Common API Attack Paths Security Teams Should Expect

Many API compromises start with a valid low-privilege account. The attacker does not need to bypass authentication if the API already trusts the user too much once they are inside.

• Broken object-level authorization that exposes another tenant’s records
• Function-level authorization failures on admin or support endpoints
• Mass assignment that lets users change fields the client should never control
• Weak state enforcement in approval, settlement, or workflow transitions
• Shadow endpoints left available for internal tools or old clients

A strong API review does not stop at enumerating endpoints. It looks at roles, ownership, internal-only actions, hidden parameters, and the assumptions embedded in how objects move through the system.

PATCH /api/v1/invoices/84372
Authorization: Bearer user-token

{
  "status": "paid"
}

APIs sit underneath web apps, mobile apps, partner integrations, and internal operations. When authorization is weak here, the impact reaches customer trust, audit posture, and incident response complexity quickly.

• Derive tenant and user context server-side
• Enforce object ownership consistently across read and write paths
• Review hidden endpoints and administrative routes during release cycles
• Test workflow transitions as carefully as create and read operations