OWASP API6:2023 Unrestricted Access to Sensitive Business Flows


Introduction to API06:2023 Unrestricted Access To Sensitive Business Flows

Unrestricted Access to Sensitive Business Flows occurs when an API exposes critical operations, such as checkout, account registration, or financial transactions, without protections against abuse. Attackers can automate these flows to commit fraud, send spam, or exhaust resources. Unlike typical vulnerabilities, this issue targets business logic, not just security flaws. APIs that lack safeguards such as rate limiting, behavioral analysis, or step-by-step validation are especially vulnerable.
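The sketch below is an added illustration, not code from OWASP or F5. It applies two of the safeguards named above to a checkout flow on the server side: step-by-step validation and a per-client sliding-window rate limit on the sensitive step. The step names, the limits, and the `FlowGuard` class are assumptions made for the example.

```python
import time
from collections import defaultdict, deque

# Assumed flow for illustration: each step must follow the previous one.
FLOW = ["cart", "shipping", "payment", "checkout"]
SENSITIVE_STEP = "checkout"
MAX_SENSITIVE = 3        # assumed limit: completed checkouts per window
WINDOW_SECONDS = 60.0    # assumed window length


class FlowGuard:
    """Server-side guard: enforces step order and limits sensitive-step rate."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.progress = {}                 # session_id -> index of last completed step
        self.history = defaultdict(deque)  # client_id -> timestamps of allowed checkouts

    def allow(self, client_id, session_id, step):
        if step not in FLOW:
            return False, "unknown step"
        idx = FLOW.index(step)
        done = self.progress.get(session_id, -1)
        # Step-by-step validation: reject calls that skip ahead in the flow.
        if idx > done + 1:
            return False, "step out of order"
        if step == SENSITIVE_STEP:
            now = self.clock()
            calls = self.history[client_id]
            # Sliding window: drop timestamps older than the window.
            while calls and now - calls[0] >= WINDOW_SECONDS:
                calls.popleft()
            if len(calls) >= MAX_SENSITIVE:
                return False, "rate limit exceeded"
            calls.append(now)
            # Flow finished: the same session cannot replay the final call.
            self.progress.pop(session_id, None)
            return True, "ok"
        self.progress[session_id] = max(done, idx)
        return True, "ok"
```

A scripted client that calls the final endpoint directly is rejected by the ordering check, and one that walks the full flow repeatedly is stopped by the per-client window.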
