CWE-400, also referred to as resource exhaustion, occurs when a system fails to properly manage or limit the use of resources such as CPU, memory, disk space, or network bandwidth. Attackers exploit this weakness to degrade system performance or cause a complete denial of service (DoS).
Authentication is the process of verifying a user’s identity before granting access to resources. In APIs, authentication mechanisms ensure that only authorised clients or users can interact with the system. Broken authentication compromises this trust, potentially leading to data breaches, identity theft, or unauthorised access to sensitive information. As APIs often handle vast amounts of personal and corporate data, even minor authentication flaws can have catastrophic consequences for businesses.
Broken authentication manifests in various forms, each posing unique challenges to developers and penetration testers.
Broken Object Level Authorisation (BOLA) arises when APIs expose endpoints handling object identifiers without adequate access control measures. This vulnerability allows attackers to manipulate object IDs to gain unauthorised access to data.