What is API6 Unrestricted Access to Sensitive Business Flows?
A business workflow works exactly as designed, but lets a bot abuse it at scale — e.g. scripting the "buy ticket" flow to scalp every concert seat in seconds. There's no broken auth or injection; the harm is automation of a legitimate flow.
This risk is unusual because nothing is technically "broken" — the attacker uses the API as intended, just faster and at volume than a human ever could. Classic examples: scalper bots buying out limited-edition sneakers or event tickets to resell, or credential-stuffing the login flow. Because there's no malformed input to filter, defenses target who/what is calling: CAPTCHA and behavioral analysis to detect humans, device fingerprinting, bot signatures, blocking anonymizing proxies, and rate-limiting the business action (not just raw requests).
Issues:
- Loss of business - bots buying all inventory
- Business-specific attack scenarios (ticket scalping, credential stuffing)
Countermeasures:
- Device fingerprinting - deny unexpected devices
- Human detection - CAPTCHA, behavioral analysis
- Non-human detection - bot signatures
- Block known proxies and anonymizers
- Business logic rate limiting