p> <ul> <li> <strong>Automated scanners find very little.</strong> A scanner that sends <code>&lt;script&gt;alert(1)&lt;/script&gt;</code> into a JSON API field will get a 400 and move on. The real vulnerabilities are in what the API <em>does</em> with valid, correctly-typed input.</li> <li> <strong>Pentesters must understand the application, not just the protocol.</strong> The most valuable API findings come from reading OpenAPI specs, reverse-engineering mobile apps, tracing authentication flows, and understanding the business domain.</li> <li> <strong>Defense requires behavioral intelligence, not just signature matching.</strong> An attacker making 10,000 sequential requests to <code>/api/users/{id}</code> looks like normal API traffic at the packet level. It requires semantic understanding to identify it as BOLA enumeration.</li> </ul> <h3> 1.2 The Business Impact Reality Check </h3> <p>Let's put numbers to this, because the case for investment is compelling:</p> <ul> <li>The average cost of an API-related data breach in 2025 was <strong>$4.8M</strong> — above the overall average breach cost</li> <li>Organizations that suffered an API breach took an average of <strong>287 days</strong> to identify and contain it</li> <li>In regulated industries (financial services, healthcare), API breaches carry additional regulatory exposure: GDPR fines, HIPAA penalties, PCI-DSS audit failures</li> <li>API downtime from DDoS or resource exhaustion attacks costs SaaS companies an average of <strong>$300K per hour</strong> in lost revenue and support costs</li> </ul> <p>These are not theoretical risks. They are line items that CFOs, boards, and regulators are increasingly asking about.</p> <h2> 2. BOLA / IDOR: Still the Highest-Impact API Vulnerability </h2> <p>Broken Object Level Authorization — BOLA, or IDOR (Insecure Direct Object Reference) in traditional web security parlance — is the <strong>#1 API vulnerability</strong> in the OWASP API Security Top 10, every edition since its publication. It is responsible for the majority of large-scale API data breaches. It is also the most consistently underestimated vulnerability in pentest scopes.</p> <h3> 2.1 The Anatomy of a BOLA Vulnerability </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">GET</span> <span class="nn">/api/v1/accounts/38291/transactions</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s">Bearer eyJhbGciOiJIUzI1NiJ9...</span> <span class="na">Host</span><span class="p">:</span> <span class="s">api.fintech-app.com</span> </code></pre> </div> <p>The application authenticates the user via the JWT. But does it check that account <code>38291</code> belongs to this user? If not, an attacker who changes <code>38291</code> to <code>38292</code>, <code>38293</code>, and so on can enumerate every account's transaction history.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># VULNERABLE: Authentication without authorization </span><span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/v1/accounts/&lt;int:account_id&gt;/transactions</span><span class="sh">'</span><span class="p">)</span> <span class="nd">@require_jwt</span> <span class="k">def</span> <span class="nf">get_transactions</span><span class="p">(</span><span class="n">account_id</span><span class="p">):</span> <span class="n">transactions</span> <span class="o">=</span> <span class="n">Transaction</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">filter_by</span><span class="p">(</span><span class="n">account_id</span><span class="o">=</span><span class="n">account_id</span><span class="p">).</span><span class="nf">all</span><span class="p">()</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">([</span><span class="n">t</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">()</span> <span class="k">for</span> <span class="n">t</span> <span class="ow">in</span> <span class="n">transactions</span><span class="p">])</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># SECURE: Authentication + object-level authorization </span><span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/v1/accounts/&lt;int:account_id&gt;/transactions</span><span class="sh">'</span><span class="p">)</span> <span class="nd">@require_jwt</span> <span class="k">def</span> <span class="nf">get_transactions</span><span class="p">(</span><span class="n">account_id</span><span class="p">):</span> <span class="c1"># Verify the authenticated user owns this account </span> <span class="n">account</span> <span class="o">=</span> <span class="n">Account</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">filter_by</span><span class="p">(</span> <span class="nb">id</span><span class="o">=</span><span class="n">account_id</span><span class="p">,</span> <span class="n">user_id</span><span class="o">=</span><span class="n">g</span><span class="p">.</span><span class="n">current_user</span><span class="p">.</span><span class="nb">id</span> <span class="c1"># Enforce ownership </span> <span class="p">).</span><span class="nf">first_or_404</span><span class="p">()</span> <span class="n">transactions</span> <span class="o">=</span> <span class="n">Transaction</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">filter_by</span><span class="p">(</span><span class="n">account_id</span><span class="o">=</span><span class="n">account</span><span class="p">.</span><span class="nb">id</span><span class="p">).</span><span class="nf">all</span><span class="p">()</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">([</span><span class="n">t</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">()</span> <span class="k">for</span> <span class="n">t</span> <span class="ow">in</span> <span class="n">transactions</span><span class="p">])</span> </code></pre> </div> <h3> 2.2 BOLA at Scale: The Enumeration Problem </h3> <p>The real damage from BOLA isn't typically one attacker manually changing IDs. It's automated enumeration — scripted iteration across ID ranges to harvest data at scale.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Attacker enumeration script (simplified for illustration) </span><span class="kn">import</span> <span class="n">httpx</span> <span class="kn">import</span> <span class="n">asyncio</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">enumerate_accounts</span><span class="p">(</span><span class="n">token</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">start</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">end</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="k">async</span> <span class="k">with</span> <span class="n">httpx</span><span class="p">.</span><span class="nc">AsyncClient</span><span class="p">()</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="n">tasks</span> <span class="o">=</span> <span class="p">[</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">https://api.target.com/accounts/</span><span class="si">{</span><span class="n">i</span><span class="si">}</span><span class="s">/transactions</span><span class="sh">"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Bearer </span><span class="si">{</span><span class="n">token</span><span class="si">}</span><span class="sh">"</span><span class="p">}</span> <span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">end</span><span class="p">)</span> <span class="p">]</span> <span class="n">responses</span> <span class="o">=</span> <span class="k">await</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">gather</span><span class="p">(</span><span class="o">*</span><span class="n">tasks</span><span class="p">,</span> <span class="n">return_exceptions</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">return</span> <span class="p">[</span> <span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="n">r</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">r</span> <span class="ow">in</span> <span class="nf">zip</span><span class="p">(</span><span class="nf">range</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">end</span><span class="p">),</span> <span class="n">responses</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="nb">Exception</span><span class="p">)</span> <span class="ow">and</span> <span class="n">r</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span> <span class="p">]</span> </code></pre> </div> <p>With sequential integer IDs, an attacker can harvest millions of records in hours. Even with UUIDs, if IDs are leaked through other endpoints (search results, notification payloads, audit logs), enumeration is still viable.</p> <h3> 2.3 Pentest Methodology for BOLA </h3> <p>When assessing an API for BOLA, the methodology should cover:</p> <ol> <li> <strong>Create two accounts</strong> (Account A and Account B). Collect all object IDs exposed to Account A. Attempt to access each using Account B's token.</li> <li> <strong>Test every HTTP verb</strong> — BOLA often exists on <code>GET</code> but is fixed, while <code>PUT</code>, <code>DELETE</code>, or <code>PATCH</code> on the same resource is still vulnerable.</li> <li> <strong>Check nested resources</strong> — <code>/api/orders/123/items/456</code> — authorization may be checked at the order level but not validated at the item level.</li> <li> <strong>Test unauthenticated access</strong> — some endpoints that should require auth don't. Try removing the <code>Authorization</code> header entirely.</li> <li> <strong>Test with an expired or revoked token</strong> — some implementations only check token signature, not revocation status.</li> </ol> <blockquote> <p><strong>Precogs.ai insight:</strong> During code-level analysis, Precogs.ai maps every API endpoint to its authorization implementation and flags endpoints where object retrieval queries are not scoped to the authenticated user's identity. This catches BOLA vulnerabilities in code review — before they ever reach a pentest scope.</p> </blockquote> <h2> 3. Broken Function-Level Authorization: The Vertical Escalation </h2> <p>Where BOLA is horizontal (user A accessing user B's data), Broken Function-Level Authorization (BFLA) is vertical — a regular user accessing functions reserved for admins.</p> <h3> 3.1 The Hidden Admin API </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Standard user flow — documented, tested, monitored </span><span class="nf">POST</span> <span class="nn">/api/v1/users/me/profile</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> # Admin endpoint — undocumented, untested, forgotten POST /api/v1/admin/users/38291/role HTTP/1.1 {"role": "admin"} </code></pre> </div> <p>Admin endpoints are frequently:</p> <ul> <li> <strong>Not documented</strong> in public API specs</li> <li> <strong>Not included</strong> in standard pentest scopes</li> <li> <strong>Inadequately protected</strong> because developers assume "nobody knows about this"</li> <li> <strong>Accessible</strong> using standard user tokens because the middleware assumes routing handles authorization </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// VULNERABLE: Authorization checked by route prefix only</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/v1/admin</span><span class="dl">'</span><span class="p">,</span> <span class="nx">requireAdmin</span><span class="p">);</span> <span class="c1">// Middleware on /admin routes</span> <span class="c1">// But this admin function is accidentally mounted at a non-admin path:</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/v1/users/:id/role</span><span class="dl">'</span><span class="p">,</span> <span class="nx">updateUserRole</span><span class="p">);</span> <span class="c1">// No admin check here</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// SECURE: Function-level authorization at the handler, not just the route</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/v1/users/:id/role</span><span class="dl">'</span><span class="p">,</span> <span class="nx">authenticate</span><span class="p">,</span> <span class="nf">requireRole</span><span class="p">(</span><span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">),</span> <span class="nx">updateUserRole</span><span class="p">);</span> </code></pre> </div> <h3> 3.2 Finding BFLA in Practice </h3> <p>The most reliable source of hidden admin API endpoints is the application itself:</p> <ul> <li> <strong>JavaScript bundle analysis</strong> — Webpack bundles often contain route definitions for the admin panel, even when the admin panel is a separate deployment</li> <li> <strong>Mobile app reverse engineering</strong> — APK decompilation (<code>jadx</code>, <code>apktool</code>) frequently reveals API endpoints not in any documentation</li> <li> <strong>OpenAPI/Swagger spec</strong> — even when "internal" endpoints are stripped, version history in git or cached specs often reveal them</li> <li> <strong>Error messages</strong> — a 403 is more informative than a 404; it tells you the endpoint exists</li> </ul> <h2> 4. Mass Assignment: When Your ORM Becomes a Backdoor </h2> <p>Mass assignment vulnerabilities occur when an API endpoint automatically binds request body fields to model properties without explicitly specifying which fields are allowed to be updated.</p> <h3> 4.1 The Classic Mass Assignment Attack </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Intended: User updates their display name</span> <span class="c1">// Request body: { "name": "John Doe" }</span> <span class="c1">// What the attacker sends: { "name": "John Doe", "role": "admin", "verified": true, "credits": 999999 }</span> <span class="nx">app</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/v1/users/me</span><span class="dl">'</span><span class="p">,</span> <span class="nx">authenticate</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// DANGEROUS: Spreads entire request body onto the user object</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findByIdAndUpdate</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// SECURE: Explicit allowlist of updatable fields</span> <span class="kd">const</span> <span class="nx">ALLOWED_USER_FIELDS</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">bio</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">avatar_url</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">timezone</span><span class="dl">'</span><span class="p">];</span> <span class="nx">app</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/v1/users/me</span><span class="dl">'</span><span class="p">,</span> <span class="nx">authenticate</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">updates</span> <span class="o">=</span> <span class="nf">pick</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">,</span> <span class="nx">ALLOWED_USER_FIELDS</span><span class="p">);</span> <span class="c1">// lodash pick</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findByIdAndUpdate</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">updates</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h3> 4.2 Mass Assignment in Mongoose </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// DANGEROUS: No schema-level protection</span> <span class="kd">const</span> <span class="nx">UserSchema</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">mongoose</span><span class="p">.</span><span class="nc">Schema</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">default</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span> <span class="p">},</span> <span class="c1">// Should never be user-settable</span> <span class="na">isVerified</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">Boolean</span><span class="p">,</span> <span class="na">default</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="c1">// Should never be user-settable</span> <span class="p">});</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// SAFER: Use select: false for sensitive fields + application-level allowlisting</span> <span class="kd">const</span> <span class="nx">UserSchema</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">mongoose</span><span class="p">.</span><span class="nc">Schema</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">default</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">,</span> <span class="na">select</span><span class="p">:</span> <span class="kc">false</span> <span class="p">},</span> <span class="na">isVerified</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">Boolean</span><span class="p">,</span> <span class="na">default</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">select</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h3> 4.3 Business Impact </h3> <p>Mass assignment vulnerabilities have led to some notable real-world incidents. GitHub had a mass assignment vulnerability in 2012 that allowed a researcher to add his SSH key to any repository — including the Rails repository itself. The attacker (a white-hat researcher) demonstrated the issue by pushing a commit. The business impact of a malicious exploitation would have been catastrophic: arbitrary code execution on any repository's CI/CD pipeline.</p> <p>In SaaS applications, mass assignment typically manifests as users elevating their own subscription tier, disabling billing, granting themselves admin roles, or accessing premium features without payment — direct revenue impact that is often difficult to detect without careful audit logging.</p> <h2> 5. Excessive Data Exposure: The API That Says Too Much </h2> <p>REST APIs frequently return far more data than the client needs, relying on the frontend to filter what's displayed. This is a pattern that's convenient for developers and catastrophic for security.</p> <h3> 5.1 The Over-Disclosure Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># DANGEROUS: Serializing the full model object </span><span class="k">class</span> <span class="nc">UserSerializer</span><span class="p">(</span><span class="n">ModelSerializer</span><span class="p">):</span> <span class="k">class</span> <span class="nc">Meta</span><span class="p">:</span> <span class="n">model</span> <span class="o">=</span> <span class="n">User</span> <span class="n">fields</span> <span class="o">=</span> <span class="sh">'</span><span class="s">__all__</span><span class="sh">'</span> <span class="c1"># Includes password_hash, ssn, internal_flags, admin_notes... </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># SECURE: Explicit field declaration per context </span><span class="k">class</span> <span class="nc">UserPublicSerializer</span><span class="p">(</span><span class="n">ModelSerializer</span><span class="p">):</span> <span class="k">class</span> <span class="nc">Meta</span><span class="p">:</span> <span class="n">model</span> <span class="o">=</span> <span class="n">User</span> <span class="n">fields</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">display_name</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">avatar_url</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">member_since</span><span class="sh">'</span><span class="p">]</span> <span class="k">class</span> <span class="nc">UserPrivateSerializer</span><span class="p">(</span><span class="n">ModelSerializer</span><span class="p">):</span> <span class="k">class</span> <span class="nc">Meta</span><span class="p">:</span> <span class="n">model</span> <span class="o">=</span> <span class="n">User</span> <span class="n">fields</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">display_name</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">avatar_url</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">member_since</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">preferences</span><span class="sh">'</span><span class="p">]</span> </code></pre> </div> <h3> 5.2 The Pentest Approach </h3> <p>When testing for excessive data exposure, go beyond looking at the response fields the UI displays. Look at the <em>raw API response</em>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Compare what the UI shows vs. what the API returns</span> curl <span class="nt">-s</span> https://api.target.com/v1/users/me <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> | jq <span class="nb">.