APIs are the backbone of modern software, and therefore a central attack target. Three findings from current primary sources sum up the problem: incidents are widespread, attackers deliberately follow the known API vulnerabilities, and a data breach remains expensive.
Why a Valid Login Isn't Enough
The most common API risk is Broken Object Level Authorization (BOLA): the API doesn't check whether a logged-in user is allowed to access precisely this object. It takes no exploit, just an incremented ID. That fits the finding that, according to Salt Labs, nearly all analyzed attack attempts originate from authenticated sources, meaning the attacker is logged in.
Broken Object Level Authorization: the same valid login, an incremented ID, someone else's data. Classic login and perimeter controls don't catch this.
The Attack Surface Grows Along With It
The more business logic runs over APIs, the more the attack activity shifts there too. As far back as late 2021, API calls made up 54% of Cloudflare's entire request volume and grew roughly twice as fast as classic web traffic. 66% of organizations report that their number of APIs grew by more than 50% in the last year.
And the trend is accelerating through AI-assisted development: tools like Copilot or Cursor, and increasingly autonomous AI agents, generate code, and with it endpoints, faster than reviews and governance can keep up. That produces more and more undocumented or never-reviewed routes (phantom and shadow APIs), and AI agents together with their tool interfaces form an entirely new API attack surface. How to stay on top of it anyway is covered under Implementing API Security.
Authorization Errors Dominate
Three of the five highest OWASP API risks are pure authorization flaws: API1 (BOLA), API3 (BOPLA), and API5 (BFLA). They can't be detected by a signature, only by actually walking through the logic. That's exactly what makes them so dangerous, and at the same time so hard for classic scanners.
API attacks mostly run through valid logins and missing authorization checks, not through classic exploits. Anyone who wants to secure APIs has to test the logic, not just scan for patterns.
Why These Gaps Are So Dangerous
What is actually alarming is not the sheer number of API gaps, but how trivial they are to exploit, often without specialized knowledge and without a valid account.
What that means in practice: it takes no sophisticated exploit. A single, completely normal-looking request with an incremented ID, in other words a BOLA gap like GET /orders/124 instead of your own 123, is enough to grab someone else's records. No malicious code, often no login, and to a pattern-based protection system the request looks entirely legitimate.
Defense is lagging behind: while APIs are becoming the dominant attack surface, according to Salt only 18% of organizations trust themselves to even detect AI-assisted attacks (H1 2026). Anyone who doesn't continuously check their own API inventory and authorization logic often only notices an incident once it's in the news.
Frequently Asked Questions
Why doesn't a classic scanner detect BOLA?
Because a BOLA request is technically completely legitimate, and only the manipulated object ID reveals the abuse. A signature- or pattern-based scanner sees no suspicious pattern. Only the application logic, in the context of the user, knows whether the access is allowed.
Is an annual pentest or a WAF enough?
No. APIs change with every deploy, and a finding from twelve months ago says nothing about the current state. A WAF filters patterns, not logic flaws. What works is continuous, logic-based testing.
Does AI increase the attack surface?
Yes. AI code generators produce more endpoints faster than governance can track, including phantom routes that were never planned. That increases the number of untested interfaces.
Sources
- State of API Security Report 2025 Salt Security, 2025
- H1 2026 State of AI and API Security Report Salt Security, 2026
- OWASP API Security Top 10 (2023) OWASP Foundation, 2023
- Cost of a Data Breach Report 2025 IBM / Ponemon Institute, 2025
- Landscape of API Traffic Cloudflare, 2022
- X-Force Threat Intelligence Index 2026 IBM, 2026
- Inside Modern API Attacks: 2026 API ThreatStats Report Wallarm, 2026
- Phantom APIs Are Eating Your Attack Surface DZone (Framing), 2026