api-security
Safeguard articles tagged "api-security" — guides, analysis, and best practices for software supply chain and application security.
100 articles
Broken Object Level Authorization (BOLA/IDOR) in APIs
BOLA/IDOR has topped the OWASP API Security Top 10 since 2019. Here's how USPS, Peloton, and Parler got breached by it—and how to catch it before you do.
Broken Object Property Level Authorization (BOPLA)
BOPLA (OWASP API3:2023) lets APIs correctly check object access while leaking or accepting the wrong fields. Real breaches show why it's so hard to catch.
Broken Function Level Authorization (BFLA) in APIs
BFLA lets a regular user call admin-only API functions. Here's how the USPS, Peloton, and Coinbase incidents happened — and how to catch it before attackers do.
Unrestricted Resource Consumption in APIs
API4:2023 shows how a single unbounded request—GraphQL depth, a ReDoS regex, an unthrottled upload—can take down an API or run up a cloud bill.
Unrestricted Access to Sensitive Business Flows
OWASP's API10:2023 category covers a threat scanners can't see: bots abusing legitimate business flows like checkout and ticketing at scale. Here's how it works.
Unsafe Consumption of Third-Party APIs
Third-party APIs get trusted more than user input ever would — and attackers know it. Real breaches from Polyfill.io to 3CX show why that trust is misplaced.
Security Misconfiguration in APIs
Optus, T-Mobile, Peloton, and USPS were all breached through misconfigured APIs, not exploits. Here's what causes it, what it costs, and how to catch it first.
Improper Inventory Management: Shadow and Zombie APIs
Undocumented shadow APIs and forgotten zombie endpoints are quietly expanding attack surface. Here's why inventory gaps cause breaches like T-Mobile and Optus.
Broken Authentication in API Endpoints
Broken authentication in API endpoints drove breaches at T-Mobile, Optus, and Peloton. Here's why it keeps happening and how to catch it before attackers do.
Hidden Functionality and Undocumented API Endpoints
Undocumented API endpoints and hidden functionality sit outside vendor documentation entirely — here's where they come from, why attackers find them first, and how to detect them.
Missing Rate Limiting on APIs and Login Endpoints
Missing rate limiting turned single APIs into 37-million-record breaches at T-Mobile and Optus. Here's why it happens, how attackers exploit it, and how to catch it first.
CORS Misconfiguration Vulnerabilities
CORS misconfiguration vulnerabilities let attackers steal authenticated API data with a single reflected Origin header. Here's how they happen and how to catch them before release.