All articles
GUIDE · 6 min read

API Security: The Top 10 That Actually Matter

OWASP API Top 10 isn't theory — it's the cheat sheet that maps to almost every critical finding I ship. Here are the five categories that pay rent and how to hunt them.

BOLA / IDOR is still king

Swap object IDs across tenants, sessions and roles. Numeric IDs, UUIDs, slugs — all fail when the server forgets to authorize.

Broken authentication

JWT none-alg, weak signing keys, refresh-token replay, OAuth state confusion. Test the auth surface like a state machine, not a checkbox.

Mass assignment

Send `role:admin`, `isVerified:true`, `tenantId:other` in the body. ORMs that blindly hydrate models leak privileges in one POST.

  • Diff request body against documented schema
  • Fuzz hidden parameters with Param Miner
  • Always test PATCH, not just POST

Rate limit & resource abuse

GraphQL aliasing, batched mutations, expensive sorts. Cost-of-query is the new attack surface.

SSRF via webhooks & integrations

Outbound URL fields are SSRF goldmines. Block link-local metadata endpoints at the egress, not just the app.

Tools mentioned

Burp Suite ProPostmanParam MinerAutorizeGraphQL Voyagerffuf
⟩ takeaway

APIs fail at authorization and trust boundaries far more than at the protocol layer. Test the verbs and the IDs.

⟩ keep reading

Related articles