</span> </code></pre> </div> <p>Common over-exposed fields found in real engagements:</p> <ul> <li>Internal database IDs and foreign key relationships (enabling enumeration)</li> <li>Password hashes (even bcrypt hashes enable offline cracking)</li> <li>Social Security Numbers, date of birth, full credit card details</li> <li>Internal admin flags (<code>is_beta_tester</code>, <code>is_flagged_for_fraud</code>, <code>internal_notes</code>)</li> <li>Other users' data embedded in aggregated responses</li> <li>Infrastructure details (server hostnames, internal IP addresses, stack traces) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">Real-world</span><span class="w"> </span><span class="err">style</span><span class="w"> </span><span class="err">over-exposure</span><span class="w"> </span><span class="err">example</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"usr_38291"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Jane Smith"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"jane@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"password_hash"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"ssn_last4"</span><span class="p">:</span><span class="w"> </span><span class="s2">"4821"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ssn_full"</span><span class="p">:</span><span class="w"> </span><span class="s2">"XXX-XX-4821"</span><span class="p">,</span><span class="w"> </span><span class="nl">"internal_fraud_score"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.12</span><span class="p">,</span><span class="w"> </span><span class="nl">"is_on_watchlist"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"stripe_customer_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cus_NffrFeUfNV2Hib"</span><span class="p">,</span><span class="w"> </span><span class="nl">"admin_notes"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Requested account review 2024-11-03"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <blockquote> <p><strong>Precogs.ai insight:</strong> Our platform performs response schema analysis against OpenAPI specifications and actual runtime behavior, flagging endpoints where response payloads contain fields that are not declared in the spec, exceed the data classification level appropriate for the endpoint's access control scope, or include fields matching patterns for sensitive data (hashes, government IDs, payment data).</p> </blockquote> <h2> 6. Rate Limiting and Resource Exhaustion Attacks </h2> <p>APIs that lack proper rate limiting are vulnerable to a range of attacks — from brute force credential attacks to application-layer DDoS to enumeration at scale.</p> <h3> 6.1 Credential Stuffing via Unenforced Rate Limits </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">POST</span> <span class="nn">/api/v1/auth/login</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">application/json</span> <span class="p">{</span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"victim@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"password"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Password123"</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>With no rate limiting, an attacker can attempt millions of credential combinations. The 2024 Snowflake customer breach — affecting Ticketmaster, Santander, and others — was facilitated partly by credential stuffing against APIs with insufficient rate limiting.</p> <p>Effective rate limiting must be:</p> <ul> <li> <strong>IP-based</strong> — but aware that attackers use residential proxy networks with millions of IPs</li> <li> <strong>Account-based</strong> — lock or throttle the account after N failures, regardless of source IP</li> <li> <strong>Action-based</strong> — different limits for login (strict) vs. read operations (lenient)</li> <li> <strong>Globally consistent</strong> — enforced at the API gateway level, not per-instance, to prevent bypass by targeting specific backend nodes </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Redis-based sliding window rate limiter </span><span class="kn">import</span> <span class="n">redis</span> <span class="kn">import</span> <span class="n">time</span> <span class="n">r</span> <span class="o">=</span> <span class="n">redis</span><span class="p">.</span><span class="nc">Redis</span><span class="p">()</span> <span class="k">def</span> <span class="nf">check_rate_limit</span><span class="p">(</span><span class="n">identifier</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">limit</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">window</span><span class="p">:</span> <span class="nb">int</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Sliding window rate limiter. identifier: e.g. f</span><span class="sh">"</span><span class="s">login:{ip}</span><span class="sh">"</span><span class="s"> or f</span><span class="sh">"</span><span class="s">login:account:{email}</span><span class="sh">"</span><span class="s"> limit: max requests per window window: window size in seconds </span><span class="sh">"""</span> <span class="n">now</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="n">key</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">ratelimit:</span><span class="si">{</span><span class="n">identifier</span><span class="si">}</span><span class="sh">"</span> <span class="n">pipe</span> <span class="o">=</span> <span class="n">r</span><span class="p">.</span><span class="nf">pipeline</span><span class="p">()</span> <span class="n">pipe</span><span class="p">.</span><span class="nf">zremrangebyscore</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">now</span> <span class="o">-</span> <span class="n">window</span><span class="p">)</span> <span class="c1"># Remove old entries </span> <span class="n">pipe</span><span class="p">.</span><span class="nf">zadd</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="p">{</span><span class="nf">str</span><span class="p">(</span><span class="n">now</span><span class="p">):</span> <span class="n">now</span><span class="p">})</span> <span class="c1"># Add current request </span> <span class="n">pipe</span><span class="p">.</span><span class="nf">zcard</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="c1"># Count requests in window </span> <span class="n">pipe</span><span class="p">.</span><span class="nf">expire</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">window</span><span class="p">)</span> <span class="c1"># Set TTL </span> <span class="n">results</span> <span class="o">=</span> <span class="n">pipe</span><span class="p">.</span><span class="nf">execute</span><span class="p">()</span> <span class="k">return</span> <span class="n">results</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">&lt;=</span> <span class="n">limit</span> <span class="c1"># True if within limit </span></code></pre> </div> <h3> 6.2 The SMS/OTP Enumeration Attack </h3> <p>A subtle resource exhaustion attack targets APIs that send SMS OTP codes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">POST</span> <span class="nn">/api/v1/auth/send-otp</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">{"phone"</span><span class="p">:</span> <span class="s">"+1-555-000-0001"}</span> POST /api/v1/auth/send-otp HTTP/1.1 {"phone": "+1-555-000-0002"} # Repeated 100,000 times </code></pre> </div> <p>Without rate limiting on OTP send endpoints, an attacker can exhaust your SMS budget, deliver unwanted messages to end users, and potentially use your API as a spam platform. At $0.0075 per SMS, 100,000 requests costs $750 — and that's before considering the reputational damage.</p> <h2> 7. GraphQL-Specific Attack Surfaces </h2> <p>GraphQL has become the API technology of choice for complex frontend applications. Its flexibility — allowing clients to request exactly the data they need — introduces a unique set of security challenges that most teams are not adequately testing for.</p> <h3> 7.1 Introspection: The Gift to Attackers </h3> <p>By default, GraphQL endpoints expose a full schema via introspection queries. An attacker can map your entire data model, all available queries and mutations, all types and their fields — in a single request.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="c"># Attacker's first move against any GraphQL endpoint</span><span class="w"> </span><span class="k">query</span><span class="w"> </span><span class="n">IntrospectionQuery</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">__schema</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">queryType</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="n">mutationType</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="n">types</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">fields</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">kind</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="n">args</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This is legitimate functionality — but it should be disabled in production and restricted to internal tooling.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Disable introspection in production (Apollo Server)</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ApolloServer</span><span class="p">({</span> <span class="nx">typeDefs</span><span class="p">,</span> <span class="nx">resolvers</span><span class="p">,</span> <span class="na">introspection</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h3> 7.2 Query Depth and Complexity Attacks </h3> <p>GraphQL's nested query capability enables a specific DoS attack — the deeply nested query:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="c"># Attacker query designed to cause exponential resolver execution</span><span class="w"> </span><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">friends</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">friends</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">friends</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">friends</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">friends</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">friends</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Each level of nesting multiplies resolver calls. A depth-10 query against a social graph resolver can trigger millions of database calls from a single HTTP request.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Protect with query depth limiting and complexity analysis</span> <span class="k">import</span> <span class="nx">depthLimit</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">graphql-depth-limit</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createComplexityLimitRule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">graphql-validation-complexity</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ApolloServer</span><span class="p">({</span> <span class="nx">typeDefs</span><span class="p">,</span> <span class="nx">resolvers</span><span class="p">,</span> <span class="na">validationRules</span><span class="p">:</span> <span class="p">[</span> <span class="nf">depthLimit</span><span class="p">(</span><span class="mi">5</span><span class="p">),</span> <span class="c1">// Max query depth</span> <span class="nf">createComplexityLimitRule</span><span class="p">(</span><span class="mi">1000</span><span class="p">),</span> <span class="c1">// Max complexity score</span> <span class="p">]</span> <span class="p">});</span> </code></pre> </div> <h3> 7.3 Batching Attacks </h3> <p>GraphQL's batching feature — allowing multiple operations in a single request — can be abused to bypass rate limiting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">Single</span><span class="w"> </span><span class="err">HTTP</span><span class="w"> </span><span class="err">request,</span><span class="w"> </span><span class="mi">500</span><span class="w"> </span><span class="err">login</span><span class="w"> </span><span class="err">attempts</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="nl">"query"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mutation { login(email: </span><span class="se">\"</span><span class="s2">victim@example.com</span><span class="se">\"</span><span class="s2">, password: </span><span class="se">\"</span><span class="s2">Password1</span><span class="se">\"</span><span class="s2">) { token } }"</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"query"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mutation { login(email: </span><span class="se">\"</span><span class="s2">victim@example.com</span><span class="se">\"</span><span class="s2">, password: </span><span class="se">\"</span><span class="s2">Password2</span><span class="se">\"</span><span class="s2">) { token } }"</span><span class="p">},</span><span class="w"> </span><span class="err">...</span><span class="mi">500</span><span class="w"> </span><span class="err">operations...</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <p>Rate limiters that count HTTP requests will see one request. The application processes 500 login attempts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Disable or limit batching</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ApolloServer</span><span class="p">({</span> <span class="nx">typeDefs</span><span class="p">,</span> <span class="nx">resolvers</span><span class="p">,</span> <span class="na">plugins</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">requestDidStart</span><span class="p">:</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">didResolveOperation</span><span class="p">:</span> <span class="k">async </span><span class="p">({</span> <span class="nx">request</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nb">Array</span><span class="p">.</span><span class="nf">isArray</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">body</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nx">request</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">10</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Batch size exceeds limit</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> <span class="p">]</span> <span class="p">});</span> </code></pre> </div> <h2> 8. API Key Mismanagement: Credentials in the Open </h2> <p>API keys are the authentication mechanism for machine-to-machine communication. They are also consistently mishandled — hardcoded into source code, committed to repositories, embedded in mobile apps, logged in plain text, and exposed in JavaScript bundles.</p> <h3> 8.1 The GitHub Secret Scanning Problem </h3> <p>Studies consistently find that tens of thousands of API keys are committed to public GitHub repositories daily. The window between commit and exploitation is often <strong>under 4 minutes</strong> — automated bots scan GitHub's public event stream in real time.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># DANGEROUS: Hardcoded credentials </span><span class="n">STRIPE_SECRET_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">sk_live_4eC39HqLyjWDarjtT1zdp7dc</span><span class="sh">"</span> <span class="n">OPENAI_API_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">sk-proj-aBcDeFgHiJkLmNoPqRsTuVwXyZ</span><span class="sh">"</span> <span class="n">DATABASE_URL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">postgresql://admin:SuperSecret123@prod-db.internal:5432/app</span><span class="sh">"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># SAFE: Environment variable injection </span><span class="kn">import</span> <span class="n">os</span> <span class="n">STRIPE_SECRET_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">STRIPE_SECRET_KEY</span><span class="sh">"</span><span class="p">]</span> <span class="n">OPENAI_API_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">OPENAI_API_KEY</span><span class="sh">"</span><span class="p">]</span> <span class="n">DATABASE_URL</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">DATABASE_URL</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <h3> 8.2 API Keys in Mobile Applications </h3> <p>Mobile applications frequently contain embedded API keys that are extractable through static analysis:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Extract strings from Android APK</span> apktool d target-app.apk <span class="nt">-o</span> decompiled/ <span class="nb">grep</span> <span class="nt">-r</span> <span class="s2">"api_key</span><span class="se">\|</span><span class="s2">apiKey</span><span class="se">\|</span><span class="s2">API_KEY</span><span class="se">\|</span><span class="s2">Bearer</span><span class="se">\|</span><span class="s2">sk_live</span><span class="se">\|</span><span class="s2">AKIA"</span> decompiled/ <span class="c"># For iOS IPA files</span> unzip target-app.ipa <span class="nt">-d</span> extracted/ strings extracted/Payload/TargetApp.app/TargetApp | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"(sk_|pk_|AKIA|Bearer)"</span> </code></pre> </div> <p>Keys found through mobile reverse engineering should be treated as fully compromised — they are accessible to any user who downloads the application.</p> <h3> 8.3 The Principle of Least Privilege for API Keys </h3> <p>Even when keys are properly secured, they often have excessive permissions. An API key used for a read-only analytics integration should not have write access to your database. A webhook verification key should not double as your admin API key.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Key rotation and scoping best practices # 1. Separate keys per integration </span><span class="n">ANALYTICS_READ_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">ANALYTICS_READ_KEY</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Read-only scope </span><span class="n">PAYMENT_WRITE_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">PAYMENT_WRITE_KEY</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Payment scope only </span><span class="n">ADMIN_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">ADMIN_KEY</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Admin scope, stored in HSM </span> <span class="c1"># 2. Implement key rotation </span><span class="k">def</span> <span class="nf">rotate_api_key</span><span class="p">(</span><span class="n">key_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="n">new_key</span> <span class="o">=</span> <span class="n">secrets</span><span class="p">.</span><span class="nf">token_urlsafe</span><span class="p">(</span><span class="mi">32</span><span class="p">)</span> <span class="c1"># Atomically update key with overlap window for zero-downtime rotation </span> <span class="nf">store_key_with_overlap</span><span class="p">(</span><span class="n">key_id</span><span class="p">,</span> <span class="n">new_key</span><span class="p">,</span> <span class="n">overlap_seconds</span><span class="o">=</span><span class="mi">300</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">key_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">key_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">new_key</span><span class="sh">"</span><span class="p">:</span> <span class="n">new_key</span><span class="p">,</span> <span class="sh">"</span><span class="s">rotation_time</span><span class="sh">"</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()}</span> </code></pre> </div> <h2> 9. Webhook Abuse and Callback Forgery </h2> <p>Webhooks — HTTP callbacks that notify your system of events in third-party platforms — introduce a reverse API attack surface. Your application is now receiving and trusting HTTP requests from external sources.