OWASP Top 10 API Security Risks – 2023: API6:2023 – Unrestricted Access to Sensitive Business Flows
APIs enable various business flows, such as purchasing tickets, booking reservations, or posting comments. However, these flows become liabilities when they are exposed without sufficient protections. *Unrestricted Access to Sensitive Business Flows* describes APIs that fail to:
1. Limit access to sensitive operations.
2. Implement controls to prevent abuse, particularly by automated systems (e.g., bots).
3. Consider the broader business implications of such unrestricted access.
For instance, a ticket-purchasing API that places no limit on how many tickets the same user or bot can buy enables scalping and causes significant financial losses for legitimate customers.
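The ticket example above maps directly onto the first two failures in the list: no cap on how much one identity can buy through the flow, and no check for automated use of it. The following is an added example, not OWASP text or a reference implementation; the per-user cap, the attempt window, the in-memory store and the user names are assumptions chosen for illustration. It places the unrestricted flow beside a guarded version so the difference in outcome is visible.

```python
"""Per-identity purchase caps and velocity checks for a ticket-purchase flow.

Added example (not OWASP's code). The limits, identifiers and the in-memory
store are assumptions for illustration; a real service would keep this state
in a database or cache shared by all API instances.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Tuple

MAX_TICKETS_PER_USER = 4      # assumed business rule for one event
MAX_ATTEMPTS_PER_WINDOW = 5   # assumed: more checkout calls than this per minute is automation
WINDOW_SECONDS = 60.0


@dataclass
class PurchaseService:
    """State for a single event's checkout flow."""
    now: float = 0.0  # injected clock in seconds, so the flow is testable offline
    tickets_sold: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    attempts: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    def unrestricted_purchase(self, user: str, quantity: int) -> Tuple[bool, str]:
        """The API6-shaped flaw: the caller is authenticated, but nothing bounds the flow."""
        self.tickets_sold[user] += quantity
        return True, f"sold {quantity} to {user}"

    def _record_attempt(self, user: str) -> int:
        """Sliding-window count of checkout calls by this user, including the current one."""
        window = self.attempts[user]
        window.append(self.now)
        while window and self.now - window[0] > WINDOW_SECONDS:
            window.popleft()
        return len(window)

    def restricted_purchase(self, user: str, quantity: int) -> Tuple[bool, str]:
        """Guarded flow: throttle velocity first, then enforce the per-user cap."""
        if quantity < 1:
            return False, "quantity must be positive"
        if self._record_attempt(user) > MAX_ATTEMPTS_PER_WINDOW:
            # Automation control: a human does not complete checkout this often.
            return False, "too many checkout attempts; slow down"
        if self.tickets_sold[user] + quantity > MAX_TICKETS_PER_USER:
            # Business-flow control: bound what one identity can take out of the inventory.
            return False, f"limit is {MAX_TICKETS_PER_USER} tickets per user for this event"
        self.tickets_sold[user] += quantity
        return True, f"sold {quantity} to {user}"


def scalper_scenario(attempts: int = 20, per_request: int = 4) -> Dict[str, int]:
    """Constructed scenario: one account fires a burst of checkout calls at both flows."""
    open_flow, guarded_flow = PurchaseService(), PurchaseService()
    for _ in range(attempts):
        open_flow.unrestricted_purchase("scalper", per_request)
        guarded_flow.restricted_purchase("scalper", per_request)
    return {
        "unrestricted_tickets": open_flow.tickets_sold["scalper"],
        "restricted_tickets": guarded_flow.tickets_sold["scalper"],
    }


if __name__ == "__main__":
    print(scalper_scenario())  # {'unrestricted_tickets': 80, 'restricted_tickets': 4}
```

Both checks key on the authenticated user, which is deliberately the weakest possible identity: an attacker with many accounts defeats a per-user cap, so production systems also apply these limits per payment instrument, device or address. The point the example makes is that authentication alone never bounds a business flow; the bound has to be written into the flow itself.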