Unauthenticated route use expensive APIs

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Description

An exposed API allows unauthenticated users to make use of paid third-party services, which may not be intended.

A malicious user could abuse this endpoint to incur significant costs, exceed your quota, and potentially disrupt your application.

Rationale

This finding works by:

  • Identifying an API that lacks an authentication mechanism
  • Is processing traffic from the internet.
  • It was detected using a third-party paid service as a part of its operations. See the list of services that fall in this category.

Remediation

  • Implement authentication to prevent non-intended users’ interaction with the API