</p> <h3> 9.1 The Unverified Webhook Problem </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># DANGEROUS: Processing webhook payload without signature verification </span><span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/webhooks/payment</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">handle_payment_webhook</span><span class="p">():</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">json</span> <span class="k">if</span> <span class="n">payload</span><span class="p">[</span><span class="sh">'</span><span class="s">event</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">payment.completed</span><span class="sh">'</span><span class="p">:</span> <span class="c1"># Attacker sends fake payment.completed event and gets goods for free </span> <span class="n">order</span> <span class="o">=</span> <span class="n">Order</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">payload</span><span class="p">[</span><span class="sh">'</span><span class="s">order_id</span><span class="sh">'</span><span class="p">])</span> <span class="n">order</span><span class="p">.</span><span class="n">status</span> <span class="o">=</span> <span class="sh">'</span><span class="s">paid</span><span class="sh">'</span> <span class="n">db</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="nf">fulfill_order</span><span class="p">(</span><span class="n">order</span><span class="p">)</span> <span class="k">return</span> <span class="sh">''</span><span class="p">,</span> <span class="mi">200</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># SAFE: Verify webhook signature using HMAC </span><span class="kn">import</span> <span class="n">hmac</span> <span class="kn">import</span> <span class="n">hashlib</span> <span class="n">WEBHOOK_SECRET</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">PAYMENT_WEBHOOK_SECRET</span><span class="sh">"</span><span class="p">]</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/webhooks/payment</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">handle_payment_webhook</span><span class="p">():</span> <span class="n">signature</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">X-Signature-256</span><span class="sh">'</span><span class="p">)</span> <span class="n">raw_body</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">get_data</span><span class="p">()</span> <span class="n">expected</span> <span class="o">=</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span> <span class="n">WEBHOOK_SECRET</span><span class="p">.</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">raw_body</span><span class="p">,</span> <span class="n">hashlib</span><span class="p">.</span><span class="n">sha256</span> <span class="p">).</span><span class="nf">hexdigest</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">compare_digest</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">sha256=</span><span class="si">{</span><span class="n">expected</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">signature</span><span class="p">):</span> <span class="k">return</span> <span class="sh">''</span><span class="p">,</span> <span class="mi">401</span> <span class="c1"># Reject unverified webhooks </span> <span class="n">payload</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">json</span> <span class="c1"># Now safe to process... </span></code></pre> </div> <h3> 9.2 Replay Attacks on Webhooks </h3> <p>Even with signature verification, an attacker who intercepts a valid signed webhook can replay it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># SAFE: Include timestamp in signature verification to prevent replay attacks </span><span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/webhooks/payment</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">handle_payment_webhook</span><span class="p">():</span> <span class="n">timestamp</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">X-Timestamp</span><span class="sh">'</span><span class="p">)</span> <span class="n">signature</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">X-Signature-256</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Reject webhooks older than 5 minutes </span> <span class="k">if</span> <span class="nf">abs</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="nf">int</span><span class="p">(</span><span class="n">timestamp</span><span class="p">))</span> <span class="o">&gt;</span> <span class="mi">300</span><span class="p">:</span> <span class="k">return</span> <span class="sh">''</span><span class="p">,</span> <span class="mi">400</span> <span class="c1"># Include timestamp in signature computation (as the provider should) </span> <span class="n">signed_payload</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">timestamp</span><span class="si">}</span><span class="s">.</span><span class="si">{</span><span class="n">request</span><span class="p">.</span><span class="nf">get_data</span><span class="p">(</span><span class="n">as_text</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span> <span class="n">expected</span> <span class="o">=</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">WEBHOOK_SECRET</span><span class="p">.</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">signed_payload</span><span class="p">.</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">hashlib</span><span class="p">.</span><span class="n">sha256</span><span class="p">).</span><span class="nf">hexdigest</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">compare_digest</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">sha256=</span><span class="si">{</span><span class="n">expected</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">signature</span><span class="p">):</span> <span class="k">return</span> <span class="sh">''</span><span class="p">,</span> <span class="mi">401</span> </code></pre> </div> <h2> 10. Shadow APIs and Zombie Endpoints: The Inventory Problem </h2> <p>One of the most underappreciated challenges in API security is the inventory problem: you cannot secure what you don't know exists.</p> <h3> 10.1 What Are Shadow and Zombie APIs? </h3> <ul> <li> <strong>Shadow APIs</strong>: Endpoints that exist in production but are not documented, not in any API gateway inventory, and not monitored. Often created during rapid development cycles, testing, or by developers who bypassed the standard deployment process.</li> <li> <strong>Zombie APIs</strong>: Endpoints that were once official but are no longer maintained — deprecated versions, legacy integrations, removed features whose backend routes were never deleted.</li> </ul> <p>Both categories share a critical characteristic: <strong>they receive no security attention</strong>. They are not updated with security patches. They are not covered by WAF rules. They are not monitored for anomalous traffic. And they often run older, more vulnerable code.</p> <h3> 10.2 Finding Shadow APIs in Pentests </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Enumerate from JavaScript bundles</span> curl <span class="nt">-s</span> https://target.com | <span class="nb">grep</span> <span class="nt">-oE</span> <span class="s1">'"/api/[^"]*"'</span> | <span class="nb">sort</span> <span class="nt">-u</span> <span class="c"># 2. Extract from mobile app traffic (proxy all app traffic through Burp)</span> <span class="c"># Review Burp target tree for all observed API paths</span> <span class="c"># 3. Wordlist-based discovery</span> ffuf <span class="nt">-u</span> https://api.target.com/FUZZ <span class="se">\</span> <span class="nt">-w</span> /wordlists/api-endpoints.txt <span class="se">\</span> <span class="nt">-mc</span> 200,201,401,403 <span class="se">\ </span> <span class="c"># Include auth-protected responses</span> <span class="nt">-recursion</span> <span class="se">\</span> <span class="nt">-recursion-depth</span> 3 <span class="c"># 4. Check common versioning patterns</span> <span class="k">for </span>version <span class="k">in </span>v1 v2 v3 v4 beta internal admin legacy<span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}"</span> <span class="se">\</span> <span class="s2">"https://api.target.com/</span><span class="nv">$version</span><span class="s2">/users"</span> <span class="k">done</span> </code></pre> </div> <h3> 10.3 The Business Impact of Shadow APIs </h3> <p>In a 2024 red team engagement documented by the Precogs.ai research team, a shadow API endpoint — a <code>/api/internal/export</code> route left over from a data migration 18 months prior — was found to accept unauthenticated requests and return a full database export in CSV format. The endpoint had never been documented, never appeared in any security scan, and had no authentication because it was originally designed for internal one-time use.</p> <p>The data exported included 2.3 million user records with PII. The client had no knowledge this endpoint existed until the engagement.</p> <blockquote> <p><strong>Precogs.ai performs continuous API discovery</strong> — analyzing your codebase, API gateway configurations, and traffic patterns to build a comprehensive, continuously updated inventory of every API endpoint your applications expose. Shadow and zombie endpoints are surfaced automatically, compared against your documented API spec, and flagged for review.</p> </blockquote> <h2> 11. JWT and OAuth Misconfigurations in API Authentication </h2> <p>Authentication is the front door of your API. The most sophisticated BOLA finding is irrelevant if an attacker can forge authentication tokens. JWT and OAuth — the dominant standards for API authentication — have well-documented implementation pitfalls that continue to appear in production systems.</p> <h3> 11.1 The <code>none</code> Algorithm Attack </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># A JWT with alg: none — no signature required </span><span class="kn">import</span> <span class="n">base64</span><span class="p">,</span> <span class="n">json</span> <span class="n">header</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">urlsafe_b64encode</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">alg</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">none</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">typ</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">JWT</span><span class="sh">"</span><span class="p">}).</span><span class="nf">encode</span><span class="p">()).</span><span class="nf">rstrip</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">urlsafe_b64encode</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">}).</span><span class="nf">encode</span><span class="p">()).</span><span class="nf">rstrip</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">)</span> <span class="n">token</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">header</span><span class="p">.</span><span class="nf">decode</span><span class="p">()</span><span class="si">}</span><span class="s">.</span><span class="si">{</span><span class="n">payload</span><span class="p">.</span><span class="nf">decode</span><span class="p">()</span><span class="si">}</span><span class="s">.</span><span class="sh">"</span> <span class="c1"># Empty signature </span> <span class="c1"># If the server accepts this, authentication is completely broken </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># SECURE: Strict algorithm allowlisting in JWT verification </span><span class="kn">import</span> <span class="n">jwt</span> <span class="k">def</span> <span class="nf">verify_token</span><span class="p">(</span><span class="n">token</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="k">return</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span> <span class="n">token</span><span class="p">,</span> <span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">],</span> <span class="c1"># NEVER include "none" </span> <span class="n">options</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">require</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">exp</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">iat</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">]}</span> <span class="p">)</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">ExpiredSignatureError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">AuthenticationError</span><span class="p">(</span><span class="sh">"</span><span class="s">Token expired</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">InvalidTokenError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">AuthenticationError</span><span class="p">(</span><span class="sh">"</span><span class="s">Invalid token</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> 11.2 OAuth Authorization Code Interception </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># OAuth flow with a redirect_uri vulnerability # Legitimate flow: GET /oauth/authorize?client_id=app&amp;redirect_uri=https://app.example.com/callback&amp;state=random # Attacker registers redirect_uri=https://evil.com/callback or exploits open redirect: GET /oauth/authorize?client_id=app&amp;redirect_uri=https://app.example.com/redirect?url=https://evil.com&amp;state=attacker # Authorization code is delivered to attacker's server → token theft </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># SECURE: Strict redirect_uri validation </span><span class="n">ALLOWED_REDIRECT_URIS</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">app_client_id</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">https://app.example.com/oauth/callback</span><span class="sh">"</span><span class="p">]</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">validate_redirect_uri</span><span class="p">(</span><span class="n">client_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">redirect_uri</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">allowed</span> <span class="o">=</span> <span class="n">ALLOWED_REDIRECT_URIS</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">client_id</span><span class="p">,</span> <span class="p">[])</span> <span class="k">return</span> <span class="n">redirect_uri</span> <span class="ow">in</span> <span class="n">allowed</span> <span class="c1"># Exact match only, no prefix matching </span></code></pre> </div> <h3> 11.3 Token Scope Escalation </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Requesting a token with minimal scope POST /oauth/token grant_type=client_credentials&amp;scope=read:users # Using that token to call endpoints requiring broader scope DELETE /api/v1/users/38291 Authorization: Bearer &lt;token_with_read_scope&gt; </span></code></pre> </div> <p>If scope enforcement is not implemented at the endpoint level — only at token issuance — an attacker can use a limited-scope token to perform privileged operations.</p> <h2> 12. Business Logic Vulnerabilities: What Scanners Will Never Find </h2> <p>Business logic vulnerabilities are the highest-value findings in API security engagements. They cannot be found by automated scanners. They require understanding the application's domain, intended behavior, and the gap between what the API allows and what it should allow.</p> <h3> 12.1 Price Manipulation via API Parameter Tampering </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Legitimate checkout API call </span><span class="nf">POST</span> <span class="nn">/api/v1/checkout</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="s">{</span> <span class="s"> "items": [{"product_id": "prod_abc", "quantity": 2}],</span> <span class="s"> "coupon": "SAVE10"</span> <span class="s">}</span> # Attacker's manipulated call POST /api/v1/checkout HTTP/1.1 { "items": [{"product_id": "prod_abc", "quantity": 2, "unit_price": 0.01}], "discount_percentage": 99.9, "coupon": "SAVE10" } </code></pre> </div> <p>If the server accepts client-supplied pricing parameters instead of looking them up from a trusted source, an attacker can purchase items for near-zero cost.</p> <h3> 12.2 Workflow State Bypass </h3> <p>Many APIs implement multi-step workflows — checkout flows, KYC verification, onboarding sequences. Business logic vulnerabilities arise when steps can be skipped by calling later-stage API endpoints directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Intended flow: Step 1 → Step 2 → Step 3 → Complete # Attacker skips to Step 3 directly: POST /api/v1/kyc/complete Authorization: Bearer &lt;token_that_never_completed_step1_or_step2&gt; {"status": "verified"} </span></code></pre> </div> <h3> 12.3 The Pentest Mindset for Business Logic </h3> <p>Finding business logic vulnerabilities requires a methodology that goes beyond request fuzzing:</p> <ol> <li> <strong>Map the complete intended user journey</strong> — every step, every transition, every terminal state</li> <li> <strong>For each step, ask</strong>: what happens if I call the <em>next</em> endpoint without completing this one?</li> <li> <strong>Identify trust boundaries</strong>: which values come from the client? Which from the server? Which should <em>only</em> come from the server?</li> <li> <strong>Test negative quantities, zero values, and boundary conditions</strong> on every numeric parameter</li> <li> <strong>Test concurrent requests</strong> on stateful operations — race conditions are a class of business logic vulnerability</li> <li> <strong>Think like a motivated adversary</strong> with a financial incentive — what's the direct profit model for exploiting this?</li> </ol> <blockquote> <p><strong><a href="https://precogs.ai" rel="noopener noreferrer">Precogs.ai</a> combines code-level analysis with API behavioral modeling</strong> to identify business logic vulnerabilities at the implementation level — tracing state machine transitions, identifying endpoints that accept client-supplied values that should be server-authoritative, and flagging missing state validation in workflow APIs.</p> </blockquote> <h2> 13. How Precogs.ai Approaches API Security Differently </h2> <p>Security engineers and pentesters understand the difference between running a scanner and actually assessing security. A scanner finds known patterns. A skilled assessor finds intent — gaps between what the system does and what it should do. <strong><a href="https://precogs.ai" rel="noopener noreferrer">Precogs.ai</a></strong> is built with that distinction at its core.