Unsafe Consumption of APIs (OWASP API #10)
OWASP API #10 — the risk that flows the other way. Your service trusts the third-party and upstream APIs it calls as if their resp…
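As an added example (not code from the original page), the pattern above in Python: one consumer copies an upstream response straight into its own records, the other treats that response as untrusted input and validates size, shape, type, length and an allow-list of fields before anything is stored. The partner "profile" API, its response bodies and the `users` table are constructed for illustration and are not any real integration.

```python
"""Unsafe vs. safe consumption of a third-party API response (illustrative)."""
import json
import re
import sqlite3

MAX_BODY_BYTES = 64 * 1024                     # cap the body before parsing it
ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")
ALLOWED_KEYS = {"id", "email", "display_name"} # the agreed contract; nothing else is copied

# Constructed sample bodies from a hypothetical partner profile API.
GOOD_BODY = json.dumps({"id": "u-42", "email": "alice@example.com",
                        "display_name": "Alice"}).encode()
# Same contract, plus a field the partner was never supposed to control.
EXTRA_FIELD_BODY = json.dumps({"id": "u-42", "email": "alice@example.com",
                               "display_name": "Alice", "role": "admin"}).encode()
# A compromised or buggy upstream: oversized field and a privilege-bearing key.
HOSTILE_BODY = json.dumps({"id": "u-42", "email": "alice@example.com",
                           "display_name": "A" * 10_000, "role": "admin"}).encode()


def new_db():
    """In-memory table standing in for the consuming service's own store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, email TEXT, "
                 "display_name TEXT, role TEXT NOT NULL DEFAULT 'user')")
    return conn


def consume_unsafely(conn, body):
    """Vulnerable: every key the upstream returns is written into the local record.
    Parameters stop SQL injection, but 'role' and the 10 KB name still land."""
    data = json.loads(body)
    cols = list(data)
    conn.execute(f"INSERT INTO users ({', '.join(cols)}) "
                 f"VALUES ({', '.join('?' for _ in cols)})", [data[c] for c in cols])
    return conn.execute("SELECT role, length(display_name) FROM users WHERE id = ?",
                        (data["id"],)).fetchone()


def validate_profile(body):
    """Treat the upstream body like any other untrusted input. Raises ValueError."""
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("upstream body too large")
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise ValueError(f"upstream body is not valid JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ValueError("upstream body is not a JSON object")
    missing = ALLOWED_KEYS - set(data)
    if missing:
        raise ValueError(f"upstream body missing fields: {sorted(missing)}")
    for key in ALLOWED_KEYS:
        if not isinstance(data[key], str):
            raise ValueError(f"field {key!r} is not a string")
    if not ID_RE.fullmatch(data["id"]):
        raise ValueError("id has unexpected format")
    if not EMAIL_RE.fullmatch(data["email"]):
        raise ValueError("email has unexpected format")
    if not 1 <= len(data["display_name"]) <= 128:
        raise ValueError("display_name length out of range")
    # Copy only the allow-listed keys; extra fields such as 'role' are dropped.
    return {key: data[key] for key in ("id", "email", "display_name")}


def consume_safely(conn, body):
    """Hardened: validated fields only, explicit column list, role stays at its default."""
    profile = validate_profile(body)
    conn.execute("INSERT INTO users (id, email, display_name) VALUES (?, ?, ?)",
                 (profile["id"], profile["email"], profile["display_name"]))
    return conn.execute("SELECT role, length(display_name) FROM users WHERE id = ?",
                        (profile["id"],)).fetchone()


def is_rejected(body):
    """True if the hardened validator refuses the body."""
    try:
        validate_profile(body)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("unsafe, hostile body:", consume_unsafely(new_db(), HOSTILE_BODY))
    print("safe, good body:     ", consume_safely(new_db(), GOOD_BODY))
    print("safe, extra field:   ", consume_safely(new_db(), EXTRA_FIELD_BODY))
    print("safe, hostile body rejected:", is_rejected(HOSTILE_BODY))
```

The same posture applies before the body is ever read: verify the upstream's TLS certificate, set connect and read timeouts, cap the response size, and decide deliberately whether redirects from the upstream are followed rather than letting the HTTP client follow them anywhere by default.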
OWASP API #9 — you cannot defend an API you have forgotten you are running. Zombie versions that were deprecated but never unroute…
OWASP API #8 — the unglamorous bug class that wins more engagements than any clever exploit. Verbose stack traces, Spring Actuator…
any endpoint that fetches a URL (image proxy, link preview, webhook, OEmbed, /import) is a tunnel an attacker can point at your in…
the one where every request is individually legitimate, but the pattern across them is the attack. Scalping, fake-account farms, r…
one request, thousands of actions. Rate-limit bypass via header rotation, ?limit=1000000 melting the DB, bulk endpoints fanning ou…
the server copies every key from req.body straight onto the model, so PUT /users/me with {role:"admin"} is instant privilege escal…