Safeguard
Tag

api-security

Safeguard articles tagged "api-security" — guides, analysis, and best practices for software supply chain and application security.

100 articles

Industry Analysis

Broken Object Level Authorization (BOLA/IDOR) in APIs

BOLA/IDOR has topped the OWASP API Security Top 10 since 2019. Here's how USPS, Peloton, and Parler got breached by it—and how to catch it before you do.

Nov 7, 20258 min read
Industry Analysis

Broken Object Property Level Authorization (BOPLA)

BOPLA (OWASP API3:2023) lets APIs correctly check object access while leaking or accepting the wrong fields. Real breaches show why it's so hard to catch.

Nov 7, 20257 min read
Industry Analysis

Broken Function Level Authorization (BFLA) in APIs

BFLA lets a regular user call admin-only API functions. Here's how the USPS, Peloton, and Coinbase incidents happened — and how to catch it before attackers do.

Nov 7, 20257 min read
Industry Analysis

Unrestricted Resource Consumption in APIs

API4:2023 shows how a single unbounded request—GraphQL depth, a ReDoS regex, an unthrottled upload—can take down an API or run up a cloud bill.

Nov 6, 20257 min read
Industry Analysis

Unrestricted Access to Sensitive Business Flows

OWASP's API10:2023 category covers a threat scanners can't see: bots abusing legitimate business flows like checkout and ticketing at scale. Here's how it works.

Nov 6, 20257 min read
Industry Analysis

Unsafe Consumption of Third-Party APIs

Third-party APIs get trusted more than user input ever would — and attackers know it. Real breaches from Polyfill.io to 3CX show why that trust is misplaced.

Nov 6, 20257 min read
Industry Analysis

Security Misconfiguration in APIs

Optus, T-Mobile, Peloton, and USPS were all breached through misconfigured APIs, not exploits. Here's what causes it, what it costs, and how to catch it first.

Nov 6, 20257 min read
Industry Analysis

Improper Inventory Management: Shadow and Zombie APIs

Undocumented shadow APIs and forgotten zombie endpoints are quietly expanding attack surface. Here's why inventory gaps cause breaches like T-Mobile and Optus.

Nov 5, 20257 min read
Industry Analysis

Broken Authentication in API Endpoints

Broken authentication in API endpoints drove breaches at T-Mobile, Optus, and Peloton. Here's why it keeps happening and how to catch it before attackers do.

Nov 5, 20257 min read
Industry Analysis

Hidden Functionality and Undocumented API Endpoints

Undocumented API endpoints and hidden functionality sit outside vendor documentation entirely — here's where they come from, why attackers find them first, and how to detect them.

Nov 5, 20257 min read
Industry Analysis

Missing Rate Limiting on APIs and Login Endpoints

Missing rate limiting turned single APIs into 37-million-record breaches at T-Mobile and Optus. Here's why it happens, how attackers exploit it, and how to catch it first.

Nov 5, 20257 min read
Industry Analysis

CORS Misconfiguration Vulnerabilities

CORS misconfiguration vulnerabilities let attackers steal authenticated API data with a single reflected Origin header. Here's how they happen and how to catch them before release.

Nov 4, 20256 min read
api-security (Page 6) — Safeguard Blog