What is API10 Unsafe Consumption of APIs?
The flaw is over-trusting APIs you call. Developers validate data from end users but treat a third-party API's responses as automatically safe — so if that API is compromised or malicious, its data flows straight into your app and injects, redirects, or floods you.
The mental shift: a response from a partner API is still untrusted input and deserves the same scrutiny as a user form. Scenario: you display product data from a supplier's API without escaping it; the supplier is breached, their API now returns <script> payloads, and you've got stored XSS you never wrote. Same logic applies to blindly following redirects the third party returns (open redirect) or letting a slow third party hang all your threads (DoS). Defenses: validate and encode third-party data, enforce TLS, allowlist redirect targets, and time-out/limit calls.
Vulnerabilities when your application consumes third-party APIs.
Issues:
- Sensitive data exposure - trusting 3rd party too much
- Injection - if 3rd party data is used unsafely
- Open redirect - following untrusted redirects
- DoS - 3rd party can overwhelm your system
Countermeasures:
- Security assessment of third-party APIs
- Ensure encryption (TLS) for all communications
- Perform input validation on data from 3rd parties
- Whitelist redirects - don't follow blindly