Your APIs are your product's attack surface. This guide covers the top vulnerabilities, real-world breaches, and the hardening playbook every NZ SaaS company needs — before attackers find what your scanners missed.
APIs are no longer behind the scenes — they are the product. Every endpoint you expose is a door. In 2025, APIs accounted for 17% of all published vulnerabilities. Attackers aren't scanning ports anymore — they're reading your API docs.
Wallarm's 2026 analysis of 60 API breaches found Software (15%), AI platforms (15%), cybersecurity vendors (13%), and SaaS (8%) are the most-targeted sectors. The pattern is clear: if your product has APIs, you're in the crosshairs. Real-world examples include Postman workspaces leaking 30,000 production secrets, and Spoutible's API exposing bcrypt password hashes via simple ID enumeration.
Sources: Wallarm 2026, APISecurity.io, Equixly 2025
Based on OWASP's 2023 API Security Top 10 and mapped to real-world incidents from 2024–2026. These five alone account for the vast majority of API-related data breaches.
The attacker changes an object ID in the request (user_id, order_id, file_id) and gets another user's data. This is the #1 API vulnerability because most frameworks don't enforce object-level permissions by default — developers have to implement it manually on every single endpoint.
Weak JWTs, missing token expiry, predictable API keys, or authentication that's only enforced on some endpoints. In 2025, "Missing Authentication" was the single most frequent API vulnerability at 17% of all incidents. Many SaaS apps protect the frontend but leave internal/admin APIs wide open.
Your API returns more data than the frontend needs (exposing internal fields, tokens, PII), or accepts fields it shouldn't (letting users set their own role or permissions). This merged two former OWASP entries because the root cause is the same: the API trusts whatever comes in and sends everything back out.
Without rate limiting, attackers can brute-force credentials, enumerate users, scrape your entire database, or run up your cloud bill. This replaced "Lack of Resources and Rate Limiting" in the 2023 update because the impact goes beyond availability — it enables data theft at scale.
/api/users/{id} for IDs 1 through 10,000,000. Without rate limits, they dump your entire user table in hours. Your cloud bill spikes. Your users get breached.
A regular user can access admin endpoints by guessing or discovering them. Often the frontend hides admin buttons — but the API endpoints still exist and respond to any authenticated user. This is especially dangerous in SaaS with tiered pricing: free users accessing premium API features, or users escalating to admin.
DELETE /api/admin/users/123 works for any authenticated user because authorisation only exists in the UI, not the API.
Three risks were added: Unrestricted Access to Sensitive Business Flows (API6 — automated abuse of legitimate functions like ticket scalping or credential stuffing), Server-Side Request Forgery (API7 — SSRF via API parameters), and Unsafe Consumption of APIs (API10 — trusting data from third-party APIs without validation). The last one is critical for SaaS: if your app integrates with Stripe, Twilio, or any external API, you need to validate their responses too.
APIs aren't your only surface. Your web frontend, authentication flows, client-side code, and deployment infrastructure are all targets. Here's what attackers look for in SaaS applications.
Cross-site issues became the #1 API weakness by attack volume in 2025. In SaaS, XSS is especially dangerous because your app handles multi-tenant data. A stored XSS in a shared workspace feature (comments, file names, custom fields) can steal session tokens from every user who views that content — across different tenant accounts.
OAuth misconfiguration, weak session management, and insecure password reset flows. Common SaaS patterns: open redirect after login (used for phishing), JWT with "none" algorithm accepted, refresh tokens that never expire, password reset tokens sent in URL query strings. If you offer SSO, your SAML/OIDC implementation is an attack surface.
The #1 SaaS-specific risk. If your multi-tenancy relies on application-level filtering (WHERE tenant_id = X) rather than infrastructure isolation, a single bug can expose every customer's data. This includes: shared database queries missing tenant filters, cached responses served to wrong tenants, file storage paths without tenant scoping, and background jobs processing cross-tenant data.
If your SaaS lets users provide URLs (webhooks, import from URL, profile picture from URL), attackers can make your server request internal resources — cloud metadata endpoints, internal services, admin panels. In AWS, http://169.254.169.254 returns instance credentials. SSRF is now in the OWASP API Top 10 because API-driven architectures expose more URL-accepting endpoints.
Supply-chain breaches accounted for 20% of all incidents in 2025. Your SaaS depends on hundreds of npm/pip packages, third-party APIs, and cloud services. Each one is a potential entry point. The Postman workspace breach exposed 30,000 production secrets because developers saved API keys in public workspaces without realising they were accessible.
Prioritised by impact. Controls 1–4 address the vulnerabilities behind the majority of SaaS breaches. Based on OWASP guidelines, real-world incident data, and what we find during penetration tests.
