Month: May 2022

Spring Excessive Data Exposure: Examples and Prevention

An API is essentially a tool that provides the client with an interface to the software. Some API methods modify application state, some return data to the client, and some do both. Whenever we return data to the client, we need to make sure that we return only what is necessary and do not expose any sensitive information. This post will cover excessive data exposure in APIs, with examples and prevention methods. The examples will be given in the context of the Java Spring framework. REST …

Types of Test Data You Should Use for Your Software Tests

Testing is an integral and vital part of creating software. In fact, test code is as important as your production code. When you create test code, you need to generate test data for your code to work against. This post is about the different types of test data that are used in software testing. I’ll elaborate on each type and explain which test types are used in which scenarios.

Types of Test Data

Valid Data

As the name implies, this is the data that your program expects and should operate on. You …

Spring Broken Object Level Authorization Guide: Examples and Prevention

If a malicious user gains access to functionality that only system administrators should have access to, there can be dire consequences. This post is about a specific type of vulnerability called broken object level authorization, or BOLA. This happens when an attacker gains access to API methods that should be restricted. In addition to talking about what this is, I’ll discuss ways to mitigate this attack in general, and specifically in Java Spring Boot.

Broken Object Level Authorization Defined

Back-end APIs are basically a set of functions that return answers to requests. …