API Security Needs Bot Management: Addressing the OWASP Top Ten API Vulnerabilities

Enterprise cybersecurity teams have turned their focus to API security, and rightly so. In the digital economy, APIs are the front door to the business, an entry point for IoT devices, web and mobile apps, and, increasingly, to AI-driven applications that are transforming how we do business. Unfortunately, APIs are also the front door for criminals, many of whom rely on bots to carry out attacks. It is therefore critical for security teams to protect APIs and mitigate the bots used to attack them.

The OWASP top ten API security vulnerabilities list clearly identifies the central role bots play in attacks on APIs. Three of the top ten API vulnerabilities are directly related to bots:

• Broken Authentication: Bots break authentication through brute-force, dictionary, and credential stuffing attacks that result in account takeovers, fraud, financial losses, and angry customers.
• Unrestricted Resource Consumption: Bots take advantage of unrestricted resource consumption, exhausting the memory and processing capacity of APIs. When bots target APIs designed for consumption by interactive applications (web and mobile applications used by humans), the impact on performance and costs can be catastrophic.
• Unrestricted Access to Sensitive Business Flows: Excessive access to certain business flows may harm the business. Unauthorized resellers can deplete product inventory and resell at a significantly higher price. Spammers can exploit a comment/post flow. Attackers can use a reservation system to reserve all available time slots. In these instances, bots are deployed to exploit these business flows.

In his book Hacking APIs: Breaking Web Application Programming Interfaces, renowned cybersecurity and API expert Corey J. Ball explains how automated tools for API discovery (OWASP ZAP, Gobuster, Kiterunner) and fuzzing (Postman, Wfuzz, and Burp Suite) can be used by attackers to send thousands of requests to APIs to ferret out vulnerabilities. Bot management needs to be in place to identify snooping and reduce its effectiveness.

Bots do not impact all APIs in the same way. APIs are typically protected by mutual TLS, so the risk of broken authentication is low and rate limiting can be enforced per authenticated client. APIs that expect traffic only from interactive web and mobile apps are most vulnerable to bots.

Defending against bots has become increasingly difficult for APIs that expect human-initiated traffic. Open-source libraries make it easy to avoid detection through header fingerprinting, and services to defeat CAPTCHAs and proxy requests through networks containing tens of millions of residential IP addresses are widely available to bot operators. Old techniques of header analysis, IP deny lists, and CAPTCHA are no longer effective, which means application security teams seeking to mitigate bots must rely on rich client-side signal collection, utilizing JavaScript and mobile SDKs, and sophisticated machine learning to distinguish attack tools and bot behaviors.

As AI applications become more widely deployed, securing APIs and these endpoints against automated attacks will be critical. In response, OWASP has released its 2025 Top 10 Risk & Mitigations for LLMs and Gen AI Apps. See my recent post, How Bots Attack Large Language Models, to learn more.

Which of your organization’s APIs are vulnerable to bots? What is the likelihood of attack and the cost of impact? How can you design security controls to ensure necessary protections against bots? These are good questions to address in threat modeling. To learn more about the business impact of bots, read the F5 whitepaper on the topic or sign up for a free consultation