medium · CWE-799 · API6:2023

Unrestricted Sensitive Flows

Business-critical flows like registration, password reset, or purchase lack bot protection such as CAPTCHA, rate limiting, or device fingerprinting.

How It Works

Sensitive business flows like account creation, coupon redemption, or checkout can be abused at scale when no anti-automation controls exist. Attackers write scripts to create thousands of fake accounts, brute-force coupon codes, or hoard limited inventory. Without CAPTCHA, rate limiting, or behavioral analysis, the API cannot distinguish legitimate users from automated abuse. This leads to financial loss, platform manipulation, and degraded service for real users.

Vulnerable Code
// No rate limit, CAPTCHA, or other anti-automation check: a script can call
// this endpoint thousands of times and create an account on every request.
app.post('/api/register', async (req, res) => {
  const { email, password } = req.body;
  const user = await db.users.create({ email, password });
  res.json({ success: true, userId: user.id });
});
Secure Code
import rateLimit from 'express-rate-limit';

// Per-IP limit: at most 5 registration attempts per 15 minutes. The middleware
// answers 429 Too Many Requests on its own once the limit is exceeded.
const registerLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 5 });

app.post('/api/register', registerLimiter, async (req, res) => {
  // verifyCaptcha() must validate the token with the CAPTCHA provider server-side.
  // A missing or failed CAPTCHA is a 403, not a 429 (429 belongs to the rate limiter).
  const captchaValid = await verifyCaptcha(req.body.captchaToken);
  if (!captchaValid) return res.status(403).json({ error: 'CAPTCHA failed' });
  const { email, password } = req.body;
  const user = await db.users.create({ email, password }); // hash the password before storing it in production
  res.json({ success: true, userId: user.id });
});

Real-World Example

In 2021, scalper bots exploited retailer APIs that lacked anti-automation controls to buy up entire PS5 and GPU inventories within seconds of release. Retailers including Nike, Walmart, and Best Buy faced heavy customer backlash and were forced to deploy bot detection systems.

How to Prevent It

  • Add CAPTCHA (reCAPTCHA v3 or hCaptcha) to sensitive flows, and verify the token server-side; reCAPTCHA v3 returns a score, so choose a threshold per flow
  • Implement rate limiting per IP and per account (both the caller's account and the target account, such as the e-mail a password reset is requested for)
  • Use device fingerprinting to detect automated clients
  • Monitor for anomalous patterns like rapid sequential requests, and step up to a CAPTCHA challenge before hard-blocking
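As an added example (not code from the original page or from the Data Hogo product), the checks described in "How It Works" and called for in the list above, implemented in plain Node.js without Express so it runs on its own: a sliding-window limiter keyed per source IP and per target account, the same limiter with a short window acting as a burst detector for rapid sequential requests, and a policy that hard-blocks on volume but only steps up to a CAPTCHA challenge on a burst. The thresholds, key names, HTTP status mapping and the request log are assumptions constructed for this example.

```javascript
// Added example (not from the original page): per-IP and per-account sliding-window
// limits plus a burst detector for a sensitive flow such as POST /api/password-reset.
// Thresholds, key prefixes and the request log below are constructed assumptions.

// Sliding-window counter: keeps the timestamps of recent hits for each key.
class SlidingWindowLimiter {
  constructor(max, windowMs) {
    this.max = max;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> ascending hit timestamps (ms) inside the window
  }

  // Record a hit for `key` at time `now` and report whether it is within budget.
  hit(key, now) {
    const recent = (this.hits.get(key) || []).filter((ts) => ts > now - this.windowMs);
    recent.push(now);
    this.hits.set(key, recent);
    const allowed = recent.length <= this.max;
    // When over budget, enough old hits must age out before a retry can succeed;
    // the (n - max)-th oldest hit is the one that has to expire first.
    const retryAfterMs = allowed ? 0 : recent[recent.length - this.max] + this.windowMs - now;
    return { allowed, count: recent.length, retryAfterMs };
  }
}

// Policy for one sensitive flow: hard-block on volume, step up to CAPTCHA on bursts.
class SensitiveFlowGuard {
  constructor() {
    this.perIp = new SlidingWindowLimiter(6, 15 * 60 * 1000);      // 6 attempts / 15 min per source IP
    this.perAccount = new SlidingWindowLimiter(3, 60 * 60 * 1000); // 3 resets / hour per target account
    this.burst = new SlidingWindowLimiter(3, 2000);                // >3 hits in 2 s from one IP looks scripted
  }

  // Returns { decision: 'allow' | 'challenge' | 'block', reason, retryAfterMs }.
  evaluate({ ip, account, captchaValid = false, at }) {
    const ipRes = this.perIp.hit(`ip:${ip}`, at);
    if (!ipRes.allowed) {
      return { decision: 'block', reason: 'ip_rate_limit', retryAfterMs: ipRes.retryAfterMs };
    }
    // Normalise the account key so "Victim@Example.com" cannot dodge the per-account limit.
    const acctRes = this.perAccount.hit(`acct:${account.trim().toLowerCase()}`, at);
    if (!acctRes.allowed) {
      return { decision: 'block', reason: 'account_rate_limit', retryAfterMs: acctRes.retryAfterMs };
    }
    const burstRes = this.burst.hit(`burst:${ip}`, at);
    if (!burstRes.allowed) {
      // Rapid sequential requests: demand a CAPTCHA instead of locking out a possibly real user.
      return captchaValid
        ? { decision: 'allow', reason: 'captcha_passed', retryAfterMs: 0 }
        : { decision: 'challenge', reason: 'burst_detected', retryAfterMs: 0 };
    }
    return { decision: 'allow', reason: 'ok', retryAfterMs: 0 };
  }
}

// Map a decision onto the HTTP response the handler would send.
function toHttpResponse({ decision, reason, retryAfterMs }) {
  if (decision === 'block') {
    return { status: 429, headers: { 'Retry-After': String(Math.ceil(retryAfterMs / 1000)) }, body: { error: reason } };
  }
  if (decision === 'challenge') {
    return { status: 403, headers: {}, body: { error: 'captcha_required' } };
  }
  return { status: 200, headers: {}, body: { success: true } };
}

// Constructed request log (not real traffic): a script on 203.0.113.7 hammers the
// reset endpoint, then a legitimate user on 198.51.100.9 makes one request.
const SAMPLE_REQUESTS = [
  { ip: '203.0.113.7', account: 'victim@example.com', at: 0 },
  { ip: '203.0.113.7', account: 'victim@example.com', at: 300 },
  { ip: '203.0.113.7', account: 'victim@example.com', at: 600 },
  { ip: '203.0.113.7', account: 'Victim@Example.com', at: 900 }, // case variant, same account
  { ip: '203.0.113.7', account: 'other@example.com', at: 1200 },
  { ip: '203.0.113.7', account: 'other@example.com', at: 1300, captchaValid: true },
  { ip: '203.0.113.7', account: 'third@example.com', at: 1500 },
  { ip: '198.51.100.9', account: 'alice@example.com', at: 2000 },
];

// Run the sample through a fresh guard and return one decision per request.
function runSample(requests = SAMPLE_REQUESTS) {
  const guard = new SensitiveFlowGuard();
  return requests.map((req) => guard.evaluate(req));
}

for (const [i, res] of runSample().entries()) {
  console.log(`request ${i + 1}: ${res.decision} (${res.reason}) -> HTTP ${toHttpResponse(res).status}`);
}
```

Keying on the target account matters because a per-IP limit alone is defeated by rotating through proxies, and normalising the address stops trivial case or whitespace variants from earning a fresh budget. The burst detector answers with a challenge rather than a block so that real users in a flash sale are slowed, not locked out. In production the counters would live in a shared store such as Redis rather than a process-local Map; otherwise every instance behind a load balancer enforces its own copy of the limit.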

Affected Technologies

Node.js, Python, Go, Java, PHP, C#

Data Hogo detects this vulnerability automatically.
