API Security: The Top 10 That Actually Matter
OWASP API Top 10 isn't theory — it's the cheat sheet that maps to almost every critical finding I ship. Here are the five categories that pay rent and how to hunt them.
BOLA / IDOR is still king
Swap object IDs across tenants, sessions and roles. Numeric IDs, UUIDs, slugs — all fail when the server forgets to authorize.
Broken authentication
JWT none-alg, weak signing keys, refresh-token replay, OAuth state confusion. Test the auth surface like a state machine, not a checkbox.
Mass assignment
Send `role:admin`, `isVerified:true`, `tenantId:other` in the body. ORMs that blindly hydrate models leak privileges in one POST.
- Diff request body against documented schema
- Fuzz hidden parameters with Param Miner
- Always test PATCH, not just POST
Rate limit & resource abuse
GraphQL aliasing, batched mutations, expensive sorts. Cost-of-query is the new attack surface.
SSRF via webhooks & integrations
Outbound URL fields are SSRF goldmines. Block link-local metadata endpoints at the egress, not just the app.
Tools mentioned
APIs fail at authorization and trust boundaries far more than at the protocol layer. Test the verbs and the IDs.