owasp-api-top-10
Safeguard articles tagged "owasp-api-top-10" — guides, analysis, and best practices for software supply chain and application security.
18 articles
Broken Object Property Level Authorization (BOPLA)
BOPLA (OWASP API3:2023) lets APIs correctly check object access while leaking or accepting the wrong fields. Real breaches show why it's so hard to catch.
Unrestricted Resource Consumption in APIs
API4:2023 shows how a single unbounded request—GraphQL depth, a ReDoS regex, an unthrottled upload—can take down an API or run up a cloud bill.
Security Misconfiguration in APIs
Optus, T-Mobile, Peloton, and USPS were all breached through misconfigured APIs, not exploits. Here's what causes it, what it costs, and how to catch it first.
Missing Rate Limiting on APIs and Login Endpoints
Missing rate limiting turned single APIs into 37-million-record breaches at T-Mobile and Optus. Here's why it happens, how attackers exploit it, and how to catch it first.
API Security Scanning: What Good Tools Actually Catch
API security scanning explained in terms of the specific failure classes it catches, from broken object-level authorization to shadow endpoints, and why generic web scanners miss most of them.
The OWASP API Security Top 10: Each Risk Explained
The OWASP API Top 10 is a ranked list of the most common API-specific vulnerability classes, from broken object level authorization to unsafe consumption of third-party APIs.