API Security
Top 10 API Vulnerabilities We See in Indian SMEs
APIs now carry customer data, payments, internal workflows, mobile app traffic and partner integrations. For many SMEs, the API becomes the real application perimeter, but it is often tested less deeply than the website.
1. Broken object-level authorization
The most damaging API flaw is simple: a user can access another user’s invoice, order, profile, report or ticket by changing an ID. This is common when the backend checks whether a user is logged in, but not whether the requested object belongs to that user.
2. Weak role enforcement
Admin, staff, franchise, customer and vendor roles often share the same endpoints. If authorization logic is inconsistent, lower-privilege users may perform actions meant for higher-privilege accounts.
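A worked example for items 1 and 2, added here and not taken from the article: an invoice lookup that only checks "is someone logged in" beside one that checks ownership of the object and then the role's permission for the action. The store, the role names ("customer", "staff", "admin") and the permission table are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class User:
    id: int
    role: str  # assumed role names: "customer", "staff", "admin"


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount: float


# Constructed sample data: two customers, one invoice each.
INVOICES = {
    101: Invoice(id=101, owner_id=1, amount=1200.0),
    102: Invoice(id=102, owner_id=2, amount=450.0),
}

# Function-level policy: which actions each role may perform at all.
PERMISSIONS = {
    "customer": {"view"},
    "staff": {"view"},
    "admin": {"view", "void"},
}

Response = Tuple[int, Optional[Invoice]]  # (HTTP-style status, body)


def get_invoice_vulnerable(user: Optional[User], invoice_id: int) -> Response:
    """The flaw: only 'is someone logged in?' is checked, so any valid ID works."""
    if user is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    return (200, invoice) if invoice else (404, None)


def get_invoice(user: Optional[User], invoice_id: int) -> Response:
    """Object-level check: a customer may only read invoices they own."""
    if user is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    # Answer 404 for both "missing" and "not yours", so the API does not
    # confirm which IDs exist to a user who has no right to them.
    if invoice is None or (user.role == "customer" and invoice.owner_id != user.id):
        return 404, None
    return 200, invoice


def invoice_action(user: Optional[User], action: str, invoice_id: int) -> Response:
    """Role check layered on top of the object-level check; unknown roles are denied."""
    if user is None:
        return 401, None
    if action not in PERMISSIONS.get(user.role, set()):
        return 403, None
    return get_invoice(user, invoice_id)
```

The two checks are deliberately separate: the role table answers "may this kind of user do this at all", the ownership test answers "on this particular record". Skipping either one reproduces the two flaws above.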
3. Token misuse
Long-lived tokens, tokens stored insecurely in mobile apps, missing expiry, weak refresh logic and token reuse after logout all increase account takeover risk.
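An added example (not the article's code) of the token lifecycle described above: short-lived access tokens, refresh tokens that are rotated on every use, and a revocation list consulted on logout. The HMAC-signed format, the lifetimes and the in-memory revocation set are assumptions for the demo; a real deployment would load the key from a secret store and keep revocations in shared storage.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

SECRET = secrets.token_bytes(32)  # constructed per-process key; load from a secret store in practice
ACCESS_TTL = 15 * 60              # assumed lifetimes (seconds)
REFRESH_TTL = 7 * 24 * 3600
REVOKED = set()                   # jti values killed at logout/rotation; a shared store in practice


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())


def issue(user_id: int, kind: str, now: float) -> str:
    """Mint a signed token with an expiry and a unique id (jti); `now` is injected for testing."""
    ttl = ACCESS_TTL if kind == "access" else REFRESH_TTL
    payload = {"sub": user_id, "kind": kind, "exp": int(now + ttl), "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"


def verify(token: str, kind: str, now: float) -> Optional[dict]:
    """Return the payload only if signature, kind, expiry and revocation all pass."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    try:
        payload = json.loads(_unb64(body))
    except ValueError:
        return None
    if payload.get("kind") != kind or payload.get("exp", 0) <= now or payload.get("jti") in REVOKED:
        return None
    return payload


def logout(refresh_token: str, now: float) -> bool:
    """Revoke the session's refresh token; outstanding access tokens die with their short TTL."""
    payload = verify(refresh_token, "refresh", now)
    if payload is None:
        return False
    REVOKED.add(payload["jti"])
    return True


def refresh(refresh_token: str, now: float) -> Optional[Tuple[str, str]]:
    """Rotate on use: the old refresh token is revoked, so a replayed one is rejected."""
    payload = verify(refresh_token, "refresh", now)
    if payload is None:
        return None
    REVOKED.add(payload["jti"])
    return issue(payload["sub"], "access", now), issue(payload["sub"], "refresh", now)
```

Rotation is what makes "token reuse after logout" detectable: once a refresh token has been exchanged or logged out, any later presentation of it is a replay, and the failed verify is worth alerting on.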
4. Excessive data exposure
APIs frequently return full database objects while the frontend displays only a few fields. Hidden fields can expose phone numbers, internal IDs, margins, payment status, employee data or operational notes.
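The following is an added example, not from the article, of shaping a response with an explicit per-role allowlist instead of returning the ORM object as-is. The order record, the field names (cost_price, margin, internal_note, customer_phone) and the three role views are constructed for the demo.

```python
from typing import Any, Dict, Union

View = Dict[str, Union[bool, "View"]]  # field -> True (copy as-is) or a nested view

# Constructed order record as a data layer might return it, internal fields included.
ORDER = {
    "id": 5001,
    "status": "shipped",
    "total": 2599.0,
    "customer_phone": "+91-90000-00000",
    "internal_note": "partner discount applied",
    "items": [
        {"sku": "SKU-1", "qty": 2, "price": 999.5, "cost_price": 610.0, "margin": 0.39},
        {"sku": "SKU-2", "qty": 1, "price": 600.0, "cost_price": 420.0, "margin": 0.30},
    ],
}

ITEM_PUBLIC: View = {"sku": True, "qty": True, "price": True}

# Assumed per-role views; a role with no entry gets nothing (deny by default).
VIEWS: Dict[str, View] = {
    "customer": {"id": True, "status": True, "total": True, "items": ITEM_PUBLIC},
    "staff": {"id": True, "status": True, "total": True, "customer_phone": True,
              "internal_note": True, "items": ITEM_PUBLIC},
    "finance": {"id": True, "status": True, "total": True,
                "items": {"sku": True, "qty": True, "price": True,
                          "cost_price": True, "margin": True}},
}


def project(record: Dict[str, Any], view: View) -> Dict[str, Any]:
    """Copy only the fields named in the view, recursing into nested dicts and lists."""
    out: Dict[str, Any] = {}
    for key, rule in view.items():
        if key not in record:
            continue
        value = record[key]
        if rule is True:
            out[key] = value
        elif isinstance(value, list):
            out[key] = [project(item, rule) for item in value if isinstance(item, dict)]
        elif isinstance(value, dict):
            out[key] = project(value, rule)
    return out


def serialize_order(order: Dict[str, Any], role: str) -> Dict[str, Any]:
    return project(order, VIEWS.get(role, {}))
```

Because the view is an allowlist, a column added to the table later stays hidden until someone decides which roles should see it; a blocklist would leak it by default.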
5. Missing rate limits
Without rate limits, login, OTP, coupon, search and data export endpoints become easier to abuse. Rate limiting should be designed around business risk, not only server load.
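An added example, not part of the article, of limits chosen per endpoint by business risk: the OTP check is keyed on the account (so rotating source addresses does not reset it), the login endpoint on the source IP, and exports on the account. The policy numbers are assumptions; the limiter itself is a plain sliding window with the clock injected so it can be tested offline.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

# Assumed policies: endpoint -> (max requests, window seconds, what to key on).
# The numbers follow the business risk of the endpoint, not server capacity.
POLICIES: Dict[str, Tuple[int, int, str]] = {
    "login": (10, 600, "ip"),           # per source address
    "otp_verify": (5, 900, "account"),  # a 6-digit OTP must not survive guessing
    "coupon_apply": (20, 3600, "account"),
    "export": (3, 3600, "account"),     # bulk data leaves the system here
}


class RateLimiter:
    def __init__(self, policies: Dict[str, Tuple[int, int, str]] = POLICIES):
        self.policies = policies
        # (endpoint, key) -> timestamps of recent hits inside the window
        self.hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def allow(self, endpoint: str, ip: str, account: str, now: float) -> bool:
        """Sliding-window check; returns False when the call should be rejected."""
        limit, window, key_on = self.policies[endpoint]
        key = (endpoint, ip if key_on == "ip" else account)
        q = self.hits[key]
        while q and q[0] <= now - window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True
```

When the limit trips, the rejection itself is a signal worth logging (see item 9): five OTP failures in a row on one account is an event, not just a throttled request.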
6. Poor input validation
APIs should validate type, length, format, ranges and allowed values. Validation must happen server-side even when the frontend already validates input.
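Added here as an illustration (it is not the article's code): a small server-side validator that checks exactly the properties listed, type, length, format, range and allowed values, and also rejects fields the schema does not know. The "create ticket" schema and its field names are constructed.

```python
import re
from typing import Any, Dict, List

# Assumed schema for a "create support ticket" request body.
TICKET_SCHEMA: Dict[str, Dict[str, Any]] = {
    "subject": {"type": str, "min_len": 3, "max_len": 120},
    "priority": {"type": str, "allowed": {"low", "normal", "high"}},
    "quantity": {"type": int, "min": 1, "max": 500},
    "contact_email": {"type": str, "max_len": 254, "pattern": r"^[^@\s]+@[^@\s]+\.[^@\s]+$"},
}


def validate(payload: Any, schema: Dict[str, Dict[str, Any]] = TICKET_SCHEMA) -> List[str]:
    """Return a list of problems; an empty list means the payload is acceptable."""
    if not isinstance(payload, dict):
        return ["body: must be a JSON object"]
    errors: List[str] = []
    # Unknown fields are rejected; this also blocks mass assignment of fields such as "role".
    for extra in sorted(set(payload) - set(schema)):
        errors.append(f"{extra}: unexpected field")
    for name, rule in schema.items():
        if name not in payload:
            errors.append(f"{name}: required")
            continue
        value = payload[name]
        # Exact type match: bool is a subclass of int, so True would otherwise pass as 1.
        if type(value) is not rule["type"]:
            errors.append(f"{name}: expected {rule['type'].__name__}")
            continue
        if isinstance(value, str):
            if len(value) < rule.get("min_len", 0):
                errors.append(f"{name}: too short")
            if len(value) > rule.get("max_len", 10**6):
                errors.append(f"{name}: too long")
            if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
                errors.append(f"{name}: bad format")
        else:
            if value < rule.get("min", float("-inf")):
                errors.append(f"{name}: below minimum")
            if value > rule.get("max", float("inf")):
                errors.append(f"{name}: above maximum")
        if "allowed" in rule and value not in rule["allowed"]:
            errors.append(f"{name}: not an allowed value")
    return errors
```

The validator runs on the server regardless of what the mobile or web frontend already checked; the frontend is only one of several clients that can reach the endpoint.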
7. Unsafe file upload flows
Profile images, KYC documents, tickets and import files can become risky if file type, size, storage path and access permissions are not controlled.
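A worked example of the four controls named above (type, size, storage path, access), added for this page and not taken from the article. The allowed types, their magic-number prefixes and the size cap are assumptions; the stored name is random so nothing from the client's filename reaches the filesystem.

```python
import secrets
from typing import List

MAX_BYTES = 2 * 1024 * 1024   # assumed cap for profile images and KYC documents

# Assumed allowlist: extension -> bytes the file content must begin with.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def _extension(filename: str) -> str:
    # Only the final path component and final suffix count; "a.php.png" yields "png",
    # which is why the content check and the fixed stored name below matter too.
    leaf = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""


def check_upload(filename: str, data: bytes) -> List[str]:
    """Return reasons to reject; an empty list means the file may be stored."""
    errors: List[str] = []
    ext = _extension(filename)
    if ext not in SIGNATURES:
        errors.append("type not allowed")
    elif not data.startswith(SIGNATURES[ext]):
        errors.append("content does not match extension")
    if not data:
        errors.append("empty file")
    if len(data) > MAX_BYTES:
        errors.append("too large")
    return errors


def stored_name(filename: str) -> str:
    """Random server-side name with the validated extension; no client-chosen path parts."""
    return f"{secrets.token_hex(16)}.{_extension(filename)}"
```

The stored file should live outside the web root and be served through an endpoint that applies the same object-level check as item 1, so one customer's KYC document is never reachable by guessing another's URL.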
8. Verbose errors
Stack traces, SQL errors, framework messages and cloud metadata help attackers understand internals. Production APIs should return controlled errors and log detail privately.
9. Weak audit trails
If important actions are not logged, incidents become hard to investigate. Login attempts, admin changes, exports, role changes and failed authorization should be traceable.
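An added example covering items 8 and 9 together (this is illustration, not the article's code): a handler wrapper that logs the full stack trace privately under a reference id and returns only that id to the client, plus a structured audit record for both the success and the denial of an admin action. The in-memory audit list, the simulated database failure and the change_role handler are constructed for the demo.

```python
import logging
import time
import traceback
import uuid
from typing import Any, Callable, Dict, List, Tuple

internal_log = logging.getLogger("api.internal")   # private sink: stack traces go here only
AUDIT: List[Dict[str, Any]] = []                   # constructed in-memory audit trail

Response = Tuple[int, Dict[str, Any]]
Handler = Callable[[Dict[str, Any]], Response]


def audit(event: str, request: Dict[str, Any], **fields: Any) -> Dict[str, Any]:
    """Append a structured record of a security-relevant action (who, where, what)."""
    entry = {"ts": time.time(), "event": event, "actor": request.get("user"),
             "ip": request.get("ip"), "path": request.get("path"), **fields}
    AUDIT.append(entry)
    return entry


def handle(request: Dict[str, Any], handler: Handler) -> Response:
    """Run a handler; internals never reach the client, only a reference id does."""
    try:
        return handler(request)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        # Full detail is logged privately, keyed by ref so support can find it later.
        internal_log.error("ref=%s path=%s user=%s\n%s", ref,
                           request.get("path"), request.get("user"), traceback.format_exc())
        audit("server_error", request, ref=ref)
        return 500, {"error": "internal error", "ref": ref}


def change_role(request: Dict[str, Any]) -> Response:
    """Constructed admin action: both the denial and the change leave an audit record."""
    body = request["body"]
    if request.get("role") != "admin":
        audit("authz_denied", request, action="change_role", target=body.get("user_id"))
        return 403, {"error": "forbidden"}
    audit("role_changed", request, target=body["user_id"], new_role=body["new_role"])
    return 200, {"ok": True}


def failing_handler(request: Dict[str, Any]) -> Response:
    """Constructed handler that simulates a raw database error bubbling up."""
    raise RuntimeError('ProgrammingError: relation "users" does not exist')
```

The audit entries are what an investigator actually needs: a run of authz_denied events from one actor against many targets is visible here even though every one of those requests was correctly refused.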
10. No abuse-case testing
Automated scanners rarely understand business logic. API testing should include manual checks for privilege abuse, workflow bypass, ID tampering, replay and data leakage.
What SMEs should do first
Map every API endpoint, identify sensitive data flows, enforce object-level authorization, reduce response fields, rotate and expire tokens properly, add rate limits, and perform manual API security testing before major releases.