APIs are increasingly being used by other APIs too.

A public-facing API may call internal APIs to get the data it needs to form a response. User-supplied data may be used in the paths of those internal API requests, and without proper sanitization of that data a path traversal can cause private data to be leaked. For example, a public API may accept a user ID as input, such as '1234', and use it as part of the request to an internal API, e.g. internalapi.example.net/users/1234. An attacker might pass '1234/../2345' as the user ID
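The pattern above, shown defensively as an added example that is not from the original page: a naive internal-URL builder that concatenates the user ID into the path, beside a hardened one that allow-lists the ID and encodes it as a single segment. The hostname internalapi.example.net is the page's own; the base path, the numeric-ID allow-list and the function names are assumptions.

```python
import posixpath
import re
from urllib.parse import quote, urlsplit

# Hostname comes from the page; the base path and the allow-list are assumptions.
INTERNAL_BASE = "https://internalapi.example.net/users/"
USER_ID_RE = re.compile(r"[0-9]{1,12}")  # assumed: user IDs are plain integers


def build_user_url_naive(user_id: str) -> str:
    """Vulnerable pattern: untrusted input is concatenated straight into the path."""
    return INTERNAL_BASE + user_id


def effective_path(url: str) -> str:
    """The path a server or proxy will actually route after resolving dot segments."""
    return posixpath.normpath(urlsplit(url).path)


def is_valid_user_id(user_id: str) -> bool:
    """Allow-list check: anything but digits (slashes, dots, '%', spaces) is rejected,
    which also covers percent-encoded traversal such as '%2F..%2F'."""
    return USER_ID_RE.fullmatch(user_id) is not None


def build_user_url_safe(user_id: str) -> str:
    """Hardened pattern: validate first, then encode the value as one path segment.

    quote(..., safe="") turns '/' into %2F, so even if the allow-list were later
    relaxed to non-numeric IDs the value could never add or remove path segments.
    """
    if not is_valid_user_id(user_id):
        raise ValueError("user_id must be a plain numeric identifier")
    url = INTERNAL_BASE + quote(user_id, safe="")
    # Defence in depth: the resolved path must still live under the users collection.
    if not effective_path(url).startswith("/users/"):
        raise RuntimeError("path escaped the users collection")
    return url


if __name__ == "__main__":
    bad = "1234/../2345"  # the traversal value from the text
    # Resolves to /users/2345: the naive builder fetches another user's record.
    print(effective_path(build_user_url_naive(bad)))
    print(build_user_url_safe("1234"))
    try:
        build_user_url_safe(bad)
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list is the primary control; percent-encoding and the resolved-path check only limit the damage if a future change weakens it, since some servers decode %2F before routing.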
