LOGBOOK

HELP

Quiz Entry - updated: 2026.06.20

What is API6 Unrestricted Access to Sensitive Business Flows?

A business workflow works exactly as designed, but lets a bot abuse it at scale — e.g. scripting the "buy ticket" flow to scalp every concert seat in seconds. There's no broken auth or injection; the harm is automation of a legitimate flow.

This risk is unusual because nothing is technically "broken" — the attacker uses the API as intended, just faster and at volume than a human ever could. Classic examples: scalper bots buying out limited-edition sneakers or event tickets to resell, or credential-stuffing the login flow. Because there's no malformed input to filter, defenses target who/what is calling: CAPTCHA and behavioral analysis to detect humans, device fingerprinting, bot signatures, blocking anonymizing proxies, and rate-limiting the business action (not just raw requests).

Issues:

  • Loss of business - bots buying all inventory
  • Business-specific attack scenarios (ticket scalping, credential stuffing)

Countermeasures:

  • Device fingerprinting - deny unexpected devices
  • Human detection - CAPTCHA, behavioral analysis
  • Non-human detection - bot signatures
  • Block known proxies and anonymizers
  • Business logic rate limiting

From Quiz: SPRG / OWASP Top 10 | Updated: Jun 20, 2026