API Security
API security addresses the unique vulnerabilities that arise when applications expose functionality through programmatic interfaces. As organizations shift to API-first architectures, microservices, and third-party integrations, APIs have become the primary attack surface for modern applications. The OWASP API Security Top 10 identifies critical risks including Broken Object Level Authorization (BOLA), mass assignment, excessive data exposure, and lack of rate limiting. APIs often inadvertently expose more data than their UI counterparts, accept parameters that bypass frontend validation, and may lack the authentication and authorization checks that browser-based interfaces enforce. REST, GraphQL, gRPC, and WebSocket APIs each present distinct security challenges. Effective API security requires authentication hardening, input validation, output filtering, rate limiting, proper error handling, and comprehensive logging across every endpoint.
| Date Added | Link | Excerpt |
|---|---|---|
| 2026-05-31 NEW 2026 | Anthropic AI Vulnerability Scanner in Enterprise Beta: IBM Joins Glasswing After 10000 Flaws Found news | Tool for AI-powered application security scanning, Claude Security, now in public beta for enterprise customers, identifies vulnerabilities by reasoning over code behavior and data flows, moving beyond traditional signature matching. This approach has surfaced over 10,000 critical software flaws through Anthropic's Project Glasswing consortium, which includes IBM, and has also revealed specific vulnerabilities like CVE-2026-5194 in wolfSSL. The tool aims to compress the find-fix cycle, though patching remains a bottleneck for maintainers. |
| 2026-05-30 NEW 2026 | Vibe Coding Security: Why 62% Of AI-Generated Code Ships With Vulnerabilities news | Library analyzing security flaws in AI-generated code, including Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF). Research indicates AI code exhibits significantly higher vulnerability rates than human-written code, with studies highlighting failures in XSS defenses, exposed secrets, PII, and lack of CSRF protection and security headers across platforms like Cursor and Claude Code. → ox.security |
| 2026-05-29 NEW 2026 | Security Researcher: WordPress 7.0 Could Trigger Rush To Steal AI API Keys news | Library discussing the security implications of AI API keys in WordPress 7.0, highlighting a specific bug where Anthropic API keys are exposed via browser autofill. This vulnerability, along with broader concerns about WordPress's architecture and secrets management, makes WordPress sites attractive targets for attackers aiming to steal valuable AI credentials for activities like bot networks, scaled phishing, and unauthorized AI usage, potentially leading to significant financial loss. |
| 2026-05-29 NEW 2026 | Anthropic Launches Free Claude Code Terminal Plugin to Detect Security Vulnerabilities beginner | Plugin for Claude Code that continuously scans AI-generated code for vulnerabilities like injection flaws and insecure deserialization. It employs a three-layer review process: fast pattern matching on edits, an end-of-turn Claude security review for higher-level issues such as IDORs and SSRF, and an agentic review on commits. The plugin can be extended with custom rules and patterns. → gbhackers.com |
| 2026-05-28 NEW 2026 | FastAPI-based AI tools exposed to authentication bypass by flaw in Starlette framework intermediate | Library update addressing CVE-2026-48710 in Starlette, the framework powering FastAPI, which allows authentication bypass via malformed Host headers. This flaw, rated as High by researchers at X41 D-Sec, can lead to SSRF and RCE in AI tools, model-serving infrastructure, and API gateways. A patch is available in Starlette 1.0.1 and later. → csoonline.com |
| 2026-05-28 NEW 2026 | FastAPI-based AI tools exposed to authentication bypass by flaw in Starlette framework intermediate | Tool for detecting authentication bypass vulnerabilities in applications built with the Starlette framework, which powers FastAPI. The flaw, CVE-2026-48710, allows unauthenticated attackers to bypass host-validation protections by sending malformed Host headers containing special characters like slashes or question marks. This can lead to authentication bypass, SSRF, and potentially remote code execution, impacting LLM gateways, MCP servers, and agent infrastructure. A website, badhost.org, is available to test for the vulnerability. |
