Blog Home  »  OWASP API Top 10   »   API10:2023 Unsafe Consumption of APIs
Managed WAF

API10:2023 Unsafe Consumption of APIs

Posted DateJune 13, 2025
Author Bio
Posted Time 4   min Read

What is Unsafe Consumption of APIs?

APIs are meant to interact with other APIs. But when your API blindly trusts data or behavior from third-party or upstream APIs, you are exposing it to a wide range of threats. This is known as unsafe consumption, a critical security issue listed in OWASP API Security Top 10 (2023).

Unsafe consumption occurs when:

  • Data from external APIs is not validated or sanitized.
  • APIs follow redirections without checks.
  • Communication happens over insecure channels.
  • APIs fail to enforce timeouts or resource limits on responses from third-party services.

Why is Unsafe Consumption of APIs Dangerous?

Unsafe consumption can result in:

  • Data Breaches: Sensitive information can be exposed through redirections or direct API responses.
  • Injection Attacks: Unvalidated input can trigger SQL, command, or code injection.
  • Denial of Service (DoS): APIs can be overwhelmed by unbounded or malicious responses.
  • Cross-Site Scripting (XSS): Rendered malicious data from third-party APIs can compromise users.

How Hackers Exploit Unsafe Consumption of APIs: A Few Scenarios

1. Malicious Redirection via Compromised Third-Party API

Consider a scenario where a healthcare platform integrates with a third-party API to store sensitive patient records. One day, the third-party service is compromised and begins issuing 308 Permanent Redirect responses pointing to an attacker-controlled domain. If the healthcare platform lacks proper redirect validation and blindly follows the redirection, it ends up transmitting sensitive medical data including genome records and personal health details to the attacker’s server. The breach occurs silently and remains undetected until significant data exposure has already taken place.

2. SQL Injection via Metadata in Git Repository

Imagine a developer-facing platform that allows users to link Git repositories to import metadata. An attacker creates a repository named ‘; drop db;–—a classic SQL injection payload If the platform’s backend API integrates the repository name directly into a database query without sanitization, the malicious input executes within the database context, causing data loss or exfiltration. The root cause? Blindly trusting external data from third-party sources.

Key Vulnerabilities That Signal Unsafe Consumption

Unsafe API consumption often manifests in subtle yet dangerous ways. If your API shows any of the following characteristics, it may be vulnerable to exploitation:

1. Interacts Over Unencrypted Channels

Using HTTP instead of HTTPS to communicate with upstream APIs exposes sensitive data such as tokens, user credentials, and personally identifiable information (PII) to interception through man-in-the-middle (MITM) attacks.

  • Example: An attacker on the same network can capture unencrypted traffic and extract session data.
  • Consequence: Compromised confidentiality, leading to unauthorized access or impersonation.

2. Fails to Validate and Sanitize Third-Party Data

External APIs can return unexpected or malicious data. If your system consumes and processes this data without validation or sanitization, it can open the door to injection attacks, XSS or corrupted application logic.

  • Example: A third-party address enrichment service returns a field with embedded JavaScript, which is then rendered in a web UI.
  • Consequence: Execution of malicious code, database manipulation, or control flow alteration.

3. Follows Redirections Without Validation

Following HTTP redirections from upstream APIs without validating the Location header can redirect sensitive data to malicious endpoints.

  • Example: A compromised API issues a redirect to https://attacker.com, and your system follows it, unknowingly transmitting secure data.
  • Consequence: Data leakage, session hijacking, or phishing attacks.

4. Lacks Security Assessments for Upstream Services

Many organizations integrate with third-party APIs without thoroughly evaluating their security posture, coding standards, or incident history. This blind trust introduces supply chain risks.

  • Example: An upstream API introduces a vulnerability that propagates to your system through a dependency chain.
  • Consequence: Indirect exploitation of your application through a compromised vendor.

How to Prevent Unsafe Consumption of APIs

1. Assess and Validate Third-Party APIs

  • View upstream APIs as integral components of your supply chain.
  • Vet their security posture, authentication, and encryption practices.
  • Use contractual enforcement and runtime schema validation.

2. Always Validate and Sanitize Inputs

  • Sanitize and whitelist all data from “trusted” APIs.
  • Protect against injection attacks using input constraints and encoding.

3. Secure Communication

  • Use TLS (HTTPS) for all external API communications.
  • Validate SSL certificates and avoid insecure redirects.

4. Implement Timeouts and Resource Limits

  • Cap response sizes and processing time for third-party data.
  • Use rate limiting and quotas.

5. Avoid Blind Redirection

  • Don’t automatically follow Location headers from upstream responses.
  • Maintain a whitelist of trusted domains for redirection.

6. Continuous Monitoring & Logging

  • Monitor API traffic for anomalies or malicious data patterns.
  • Log all interactions with third-party APIs for audits.

How AppTrana API Protection Prevents Unsafe Consumption of APIs

AppTrana API Protection defends against unsafe API consumption by validating third-party behavior, enforcing policies, and monitoring real-time traffic. For instance, it blocks unauthorized redirections by using a trusted domain allowlist and inspects redirect patterns to prevent data leaks. It detects and blocks SQL injection attempts by applying contextual input validation and virtual patching.

All third-party API calls are forced over HTTPS with certificate checks to prevent data exposure via insecure channels. AppTrana also inspects API responses for malicious scripts, applying sanitization to stop XSS. It enforces timeouts, response size limits, and rate controls to prevent DoS from unbounded responses. Finally, it continuously profiles upstream APIs for anomalies and applies access controls based on trust level, helping mitigate supply chain risks from compromised integrations.

Stay tuned for more relevant and interesting security articles. Follow Indusface on FacebookTwitter, and LinkedIn.

AppTrana WAAP

Vinugayathri - Senior Content Writer
Vinugayathri Chinnasamy

Vinugayathri is a dynamic marketing professional specializing in tech content creation and strategy. Her expertise spans cybersecurity, IoT, and AI, where she simplifies complex technical concepts for diverse audiences. At Indusface, she collaborates with cross-functional teams to produce high-quality marketing materials, ensuring clarity and consistency in every piece.

Share Article:

Tags:

Join 51000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.