
Fixing OWASP API6:2023 — Unrestricted Access to Sensitive Business Flows in Symfony 7

Keep scalpers and bots away

Tihomir Manushev
20 min read · Apr 8, 2025

Introduction

Your Symfony 7 API is running smoothly, handling requests, and serving data. But have you considered how the logic of your business processes could be abused?

This brings us to API6:2023 — Unrestricted Access to Sensitive Business Flows from the OWASP API Security Top 10.

This vulnerability isn’t typically about bypassing authentication (API2) or accessing unauthorized data (API1, API3, API5). Instead, it’s about exploiting the intended functionality of an API in a way that harms the business or other users, often through automation.

This step-by-step guide will cover:

  • Building a simple Symfony 7 JSON API for claiming discount codes that’s vulnerable to API6 exploitation.
  • Understanding the risks of unrestricted business flows.
  • Implementing a fix using Symfony’s Rate Limiter component.

Let’s prevent automated abuse of our API’s business logic!
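The outline above names the fix: a discount-code claim endpoint throttled with Symfony's Rate Limiter component. As an added illustration (this is not the article's own code), here is a minimal Symfony 7 controller doing that. The route, the limiter name `discount_claim`, and the limit values in the commented YAML are assumptions chosen for the example; the business step of actually recording the claim is left out so the throttling logic stays in focus.

```php
<?php
// Added example, not from the article: a discount-code claim endpoint protected
// with Symfony's Rate Limiter component. The route, the limiter name and the
// limit values are assumptions made for this illustration.
//
// Assumed config/packages/rate_limiter.yaml:
//   framework:
//       rate_limiter:
//           discount_claim:
//               policy: 'sliding_window'
//               limit: 5
//               interval: '15 minutes'

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\RateLimiter\RateLimiterFactory;
use Symfony\Component\Routing\Attribute\Route;

final class DiscountClaimController extends AbstractController
{
    // Symfony autowires the factory for the "discount_claim" limiter
    // through the argument name $discountClaimLimiter.
    #[Route('/api/discounts/claim', name: 'api_discount_claim', methods: ['POST'])]
    public function claim(Request $request, RateLimiterFactory $discountClaimLimiter): JsonResponse
    {
        // Key the limiter on the authenticated user when there is one, and fall
        // back to the client IP for anonymous callers. One actor can then only
        // consume a bounded number of claim attempts per window.
        $key = $this->getUser()?->getUserIdentifier()
            ?? $request->getClientIp()
            ?? 'unknown';

        $limit = $discountClaimLimiter->create($key)->consume(1);

        // Expose the budget on every response so legitimate clients can back off.
        $headers = [
            'X-RateLimit-Limit' => (string) $limit->getLimit(),
            'X-RateLimit-Remaining' => (string) $limit->getRemainingTokens(),
        ];

        if (!$limit->isAccepted()) {
            $headers['Retry-After'] = (string) max(0, $limit->getRetryAfter()->getTimestamp() - time());

            return new JsonResponse(
                ['error' => 'Too many claim attempts. Try again later.'],
                Response::HTTP_TOO_MANY_REQUESTS,
                $headers
            );
        }

        $payload = json_decode($request->getContent(), true);
        $code = is_array($payload) ? trim((string) ($payload['code'] ?? '')) : '';
        if ($code === '') {
            return new JsonResponse(['error' => 'Missing "code".'], Response::HTTP_BAD_REQUEST, $headers);
        }

        // The actual claim (marking the code as used for $key) is the business
        // step the article builds; it is intentionally outside this example.
        return new JsonResponse(['claimed' => $code], Response::HTTP_OK, $headers);
    }
}
```

Two points worth checking when adapting this: the token is consumed before the request body is validated, so malformed requests also count against the caller's budget, which is deliberate for an endpoint that bots will probe; and `getClientIp()` only reflects the real client when `trusted_proxies` is configured for any reverse proxy in front of the application, otherwise every anonymous caller may share the proxy's address and a single key.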

What is API6:2023 — Unrestricted Access to Sensitive Business Flows?

Written by Tihomir Manushev

Senior Backend Developer at Generic Soft