| 2026-05-27 NEW 2026 | Attackers Can Exploit BadHost to Access Sensitive AI Agent Server Endpoints intermediate | Vulnerability, CVE-2026-48710, named BadHost, allows attackers to bypass authentication in AI agent servers by manipulating HTTP Host headers. This critical flaw affects Starlette versions before 1.0.1, a framework underpinning many FastAPI applications used for LLM inference, agent frameworks, and MCP gateways. Attackers can exploit this to access sensitive AI models, internal tools, and API keys by causing the application to misinterpret request paths. Upgrading Starlette, using more robust authentication mechanisms in FastAPI, or employing reverse proxies can mitigate this risk. → cybersecuritynews.com |
| 2026-05-27 NEW 2026 | Vulnerability in open-source component puts AI platforms at risk news | Library affecting Starlette, a foundational framework for AI platforms like FastAPI, vLLM, and LiteLLM, is vulnerable due to CVE-2026-48710, dubbed BadHost. This flaw allows attackers to bypass access controls by manipulating HTTP Host headers, potentially exposing internal applications, authentication data, API keys, and sensitive corporate information, especially within AI agents that interact with external data sources. A patch is available in Starlette 1.0.1. → techzine.eu |
| 2026-05-26 NEW 2026 | Ghost CMS vulnerability exploited in large-scale campaign news | Analysis of CVE-2026-26980, a critical SQL injection in Ghost CMS affecting versions 3.24.0 through 6.19.0, details its exploitation in a large-scale campaign. Attackers leverage this vulnerability to steal admin API keys, inject malicious JavaScript, and deploy malware like UtilifySetup.exe via ClickFix attack flows. The campaign impacts numerous domains, including universities and companies, with a fix available in Ghost CMS 6.19.1. → scworld.com |
| 2026-05-25 NEW 2026 | What Actually Matters For Web Application Security In The AI Era? beginner | Analysis of web application security in the AI era highlights the evolving threat landscape, with AI-driven attacks projected to reach 28 million globally in 2025. Traditional perimeter-based security is insufficient as modern applications rely heavily on APIs, cloud services, and AI-driven features, significantly expanding the attack surface. API security incidents are prevalent, affecting 87% of organizations, and AI-generated code exhibits a 2.7x higher vulnerability density, frequently including SQL injection and cross-site scripting. Effective security is now a design decision, requiring proactive architectural planning for authentication, API authorization, and session management, rather than reactive remediation. |
| 2026-05-23 2026 | CISA adds Langflow Origin Validation Flaw to Known Exploited Vulnerabilities Catalog news | Vulnerability CVE-2025-34291 is an origin validation flaw in Langflow, a tool for AI workflows, caused by an overly permissive CORS configuration combined with SameSite=None cookies. This allows malicious websites to execute authenticated cross-origin requests, enabling attackers to steal refresh tokens, call backend authentication endpoints, potentially execute code, and achieve system compromise. CISA has added it to the Known Exploited Vulnerabilities catalog, urging immediate patching and review of CORS configurations. → cybersecuritynews.com |
| 2026-05-22 2026 | Cisco patches critical 10.0 flaw in Secure Workload APIs news | Analysis of CVE-2026-20223, a critical CVSS 10.0 authentication failure vulnerability in Cisco Secure Workload APIs, highlights systemic issues in access validation for management APIs and control planes. This critical flaw, alongside other recent authentication bypass bugs in Cisco products like SD-WAN controllers, emphasizes the escalating threat posed by AI-driven vulnerability discovery tools targeting large codebases. The situation underscores the necessity for immediate patching, robust "assume breach" design principles, and identity-based microsegmentation to mitigate risks from compromised security platforms and prevent lateral movement. → scworld.com |
| 2026-05-22 2026 | WordPress 7.0 Exposes AI API Keys news | Analysis of **WordPress 7.0** details a client-side vulnerability where browser autofill can expose AI API keys within the AI integration setup form. Patchstack founder Oliver Sild warns of increased hacker interest in these keys, which can be worth tens of thousands of dollars and are used for bot networks, scaled phishing, and malware generation. This issue highlights the elevated risk associated with integrating paid AI services and emphasizes the importance of credential hygiene and secure client-side form handling for WordPress users and plugin developers. → letsdatascience.com |