Don't rely on framework-level auth alone. Every API endpoint that accesses a resource must verify that the authenticated user owns or has permission to access that specific object. Centralise this in middleware or a policy engine — don't trust individual developers to add checks on every route. This single control prevents BOLA, the #1 API vulnerability.
Pattern: middleware.authorize(req.user, resource.owner_id)
Short-lived access tokens (15 min), secure refresh token rotation, proper audience and issuer validation, and never use "none" algorithm. Store tokens in httpOnly secure cookies, not localStorage. Implement token revocation for logout and password changes. 52% of API breaches involve broken authentication — this is where most SaaS products fail.
Tools: Auth0, Clerk, Supabase Auth, or custom with jose/jsonwebtoken
Apply rate limits at multiple layers: per-user, per-IP, per-endpoint, and globally. Authentication endpoints need aggressive limits (5 attempts/min). Public APIs need quota enforcement. Without rate limiting, BOLA becomes mass data exfiltration, brute-force becomes trivial, and your cloud bill becomes a weapon (denial-of-wallet).
Tools: express-rate-limit, Kong, AWS WAF, Cloudflare Rate Limiting
Never rely solely on application-level WHERE clauses for multi-tenancy. Use Row-Level Security (RLS) in PostgreSQL, separate schemas per tenant, or dedicated databases for high-value customers. Every database query, cache key, file path, and background job must be tenant-scoped. Test this: can Tenant A's admin ever see Tenant B's data?
Pattern: PostgreSQL RLS + tenant_id enforced at connection level
Use schema validation (Zod, Joi, Pydantic) on every API input. Reject unexpected fields. Encode all output to prevent XSS. Parameterise all database queries — no string concatenation. Validate file uploads by content, not just extension. With cross-site issues now the #1 API attack by volume, input/output hygiene is non-negotiable.
Pattern: Zod schema per endpoint + DOMPurify for user-generated HTML
Only return the fields the client needs. Never expose internal IDs, server paths, stack traces, or metadata. Use separate response DTOs — don't serialise your database models directly. The Intel breach happened because APIs returned full JSON objects with fields the frontend never used, including plaintext credentials for other services.
Pattern: ResponseDTO layer between database models and API responses
Don't expose Swagger UI, OpenAPI specs, or GraphQL introspection in production. If you must have public API docs, ensure they don't reveal internal endpoints, admin routes, or deprecated endpoints that still work. Attackers use your API docs as a roadmap — every endpoint documented is an endpoint tested.
Check: /swagger, /api-docs, /graphql (with introspection query)
Log who (user_id, tenant_id, IP), what (endpoint, method, params), when (timestamp), and outcome (status, error). Structured logging (JSON) with correlation IDs. Store logs for at least 180 days. Without logs, you can't investigate breaches, prove NZ Privacy Act compliance, or support cyber insurance claims.
Tools: Datadog, Sentry, AWS CloudWatch, ELK Stack
Alert on unusual patterns: sudden spikes in requests, sequential ID enumeration, requests from unexpected geolocations, or a user accessing far more resources than normal. Most SaaS breaches involve automated scraping that's trivially detectable — if you're watching. The average breach takes 277 days to detect without monitoring.
Tools: AWS GuardDuty, Cloudflare Bot Management, custom alerts
Run Dependabot/Snyk on every PR. Never hardcode API keys, database credentials, or secrets in code. Use a secrets manager (AWS Secrets Manager, Vault, Doppler). Rotate keys regularly. Scan git history for accidentally committed secrets — the Postman breach exposed 30,000 production secrets sitting in public workspaces.
Tools: GitHub Advanced Security, Snyk, TruffleHog, GitLeaks
Print this page and work through each item. If you can't tick more than half, your SaaS product needs a professional security assessment before an attacker finds what you've missed.
10–12 ticks: Solid foundation — regular pen testing will catch the edge cases.
6–9 ticks: Significant gaps — you're exposed to the most common attack patterns.
0–5 ticks: Critical risk — an automated scanner would find issues. A manual pen test would find far more.
These are the exact patterns we find during SaaS penetration tests. Copy-paste the secure versions into your codebase. Each example maps to an OWASP API risk and shows the fix in under 10 lines.
Search your codebase right now for these vulnerable patterns:
findById(req.params — without ownership check = BOLAjwt.verify(token, 'secret' — hardcoded JWT secret = auth bypassres.json(user) or res.json(model) — raw model in response = data exposure.findOne({email: req.body — without rate limiting = enumerationSELECT * FROM without RLS — tenant isolation depends on every developerRun this curl against your production API and check for missing headers:
If your SaaS handles personal information of New Zealanders, the Privacy Act 2020 applies — regardless of where your company is based. API vulnerabilities don't just cause breaches; they trigger mandatory legal obligations.
If a privacy breach has caused, or is likely to cause, serious harm to affected individuals, you must notify the Privacy Commissioner and affected individuals "as soon as practicable." For SaaS companies, API breaches that expose customer PII — names, emails, billing data, usage data — almost always meet this threshold. Failure to notify is an interference with privacy and can result in investigation, compliance orders, and reputational damage.
