
API6:2023 Unrestricted Access to Sensitive Business Flows

Business flows such as ticket purchase, signup, password reset and money transfer accept automated calls with no throttle, captcha, or behavioural challenge between a script and the flow. This is the bot-abuse category: each request may be authorized and free of injection, yet the flow itself (buying out stock, flooding users with reset mail, mass-registering accounts) becomes harmful when driven at machine speed.

What Vulkro detects

Heuristic: a route handler whose name matches purchase|checkout|signup|reset_password|transfer and whose route pipeline (decorators, dependencies, middleware) shows no rate-limiting or captcha step. Because the check is name-based and reads only the application code, a sensitive handler under another name is not flagged, and a throttle enforced outside the code (reverse proxy, API gateway, WAF) is not credited.
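The heuristic above, worked through as a small AST-based checker. This is an added illustration, not Vulkro's own implementation: it scans FastAPI-style handlers, matches the page's name pattern against both the handler name and the route path (with `reset` widened beyond `reset_password` so that a handler named `reset` on `/auth/reset` is caught), and looks in the decorator stack and parameter defaults for identifiers that suggest a limiter or a captcha dependency. The hint lists (`limit`, `throttle`, `captcha`, `turnstile`) and the sample module are my assumptions, constructed for the example.

```python
import ast
import re

# The page's heuristic as a regex; `reset` is widened beyond `reset_password`
# so that a handler named `reset` on `/auth/reset` is also caught (my choice).
SENSITIVE = re.compile(r'purchase|checkout|signup|reset(_password)?|transfer', re.IGNORECASE)
# Identifier fragments treated as evidence of a throttle or a challenge (assumed names).
THROTTLE_HINTS = ('limit', 'throttle')
CAPTCHA_HINTS = ('captcha', 'turnstile')
ROUTE_METHODS = {'get', 'post', 'put', 'patch', 'delete', 'api_route'}


def _idents(node):
    """Every simple or attribute identifier inside an AST node, lower-cased."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name):
            yield sub.id.lower()
        elif isinstance(sub, ast.Attribute):
            yield sub.attr.lower()


def _route_path(decorator):
    """Path string of an @app.post('/x')-style decorator, '' if it has no
    string argument, None if the decorator is not a route registration."""
    if not isinstance(decorator, ast.Call) or not isinstance(decorator.func, ast.Attribute):
        return None
    if decorator.func.attr not in ROUTE_METHODS:
        return None
    first = decorator.args[0] if decorator.args else None
    if isinstance(first, ast.Constant) and isinstance(first.value, str):
        return first.value
    return ''


def find_unguarded_flows(source):
    """Return [(handler_name, lineno, missing)] for sensitive business-flow
    handlers whose decorators or dependencies show no throttle and/or captcha."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        paths = [p for p in map(_route_path, node.decorator_list) if p is not None]
        if not paths:
            continue  # not a route handler
        if not SENSITIVE.search(node.name) and not any(SENSITIVE.search(p) for p in paths):
            continue  # not a sensitive business flow by name or path
        # Evidence lives in the decorator stack (@limiter.limit(...)) and in
        # parameter defaults (captcha: str = Depends(verify_captcha)).
        seen = set()
        for dec in node.decorator_list:
            seen.update(_idents(dec))
        for default in node.args.defaults + node.args.kw_defaults:
            if default is not None:
                seen.update(_idents(default))
        missing = []
        if not any(h in ident for ident in seen for h in THROTTLE_HINTS):
            missing.append('throttle')
        if not any(h in ident for ident in seen for h in CAPTCHA_HINTS):
            missing.append('captcha')
        if missing:
            findings.append((node.name, node.lineno, missing))
    return findings


# Constructed sample module (not from any real project): one unguarded reset
# handler, one checkout with a limiter but no captcha, one fully guarded
# reset, and one non-sensitive health endpoint.
SAMPLE = '''
@app.post('/auth/reset')
async def reset(email: str):
    return {'ok': True}

@app.post('/checkout')
@limiter.limit('10/minute')
async def checkout(request: Request, cart_id: int):
    return {'ok': True}

@app.post('/auth/reset')
@limiter.limit('3/hour')
async def reset_guarded(request: Request, email: str, captcha: str = Depends(verify_captcha)):
    return {'ok': True}

@app.get('/health')
async def health():
    return {'ok': True}
'''

if __name__ == '__main__':
    for name, line, missing in find_unguarded_flows(SAMPLE):
        print(f'line {line}: {name} lacks {", ".join(missing)}')
```

Run against the sample, the checker reports `reset` (no throttle, no captcha) and `checkout` (no captcha) and stays silent on `reset_guarded` and `health`. The limits of a name-based heuristic are visible in the same run: rename `reset` to `handle_mail_link` and it disappears from the findings, and a limiter applied at the gateway would never show up in the AST at all.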

Non-compliant code (examples)

FastAPI — password reset with no throttle

from fastapi import FastAPI
app = FastAPI()
@app.post('/auth/reset')
async def reset(email: str):  # User and send_reset_email are the app's own
    user = await User.get_by_email(email)
    if user:
        await send_reset_email(user)
    return {'ok': True}  # no throttle or challenge: a bot can call this in a loop for every address on a list

Compliant code (examples)

FastAPI — slowapi throttle + captcha

from fastapi import Depends, FastAPI, Request
from slowapi import Limiter, _rate_limit_exceeded_handler
from slowapi.errors import RateLimitExceeded
from slowapi.util import get_remote_address
app = FastAPI()
app.state.limiter = limiter = Limiter(key_func=get_remote_address)  # keyed per client IP
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)  # 429 instead of an unhandled error
@app.post('/auth/reset')
@limiter.limit('3/hour')  # slowapi requires the `request: Request` argument below to apply this
async def reset(request: Request, email: str, captcha: str = Depends(verify_captcha)):  # verify_captcha is the app's own dependency
    user = await User.get_by_email(email)
    if user:
        await send_reset_email(user)
    return {'ok': True}  # identical response whether or not the address exists

See also

  • Confidence model - what High, Medium, and Low mean for findings in this category.
  • Safety - what Vulkro does and does not access on your machine.


This page is generated by vulkro rules export <out-dir> from the catalog in src/rule_docs.rs. Edits made by hand are overwritten on the next regeneration.