| 2026-05-22 2026 | Cisco Fixes CVE-2026-20223 Secure Workload API Flaw news | Advisory for CVE-2026-20223, a critical flaw in Cisco Secure Workload's internal REST API functions, rated CVSS 10.0 and categorized under CWE-306. This vulnerability allows unauthenticated remote attackers to access sensitive information and modify configurations across tenant boundaries with Site Admin privileges. Cisco has released patched versions for on-premises deployments, while SaaS versions are already secured. No workarounds exist, necessitating immediate upgrades. → thecyberexpress.com |
| 2026-05-22 2026 | Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access news | Analysis of CVE-2026-20223, a critical CVSS 10.0 flaw in Cisco Secure Workload, details how insufficient REST API validation and authentication allow unauthenticated attackers to access sensitive data and make configuration changes across tenant boundaries. The vulnerability impacts both SaaS and on-prem deployments and is addressed in Cisco Secure Workload Releases 3.10.8.3 and 4.0.3.17. → thehackernews.com |
| 2026-05-21 2026 | Cisco Patches Critical Vulnerability in Secure Workload news | Advisory for CVE-2026-20223, a critical vulnerability in Cisco Secure Workload affecting cluster software. Insufficient validation in REST API endpoints allows attackers with crafted requests to gain Site Admin privileges, read sensitive information, and modify configurations across tenant boundaries. Patched in Secure Workload versions 3.10.8.3 and 4.0.3.17. → securityweek.com |
| 2026-05-21 2026 | Critical Vulnerability in Cisco Secure Workload Threatens Enterprise API Security news | Writeup of CVE-2026-20223, a critical vulnerability in Cisco Secure Workload allowing unauthenticated administrative access via internal REST API endpoints. This flaw, with a CVSS score of 10.0 and classified as CWE-306, enables attackers to gain Site Admin privileges, access sensitive cross-tenant data, modify configurations, and disrupt operations. Patches are available for on-premises deployments (versions 3.10.8.3 for 3.10, 4.0.3.17 for 4.0, and migration for earlier versions), while SaaS environments are already remediated. Immediate upgrades are strongly advised as there are no workarounds. → gbhackers.com |
| 2026-05-21 2026 | Claude Code's Network Sandbox Vulnerability Exposes User Credentials and Source Code news | Writeup of Claude Code's SOCKS5 hostname null-byte injection vulnerability, which affected releases v2.0.24 through v2.1.89. This critical bypass, stemming from a parser differential between JavaScript and libc, allowed attackers to exfiltrate credentials, source code, and environment variables by crafting hostnames that tricked the JavaScript `endsWith()` check while resolving to a different, blocked host via `getaddrinfo()`. The issue, silently patched in v2.1.90, is a second consistent implementation failure following CVE-2025-66479, and was not publicly disclosed by Anthropic with a specific CVE. → cybersecuritynews.com |
| 2026-05-21 2026 | Cisco Secure Workload vulnerability can be exploited via API call news | Writeup of CVE-2026-20223, a critical unauthenticated vulnerability in Cisco Secure Workload granting full Site Admin privileges via internal REST API calls. This flaw, scoring 10.0 CVSS, allows attackers to read sensitive data and alter configurations across tenant boundaries. Cisco reports no workarounds exist, requiring immediate installation of fixed releases for affected versions (3.10.8.3 for 3.10, 4.0.3.17 for 4.0) or migration to supported versions. The vulnerability was discovered internally with no current signs of active exploitation. → techzine.eu |
| 2026-05-21 2026 | Cisco serves up yet another perfect 10 bug with Secure Workload admin flaw news | Writeup detailing Cisco Secure Workload's CVÉ-2026-3155, a perfect 10 vulnerability enabling remote unauthenticated administrative access. This flaw allows attackers to gain complete control of the system without any prior authentication, posing a significant risk to organizations utilizing the software. → theregister.com |