</p> <h3> 13.1 API-First Code Analysis </h3> <p>Precogs.ai parses your codebase to construct a complete API model: every endpoint, its HTTP method, its path parameters, query parameters, request body schema, authentication requirements, and authorization logic. This model is then analyzed for:</p> <ul> <li> <strong>Missing authentication</strong> — endpoints reachable without a valid token</li> <li> <strong>Missing authorization</strong> — authenticated endpoints without object-level ownership checks (BOLA)</li> <li> <strong>Inconsistent authorization</strong> — endpoints where authorization is applied on some HTTP verbs but not others</li> <li> <strong>Schema trust violations</strong> — fields that should be server-authoritative but are accepted from client input (mass assignment, price manipulation)</li> <li> <strong>Excessive response fields</strong> — response serializers that include fields exceeding the declared data classification for the endpoint</li> </ul> <h3> 13.2 OpenAPI Spec Drift Detection </h3> <p>Your OpenAPI specification is a contract. Precogs.ai continuously compares your spec against your actual implementation and flags drift — endpoints that exist in code but not in the spec (shadow APIs), endpoints in the spec that no longer exist in code (zombie spec entries), and parameter schemas that don't match implementation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Your OpenAPI spec says:</span> <span class="na">paths</span><span class="pi">:</span> <span class="s">/users/{id}</span><span class="err">:</span> <span class="na">get</span><span class="pi">:</span> <span class="na">security</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">bearerAuth</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">parameters</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">id</span> <span class="na">in</span><span class="pi">:</span> <span class="s">path</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">schema</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">format</span><span class="pi">:</span> <span class="s">uuid</span> <span class="c1"># Precogs.ai finds in your codebase:</span> <span class="c1"># - /users/{id} also responds to DELETE without any security scheme</span> <span class="c1"># - /api/internal/users/{id} exists in code but is absent from the spec entirely</span> </code></pre> </div> <h3> 13.3 Continuous Runtime API Monitoring </h3> <p>Beyond code analysis, Precogs.ai integrates with your API gateway or service mesh to analyze production traffic patterns — identifying:</p> <ul> <li> <strong>Enumeration attempts</strong>: Sequential access to object IDs at abnormal rates</li> <li> <strong>Abnormal parameter combinations</strong>: Requests with unusual field combinations that may indicate probing</li> <li> <strong>Scope escalation patterns</strong>: Tokens being used to call endpoints outside their declared scope</li> <li> <strong>Schema anomalies</strong>: Request bodies that include undeclared fields (mass assignment attempts)</li> <li> <strong>Baseline deviation</strong>: Significant increases in error rates, response sizes, or request frequencies per endpoint</li> </ul> <h3> 13.4 Pentest Augmentation </h3> <p>For security engineers and pentesters, Precogs.ai serves as a <strong>force multiplier</strong>:</p> <ul> <li> <strong>Pre-engagement:</strong> Run a Precogs.ai scan to get a prioritized map of the highest-risk endpoints before opening Burp Suite. Stop wasting engagement time on endpoints that are provably safe.</li> <li> <strong>During engagement:</strong> Cross-reference your findings with Precogs.ai's code-level analysis to understand <em>why</em> a vulnerability exists — not just <em>that</em> it does. This dramatically improves remediation guidance quality.</li> <li> <strong>Post-engagement:</strong> Use Precogs.ai's continuous monitoring to verify that findings are remediated and stay remediated across future deployments.</li> </ul> <h2> 14. Conclusion: From Point-in-Time Testing to Continuous API Intelligence </h2> <p>The annual penetration test is not a security strategy. It is a snapshot. A 5-day engagement against an application that ships 50 PRs per week will miss the vulnerability introduced on Day 6 of the sprint after the pentesters went home.</p> <p>The organizations that are winning the API security battle are not the ones doing more penetration tests. They are the ones that have made security a <strong>continuous, measurable property of their API development process</strong> — built into the PR review cycle, enforced by automated analysis, and monitored in real-time in production.</p> <p><strong><a href="https://precogs.ai" rel="noopener noreferrer">Precogs.ai</a></strong> is the platform that makes this possible. Built by security engineers for security engineers. Designed to augment — not replace — the human expertise that finds the vulnerabilities that matter. And purpose-built to operate at the velocity of modern software development.</p> <p>The attack surface is growing every day. The question is whether your visibility is growing with it.</p> <h3> Ready to Map Your API Attack Surface? </h3> <p><a href="https://precogs.ai" rel="noopener noreferrer"><strong>Request a demo at precogs.ai →</strong></a></p> <p>Precogs.ai integrates with GitHub, GitLab, Bitbucket, AWS API Gateway, Kong, and major API frameworks. Upload your OpenAPI spec and get a full BOLA/BFLA risk assessment in under 10 minutes.</p> <p><em>© 2026 Precogs.ai — AI-Native Application Security. All rights reserved.</em></p> <p><em>All attack techniques described in this article are presented for educational and defensive purposes. Always obtain explicit written authorization before testing any system you do not own.</em></p> apisecurity owasp devsecops ai Natasha Joshi Fri, 10 Apr 2026 07:31:18 +0000 https://dev.to/precogs_ai/api-security-in-2026-the-attack-surface-your-pentest-is-probably-missing-1dd2 https://dev.to/precogs_ai/api-security-in-2026-the-attack-surface-your-pentest-is-probably-missing-1dd2 <p><em>By the Security Research Team at <a href="https://precogs.ai" rel="noopener noreferrer">Precogs.ai</a> — Published March 2026</em></p> <blockquote> <p><em>"APIs are the new perimeter. Except unlike the old perimeter, most organizations have no idea how many they're running, who's calling them, or what data they're exposing."</em><br> — Red Team Lead, Fortune 100 Financial Institution</p> </blockquote> <p>The attack surface has shifted. Dramatically. In 2026, API traffic accounts for the majority of all internet communication — and it is the primary vector for data breaches across every sector. Not phishing. Not ransomware. APIs.</p> <p>The Optus breach: API. The Twitter 5.4 million user scrape: API. The Peloton user exposure: API. The T-Mobile 37 million record exfiltration: API. Each of these was not a sophisticated nation-state operation. Each was an attacker who found an API endpoint, understood what it did, and exploited a logic flaw or access control gap that no traditional scanner would have caught.</p> <p>This is the blog for the people who find those flaws — <strong>security engineers and penetration testers</strong> — and for the engineering leaders who are starting to realize that their API security posture is not where it needs to be.</p> <p>We're going to go deep. Real attack techniques, real payloads, real business impact numbers. And we're going to show you how <strong><a href="https://precogs.ai" rel="noopener noreferrer">Precogs.ai</a></strong> is changing what it means to secure an API — not just for the point-in-time pentest engagement, but as a continuous, intelligent property of your production environment.</p> <h2> Table of Contents </h2> <ol> <li>The API Explosion and Why It's a Security Disaster</li> <li>BOLA / IDOR: Still the Highest-Impact API Vulnerability</li> <li>Broken Function-Level Authorization: The Vertical Escalation</li> <li>Mass Assignment: When Your ORM Becomes a Backdoor</li> <li>Excessive Data Exposure: The API That Says Too Much</li> <li>Rate Limiting and Resource Exhaustion Attacks</li> <li>GraphQL-Specific Attack Surfaces</li> <li>API Key Mismanagement: Credentials in the Open</li> <li>Webhook Abuse and Callback Forgery</li> <li>Shadow APIs and Zombie Endpoints: The Inventory Problem</li> <li>JWT and OAuth Misconfigurations in API Authentication</li> <li>Business Logic Vulnerabilities: What Scanners Will Never Find</li> <li>How Precogs.ai Approaches API Security Differently</li> <li>Conclusion: From Point-in-Time Testing to Continuous API Intelligence</li> </ol> <h2> 1. The API Explosion and Why It's a Security Disaster </h2> <p>The average enterprise runs over <strong>900 APIs</strong>. The median large organization has no complete inventory of them. Development teams ship new endpoints daily. Microservices spawn internal APIs that are never formally documented. Mobile applications call undocumented backend endpoints. Third-party integrations introduce API surfaces you didn't build and can't fully audit.</p> <p>This is not a technology problem. It is an organizational and architectural problem — and traditional security tooling was not designed for it.</p> <h3> 1.1 Why APIs Break Differently Than Web Apps </h3> <p>Classic web application vulnerabilities — XSS, CSRF, clickjacking — are largely browser-mediated. APIs communicate machine-to-machine. There's no browser enforcing same-origin policy, no CORS to misconfigure, no rendered DOM to inject into. The attack surface is entirely logical: access control, data filtering, rate limiting, authentication, and business logic.</p> <p>This means:</p> <ul> <li> <strong>Automated scanners find very little.</strong> A scanner that sends <code>&lt;script&gt;alert(1)&lt;/script&gt;</code> into a JSON API field will get a 400 and move on. The real vulnerabilities are in what the API <em>does</em> with valid, correctly-typed input.</li> <li> <strong>Pentesters must understand the application, not just the protocol.</strong> The most valuable API findings come from reading OpenAPI specs, reverse-engineering mobile apps, tracing authentication flows, and understanding the business domain.</li> <li> <strong>Defense requires behavioral intelligence, not just signature matching.</strong> An attacker making 10,000 sequential requests to <code>/api/users/{id}</code> looks like normal API traffic at the packet level. It requires semantic understanding to identify it as BOLA enumeration.</li> </ul> <h3> 1.2 The Business Impact Reality Check </h3> <p>Let's put numbers to this, because the case for investment is compelling:</p> <ul> <li>The average cost of an API-related data breach in 2025 was <strong>$4.8M</strong> — above the overall average breach cost</li> <li>Organizations that suffered an API breach took an average of <strong>287 days</strong> to identify and contain it</li> <li>In regulated industries (financial services, healthcare), API breaches carry additional regulatory exposure: GDPR fines, HIPAA penalties, PCI-DSS audit failures</li> <li>API downtime from DDoS or resource exhaustion attacks costs SaaS companies an average of <strong>$300K per hour</strong> in lost revenue and support costs</li> </ul> <p>These are not theoretical risks. They are line items that CFOs, boards, and regulators are increasingly asking about.</p> <h2> 2. BOLA / IDOR: Still the Highest-Impact API Vulnerability </h2> <p>Broken Object Level Authorization — BOLA, or IDOR (Insecure Direct Object Reference) in traditional web security parlance — is the <strong>#1 API vulnerability</strong> in the OWASP API Security Top 10, every edition since its publication. It is responsible for the majority of large-scale API data breaches. It is also the most consistently underestimated vulnerability in pentest scopes.</p> <h3> 2.1 The Anatomy of a BOLA Vulnerability </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">GET</span> <span class="nn">/api/v1/accounts/38291/transactions</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s">Bearer eyJhbGciOiJIUzI1NiJ9...</span> <span class="na">Host</span><span class="p">:</span> <span class="s">api.fintech-app.com</span> </code></pre> </div> <p>The application authenticates the user via the JWT. But does it check that account <code>38291</code> belongs to this user? If not, an attacker who changes <code>38291</code> to <code>38292</code>, <code>38293</code>, and so on can enumerate every account's transaction history.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># VULNERABLE: Authentication without authorization </span><span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/v1/accounts/&lt;int:account_id&gt;/transactions</span><span class="sh">'</span><span class="p">)</span> <span class="nd">@require_jwt</span> <span class="k">def</span> <span class="nf">get_transactions</span><span class="p">(</span><span class="n">account_id</span><span class="p">):</span> <span class="n">transactions</span> <span class="o">=</span> <span class="n">Transaction</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">filter_by</span><span class="p">(</span><span class="n">account_id</span><span class="o">=</span><span class="n">account_id</span><span class="p">).</span><span class="nf">all</span><span class="p">()</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">([</span><span class="n">t</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">()</span> <span class="k">for</span> <span class="n">t</span> <span class="ow">in</span> <span class="n">transactions</span><span class="p">])</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># SECURE: Authentication + object-level authorization </span><span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/v1/accounts/&lt;int:account_id&gt;/transactions</span><span class="sh">'</span><span class="p">)</span> <span class="nd">@require_jwt</span> <span class="k">def</span> <span class="nf">get_transactions</span><span class="p">(</span><span class="n">account_id</span><span class="p">):</span> <span class="c1"># Verify the authenticated user owns this account </span> <span class="n">account</span> <span class="o">=</span> <span class="n">Account</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">filter_by</span><span class="p">(</span> <span class="nb">id</span><span class="o">=</span><span class="n">account_id</span><span class="p">,</span> <span class="n">user_id</span><span class="o">=</span><span class="n">g</span><span class="p">.</span><span class="n">current_user</span><span class="p">.</span><span class="nb">id</span> <span class="c1"># Enforce ownership </span> <span class="p">).</span><span class="nf">first_or_404</span><span class="p">()</span> <span class="n">transactions</span> <span class="o">=</span> <span class="n">Transaction</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">filter_by</span><span class="p">(</span><span class="n">account_id</span><span class="o">=</span><span class="n">account</span><span class="p">.</span><span class="nb">id</span><span class="p">).</span><span class="nf">all</span><span class="p">()</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">([</span><span class="n">t</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">()</span> <span class="k">for</span> <span class="n">t</span> <span class="ow">in</span> <span class="n">transactions</span><span class="p">])</span> </code></pre> </div> <h3> 2.2 BOLA at Scale: The Enumeration Problem </h3> <p>The real damage from BOLA isn't typically one attacker manually changing IDs. It's automated enumeration — scripted iteration across ID ranges to harvest data at scale.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Attacker enumeration script (simplified for illustration) </span><span class="kn">import</span> <span class="n">httpx</span> <span class="kn">import</span> <span class="n">asyncio</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">enumerate_accounts</span><span class="p">(</span><span class="n">token</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">start</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">end</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="k">async</span> <span class="k">with</span> <span class="n">httpx</span><span class="p">.</span><span class="nc">AsyncClient</span><span class="p">()</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="n">tasks</span> <span class="o">=</span> <span class="p">[</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">https://api.target.com/accounts/</span><span class="si">{</span><span class="n">i</span><span class="si">}</span><span class="s">/transactions</span><span class="sh">"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Bearer </span><span class="si">{</span><span class="n">token</span><span class="si">}</span><span class="sh">"</span><span class="p">}</span> <span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">end</span><span class="p">)</span> <span class="p">]</span> <span class="n">responses</span> <span class="o">=</span> <span class="k">await</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">gather</span><span class="p">(</span><span class="o">*</span><span class="n">tasks</span><span class="p">,</span> <span class="n">return_exceptions</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">return</span> <span class="p">[</span> <span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="n">r</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">r</span> <span class="ow">in</span> <span class="nf">zip</span><span class="p">(</span><span class="nf">range</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">end</span><span class="p">),</span> <span class="n">responses</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="nb">Exception</span><span class="p">)</span> <span class="ow">and</span> <span class="n">r</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span> <span class="p">]</span> </code></pre> </div> <p>With sequential integer IDs, an attacker can harvest millions of records in hours. Even with UUIDs, if IDs are leaked through other endpoints (search results, notification payloads, audit logs), enumeration is still viable.</p> <h3> 2.3 Pentest Methodology for BOLA </h3> <p>When assessing an API for BOLA, the methodology should cover:</p> <ol> <li> <strong>Create two accounts</strong> (Account A and Account B). Collect all object IDs exposed to Account A. Attempt to access each using Account B's token.</li> <li> <strong>Test every HTTP verb</strong> — BOLA often exists on <code>GET</code> but is fixed, while <code>PUT</code>, <code>DELETE</code>, or <code>PATCH</code> on the same resource is still vulnerable.</li> <li> <strong>Check nested resources</strong> — <code>/api/orders/123/items/456</code> — authorization may be checked at the order level but not validated at the item level.</li> <li> <strong>Test unauthenticated access</strong> — some endpoints that should require auth don't. Try removing the <code>Authorization</code> header entirely.</li> <li> <strong>Test with an expired or revoked token</strong> — some implementations only check token signature, not revocation status.</li> </ol> <blockquote> <p><strong>Precogs.ai insight:</strong> During code-level analysis, Precogs.ai maps every API endpoint to its authorization implementation and flags endpoints where object retrieval queries are not scoped to the authenticated user's identity. This catches BOLA vulnerabilities in code review — before they ever reach a pentest scope.</p> </blockquote> <h2> 3. Broken Function-Level Authorization: The Vertical Escalation </h2> <p>Where BOLA is horizontal (user A accessing user B's data), Broken Function-Level Authorization (BFLA) is vertical — a regular user accessing functions reserved for admins.</p> <h3> 3.1 The Hidden Admin API </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Standard user flow — documented, tested, monitored </span><span class="nf">POST</span> <span class="nn">/api/v1/users/me/profile</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> # Admin endpoint — undocumented, untested, forgotten POST /api/v1/admin/users/38291/role HTTP/1.1 {"role": "admin"} </code></pre> </div> <p>Admin endpoints are frequently:</p> <ul> <li> <strong>Not documented</strong> in public API specs</li> <li> <strong>Not included</strong> in standard pentest scopes</li> <li> <strong>Inadequately protected</strong> because developers assume "nobody knows about this"</li> <li> <strong>Accessible</strong> using standard user tokens because the middleware assumes routing handles authorization </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// VULNERABLE: Authorization checked by route prefix only</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/v1/admin</span><span class="dl">'</span><span class="p">,</span> <span class="nx">requireAdmin</span><span class="p">);</span> <span class="c1">// Middleware on /admin routes</span> <span class="c1">// But this admin function is accidentally mounted at a non-admin path:</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/v1/users/:id/role</span><span class="dl">'</span><span class="p">,</span> <span class="nx">updateUserRole</span><span class="p">);</span> <span class="c1">// No admin check here</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// SECURE: Function-level authorization at the handler, not just the route</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/v1/users/:id/role</span><span class="dl">'</span><span class="p">,</span> <span class="nx">authenticate</span><span class="p">,</span> <span class="nf">requireRole</span><span class="p">(</span><span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">),</span> <span class="nx">updateUserRole</span><span class="p">);</span> </code></pre> </div> <h3> 3.2 Finding BFLA in Practice </h3> <p>The most reliable source of hidden admin API endpoints is the application itself:</p> <ul> <li> <strong>JavaScript bundle analysis</strong> — Webpack bundles often contain route definitions for the admin panel, even when the admin panel is a separate deployment</li> <li> <strong>Mobile app reverse engineering</strong> — APK decompilation (<code>jadx</code>, <code>apktool</code>) frequently reveals API endpoints not in any documentation</li> <li> <strong>OpenAPI/Swagger spec</strong> — even when "internal" endpoints are stripped, version history in git or cached specs often reveal them</li> <li> <strong>Error messages</strong> — a 403 is more informative than a 404; it tells you the endpoint exists</li> </ul> <h2> 4. Mass Assignment: When Your ORM Becomes a Backdoor </h2> <p>Mass assignment vulnerabilities occur when an API endpoint automatically binds request body fields to model properties without explicitly specifying which fields are allowed to be updated.