Agencies must protect personal information "by such security safeguards as it is reasonable in the circumstances to take" against loss, unauthorised access, use, modification, or disclosure. For SaaS, this means: proper API authentication and authorisation, encryption in transit and at rest, access controls, logging, and regular security testing. A BOLA vulnerability exposing customer data would likely be considered a failure of "reasonable safeguards."
Personal information can only be disclosed for the purpose it was collected. An API that over-returns data (Excessive Data Exposure, OWASP API3) technically discloses information beyond its intended purpose. If your API returns a user's full profile (including internal fields) when the request only needed their name, that's an IPP 11 issue — even without an attacker exploiting it.
| SaaS Scenario | OWASP Risk | Privacy Act Impact |
|---|---|---|
| User A accesses User B's data via BOLA | API1 — BOLA | Notifiable breach (Part 6A) |
| API returns internal fields with PII | API3 — Property Auth | IPP 5 + IPP 11 violation |
| No rate limit enables mass scraping | API4 — Resource | Notifiable if PII exposed |
| Unauthenticated endpoint leaks data | API2 — Auth | IPP 5 failure + notification |
| Third-party API integration leaks data | API10 — Unsafe | IPP 5 + IPP 11 (disclosure) |
If you handle data from EU residents, GDPR applies (fines up to 4% of global revenue). If you handle US health data, HIPAA applies. If you're SOC 2 certified (increasingly required by enterprise customers), API security testing is a core control. Getting your API security right isn't just about protecting data — it's about winning enterprise deals and entering regulated markets.
Automated scanners catch the obvious. We find the business logic flaws, the BOLA vulnerabilities, the tenant isolation failures, and the auth bypasses that only manual testing reveals. Here's exactly what you get.
Manual testing for all 10 OWASP API risks: BOLA, broken auth, excessive data exposure, rate limit abuse, BFLA, SSRF, business logic flaws, and unsafe third-party API consumption. Not a checkbox scan — real exploitation attempts.
We create two test accounts in different tenants and systematically try to access each other's data across every endpoint, every cache layer, every background job, and every file path. The test most SaaS companies never run.
JWT validation bypasses, token lifecycle testing, OAuth flow abuse, password reset flaws, session fixation, privilege escalation from free-tier to admin. We test every path to unauthorised access.
One-page overview for founders and board — risk rating, key findings, business impact, and what to fix first. Written in plain English, not CVE numbers.
Every finding includes: the vulnerable endpoint, exact reproduction steps, screenshots/HTTP traces, severity rating, and specific remediation code. Your developers can fix issues the same day.
Prioritised fix plan: critical items first, then high, then medium. Includes estimated developer effort per fix and recommended security architecture improvements for your specific stack.
After you've fixed the critical and high findings, we retest them at no extra cost to verify the fixes are solid. You get a clean report you can share with customers and investors.
2-minute assessment that benchmarks your security posture against NZ industry standards. Get your risk score, priority actions, and see where you stand — before an attacker does.
Take Free Security Scorecard →These are anonymised examples from real WeHack engagements. Every SaaS product we've tested has had at least one critical finding. Here's what they look like.
GET /api/invoices/INV-4521/pdf returned the PDF for invoice 4521 regardless of which user made the request. By incrementing the invoice number, an attacker could download every customer invoice in the system — including billing amounts, company names, and contact details.
WHERE tenant_id = req.user.tenant_id ownership check. Switched invoice IDs from sequential numbers to UUIDs to prevent enumeration.
The /api/admin/users endpoint checked for a valid JWT but didn't verify the user's role. Any authenticated user — including free-tier accounts — could list all users, change permissions, and delete accounts across the entire platform.
requireRole('admin')) to all /api/admin/* routes. Moved admin endpoints behind a separate subdomain with stricter auth.
The user profile endpoint returned the raw database model, which included stripe_customer_id, internal_notes, and password_reset_token. The Stripe ID alone could be used to look up payment methods via Stripe's API if combined with a leaked Stripe key.
id, name, email, and avatar_url returned. Added automated tests that fail if response contains unexpected fields.
Dashboard data was cached by endpoint URL but not by tenant. When Tenant A loaded /api/dashboard/overview, the response was cached. Tenant B requesting the same URL received Tenant A's analytics data — revenue figures, customer counts, and usage metrics.
tenant_id to all cache keys. Implemented cache-busting middleware that includes tenant context. Added automated cross-tenant tests to CI pipeline.
Free • 2 Minutes • No Sales Spam
Take the free security scorecard. Get your risk score benchmarked against NZ industry standards, priority actions, and a radar chart of your security posture.
Free Security Scorecard →Instant results • Industry-adjusted benchmarks • Priority quick wins