| 2026-05-21 2026 | Critical Cisco Secure Workload Vulnerability Enables Unauthorized API Access news | Writeup of CVE-2026-20223, a critical Cisco Secure Workload vulnerability allowing unauthenticated API access. Exploiting CWE-306 (Missing Authentication for Critical Function) via crafted REST API requests can grant Site Admin privileges, impacting tenant data and configurations across SaaS and on-premises deployments. Cisco has released patches for versions 3.10 and 4.0, with earlier versions requiring migration. → cybersecuritynews.com |
| 2026-05-21 2026 | Cisco Secure Workload Flaw Enables Unauthorized API Access news | Writeup of CVE-2026-20223 in Cisco Secure Workload, a critical flaw (CVSS 10.0) allowing unauthenticated remote attackers to gain Site Admin privileges via unprotected internal REST API endpoints. Exploitation bypasses all access controls, enabling cross-tenant exposure and configuration changes. Affecting both SaaS and on-premises deployments, remediation requires immediate patching to fixed releases (3.10.8.3 or 4.0.3.17) as no workarounds exist. → cyberpress.org |
| 2026-05-19 2026 | Drupal warns admins to brace for highly critical core patch news | Library for securing Drupal, warning administrators about a highly critical core patch to address vulnerabilities. This resource also touches upon AI-assisted API attacks, supply chain turbulence, data sovereignty, and identity resilience in cybersecurity. → theregister.com |
| 2026-05-18 2026 | Langflow Flaw Exploited to Steal AWS Keys and Deploy Botnet news | A critical vulnerability in Langflow, an open-source tool for building LLM applications, has been actively exploited. Attackers leveraged this flaw to gain unauthorized access to AWS keys. Following this compromise, the affected systems were used to deploy a botnet. The specifics of the exploit and the full extent of the damage are still under investigation. This incident highlights the security risks associated with open-source software and the importance of prompt patching and secure configuration. → sqmagazine.co.uk |
| 2026-05-16 2026 | PraisonAI Vulnerability Exploited Within Hours of Public Disclosure news | Writeup on CVE-2026-44338, a severe PraisonAI vulnerability in its legacy API server. This flaw, stemming from authentication being disabled by default in the Flask API, allows unauthenticated enumeration of agents via the `/agents` endpoint and task execution through `/chat` by targeting the `agents.yaml` workflow. Attackers can hijack agent operations, drain API quotas, and extract sensitive data. PraisonAI version 4.6.34 patches this issue, and users are advised to update or migrate to the secure "serve agents" command. → cybersecuritynews.com |
| 2026-05-15 2026 | Critical Next.js Flaw Exposes Cloud Credentials API Keys and Admin Panels news | Library patch addresses CVE-2026-44578, a critical Next.js vulnerability allowing server-side request forgery (SSRF) through malicious WebSocket upgrade requests. Attackers can exploit this unauthenticated flaw to steal cloud credentials, API keys, and access admin panels by targeting internal infrastructure and cloud metadata services. The vulnerability affects Next.js versions 13.4.13 through 16.2.4. Patched versions 15.5.16 and 16.2.5 implement stricter validation for WebSocket requests. Mitigations include avoiding direct internet exposure of origin servers and blocking unnecessary WebSocket requests at reverse proxies. → cyberpress.org |
| 2026-05-15 2026 | Anthropic faces scrutiny over Claude's architectural flaws after multiple security disclosures in May 2026 news | Analysis of Anthropic's Claude reveals architectural flaws leading to security disclosures in May 2026. Independent research identified issues with trust boundaries across multiple surfaces, enabling remote code execution and credential theft. CVE-2026-21852, patched in Claude Code version 2.0.65, allowed API key leakage from malicious repositories. Further incidents included an accidental leak of 512,000 lines of Claude Code's internal source code via an npm package, and concerns surrounding the use of Mythos-class vulnerability scanning tools. |
| 2026-05-14 2026 | Langflow CVE-2026-33017 Exploited to Steal AWS Keys and Deploy NATS Worker news | Library for securing Langflow, addressing CVE-2026-33017, an unauthenticated remote code execution flaw that allows attackers to steal AWS keys and deploy NATS workers. This vulnerability, added to the CISA KEV catalog, enables attackers to run commands within the Langflow container, dump sensitive environment variables, and pivot into cloud accounts for reconnaissance and abuse, including LLM jacking. Recommendations include patching Langflow and rotating affected cloud credentials. → cybersecuritynews.com |