</p> <h3> 4.1 The Classic Mass Assignment Attack </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Intended: User updates their display name</span> <span class="c1">// Request body: { "name": "John Doe" }</span> <span class="c1">// What the attacker sends: { "name": "John Doe", "role": "admin", "verified": true, "credits": 999999 }</span> <span class="nx">app</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/v1/users/me</span><span class="dl">'</span><span class="p">,</span> <span class="nx">authenticate</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// DANGEROUS: Spreads entire request body onto the user object</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findByIdAndUpdate</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// SECURE: Explicit allowlist of updatable fields</span> <span class="kd">const</span> <span class="nx">ALLOWED_USER_FIELDS</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">bio</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">avatar_url</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">timezone</span><span class="dl">'</span><span class="p">];</span> <span class="nx">app</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/v1/users/me</span><span class="dl">'</span><span class="p">,</span> <span class="nx">authenticate</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">updates</span> <span class="o">=</span> <span class="nf">pick</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">,</span> <span class="nx">ALLOWED_USER_FIELDS</span><span class="p">);</span> <span class="c1">// lodash pick</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findByIdAndUpdate</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">updates</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h3> 4.2 Mass Assignment in Mongoose </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// DANGEROUS: No schema-level protection</span> <span class="kd">const</span> <span class="nx">UserSchema</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">mongoose</span><span class="p">.</span><span class="nc">Schema</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">default</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span> <span class="p">},</span> <span class="c1">// Should never be user-settable</span> <span class="na">isVerified</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">Boolean</span><span class="p">,</span> <span class="na">default</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="c1">// Should never be user-settable</span> <span class="p">});</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// SAFER: Use select: false for sensitive fields + application-level allowlisting</span> <span class="kd">const</span> <span class="nx">UserSchema</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">mongoose</span><span class="p">.</span><span class="nc">Schema</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">default</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">,</span> <span class="na">select</span><span class="p">:</span> <span class="kc">false</span> <span class="p">},</span> <span class="na">isVerified</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">Boolean</span><span class="p">,</span> <span class="na">default</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">select</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h3> 4.3 Business Impact </h3> <p>Mass assignment vulnerabilities have led to some notable real-world incidents. GitHub had a mass assignment vulnerability in 2012 that allowed a researcher to add his SSH key to any repository — including the Rails repository itself. The attacker (a white-hat researcher) demonstrated the issue by pushing a commit. The business impact of a malicious exploitation would have been catastrophic: arbitrary code execution on any repository's CI/CD pipeline.</p> <p>In SaaS applications, mass assignment typically manifests as users elevating their own subscription tier, disabling billing, granting themselves admin roles, or accessing premium features without payment — direct revenue impact that is often difficult to detect without careful audit logging.</p> <h2> 5. Excessive Data Exposure: The API That Says Too Much </h2> <p>REST APIs frequently return far more data than the client needs, relying on the frontend to filter what's displayed. This is a pattern that's convenient for developers and catastrophic for security.</p> <h3> 5.1 The Over-Disclosure Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># DANGEROUS: Serializing the full model object </span><span class="k">class</span> <span class="nc">UserSerializer</span><span class="p">(</span><span class="n">ModelSerializer</span><span class="p">):</span> <span class="k">class</span> <span class="nc">Meta</span><span class="p">:</span> <span class="n">model</span> <span class="o">=</span> <span class="n">User</span> <span class="n">fields</span> <span class="o">=</span> <span class="sh">'</span><span class="s">__all__</span><span class="sh">'</span> <span class="c1"># Includes password_hash, ssn, internal_flags, admin_notes... </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># SECURE: Explicit field declaration per context </span><span class="k">class</span> <span class="nc">UserPublicSerializer</span><span class="p">(</span><span class="n">ModelSerializer</span><span class="p">):</span> <span class="k">class</span> <span class="nc">Meta</span><span class="p">:</span> <span class="n">model</span> <span class="o">=</span> <span class="n">User</span> <span class="n">fields</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">display_name</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">avatar_url</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">member_since</span><span class="sh">'</span><span class="p">]</span> <span class="k">class</span> <span class="nc">UserPrivateSerializer</span><span class="p">(</span><span class="n">ModelSerializer</span><span class="p">):</span> <span class="k">class</span> <span class="nc">Meta</span><span class="p">:</span> <span class="n">model</span> <span class="o">=</span> <span class="n">User</span> <span class="n">fields</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">display_name</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">avatar_url</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">member_since</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">preferences</span><span class="sh">'</span><span class="p">]</span> </code></pre> </div> <h3> 5.2 The Pentest Approach </h3> <p>When testing for excessive data exposure, go beyond looking at the response fields the UI displays. Look at the <em>raw API response</em>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Compare what the UI shows vs. what the API returns</span> curl <span class="nt">-s</span> https://api.target.com/v1/users/me <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> | jq <span class="nb">.</span> </code></pre> </div> <p>Common over-exposed fields found in real engagements:</p> <ul> <li>Internal database IDs and foreign key relationships (enabling enumeration)</li> <li>Password hashes (even bcrypt hashes enable offline cracking)</li> <li>Social Security Numbers, date of birth, full credit card details</li> <li>Internal admin flags (<code>is_beta_tester</code>, <code>is_flagged_for_fraud</code>, <code>internal_notes</code>)</li> <li>Other users' data embedded in aggregated responses</li> <li>Infrastructure details (server hostnames, internal IP addresses, stack traces) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">Real-world</span><span class="w"> </span><span class="err">style</span><span class="w"> </span><span class="err">over-exposure</span><span class="w"> </span><span class="err">example</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"usr_38291"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Jane Smith"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"jane@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"password_hash"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"ssn_last4"</span><span class="p">:</span><span class="w"> </span><span class="s2">"4821"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ssn_full"</span><span class="p">:</span><span class="w"> </span><span class="s2">"XXX-XX-4821"</span><span class="p">,</span><span class="w"> </span><span class="nl">"internal_fraud_score"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.12</span><span class="p">,</span><span class="w"> </span><span class="nl">"is_on_watchlist"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"stripe_customer_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cus_NffrFeUfNV2Hib"</span><span class="p">,</span><span class="w"> </span><span class="nl">"admin_notes"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Requested account review 2024-11-03"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <blockquote> <p><strong>Precogs.ai insight:</strong> Our platform performs response schema analysis against OpenAPI specifications and actual runtime behavior, flagging endpoints where response payloads contain fields that are not declared in the spec, exceed the data classification level appropriate for the endpoint's access control scope, or include fields matching patterns for sensitive data (hashes, government IDs, payment data).</p> </blockquote> <h2> 6. Rate Limiting and Resource Exhaustion Attacks </h2> <p>APIs that lack proper rate limiting are vulnerable to a range of attacks — from brute force credential attacks to application-layer DDoS to enumeration at scale.</p> <h3> 6.1 Credential Stuffing via Unenforced Rate Limits </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">POST</span> <span class="nn">/api/v1/auth/login</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">application/json</span> <span class="p">{</span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"victim@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"password"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Password123"</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>With no rate limiting, an attacker can attempt millions of credential combinations. The 2024 Snowflake customer breach — affecting Ticketmaster, Santander, and others — was facilitated partly by credential stuffing against APIs with insufficient rate limiting.</p> <p>Effective rate limiting must be:</p> <ul> <li> <strong>IP-based</strong> — but aware that attackers use residential proxy networks with millions of IPs</li> <li> <strong>Account-based</strong> — lock or throttle the account after N failures, regardless of source IP</li> <li> <strong>Action-based</strong> — different limits for login (strict) vs. read operations (lenient)</li> <li> <strong>Globally consistent</strong> — enforced at the API gateway level, not per-instance, to prevent bypass by targeting specific backend nodes </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Redis-based sliding window rate limiter </span><span class="kn">import</span> <span class="n">redis</span> <span class="kn">import</span> <span class="n">time</span> <span class="n">r</span> <span class="o">=</span> <span class="n">redis</span><span class="p">.</span><span class="nc">Redis</span><span class="p">()</span> <span class="k">def</span> <span class="nf">check_rate_limit</span><span class="p">(</span><span class="n">identifier</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">limit</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">window</span><span class="p">:</span> <span class="nb">int</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Sliding window rate limiter. identifier: e.g. f</span><span class="sh">"</span><span class="s">login:{ip}</span><span class="sh">"</span><span class="s"> or f</span><span class="sh">"</span><span class="s">login:account:{email}</span><span class="sh">"</span><span class="s"> limit: max requests per window window: window size in seconds </span><span class="sh">"""</span> <span class="n">now</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="n">key</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">ratelimit:</span><span class="si">{</span><span class="n">identifier</span><span class="si">}</span><span class="sh">"</span> <span class="n">pipe</span> <span class="o">=</span> <span class="n">r</span><span class="p">.</span><span class="nf">pipeline</span><span class="p">()</span> <span class="n">pipe</span><span class="p">.</span><span class="nf">zremrangebyscore</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">now</span> <span class="o">-</span> <span class="n">window</span><span class="p">)</span> <span class="c1"># Remove old entries </span> <span class="n">pipe</span><span class="p">.</span><span class="nf">zadd</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="p">{</span><span class="nf">str</span><span class="p">(</span><span class="n">now</span><span class="p">):</span> <span class="n">now</span><span class="p">})</span> <span class="c1"># Add current request </span> <span class="n">pipe</span><span class="p">.</span><span class="nf">zcard</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="c1"># Count requests in window </span> <span class="n">pipe</span><span class="p">.</span><span class="nf">expire</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">window</span><span class="p">)</span> <span class="c1"># Set TTL </span> <span class="n">results</span> <span class="o">=</span> <span class="n">pipe</span><span class="p">.</span><span class="nf">execute</span><span class="p">()</span> <span class="k">return</span> <span class="n">results</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">&lt;=</span> <span class="n">limit</span> <span class="c1"># True if within limit </span></code></pre> </div> <h3> 6.2 The SMS/OTP Enumeration Attack </h3> <p>A subtle resource exhaustion attack targets APIs that send SMS OTP codes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">POST</span> <span class="nn">/api/v1/auth/send-otp</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">{"phone"</span><span class="p">:</span> <span class="s">"+1-555-000-0001"}</span> POST /api/v1/auth/send-otp HTTP/1.1 {"phone": "+1-555-000-0002"} # Repeated 100,000 times </code></pre> </div> <p>Without rate limiting on OTP send endpoints, an attacker can exhaust your SMS budget, deliver unwanted messages to end users, and potentially use your API as a spam platform. At $0.0075 per SMS, 100,000 requests costs $750 — and that's before considering the reputational damage.</p> <h2> 7. GraphQL-Specific Attack Surfaces </h2> <p>GraphQL has become the API technology of choice for complex frontend applications. Its flexibility — allowing clients to request exactly the data they need — introduces a unique set of security challenges that most teams are not adequately testing for.</p> <h3> 7.1 Introspection: The Gift to Attackers </h3> <p>By default, GraphQL endpoints expose a full schema via introspection queries. An attacker can map your entire data model, all available queries and mutations, all types and their fields — in a single request.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="c"># Attacker's first move against any GraphQL endpoint</span><span class="w"> </span><span class="k">query</span><span class="w"> </span><span class="n">IntrospectionQuery</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">__schema</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">queryType</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="n">mutationType</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="n">types</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">fields</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">kind</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="n">args</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This is legitimate functionality — but it should be disabled in production and restricted to internal tooling.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Disable introspection in production (Apollo Server)</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ApolloServer</span><span class="p">({</span> <span class="nx">typeDefs</span><span class="p">,</span> <span class="nx">resolvers</span><span class="p">,</span> <span class="na">introspection</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h3> 7.2 Query Depth and Complexity Attacks </h3> <p>GraphQL's nested query capability enables a specific DoS attack — the deeply nested query:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="c"># Attacker query designed to cause exponential resolver execution</span><span class="w"> </span><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">friends</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">friends</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">friends</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">friends</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">friends</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">friends</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Each level of nesting multiplies resolver calls. A depth-10 query against a social graph resolver can trigger millions of database calls from a single HTTP request.