LOGBOOK

HELP

Quiz Entry - updated: 2026.06.20

What is API10 Unsafe Consumption of APIs?

The flaw is over-trusting APIs you call. Developers validate data from end users but treat a third-party API's responses as automatically safe — so if that API is compromised or malicious, its data flows straight into your app and injects, redirects, or floods you.

The mental shift: a response from a partner API is still untrusted input and deserves the same scrutiny as a user form. Scenario: you display product data from a supplier's API without escaping it; the supplier is breached, their API now returns <script> payloads, and you've got stored XSS you never wrote. Same logic applies to blindly following redirects the third party returns (open redirect) or letting a slow third party hang all your threads (DoS). Defenses: validate and encode third-party data, enforce TLS, allowlist redirect targets, and time-out/limit calls.

Vulnerabilities when your application consumes third-party APIs.

Issues:

  • Sensitive data exposure - trusting 3rd party too much
  • Injection - if 3rd party data is used unsafely
  • Open redirect - following untrusted redirects
  • DoS - 3rd party can overwhelm your system

Countermeasures:

  • Security assessment of third-party APIs
  • Ensure encryption (TLS) for all communications
  • Perform input validation on data from 3rd parties
  • Whitelist redirects - don't follow blindly

From Quiz: SPRG / OWASP Top 10 | Updated: Jun 20, 2026