API Security Fundamentals: Analyzing the 2025 Top 5 API Vulnerabilities

Learning new things is always better with concrete examples, and when we are talking about technology it is even more so, as some concepts are harder to understand for people inside and outside this area. I embarked on a learning journey in the API Security Training Cohort 2.0 of CyberSafe, which will last for the next few months, and we started with API Security fundamentals, a fascinating subject with a vast universe inside it, full of terms, acronyms, and methodologies to learn about.
As I said, the best way to understand hard concepts is through examples, so I searched for texts that could help me understand API Security and its fundamentals in an applicable way, and I found an excellent article on the Equixly blog about the “2025 Top 5 API Incidents”. (Oh, boy!) It helped me a lot to understand the core of API Security, how the basics work, and the crucial importance of the OWASP Top 10 API Security Risks.
For those who don’t know the OWASP API Top 10, it lists the main threats to APIs:
API1:2023 - Broken Object Level Authorization (BOLA)
API2:2023 - Broken Authentication
API3:2023 - Broken Object Property Level Authorization (BOPLA)
API4:2023 - Unrestricted Resource Consumption
API5:2023 - Broken Function Level Authorization (BFLA)
API6:2023 - Unrestricted Access to Sensitive Business Flows
API7:2023 - Server Side Request Forgery
API8:2023 - Security Misconfiguration
API9:2023 - Improper Inventory Management
API10:2023 - Unsafe Consumption of APIs
Some are self-descriptive, but others, like number one, “Broken Object Level Authorization”, also known as “BOLA”, are harder to understand at first. Reading the article, some of its concepts helped me understand how an attacker could (and would) use these weaknesses against an API to perform all sorts of bad actions, such as data exfiltration, data compromise and disclosure, social engineering, and so on.
Let’s see the cases commented on in the article:
Case 1: Stripe

The first case is about the abuse of a deprecated legacy API, which allowed threat actors to run stolen card lists through bots that attempted small transaction requests. Due to the lack of authentication and improper asset management, the combination of a deprecated API, an unsecured endpoint, and no rate limiting caused a massive data theft.
As solutions, we have API endpoint security and management, rate limiting at the WAF (Web Application Firewall), API life-cycle policies with proper decommissioning, along with continuous testing and penetration tests.
API OWASP Top 10 issues
API2:2023 - Broken Authentication
API8:2023 - Security Misconfiguration
API9:2023 - Improper Inventory Management
Case 2: McDonald's / Paradox.AI

Due to a weak password (123456), the McHire administrator account was accessed by bad actors, and due to vulnerabilities in the Paradox.AI chatbot (connected to the McHire platform), job applicants’ data was exposed. The account should have been decommissioned long ago, but it was forgotten.
An additional problem was the use of sequential ID numbers in requests, which enabled Broken Object Level Authorization (BOLA): by incrementing the ID number, it was possible to access more records that had no authorization checks.
This was a massive security horror show, and the lessons learned were hard, but important.
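The sequential-ID problem comes down to an endpoint that looks an object up by ID and never asks who is calling. The following is an added example (not code from McHire or Paradox.AI): a constructed applicant store with a vulnerable lookup beside the fixed one, and an audit helper that shows what an incrementing-ID probe yields against each.

```python
"""Constructed example: object-level authorization on a record-lookup endpoint.

Names, IDs and records below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Applicant:
    id: int
    owner: str   # account that created this application
    name: str
    email: str


# Constructed sample store keyed by sequential integer IDs.
APPLICANTS = {
    1001: Applicant(1001, "alice", "Alice A.", "alice@example.test"),
    1002: Applicant(1002, "bob", "Bob B.", "bob@example.test"),
    1003: Applicant(1003, "carol", "Carol C.", "carol@example.test"),
}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


def get_applicant_vulnerable(caller: str, applicant_id: int) -> Optional[Applicant]:
    """BOLA: returns the object if it exists, regardless of who is calling."""
    return APPLICANTS.get(applicant_id)


def get_applicant(caller: str, applicant_id: int, is_admin: bool = False) -> Applicant:
    """Fixed: authorize the (caller, object) pair, not just the object's existence.

    Missing and foreign records are rejected the same way, so the response
    does not confirm which IDs exist.
    """
    record = APPLICANTS.get(applicant_id)
    if record is None or (record.owner != caller and not is_admin):
        raise Forbidden(f"applicant {applicant_id} not accessible to {caller}")
    return record


def audit_handlers(caller: str, start: int, count: int) -> Tuple[int, int]:
    """Returns (records leaked by the vulnerable handler, requests blocked by the fixed one)."""
    leaked = sum(get_applicant_vulnerable(caller, i) is not None for i in range(start, start + count))
    blocked = 0
    for i in range(start, start + count):
        try:
            get_applicant(caller, i)
        except Forbidden:
            blocked += 1
    return leaked, blocked
```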
API OWASP Top 10 issues
API1:2023 - Broken Object Level Authorization (BOLA)
API8:2023 - Security Misconfiguration
API10:2023 - Unsafe Consumption of APIs
Case 3: Intel

This case was discovered by a researcher applying MITRE ATT&CK steps: he got initial access, mapped the application behavior, and found an undocumented API endpoint. As the API’s purpose was to retrieve user profile information, returning a JSON object with a myriad of details, it was a great danger for Intel.
In addition, the researcher discovered that the unauthenticated API allowed exploitation of the getAllAccounts function of the Microsoft Authentication Library, bypassing Microsoft Active Directory (!!!).
Misplaced trust in the environment, misconfiguration, and excessive data exposure were just some of the many vulnerability problems in this particular case. The JSON object retrieval permitted verbose metadata recovery, including role permissions and (even) session tokens. The lesson here is that cybersecurity is not something you can ignore, or 270,000 employees’ data will be exposed!
API OWASP Top 10 issues
API2:2023 - Broken Authentication
API5:2023 - Broken Function Level Authorization (BFLA)
API6:2023 - Unrestricted Access to Sensitive Business Flows
API8:2023 - Security Misconfiguration
API9:2023 - Improper Inventory Management
Case 4: Volkswagen

A car API case here. The car system sends an OTP to the car owners, and the API endpoint responsible for OTP validation had no rate limiting applied, not even anomaly detection.
The result? A multithreaded Python script was used for brute force and, once inside, the endpoints returned the entire object in JSON with sensitive values.
Through Broken Object Level Authorization, by substituting the Vehicle Identification Number (VIN) in requests, it was possible to enumerate random vehicles and receive data such as owners’ PII, vehicle data, telemetry, real location data, and so on.
This case was particularly interesting, as not only was API security at stake, but it also led to real-life consequences such as kidnapping and even supplying information to stalkers.
Automated tests in the CI/CD pipeline and pentests would have helped a lot.
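Case 1 (card-testing bots making many small requests) and Case 4 (OTP brute force) share the same missing control: an attempt budget per target and per client. The following is an added example, not Stripe’s or Volkswagen’s code; the thresholds, the injected clock and the VIN-like target names are constructed for illustration.

```python
"""Constructed example: OTP validation with per-target lockout and per-client rate limiting."""
import hmac
from collections import defaultdict, deque

MAX_ATTEMPTS_PER_TARGET = 5     # wrong guesses before the target's OTP is locked
LOCKOUT_SECONDS = 900           # how long a locked target stays locked
MAX_REQUESTS_PER_CLIENT = 20    # requests per client per sliding window
WINDOW_SECONDS = 60


class OtpVerifier:
    def __init__(self, issued: dict):
        self._issued = issued                    # target -> expected OTP (constructed)
        self._failures = defaultdict(int)        # target -> consecutive failures
        self._locked_until = {}                  # target -> time the lock expires
        self._client_hits = defaultdict(deque)   # client -> recent request timestamps

    def _client_over_limit(self, client: str, now: float) -> bool:
        """Sliding-window counter; also catches one client spraying many targets."""
        hits = self._client_hits[client]
        while hits and now - hits[0] >= WINDOW_SECONDS:
            hits.popleft()
        hits.append(now)
        return len(hits) > MAX_REQUESTS_PER_CLIENT

    def verify(self, client: str, target: str, otp: str, now: float) -> str:
        """Returns 'ok', 'invalid', 'locked' or 'rate_limited'.

        Budgets are checked before the comparison, so a bot cannot keep
        guessing once either budget is spent.
        """
        if self._client_over_limit(client, now):
            return "rate_limited"
        if self._locked_until.get(target, 0) > now:
            return "locked"
        expected = self._issued.get(target, "")
        # compare_digest keeps the comparison time independent of how many digits match
        if expected and hmac.compare_digest(expected, otp):
            self._failures[target] = 0
            return "ok"
        self._failures[target] += 1
        if self._failures[target] >= MAX_ATTEMPTS_PER_TARGET:
            self._locked_until[target] = now + LOCKOUT_SECONDS
            self._failures[target] = 0
        return "invalid"
```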
API OWASP Top 10 issues
API1:2023 - Broken Object Level Authorization (BOLA)
API2:2023 - Broken Authentication
API8:2023 - Security Misconfiguration
Case 5: Azure ID Users

The last case was an interesting one, due to its highlights. An API called from JavaScript fetched user data with no authentication, generating an OAuth 2.0 app-only access token for Microsoft Graph via the client credentials flow. The problem is that the token had high privilege, carrying User.Read.All and AccessReview.Read.All, which grant directory user enumeration and access to governance reviews, respectively.
As it had no authentication or caller restrictions, anyone could access the data through the Internet! The result? 50,000 Azure AD users were exposed, with the possibility of phishing, social engineering, and privilege escalation.
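An app-only Graph token lists its application permissions in the `roles` claim (a delegated token uses `scp` instead), so a deployment check can decode that claim and flag anything beyond a least-privilege allow-list before the token ever reaches a caller. The following is an added example, not code from the incident; the allow-list, the risk list and the unsigned token builder are constructed for the example, and decoding here skips signature verification because the audit only inspects claims.

```python
"""Constructed example: auditing the application permissions in an app-only Graph token."""
import base64
import json

# Least-privilege allow-list for a hypothetical integration (constructed).
ALLOWED_ROLES = {"User.ReadBasic.All"}

# Permissions that expose the directory or governance data named in Case 5.
HIGH_RISK_ROLES = {"User.Read.All", "AccessReview.Read.All", "Directory.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Returns the payload claims of a compact JWT; does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def audit_app_token(token: str, allowed=ALLOWED_ROLES) -> dict:
    """Summarizes whether the token's app permissions exceed the allow-list."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))
    excess = roles - allowed
    return {
        "app_only": "roles" in claims and "scp" not in claims,
        "excess_roles": sorted(excess),
        "high_risk": sorted(excess & HIGH_RISK_ROLES),
        "compliant": not excess,
    }


def make_constructed_token(roles) -> str:
    """Builds an unsigned JWT shaped like an app-only Graph token (constructed test input)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "aud": "https://graph.microsoft.com",
        "appid": "00000000-0000-0000-0000-000000000000",  # placeholder app id
        "roles": list(roles),
    }
    return f"{enc(header)}.{enc(payload)}.signature-omitted"
```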
API OWASP Top 10 issues
API2:2023 - Broken Authentication
API5:2023 - Broken Function Level Authorization (BFLA)
API6:2023 - Unrestricted Access to Sensitive Business Flows
API10:2023 - Unsafe Consumption of APIs
As we can see, testing the security guardrails in different environments and across the various phases of architecture and development is vital to avoid information disasters. Every member of the production cycle must be aware of vulnerabilities and security by design, even under business pressure.
With good practices applied from the beginning, the probability of financial distress and reputation problems will drop substantially.
I highly recommend the Equixly article for those who want to learn more about API security.
Resources
EQUIXLY. 2025 top 5 API incidents, August 2025. [cited 2025 Nov 24]. Available from: https://equixly.com/blog/2025/09/08/2025-top-5-api-incidents/.
OWASP. OWASP top 10 API security risks – 2023, [cited 2025 Nov 24]. Available from: https://owasp.org/API-Security/editions/2023/en/0x11-t10/.