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Protect with query depth limiting and complexity analysis</span> <span class="k">import</span> <span class="nx">depthLimit</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">graphql-depth-limit</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createComplexityLimitRule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">graphql-validation-complexity</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ApolloServer</span><span class="p">({</span> <span class="nx">typeDefs</span><span class="p">,</span> <span class="nx">resolvers</span><span class="p">,</span> <span class="na">validationRules</span><span class="p">:</span> <span class="p">[</span> <span class="nf">depthLimit</span><span class="p">(</span><span class="mi">5</span><span class="p">),</span> <span class="c1">// Max query depth</span> <span class="nf">createComplexityLimitRule</span><span class="p">(</span><span class="mi">1000</span><span class="p">),</span> <span class="c1">// Max complexity score</span> <span class="p">]</span> <span class="p">});</span> </code></pre> </div> <h3> 7.3 Batching Attacks </h3> <p>GraphQL's batching feature — allowing multiple operations in a single request — can be abused to bypass rate limiting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">Single</span><span class="w"> </span><span class="err">HTTP</span><span class="w"> </span><span class="err">request,</span><span class="w"> </span><span class="mi">500</span><span class="w"> </span><span class="err">login</span><span class="w"> </span><span class="err">attempts</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="nl">"query"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mutation { login(email: </span><span class="se">\"</span><span class="s2">victim@example.com</span><span class="se">\"</span><span class="s2">, password: </span><span class="se">\"</span><span class="s2">Password1</span><span class="se">\"</span><span class="s2">) { token } }"</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"query"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mutation { login(email: </span><span class="se">\"</span><span class="s2">victim@example.com</span><span class="se">\"</span><span class="s2">, password: </span><span class="se">\"</span><span class="s2">Password2</span><span class="se">\"</span><span class="s2">) { token } }"</span><span class="p">},</span><span class="w"> </span><span class="err">...</span><span class="mi">500</span><span class="w"> </span><span class="err">operations...</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <p>Rate limiters that count HTTP requests will see one request. The application processes 500 login attempts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Disable or limit batching</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ApolloServer</span><span class="p">({</span> <span class="nx">typeDefs</span><span class="p">,</span> <span class="nx">resolvers</span><span class="p">,</span> <span class="na">plugins</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">requestDidStart</span><span class="p">:</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">didResolveOperation</span><span class="p">:</span> <span class="k">async </span><span class="p">({</span> <span class="nx">request</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nb">Array</span><span class="p">.</span><span class="nf">isArray</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">body</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nx">request</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">10</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Batch size exceeds limit</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> <span class="p">]</span> <span class="p">});</span> </code></pre> </div> <h2> 8. API Key Mismanagement: Credentials in the Open </h2> <p>API keys are the authentication mechanism for machine-to-machine communication. They are also consistently mishandled — hardcoded into source code, committed to repositories, embedded in mobile apps, logged in plain text, and exposed in JavaScript bundles.</p> <h3> 8.1 The GitHub Secret Scanning Problem </h3> <p>Studies consistently find that tens of thousands of API keys are committed to public GitHub repositories daily. The window between commit and exploitation is often <strong>under 4 minutes</strong> — automated bots scan GitHub's public event stream in real time.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># DANGEROUS: Hardcoded credentials </span><span class="n">STRIPE_SECRET_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">sk_live_4eC39HqLyjWDarjtT1zdp7dc</span><span class="sh">"</span> <span class="n">OPENAI_API_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">sk-proj-aBcDeFgHiJkLmNoPqRsTuVwXyZ</span><span class="sh">"</span> <span class="n">DATABASE_URL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">postgresql://admin:SuperSecret123@prod-db.internal:5432/app</span><span class="sh">"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># SAFE: Environment variable injection </span><span class="kn">import</span> <span class="n">os</span> <span class="n">STRIPE_SECRET_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">STRIPE_SECRET_KEY</span><span class="sh">"</span><span class="p">]</span> <span class="n">OPENAI_API_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">OPENAI_API_KEY</span><span class="sh">"</span><span class="p">]</span> <span class="n">DATABASE_URL</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">DATABASE_URL</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <h3> 8.2 API Keys in Mobile Applications </h3> <p>Mobile applications frequently contain embedded API keys that are extractable through static analysis:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Extract strings from Android APK</span> apktool d target-app.apk <span class="nt">-o</span> decompiled/ <span class="nb">grep</span> <span class="nt">-r</span> <span class="s2">"api_key</span><span class="se">\|</span><span class="s2">apiKey</span><span class="se">\|</span><span class="s2">API_KEY</span><span class="se">\|</span><span class="s2">Bearer</span><span class="se">\|</span><span class="s2">sk_live</span><span class="se">\|</span><span class="s2">AKIA"</span> decompiled/ <span class="c"># For iOS IPA files</span> unzip target-app.ipa <span class="nt">-d</span> extracted/ strings extracted/Payload/TargetApp.app/TargetApp | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"(sk_|pk_|AKIA|Bearer)"</span> </code></pre> </div> <p>Keys found through mobile reverse engineering should be treated as fully compromised — they are accessible to any user who downloads the application.</p> <h3> 8.3 The Principle of Least Privilege for API Keys </h3> <p>Even when keys are properly secured, they often have excessive permissions. An API key used for a read-only analytics integration should not have write access to your database. A webhook verification key should not double as your admin API key.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Key rotation and scoping best practices # 1. Separate keys per integration </span><span class="n">ANALYTICS_READ_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">ANALYTICS_READ_KEY</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Read-only scope </span><span class="n">PAYMENT_WRITE_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">PAYMENT_WRITE_KEY</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Payment scope only </span><span class="n">ADMIN_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">ADMIN_KEY</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Admin scope, stored in HSM </span> <span class="c1"># 2. Implement key rotation </span><span class="k">def</span> <span class="nf">rotate_api_key</span><span class="p">(</span><span class="n">key_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="n">new_key</span> <span class="o">=</span> <span class="n">secrets</span><span class="p">.</span><span class="nf">token_urlsafe</span><span class="p">(</span><span class="mi">32</span><span class="p">)</span> <span class="c1"># Atomically update key with overlap window for zero-downtime rotation </span> <span class="nf">store_key_with_overlap</span><span class="p">(</span><span class="n">key_id</span><span class="p">,</span> <span class="n">new_key</span><span class="p">,</span> <span class="n">overlap_seconds</span><span class="o">=</span><span class="mi">300</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">key_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">key_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">new_key</span><span class="sh">"</span><span class="p">:</span> <span class="n">new_key</span><span class="p">,</span> <span class="sh">"</span><span class="s">rotation_time</span><span class="sh">"</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()}</span> </code></pre> </div> <h2> 9. Webhook Abuse and Callback Forgery </h2> <p>Webhooks — HTTP callbacks that notify your system of events in third-party platforms — introduce a reverse API attack surface. Your application is now receiving and trusting HTTP requests from external sources.</p> <h3> 9.1 The Unverified Webhook Problem </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># DANGEROUS: Processing webhook payload without signature verification </span><span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/webhooks/payment</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">handle_payment_webhook</span><span class="p">():</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">json</span> <span class="k">if</span> <span class="n">payload</span><span class="p">[</span><span class="sh">'</span><span class="s">event</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">payment.completed</span><span class="sh">'</span><span class="p">:</span> <span class="c1"># Attacker sends fake payment.completed event and gets goods for free </span> <span class="n">order</span> <span class="o">=</span> <span class="n">Order</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">payload</span><span class="p">[</span><span class="sh">'</span><span class="s">order_id</span><span class="sh">'</span><span class="p">])</span> <span class="n">order</span><span class="p">.</span><span class="n">status</span> <span class="o">=</span> <span class="sh">'</span><span class="s">paid</span><span class="sh">'</span> <span class="n">db</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="nf">fulfill_order</span><span class="p">(</span><span class="n">order</span><span class="p">)</span> <span class="k">return</span> <span class="sh">''</span><span class="p">,</span> <span class="mi">200</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># SAFE: Verify webhook signature using HMAC </span><span class="kn">import</span> <span class="n">hmac</span> <span class="kn">import</span> <span class="n">hashlib</span> <span class="n">WEBHOOK_SECRET</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">PAYMENT_WEBHOOK_SECRET</span><span class="sh">"</span><span class="p">]</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/webhooks/payment</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">handle_payment_webhook</span><span class="p">():</span> <span class="n">signature</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">X-Signature-256</span><span class="sh">'</span><span class="p">)</span> <span class="n">raw_body</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">get_data</span><span class="p">()</span> <span class="n">expected</span> <span class="o">=</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span> <span class="n">WEBHOOK_SECRET</span><span class="p">.</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">raw_body</span><span class="p">,</span> <span class="n">hashlib</span><span class="p">.</span><span class="n">sha256</span> <span class="p">).</span><span class="nf">hexdigest</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">compare_digest</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">sha256=</span><span class="si">{</span><span class="n">expected</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">signature</span><span class="p">):</span> <span class="k">return</span> <span class="sh">''</span><span class="p">,</span> <span class="mi">401</span> <span class="c1"># Reject unverified webhooks </span> <span class="n">payload</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">json</span> <span class="c1"># Now safe to process... </span></code></pre> </div> <h3> 9.2 Replay Attacks on Webhooks </h3> <p>Even with signature verification, an attacker who intercepts a valid signed webhook can replay it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># SAFE: Include timestamp in signature verification to prevent replay attacks </span><span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/webhooks/payment</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">handle_payment_webhook</span><span class="p">():</span> <span class="n">timestamp</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">X-Timestamp</span><span class="sh">'</span><span class="p">)</span> <span class="n">signature</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">X-Signature-256</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Reject webhooks older than 5 minutes </span> <span class="k">if</span> <span class="nf">abs</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="nf">int</span><span class="p">(</span><span class="n">timestamp</span><span class="p">))</span> <span class="o">&gt;</span> <span class="mi">300</span><span class="p">:</span> <span class="k">return</span> <span class="sh">''</span><span class="p">,</span> <span class="mi">400</span> <span class="c1"># Include timestamp in signature computation (as the provider should) </span> <span class="n">signed_payload</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">timestamp</span><span class="si">}</span><span class="s">.</span><span class="si">{</span><span class="n">request</span><span class="p">.</span><span class="nf">get_data</span><span class="p">(</span><span class="n">as_text</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span> <span class="n">expected</span> <span class="o">=</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">WEBHOOK_SECRET</span><span class="p">.</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">signed_payload</span><span class="p">.</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">hashlib</span><span class="p">.</span><span class="n">sha256</span><span class="p">).</span><span class="nf">hexdigest</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">compare_digest</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">sha256=</span><span class="si">{</span><span class="n">expected</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">signature</span><span class="p">):</span> <span class="k">return</span> <span class="sh">''</span><span class="p">,</span> <span class="mi">401</span> </code></pre> </div> <h2> 10. Shadow APIs and Zombie Endpoints: The Inventory Problem </h2> <p>One of the most underappreciated challenges in API security is the inventory problem: you cannot secure what you don't know exists.</p> <h3> 10.1 What Are Shadow and Zombie APIs? </h3> <ul> <li> <strong>Shadow APIs</strong>: Endpoints that exist in production but are not documented, not in any API gateway inventory, and not monitored. Often created during rapid development cycles, testing, or by developers who bypassed the standard deployment process.</li> <li> <strong>Zombie APIs</strong>: Endpoints that were once official but are no longer maintained — deprecated versions, legacy integrations, removed features whose backend routes were never deleted.</li> </ul> <p>Both categories share a critical characteristic: <strong>they receive no security attention</strong>. They are not updated with security patches. They are not covered by WAF rules. They are not monitored for anomalous traffic. And they often run older, more vulnerable code.</p> <h3> 10.2 Finding Shadow APIs in Pentests </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Enumerate from JavaScript bundles</span> curl <span class="nt">-s</span> https://target.com | <span class="nb">grep</span> <span class="nt">-oE</span> <span class="s1">'"/api/[^"]*"'</span> | <span class="nb">sort</span> <span class="nt">-u</span> <span class="c"># 2. Extract from mobile app traffic (proxy all app traffic through Burp)</span> <span class="c"># Review Burp target tree for all observed API paths</span> <span class="c"># 3. Wordlist-based discovery</span> ffuf <span class="nt">-u</span> https://api.target.com/FUZZ <span class="se">\</span> <span class="nt">-w</span> /wordlists/api-endpoints.txt <span class="se">\</span> <span class="nt">-mc</span> 200,201,401,403 <span class="se">\ </span> <span class="c"># Include auth-protected responses</span> <span class="nt">-recursion</span> <span class="se">\</span> <span class="nt">-recursion-depth</span> 3 <span class="c"># 4. Check common versioning patterns</span> <span class="k">for </span>version <span class="k">in </span>v1 v2 v3 v4 beta internal admin legacy<span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}"</span> <span class="se">\</span> <span class="s2">"https://api.target.com/</span><span class="nv">$version</span><span class="s2">/users"</span> <span class="k">done</span> </code></pre> </div> <h3> 10.3 The Business Impact of Shadow APIs </h3> <p>In a 2024 red team engagement documented by the Precogs.ai research team, a shadow API endpoint — a <code>/api/internal/export</code> route left over from a data migration 18 months prior — was found to accept unauthenticated requests and return a full database export in CSV format. The endpoint had never been documented, never appeared in any security scan, and had no authentication because it was originally designed for internal one-time use.</p> <p>The data exported included 2.3 million user records with PII. The client had no knowledge this endpoint existed until the engagement.</p> <blockquote> <p><strong>Precogs.ai performs continuous API discovery</strong> — analyzing your codebase, API gateway configurations, and traffic patterns to build a comprehensive, continuously updated inventory of every API endpoint your applications expose. Shadow and zombie endpoints are surfaced automatically, compared against your documented API spec, and flagged for review.</p> </blockquote> <h2> 11. JWT and OAuth Misconfigurations in API Authentication </h2> <p>Authentication is the front door of your API. The most sophisticated BOLA finding is irrelevant if an attacker can forge authentication tokens. JWT and OAuth — the dominant standards for API authentication — have well-documented implementation pitfalls that continue to appear in production systems.</p> <h3> 11.1 The <code>none</code> Algorithm Attack </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># A JWT with alg: none — no signature required </span><span class="kn">import</span> <span class="n">base64</span><span class="p">,</span> <span class="n">json</span> <span class="n">header</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">urlsafe_b64encode</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">alg</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">none</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">typ</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">JWT</span><span class="sh">"</span><span class="p">}).</span><span class="nf">encode</span><span class="p">()).</span><span class="nf">rstrip</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">urlsafe_b64encode</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">}).</span><span class="nf">encode</span><span class="p">()).</span><span class="nf">rstrip</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">)</span> <span class="n">token</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">header</span><span class="p">.</span><span class="nf">decode</span><span class="p">()</span><span class="si">}</span><span class="s">.</span><span class="si">{</span><span class="n">payload</span><span class="p">.</span><span class="nf">decode</span><span class="p">()</span><span class="si">}</span><span class="s">.