One short example:
Unfortunately, while the developers at MyLocalWeatherForecast.com
were diligent about restricting access to the administration page
(admin.php), they neglected to restrict access to the server API that
provides the actual data to that page. While an attacker would be blocked
from accessing admin.php, there is nothing to prevent him from calling
the GetUsageStatistics function directly.
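The failure the quoted passage describes is a page-level check with no endpoint-level check. The following added example (my own illustration, not the book's code and not the real MyLocalWeatherForecast.com application, whose source the quoted text does not show) models the two layouts with a tiny in-process router. The paths, the session layout and the statistics payload are assumptions; the point is that the hardened version applies the same authorization to every route that exposes the admin data, and the audit function is the check a reviewer would run to find routes an anonymous session can still reach.

```python
"""Added illustration: UI-level vs. endpoint-level access control.

Everything here is constructed for the example: the route names, the
session dict and the statistics payload are assumptions, not the real
MyLocalWeatherForecast.com code (which the quoted passage does not show).
"""
from functools import wraps

# Constructed sample data that admin.php fetches through the API.
USAGE_STATISTICS = {"requests_today": 18231, "unique_users": 402}


def _is_admin(session):
    return session.get("role") == "admin"


# --- Vulnerable layout: only the page is protected -----------------------

def vulnerable_admin_page(session):
    if not _is_admin(session):
        return 403, "Forbidden"
    return 200, "<html>admin page; its JS calls /api/GetUsageStatistics</html>"


def vulnerable_get_usage_statistics(session):
    # The developers relied on admin.php being unreachable; the endpoint
    # itself performs no check, so a direct request by anyone succeeds.
    return 200, USAGE_STATISTICS


VULNERABLE_ROUTES = {
    "/admin.php": vulnerable_admin_page,
    "/api/GetUsageStatistics": vulnerable_get_usage_statistics,
}


# --- Hardened layout: every route that exposes the data is protected -----

def require_admin(handler):
    """Hypothetical decorator: reject non-admin sessions before the handler runs."""
    @wraps(handler)
    def guarded(session):
        if not _is_admin(session):
            return 403, "Forbidden"
        return handler(session)
    return guarded


@require_admin
def hardened_admin_page(session):
    return 200, "<html>admin page; its JS calls /api/GetUsageStatistics</html>"


@require_admin
def hardened_get_usage_statistics(session):
    # Same check as the page: the data, not just the page, is what is sensitive.
    return 200, USAGE_STATISTICS


HARDENED_ROUTES = {
    "/admin.php": hardened_admin_page,
    "/api/GetUsageStatistics": hardened_get_usage_statistics,
}


def dispatch(routes, path, session):
    """Route one request; returns (status, body) like a minimal web framework."""
    handler = routes.get(path)
    if handler is None:
        return 404, "Not Found"
    return handler(session)


def audit_unguarded_routes(routes):
    """Return the paths an anonymous (empty) session can reach with 200.

    For an admin feature every route should refuse an empty session, so
    any path in the result is a missing authorization check.
    """
    anonymous = {}
    return sorted(p for p in routes if dispatch(routes, p, anonymous)[0] == 200)


if __name__ == "__main__":
    print(audit_unguarded_routes(VULNERABLE_ROUTES))  # ['/api/GetUsageStatistics']
    print(audit_unguarded_routes(HARDENED_ROUTES))    # []
```

The audit deliberately exercises the endpoints rather than reading the admin page, because that is exactly what the attacker in the passage does: skip admin.php and call the data function directly.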