Severity: medium | CWE-272 | OWASP A01:2021

API Key with Excessive Scope

Using an admin or full-access API key for an operation that only needs read access, so that a compromised key gives an attacker far more access than the intended operation ever required.

How It Works

If your newsletter service only needs to send emails, it shouldn't have an API key with delete-all-contacts permissions. Principle of least privilege: each key should have only the permissions required for its specific task. A leaked over-scoped key causes maximum damage; a properly scoped key limits the blast radius.

Vulnerable Code

import Stripe from 'stripe';

// BAD: using the account-wide secret key for a read-only operation
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!); // full admin access
const prices = await stripe.prices.list(); // only needs read access
// If this key leaks, an attacker can delete customers, issue refunds, etc.

Secure Code

import Stripe from 'stripe';

// GOOD: use a restricted key per service
// In the Stripe Dashboard: create a restricted key with only 'prices:read'
const stripe = new Stripe(process.env.STRIPE_PRICES_READ_KEY!);
const prices = await stripe.prices.list();
// This key can only list prices, nothing else

Real-World Example

When Codecov's bash uploader was compromised in 2021, attackers stole CI/CD environment variables, including cloud and service API keys. Companies that had used admin keys for CI tasks that only needed read access suffered full infrastructure compromise; companies using scoped keys had a limited blast radius.

How to Prevent It

  • Create separate API keys for each service/use case with minimum required permissions
  • Audit all your API keys quarterly — revoke any that are broader than needed
  • For Stripe, GitHub, AWS: use restricted/scoped keys, not your root/admin credentials
  • Store each key in its own environment variable with a descriptive name indicating its scope
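The guard and the audit from the list above, as an added TypeScript example (not the page's or Stripe's own code): a startup check that refuses to run a read-only service with a full-access Stripe secret key, based on Stripe's documented key prefixes (sk_, rk_, pk_), and a scope-audit helper that reports every key granted more than its service uses. The function names, the scope strings and the key inventory are constructed for illustration; pass process.env as `env` in real code.

```typescript
type KeyKind = 'secret' | 'restricted' | 'publishable' | 'unknown';

// Stripe key prefixes: sk_ = full-access secret key, rk_ = restricted key,
// pk_ = publishable key. The prefix alone is enough to catch the mistake in
// the vulnerable snippet before a single request is sent.
function classifyStripeKey(key: string): KeyKind {
  if (/^sk_(live|test)_/.test(key)) return 'secret';
  if (/^rk_(live|test)_/.test(key)) return 'restricted';
  if (/^pk_(live|test)_/.test(key)) return 'publishable';
  return 'unknown';
}

// Startup guard for a read-only service: refuse to run with anything but a
// restricted key. `env` is process.env in real code; injected here for testing.
function requireRestrictedKey(
  envName: string,
  env: Record<string, string | undefined>,
): string {
  const key = env[envName];
  if (!key) throw new Error(`${envName} is not set`);
  const kind = classifyStripeKey(key);
  if (kind !== 'restricted') {
    throw new Error(`${envName} must hold a restricted (rk_) key, found a ${kind} key`);
  }
  return key;
}

// Quarterly audit helper: compare what each key was granted with what the
// consuming service actually calls. A wildcard grant ('*') is always excess
// for a service with a fixed set of operations.
interface KeyRecord { name: string; granted: string[]; used: string[]; }

function findExcessScopes(records: KeyRecord[]): Record<string, string[]> {
  const report: Record<string, string[]> = {};
  for (const r of records) {
    const used = new Set(r.used);
    const excess = r.granted.includes('*')
      ? ['*']
      : r.granted.filter((scope) => !used.has(scope));
    if (excess.length > 0) report[r.name] = excess; // properly scoped keys are omitted
  }
  return report;
}

// Constructed inventory (hypothetical env var names and scopes, no real keys).
const sampleInventory: KeyRecord[] = [
  { name: 'STRIPE_SECRET_KEY', granted: ['*'], used: ['prices:read'] },
  { name: 'STRIPE_PRICES_READ_KEY', granted: ['prices:read'], used: ['prices:read'] },
  { name: 'NEWSLETTER_KEY', granted: ['contacts:read', 'contacts:delete', 'email:send'], used: ['email:send'] },
];
```

Running findExcessScopes(sampleInventory) flags STRIPE_SECRET_KEY (wildcard) and NEWSLETTER_KEY (two unused contact scopes) and stays silent on the correctly scoped prices key.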

Affected Technologies

Node.js, Next.js, Python, Go

Data Hogo detects this vulnerability automatically.