</span><span class="sh">"</span> <span class="c1"># Empty signature </span> <span class="c1"># If the server accepts this, authentication is completely broken </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># SECURE: Strict algorithm allowlisting in JWT verification </span><span class="kn">import</span> <span class="n">jwt</span> <span class="k">def</span> <span class="nf">verify_token</span><span class="p">(</span><span class="n">token</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="k">return</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span> <span class="n">token</span><span class="p">,</span> <span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">],</span> <span class="c1"># NEVER include "none" </span> <span class="n">options</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">require</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">exp</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">iat</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">]}</span> <span class="p">)</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">ExpiredSignatureError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">AuthenticationError</span><span class="p">(</span><span class="sh">"</span><span class="s">Token expired</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">InvalidTokenError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">AuthenticationError</span><span class="p">(</span><span class="sh">"</span><span class="s">Invalid token</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> 11.2 OAuth Authorization Code Interception </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># OAuth flow with a redirect_uri vulnerability # Legitimate flow: GET /oauth/authorize?client_id=app&amp;redirect_uri=https://app.example.com/callback&amp;state=random # Attacker registers redirect_uri=https://evil.com/callback or exploits open redirect: GET /oauth/authorize?client_id=app&amp;redirect_uri=https://app.example.com/redirect?url=https://evil.com&amp;state=attacker # Authorization code is delivered to attacker's server → token theft </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># SECURE: Strict redirect_uri validation </span><span class="n">ALLOWED_REDIRECT_URIS</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">app_client_id</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">https://app.example.com/oauth/callback</span><span class="sh">"</span><span class="p">]</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">validate_redirect_uri</span><span class="p">(</span><span class="n">client_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">redirect_uri</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">allowed</span> <span class="o">=</span> <span class="n">ALLOWED_REDIRECT_URIS</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">client_id</span><span class="p">,</span> <span class="p">[])</span> <span class="k">return</span> <span class="n">redirect_uri</span> <span class="ow">in</span> <span class="n">allowed</span> <span class="c1"># Exact match only, no prefix matching </span></code></pre> </div> <h3> 11.3 Token Scope Escalation </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Requesting a token with minimal scope POST /oauth/token grant_type=client_credentials&amp;scope=read:users # Using that token to call endpoints requiring broader scope DELETE /api/v1/users/38291 Authorization: Bearer &lt;token_with_read_scope&gt; </span></code></pre> </div> <p>If scope enforcement is not implemented at the endpoint level — only at token issuance — an attacker can use a limited-scope token to perform privileged operations.</p> <h2> 12. Business Logic Vulnerabilities: What Scanners Will Never Find </h2> <p>Business logic vulnerabilities are the highest-value findings in API security engagements. They cannot be found by automated scanners. They require understanding the application's domain, intended behavior, and the gap between what the API allows and what it should allow.</p> <h3> 12.1 Price Manipulation via API Parameter Tampering </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Legitimate checkout API call </span><span class="nf">POST</span> <span class="nn">/api/v1/checkout</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="s">{</span> <span class="s"> "items": [{"product_id": "prod_abc", "quantity": 2}],</span> <span class="s"> "coupon": "SAVE10"</span> <span class="s">}</span> # Attacker's manipulated call POST /api/v1/checkout HTTP/1.1 { "items": [{"product_id": "prod_abc", "quantity": 2, "unit_price": 0.01}], "discount_percentage": 99.9, "coupon": "SAVE10" } </code></pre> </div> <p>If the server accepts client-supplied pricing parameters instead of looking them up from a trusted source, an attacker can purchase items for near-zero cost.</p> <h3> 12.2 Workflow State Bypass </h3> <p>Many APIs implement multi-step workflows — checkout flows, KYC verification, onboarding sequences. Business logic vulnerabilities arise when steps can be skipped by calling later-stage API endpoints directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Intended flow: Step 1 → Step 2 → Step 3 → Complete # Attacker skips to Step 3 directly: POST /api/v1/kyc/complete Authorization: Bearer &lt;token_that_never_completed_step1_or_step2&gt; {"status": "verified"} </span></code></pre> </div> <h3> 12.3 The Pentest Mindset for Business Logic </h3> <p>Finding business logic vulnerabilities requires a methodology that goes beyond request fuzzing:</p> <ol> <li> <strong>Map the complete intended user journey</strong> — every step, every transition, every terminal state</li> <li> <strong>For each step, ask</strong>: what happens if I call the <em>next</em> endpoint without completing this one?</li> <li> <strong>Identify trust boundaries</strong>: which values come from the client? Which from the server? Which should <em>only</em> come from the server?</li> <li> <strong>Test negative quantities, zero values, and boundary conditions</strong> on every numeric parameter</li> <li> <strong>Test concurrent requests</strong> on stateful operations — race conditions are a class of business logic vulnerability</li> <li> <strong>Think like a motivated adversary</strong> with a financial incentive — what's the direct profit model for exploiting this?</li> </ol> <blockquote> <p><strong><a href="https://precogs.ai" rel="noopener noreferrer">Precogs.ai</a> combines code-level analysis with API behavioral modeling</strong> to identify business logic vulnerabilities at the implementation level — tracing state machine transitions, identifying endpoints that accept client-supplied values that should be server-authoritative, and flagging missing state validation in workflow APIs.</p> </blockquote> <h2> 13. How Precogs.ai Approaches API Security Differently </h2> <p>Security engineers and pentesters understand the difference between running a scanner and actually assessing security. A scanner finds known patterns. A skilled assessor finds intent — gaps between what the system does and what it should do. <strong><a href="https://precogs.ai" rel="noopener noreferrer">Precogs.ai</a></strong> is built with that distinction at its core.</p> <h3> 13.1 API-First Code Analysis </h3> <p>Precogs.ai parses your codebase to construct a complete API model: every endpoint, its HTTP method, its path parameters, query parameters, request body schema, authentication requirements, and authorization logic. This model is then analyzed for:</p> <ul> <li> <strong>Missing authentication</strong> — endpoints reachable without a valid token</li> <li> <strong>Missing authorization</strong> — authenticated endpoints without object-level ownership checks (BOLA)</li> <li> <strong>Inconsistent authorization</strong> — endpoints where authorization is applied on some HTTP verbs but not others</li> <li> <strong>Schema trust violations</strong> — fields that should be server-authoritative but are accepted from client input (mass assignment, price manipulation)</li> <li> <strong>Excessive response fields</strong> — response serializers that include fields exceeding the declared data classification for the endpoint</li> </ul> <h3> 13.2 OpenAPI Spec Drift Detection </h3> <p>Your OpenAPI specification is a contract. Precogs.ai continuously compares your spec against your actual implementation and flags drift — endpoints that exist in code but not in the spec (shadow APIs), endpoints in the spec that no longer exist in code (zombie spec entries), and parameter schemas that don't match implementation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Your OpenAPI spec says:</span> <span class="na">paths</span><span class="pi">:</span> <span class="s">/users/{id}</span><span class="err">:</span> <span class="na">get</span><span class="pi">:</span> <span class="na">security</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">bearerAuth</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">parameters</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">id</span> <span class="na">in</span><span class="pi">:</span> <span class="s">path</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">schema</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">format</span><span class="pi">:</span> <span class="s">uuid</span> <span class="c1"># Precogs.ai finds in your codebase:</span> <span class="c1"># - /users/{id} also responds to DELETE without any security scheme</span> <span class="c1"># - /api/internal/users/{id} exists in code but is absent from the spec entirely</span> </code></pre> </div> <h3> 13.3 Continuous Runtime API Monitoring </h3> <p>Beyond code analysis, Precogs.ai integrates with your API gateway or service mesh to analyze production traffic patterns — identifying:</p> <ul> <li> <strong>Enumeration attempts</strong>: Sequential access to object IDs at abnormal rates</li> <li> <strong>Abnormal parameter combinations</strong>: Requests with unusual field combinations that may indicate probing</li> <li> <strong>Scope escalation patterns</strong>: Tokens being used to call endpoints outside their declared scope</li> <li> <strong>Schema anomalies</strong>: Request bodies that include undeclared fields (mass assignment attempts)</li> <li> <strong>Baseline deviation</strong>: Significant increases in error rates, response sizes, or request frequencies per endpoint</li> </ul> <h3> 13.4 Pentest Augmentation </h3> <p>For security engineers and pentesters, Precogs.ai serves as a <strong>force multiplier</strong>:</p> <ul> <li> <strong>Pre-engagement:</strong> Run a Precogs.ai scan to get a prioritized map of the highest-risk endpoints before opening Burp Suite. Stop wasting engagement time on endpoints that are provably safe.</li> <li> <strong>During engagement:</strong> Cross-reference your findings with Precogs.ai's code-level analysis to understand <em>why</em> a vulnerability exists — not just <em>that</em> it does. This dramatically improves remediation guidance quality.</li> <li> <strong>Post-engagement:</strong> Use Precogs.ai's continuous monitoring to verify that findings are remediated and stay remediated across future deployments.</li> </ul> <h2> 14. Conclusion: From Point-in-Time Testing to Continuous API Intelligence </h2> <p>The annual penetration test is not a security strategy. It is a snapshot. A 5-day engagement against an application that ships 50 PRs per week will miss the vulnerability introduced on Day 6 of the sprint after the pentesters went home.</p> <p>The organizations that are winning the API security battle are not the ones doing more penetration tests. They are the ones that have made security a <strong>continuous, measurable property of their API development process</strong> — built into the PR review cycle, enforced by automated analysis, and monitored in real-time in production.</p> <p><strong><a href="https://precogs.ai" rel="noopener noreferrer">Precogs.ai</a></strong> is the platform that makes this possible. Built by security engineers for security engineers. Designed to augment — not replace — the human expertise that finds the vulnerabilities that matter. And purpose-built to operate at the velocity of modern software development.</p> <p>The attack surface is growing every day. The question is whether your visibility is growing with it.</p> <h3> Ready to Map Your API Attack Surface? </h3> <p><a href="https://precogs.ai" rel="noopener noreferrer"><strong>Request a demo at precogs.ai →</strong></a></p> <p>Precogs.ai integrates with GitHub, GitLab, Bitbucket, AWS API Gateway, Kong, and major API frameworks. Upload your OpenAPI spec and get a full BOLA/BFLA risk assessment in under 10 minutes.</p> <p><em>© 2026 Precogs.ai — AI-Native Application Security. All rights reserved.</em></p> <p><em>All attack techniques described in this article are presented for educational and defensive purposes. Always obtain explicit written authorization before testing any system you do not own.</em></p> apisecurity owasp devsecops ai Natasha Joshi Fri, 10 Apr 2026 06:48:08 +0000 https://dev.to/precogs_ai/a-complete-guide-to-securing-ai-generated-code-from-pre-llm-sanitization-to-ai-native-sast-2026-582c https://dev.to/precogs_ai/a-complete-guide-to-securing-ai-generated-code-from-pre-llm-sanitization-to-ai-native-sast-2026-582c <h2> Introduction </h2> <p>GitHub Copilot alone has over 1.3 million paid subscribers and continues to see rapid adoption across enterprises. If your team uses GitHub Copilot or any AI coding assistant, you might have a security problem you probably haven't thought about yet.</p> <p>The problems are subtler than you'd expect, and they happen in two directions simultaneously:</p> <p><strong>Direction 1:</strong> AI assistants generate code that <em>looks</em> correct but contains security flaws like SQL injections, broken authentication, insecure API calls, because they were trained on millions of lines of public code, including the bad ones.</p> <p><strong>Direction 2:</strong> To get suggestions from these AI tools, developers paste their code in. That code sometimes contains API keys, customer PII, database credentials, and proprietary logic. Once pasted, it leaves your environment entirely.</p> <p>Most security teams have a plan for Direction 1. Almost nobody has a plan for Direction 2.</p> <p>This article walks through both problems, why traditional security tools don't solve either of them, and what a complete solution looks like.</p> <h2> The Scale of the Problem </h2> <p>AI coding assistants are no longer optional for competitive engineering teams. As of 2026:</p> <ul> <li>Over 50% of new code at many organisations is AI-assisted or AI-generated</li> <li>GitHub Copilot alone has over 1.3 million paid subscribers</li> <li>Cursor, Codeium, Amazon CodeWhisperer, and others are rapidly growing</li> </ul> <p>This means that in any given pull request, a significant portion of the code was never directly written by a human, it was suggested by a model trained on public data, accepted by a developer, and pushed into production. The security implications of this are still catching up to the adoption curve.</p> <h2> Problem 1: What AI-Generated Code Gets Wrong </h2> <p>AI models generate code by predicting what comes next based on training data. They are extremely good at producing code that <em>looks</em> right and <em>runs</em> correctly.</p> <p>But security is not about whether code runs — it's about whether it's safe under adversarial conditions. And AI models have no concept of adversarial intent.</p> <h3> Common Vulnerabilities in AI-Generated Code </h3> <p><strong>SQL Injection</strong></p> <p>AI models frequently generate database queries using string concatenation because that pattern appears frequently in training data.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Copilot-generated — looks fine, is dangerous </span><span class="n">query</span> <span class="o">=</span> <span class="sh">"</span><span class="s">SELECT * FROM users WHERE email = </span><span class="sh">'"</span> <span class="o">+</span> <span class="n">user_input</span> <span class="o">+</span> <span class="sh">"'"</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="n">query</span><span class="p">)</span> </code></pre> </div> <p>An attacker can break out of the string and execute arbitrary database commands. The fix requires parameterised queries — which AI models sometimes generate correctly and sometimes don't, depending on context.</p> <p><strong>Hardcoded Credentials</strong></p> <p>AI models often suggest code with placeholder credentials that developers forget to replace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Copilot-suggested — left in production</span> <span class="kd">const</span> <span class="nx">dbConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">host</span><span class="p">:</span> <span class="dl">'</span><span class="s1">prod-db.company.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="dl">'</span><span class="s1">admin123</span><span class="dl">'</span> <span class="p">}</span> </code></pre> </div> <p><strong>Broken Authentication Logic</strong></p> <p>AI-generated authentication flows sometimes contain subtle logic errors — checking the wrong condition, skipping a validation step — that aren't obvious in code review but are immediately exploitable.</p> <p><strong>Insecure Deserialization</strong></p> <p>When generating code to parse JSON, XML, or serialised objects, AI tools often miss the validation steps that prevent attackers from injecting malicious payloads.</p> <p>The challenge is that these vulnerabilities are not obvious. The code passes syntax checks, passes basic testing, and often passes manual code review — because it <em>looks</em> correct.</p> <h2> Problem 2: The Invisible Data Leak Nobody Talks About </h2> <p>Here is the scenario playing out at companies globally, right now:</p> <ol> <li>Developer is building a feature that handles customer payment data</li> <li>They hit a tricky edge case and open Cursor or Copilot</li> <li>They paste their current code file into the AI prompt to get context-aware suggestions</li> <li>That file contains a real Stripe API key they haven't yet moved to environment variables</li> <li>The key is now in the AI tool's input — and depending on the tool and configuration, potentially in training data, logs, or cloud storage</li> </ol> <p>This is called <strong>pre-LLM data exposure</strong> and it's not theoretical. It's happening silently, at scale, across every engineering team that uses AI coding tools.</p> <p><strong>What's being exposed:</strong></p> <ul> <li>API keys and service credentials</li> <li>Customer PII (names, emails, credit card numbers)</li> <li>Internal infrastructure details (database hostnames, internal URLs)</li> <li>Proprietary business logic</li> </ul> <p>Traditional security tools scan your code <em>after</em> it's written. None of them sit between your developer and the AI tool they're querying.</p> <h2> Why Traditional SAST Tools Don't Solve Either Problem </h2> <p>Static Application Security Testing (SAST) tools like SonarQube, Semgrep, and Snyk were built for human-written code. They work by matching code against a library of known vulnerability patterns.</p> <p>This creates three specific gaps when applied to AI-generated code:</p> <p><strong>Gap 1: Pattern libraries don't cover AI-generated patterns</strong><br><br> AI models produce code structures that differ subtly from how humans write. A rule written to catch a human-written SQL injection may not catch the slightly different form an AI model generates.</p> <p><strong>Gap 2: False positive rates make alerts meaningless</strong><br><br> Traditional SAST tools produce false positive rates of 10–35%. When developers are already moving fast with AI assistance, they ignore alerts they don't trust. A tool with a 35% false alarm rate trains developers to dismiss warnings — including the real ones.</p> <p><strong>Gap 3: They can't see what leaves your environment</strong><br><br> No traditional SAST tool intercepts what gets pasted into an AI coding assistant. They scan repositories — not the data flowing to and from AI APIs.</p> <h2> What a Complete Solution Looks Like </h2> <p>Securing AI-assisted development requires addressing the entire workflow, not just the output:</p> <h3> Step 1: Pre-LLM Sanitization </h3> <p>Before any code reaches an AI model, strip it of PII, credentials, and secrets. This should happen automatically, inline, without requiring the developer to do anything differently.