Mitigating OWASP API Security Risk: Unrestricted Access to Sensitive Business Flows using F5 BIG-IP
Introduction
In today’s digital economy, APIs are no longer just tools that are used for background work. They now drive real-time transactions, automate processes, and power the core business logic behind apps and services. Whether it’s booking a hotel room, purchasing event tickets, or applying a promotional offer, APIs handle critical operations that directly impact users and revenue. But with this convenience comes risk, especially when APIs expose important business operations without proper control.
One such risk is unrestricted access to sensitive business flows, a key concern listed in the OWASP API Security Top 10. This issue doesn’t involve hacking passwords or leaking data. Instead, it targets the way services behave, letting attackers or automated bots misuse key functions like bookings, purchases, or promotions.
What Is Unrestricted Access To Sensitive Business Flows?
This risk occurs when key business actions are made available via APIs without proper restrictions or validation. These actions may include:
- Booking appointments or reservations
- Placing or confirming orders
- Applying discounts or promotional codes
- Starting financial transactions
If these flows lack safeguards like rate-limiting, access controls, or behavioral validation, they can be exploited at scale.
Unlike traditional attacks that try to steal data, this type of abuse targets functionality. It means using the way a system works to get an unfair advantage or disrupt services.
Example Scenario:
Consider an event management platform that allows users to book tickets through an application. The backend API for booking tickets is designed for efficiency, but lacks protections like rate-limiting, bot detection, or purchase limits.
An attacker analyses the application, discovers the API endpoints used for booking, and writes a script that sends hundreds of requests per second. Within moments they reserve all available tickets using fake accounts, leaving legitimate customers frustrated and locked out. See the news reports linked in the Additional Resources section for a real-world example of this scenario.
The company suffers not only in revenue loss due to unsold tickets on secondary markets but also in brand reputation as users complain about unfair access. This is a classic case of unrestricted access to a sensitive business
Attack Demonstration:
For this attack demonstration we use the DVAPI demo application. The application is added as a pool member on BIG-IP and is accessed through a virtual server. For more information on configuring a pool, refer to how to add pool member.
The screenshot below shows that the /api/addTicket endpoint of the DVAPI application has no rate limiting enabled, so an attacker can book multiple tickets with an automation script.
Let's intercept this request with Burp Suite and replay it against the endpoint using Burp Suite Intruder.
We received a successful response for all 150 requests that were sent. This is a serious concern: a single client can book many tickets, creating scarcity for everyone else.
Mitigation using BIG-IP Advanced WAF:
Navigate to Security > Bot Defense > Bot Defense Profile, create a Bot Defense profile with the configuration shown in the screenshot below, and attach it to the virtual server through which the application is accessible.
Now repeat the attack. As the screenshot below shows, the bot defense mechanism in Advanced WAF detects the bot traffic and blocks it.
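To make the safeguards the article lists concrete, here is an added Python sketch (not code from the article, DVAPI, or BIG-IP) that enforces a per-source-IP sliding-window rate limit and a per-account ticket cap on a booking endpoint, then runs it over constructed traffic: two legitimate bookings, a 150-request burst like the Intruder run, and a slow single-account scraper that stays under the rate limit. The policy thresholds, IP addresses and account names are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed policy for /api/addTicket (assumption, not a DVAPI or BIG-IP setting):
# at most 5 booking requests per source IP in any 10-second window,
# and at most 4 tickets per account in total.
WINDOW_SECONDS = 10
MAX_REQUESTS_PER_WINDOW = 5
MAX_TICKETS_PER_ACCOUNT = 4


class BookingGuard:
    """Sliding-window rate limit per source IP plus a per-account purchase cap."""

    def __init__(self):
        self.hits = defaultdict(deque)   # ip -> timestamps of recent requests
        self.tickets = defaultdict(int)  # account -> tickets already booked

    def check(self, ip, account, ts):
        window = self.hits[ip]
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()             # drop requests that aged out of the window
        window.append(ts)
        if len(window) > MAX_REQUESTS_PER_WINDOW:
            return "blocked: rate limit"
        if self.tickets[account] >= MAX_TICKETS_PER_ACCOUNT:
            return "blocked: purchase limit"
        self.tickets[account] += 1
        return "allowed"


def simulate(requests):
    """requests: iterable of (ip, account, timestamp). Returns a count per decision."""
    guard = BookingGuard()
    summary = defaultdict(int)
    for ip, account, ts in requests:
        summary[guard.check(ip, account, ts)] += 1
    return dict(summary)


# Constructed traffic: one legitimate user books two tickets; an automated burst
# of 150 requests from one IP rotates fake accounts within about 3 seconds; a slow
# scraper on a single account spaces requests 3 s apart to stay under the rate limit.
LEGIT = [("203.0.113.10", "alice", 0.0), ("203.0.113.10", "alice", 1.5)]
BURST = [("198.51.100.7", f"fake{i % 30}", 5.0 + i * 0.02) for i in range(150)]
SLOW = [("198.51.100.8", "mallory", 100.0 + i * 3.0) for i in range(8)]

if __name__ == "__main__":
    print(simulate(LEGIT + BURST + SLOW))
```

The burst is stopped by the rate limit after its first five requests, while the slow scraper is only caught by the per-account cap, which is why both controls are needed.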
Conclusion
Unrestricted access to sensitive business flows is a quiet but powerful threat. It’s not about data theft; it’s about attackers taking advantage of how a system is meant to work. It can lead to bots grabbing tickets, people using promo codes unfairly, or systems being overloaded without breaking any security walls. This article covers how we can mitigate such attacks using BIG-IP Advanced WAF.
Additional Resources:
- Mitigating OWASP API Security Risk: Unrestricted Access To Sensitive Business Flows Using F5 Distributed Cloud
- Unrestricted Access To Sensitive Business Flows - OWASP
- https://www.hindustantimes.com/trending/techies-claim-they-used-inspect-element-trick-to-buy-coldplay-tickets-before-general-public-101727069904413.html
- https://www.radware.com/blog/application-protection/coldplay-concert-ticket-scalping/