Zero Trust APIs with Python — Jose Haro Peralta

BOLA (Broken Object Level Authorization) is one of the most common API vulnerabilities, allowing unauthorized access to other users’ data

~80% of API attacks come from authenticated users, making proper authorization critical

Key API security principles:

• Don’t trust any request regardless of source
• Validate and sanitize all input/output data
• Use strict data models and explicit access controls
• Implement proper pagination limits
• Parameterize database queries to prevent SQL injection

Common API vulnerabilities:

• Mass assignment attacks
• SQL injection
• Pagination attacks exposing too much data
• Schema enumeration revealing internal properties
• Insufficient input validation

Protection strategies:

• Use tools like Pydantic for data validation
• Implement proper model constraints and enumerations
• Test APIs at both design time and runtime
• Use parameterized queries for database operations
• Limit maximum page sizes and implement proper pagination

Modern APIs face extensive attack surfaces:

• Microservices interactions
• Third-party integrations
• Database operations
• User input/output flows
• Authentication/authorization

Testing tools recommended:

• Schema Thesis for runtime testing
• Spectral for design-time testing
• API Threads for vulnerability discovery