</p> <p>The technical approach: a scanner that combines regex pattern matching, ML-based Named Entity Recognition (NER), and Shannon entropy analysis to identify and redact sensitive content in real time — at 0.002 seconds per KB, so there's zero perceptible latency in the developer's workflow.</p> <h3> Step 2: AI-Native SAST </h3> <p>Scan AI-generated code with a scanner that understands code <em>semantics</em> — not just pattern matching. This requires a multi-model AI ensemble that can trace data flow across files, understand function-level dependencies, and evaluate whether a vulnerability is actually exploitable in context.</p> <p>Key metric: <strong>precision</strong>. A scanner with 98% precision means 98 out of 100 alerts are real. A scanner with 48% precision means more than half your alerts are noise.</p> <h3> Step 3: Agentic Remediation </h3> <p>Detection without remediation just creates a backlog. The next step is automated fix generation — an AI that not only identifies the vulnerability but writes the corrected code and opens a pull request. The developer reviews and merges. No manual research, no hours spent understanding the fix.</p> <h3> Step 4: Secrets Detection at Every Layer </h3> <p>Scan not just your codebase but your commit history, CI/CD pipelines, and container images for exposed credentials. Use multi-layer detection (not just regex) to catch credentials that don't follow standard formats — because attackers know what standard formats look like and deliberately use non-standard ones.</p> <h2> The CASTLE Benchmark: An Objective Measure </h2> <p>When evaluating security tools for AI-generated code, ask vendors for their <strong>CASTLE benchmark score</strong>. CASTLE (Code Analysis Security Testing and Language Evaluation) is an independent benchmark that measures how accurately an application security testing tool detects real vulnerabilities versus generating false alarms.</p> <h3> 2026 CASTLE Benchmark Results </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Precision</th> <th>Recall</th> <th>CASTLE Score</th> </tr> </thead> <tbody> <tr> <td>Precogs AI</td> <td>98%</td> <td>94%</td> <td>1145</td> </tr> <tr> <td>CodeQL</td> <td>48%</td> <td>29%</td> <td>634</td> </tr> <tr> <td>Snyk</td> <td>38%</td> <td>17%</td> <td>552</td> </tr> <tr> <td>Semgrep</td> <td>34%</td> <td>23%</td> <td>541</td> </tr> <tr> <td>SonarQube</td> <td>24%</td> <td>29%</td> <td>511</td> </tr> </tbody> </table></div> <p><em>Sources: <a href="https://www.precogs.ai/our-ai" rel="noopener noreferrer">precogs.ai/our-ai</a>, <a href="https://www.precogs.ai/blog/precogs-ai-redefines-code-security-topping-the-castle-benchmark-with-ai-native-precision" rel="noopener noreferrer">Precogs AI CASTLE Benchmark blog post</a></em></p> <p><strong>Precision</strong> tells you what percentage of alerts are real. <strong>Recall</strong> tells you what percentage of real vulnerabilities the tool finds. Both matter — a tool with 100% precision but 10% recall is useless because it misses 90% of real threats.</p> <h2> A Practical Checklist for Engineering Teams </h2> <p>If your team uses AI coding assistants, run through this checklist:</p> <ul> <li> <strong>Do you scan AI-generated code before it merges?</strong> If your security scan runs only in production or on a weekly schedule, vulnerabilities generated by Copilot are sitting in your codebase undetected.</li> <li> <strong>Does your SAST tool understand code context or just match patterns?</strong> Ask your vendor: does your tool do data flow analysis across files? If the answer is unclear, assume it doesn't.</li> <li> <strong>What is your tool's false positive rate?</strong> If you don't know, pull your last month of alerts and count how many developers marked as "not exploitable." That's your false positive rate.</li> <li> <strong>Do you scan what gets sent to AI tools?</strong> This is the hardest question because most teams have never thought about it. If the answer is no, you have an unmonitored data egress channel.</li> <li> <strong>Does your tool generate fixes or just alerts?</strong> Alerts without fixes create backlogs. Backlogs get deprioritised. Deprioritised vulnerabilities get exploited.</li> </ul> <h2> Conclusion </h2> <p>AI coding assistants are not going away. They make developers faster, and that's a genuine competitive advantage that no security policy can or should eliminate.</p> <p>But speed without security is borrowed time. The specific security challenges of AI-assisted development — insecure generated code, invisible data egress, pattern-based scanners that miss AI-generated vulnerabilities — are different enough from traditional challenges that they require tools built for this new reality.</p> <p>The checklist above is a starting point. The next step is running a real scan on your AI-generated code and seeing what's actually there.</p> <h2> About Precogs AI </h2> <p>Precogs AI is an AI-native application security platform built specifically for the AI-assisted development era. It provides:</p> <ul> <li> <strong>Pre-LLM Sanitization</strong> — automatically strip sensitive data before it reaches any AI model</li> <li> <strong>AI-native multi-model SAST scanning</strong> — 98% precision on the CASTLE benchmark</li> <li> <strong>Agentic fix generation</strong> — turns detected vulnerabilities into merged pull requests</li> <li> <strong>Binary security scanning</strong> — without source code, for comprehensive coverage</li> </ul> <p><a href="https://www.precogs.ai" rel="noopener noreferrer">Try it free — no credit card required</a> or book a 30-minute demo to see it on your own codebase.</p> <h1> Frequently Asked Questions </h1> <h2> Does Precogs AI work with GitHub Copilot specifically? </h2> <p>Yes. Precogs AI integrates directly into your GitHub workflow via the GitHub App. Every pull request — including code generated by Copilot — is automatically scanned before it merges.</p> <h2> What is Pre-LLM Sanitization? </h2> <p>It's an automated process in Precogs AI that strips sensitive data (PII, API keys, credentials) from code before it's sent to any AI model. It runs inline in your development workflow with zero perceptible latency.</p> <h2> How is Precogs different from GitHub's built-in secret scanning? </h2> <p>GitHub's native secret scanning covers common credential formats using regex patterns. Precogs uses three detection layers — regex, ML-based NER, and Shannon entropy analysis — covering 50+ secret types including non-standard formats that regex alone misses. It also adds PII detection and Pre-LLM Sanitization, which GitHub does not offer.</p> <h2> Can I try this on my existing codebase? </h2> <p>Yes. Precogs AI has a free tier that scans up to 150,000 tokens per month with no credit card required. Most teams see their first scan results within 5 minutes of connecting their GitHub repository. <a href="https://www.precogs.ai" rel="noopener noreferrer">Try Precogs AI free here.</a></p> codesecurity appsec coding productivity Natasha Joshi Tue, 31 Mar 2026 10:41:01 +0000 https://dev.to/natasha_joshi_/a-complete-guide-to-securing-ai-generated-code-from-pre-llm-sanitization-to-ai-native-sast-2026-2ago https://dev.to/natasha_joshi_/a-complete-guide-to-securing-ai-generated-code-from-pre-llm-sanitization-to-ai-native-sast-2026-2ago <p>AI coding tools like Copilot and Cursor create two-directional security risks — insecure generated code AND silent data leaks. Here's what your security team is missing.<br> tags: security, ai, webdev, programming</p> <h2> cover_image: </h2> <p>AI coding assistants like GitHub Copilot, Cursor, Codeium, and Amazon CodeWhisperer now power a significant portion of modern software development and continue to see rapid adoption across enterprises. If your team uses any of these tools, you may already have a security risk you haven't fully considered.</p> <p>The challenges are more subtle than they appear, and they occur in <strong>two directions simultaneously</strong>:</p> <ul> <li> <strong>Direction 1:</strong> AI assistants generate code that <em>looks</em> correct but contains security flaws — SQL injections, broken authentication, insecure API calls — because they were trained on millions of lines of public code, including the bad ones.</li> <li> <strong>Direction 2:</strong> To get suggestions from these AI tools, developers paste their code in. That code sometimes contains API keys, customer PII, database credentials, and proprietary logic. Once pasted, <strong>it leaves your environment entirely.</strong> </li> </ul> <p>Most security teams have a plan for Direction 1. Almost nobody has a plan for Direction 2.</p> <p>This article walks through both problems, why traditional security tools don't solve either of them, and what a complete solution looks like.</p> <h2> The Scale of the Problem </h2> <p>AI coding assistants are no longer optional for competitive engineering teams. As of 2026:</p> <ul> <li>Over <strong>60% of new code</strong> at many organisations is AI-assisted or AI-generated</li> <li>GitHub Copilot alone has over <strong>1.3 million paid subscribers</strong> </li> <li>Cursor, Codeium, Amazon CodeWhisperer, and others are rapidly growing</li> </ul> <p>This means that in any given pull request, a significant portion of the code was never directly written by a human — it was suggested by a model trained on public data, accepted by a developer, and pushed into production. The security implications of this are still catching up to the adoption curve.</p> <h2> Problem 1: What AI-Generated Code Gets Wrong </h2> <p>AI models generate code by predicting what comes next based on training data. They are extremely good at producing code that <strong>looks right and runs correctly</strong>.</p> <p>But security is not about whether code runs — it's about whether it's safe under <strong>adversarial conditions</strong>. And AI models have no concept of adversarial intent.</p> <h3> Common Vulnerabilities in AI-Generated Code </h3> <h4> SQL Injection </h4> <p>AI models frequently generate database queries using string concatenation because that pattern appears frequently in training data.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Copilot-generated — looks fine, is dangerous </span><span class="n">query</span> <span class="o">=</span> <span class="sh">"</span><span class="s">SELECT * FROM users WHERE email = </span><span class="sh">'"</span> <span class="o">+</span> <span class="n">user_input</span> <span class="o">+</span> <span class="sh">"'"</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="n">query</span><span class="p">)</span> </code></pre> </div> <p>An attacker can break out of the string and execute arbitrary database commands. The fix requires parameterised queries — which AI models sometimes generate correctly and sometimes don't, depending on context.</p> <h4> Hardcoded Credentials </h4> <p>AI models often suggest code with placeholder credentials that developers forget to replace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Copilot-suggested — left in production</span> <span class="kd">const</span> <span class="nx">dbConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">host</span><span class="p">:</span> <span class="dl">'</span><span class="s1">prod-db.company.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="dl">'</span><span class="s1">admin123</span><span class="dl">'</span> <span class="p">}</span> </code></pre> </div> <h4> Broken Authentication Logic </h4> <p>AI-generated authentication flows sometimes contain subtle logic errors — checking the wrong condition, skipping a validation step — that aren't obvious in code review but are immediately exploitable.</p> <h4> Insecure Deserialization </h4> <p>When generating code to parse JSON, XML, or serialised objects, AI tools often miss the validation steps that prevent attackers from injecting malicious payloads.</p> <p>The challenge is that these vulnerabilities are <strong>not obvious</strong>. The code passes syntax checks, passes basic testing, and often passes manual code review because it looks correct.</p> <h2> Problem 2: The Invisible Data Leak Nobody Talks About </h2> <p>Here is the scenario playing out at companies globally, right now:</p> <blockquote> <ol> <li>Developer is building a feature that handles customer payment data</li> <li>They hit a tricky edge case and open Cursor or Copilot</li> <li>They paste their current code file into the AI prompt to get context-aware suggestions</li> <li>That file contains a real Stripe API key they haven't yet moved to environment variables</li> <li>The key is now in the AI tool's input — and depending on the tool and configuration, potentially in training data, logs, or cloud storage</li> </ol> </blockquote> <p>This is called <strong>pre-LLM data exposure</strong> and it's not theoretical. It's happening silently, at scale, across every engineering team that uses AI coding tools.</p> <p><strong>What's being exposed:</strong></p> <ul> <li>API keys and service credentials</li> <li>Customer PII (names, emails, credit card numbers)</li> <li>Internal infrastructure details (database hostnames, internal URLs)</li> <li>Proprietary business logic</li> </ul> <p>Traditional security tools scan your code <em>after it's written</em>. None of them sit between your developer and the AI tool they're querying.</p> <h2> Why Traditional SAST Tools Don't Solve Either Problem </h2> <p>Static Application Security Testing (SAST) tools like SonarQube, Semgrep, and Snyk were built for human-written code. They work by matching code against a library of known vulnerability patterns.</p> <p>This creates three specific gaps when applied to AI-generated code:</p> <h3> Gap 1: Pattern libraries don't cover AI-generated patterns </h3> <p>AI models produce code structures that differ subtly from how humans write. A rule written to catch a human-written SQL injection may not catch the slightly different form an AI model generates.</p> <h3> Gap 2: False positive rates make alerts meaningless </h3> <p>Traditional SAST tools produce false positive rates of <strong>10–35%</strong>. When developers are already moving fast with AI assistance, they ignore alerts they don't trust. A tool with a 35% false alarm rate trains developers to dismiss warnings — including the real ones.</p> <h3> Gap 3: They can't see what leaves your environment </h3> <p>No traditional SAST tool intercepts what gets pasted into an AI coding assistant. They scan repositories — not the data flowing to and from AI APIs.</p> <h2> What a Complete Solution Looks Like </h2> <p>Securing AI-assisted development requires addressing the <strong>entire workflow</strong>, not just the output:</p> <h3> Step 1: Pre-LLM Sanitization </h3> <p>Before any code reaches an AI model, strip it of PII, credentials, and secrets. This should happen automatically, inline, without requiring the developer to do anything differently.</p> <p>The technical approach: a scanner that combines regex pattern matching, ML-based Named Entity Recognition (NER), and Shannon entropy analysis to identify and redact sensitive content in real time at <strong>0.002 seconds per KB</strong> — so there's zero perceptible latency in the developer's workflow.</p> <h3> Step 2: AI-Native SAST </h3> <p>Scan AI-generated code with a scanner that understands <strong>code semantics</strong> — not just pattern matching. This requires a multi-model AI ensemble that can trace data flow across files, understand function-level dependencies, and evaluate whether a vulnerability is actually exploitable in context.</p> <p>Key metric: <strong>precision</strong>. A scanner with 98% precision means 98 out of 100 alerts are real. A scanner with 48% precision means more than half your alerts are noise.</p> <h3> Step 3: Agentic Remediation </h3> <p>Detection without remediation just creates a backlog. The next step is automated fix generation — an AI that not only identifies the vulnerability but writes the corrected code and opens a pull request. The developer reviews and merges. No manual research, no hours spent understanding the fix.</p> <h3> Step 4: Secrets Detection at Every Layer </h3> <p>Scan not just your codebase but your commit history, CI/CD pipelines, and container images for exposed credentials. Use multi-layer detection (not just regex) to catch credentials that don't follow standard formats — because attackers know what standard formats look like and deliberately use non-standard ones.</p> <h2> The CASTLE Benchmark: An Objective Measure </h2> <p>When evaluating security tools for AI-generated code, ask vendors for their <strong>CASTLE benchmark score</strong>. CASTLE (Code Analysis Security Testing and Language Evaluation) is an independent benchmark that measures how accurately an application security testing tool detects real vulnerabilities versus generating false alarms.</p> <h3> 2026 CASTLE Benchmark Results </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Precision</th> <th>Recall</th> <th>CASTLE Score</th> </tr> </thead> <tbody> <tr> <td>Precogs AI</td> <td>98%</td> <td>94%</td> <td>1145</td> </tr> <tr> <td>CodeQL</td> <td>48%</td> <td>29%</td> <td>634</td> </tr> <tr> <td>Snyk</td> <td>38%</td> <td>17%</td> <td>552</td> </tr> <tr> <td>Semgrep</td> <td>34%</td> <td>23%</td> <td>541</td> </tr> <tr> <td>SonarQube</td> <td>24%</td> <td>29%</td> <td>511</td> </tr> </tbody> </table></div> <p><em>Sources: precogs.ai/our-ai, Precogs AI CASTLE Benchmark blog post</em></p> <p><strong>Precision</strong> tells you what percentage of alerts are real. <strong>Recall</strong> tells you what percentage of real vulnerabilities the tool finds. Both matter — a tool with 100% precision but 10% recall is useless because it misses 90% of real threats.</p> <h2> A Practical Checklist for Engineering Teams </h2> <p>If your team uses AI coding assistants, run through this checklist:</p> <ul> <li>[ ] <strong>Do you scan AI-generated code before it merges?</strong> If your security scan runs only in production or on a weekly schedule, vulnerabilities generated by Copilot are sitting in your codebase undetected.</li> <li>[ ] <strong>Does your SAST tool understand code context or just match patterns?</strong> Ask your vendor: does your tool do data flow analysis across files? If the answer is unclear, assume it doesn't.</li> <li>[ ] <strong>What is your tool's false positive rate?</strong> If you don't know, pull your last month of alerts and count how many developers marked as "not exploitable." That's your false positive rate.</li> <li>[ ] <strong>Do you scan what gets sent to AI tools?</strong> This is the hardest question because most teams have never thought about it. If the answer is no, you have an unmonitored data egress channel.</li> <li>[ ] <strong>Does your tool generate fixes or just alerts?</strong> Alerts without fixes create backlogs. Backlogs get deprioritised. Deprioritised vulnerabilities get exploited.</li> </ul> <h2> Conclusion </h2> <p>AI coding assistants are not going away. They make developers faster, and that's a genuine competitive advantage that no security policy can — or should — eliminate.</p> <p>But speed without security is borrowed time. The specific security challenges of AI-assisted development — insecure generated code, invisible data egress, pattern-based scanners that miss AI-generated vulnerabilities — are different enough from traditional challenges that they require tools built for this new reality.</p> <p>The checklist above is a starting point. The next step is running a real scan on your AI-generated code and seeing what's actually there.</p> codesecurity appsec coding productivity