| 2026-05-14 2026 | Critical WordPress Plugin Flaw Enables Authentication Bypass Attacks news | Writeup of CVE-2026-8181, a critical authentication bypass in Burst Statistics WordPress plugin affecting versions 3.4.0-3.4.1.1, allowing unauthenticated attackers to take administrator control with a single HTTP request by exploiting a flawed return-value check in the `is_mainwp_authenticated()` function. The vulnerability, patched in version 3.4.2, carries a CVSS score of 9.8 and requires only a known administrator username. → cyberpress.org |
| 2026-05-14 2026 | Innovation at the speed of AI" is the goal - but for most security teams it's a visibility nightmare. When AWS Bedrock agents are granted the power to execute API calls and modify data the | The Cyber Security Hub news | The article "Innovation at the speed of AI" highlights a significant challenge for security teams: lack of visibility. This issue intensifies when AWS Bedrock agents are empowered to execute API calls and modify data, creating potential security risks. The core problem lies in the difficulty for security teams to monitor and control the actions of these AI agents, hindering their ability to ensure robust security practices amidst rapid AI adoption. |
| 2026-05-14 2026 | Langflow CVE-2026-33017 Exploited to Steal AWS Keys Deploy NATS Worker news | Writeup detailing the exploitation of Langflow CVE-2026-33017, enabling attackers to steal AWS keys and deploy NATS workers. The vulnerability grants unauthenticated arbitrary Python execution, allowing access to environment variables and secrets. Attackers leverage this to compromise AWS environments, perform reconnaissance across various services like Bedrock and S3, and then deploy specialized Python and Go workers for credential harvesting. These workers communicate via a hardened NATS server, acting as covert command-and-control infrastructure for the "KeyHunter" project, which targets online code sandboxes and commercial LLM APIs. → gbhackers.com |
| 2026-05-14 2026 | PraisonAI vulnerability gets scanned within 4 hours of disclosure news | Writeup of CVE-2026-44338, an authentication bypass in PraisonAI's legacy Flask API server, details how internet scanners began probing vulnerable instances within four hours of disclosure. The flaw, affecting versions 2.5.6 to 4.6.33, stems from default authentication being disabled in `api_server.py`, allowing unauthenticated access to agent workflows. Researchers identified the "CVE-Detector/1.0" user-agent as a sign of early reconnaissance targeting specific PraisonAI endpoints. → csoonline.com |
| 2026-05-14 2026 | New MCP Security Flaws: Kubectl-mcp-server Archon OS and MarkItDown Vulnerabilities news | Library detailing vulnerabilities in widely used MCP tools, including CVE-2025-65719 and CVE-2025-69443 affecting Kubectl-mcp-server and Archon OS. These flaws expose over 140,000 GitHub stars to data exfiltration, credential theft, and lateral movement. The findings highlight systemic risks in AI supply chains due to unauthenticated and sandboxed MCP protocols, emphasizing the critical need for security at the integration layer rather than shifting responsibility to users. → ox.security |
| 2026-05-13 2026 | DDoS Protection for Insurance: Always-On Defense for Claims Quotes & APIs beginner | This article highlights the critical need for Always-On DDoS protection for insurance companies, specifically for their claims, quotes, and API services. It emphasizes that continuous availability is paramount to maintain customer trust and operational integrity. The proposed solution focuses on robust defense mechanisms to prevent service disruptions, ensuring that policyholders can access essential services like submitting claims or getting quotes without interruption, even under attack. → securityboulevard.com |
| 2026-05-12 2026 | JetBrains TeamCity vulnerability allows privilege escalation API exposure (CVE-2026-44413) news | Writeup of CVE-2026-44413, a critical vulnerability in JetBrains TeamCity, allowing privilege escalation and exposure of sensitive information like API tokens and build secrets. Attackers could leverage these credentials to compromise cloud infrastructure or source code repositories, impacting software delivery pipelines. Exploitation requires TeamCity account access, attainable through brute force or credential stuffing, or via enabled guest access. Affected versions include TeamCity On-Premises 2025.11.4 and earlier, with fixes available in 2026.1 or a security patch plugin. → helpnetsecurity.com |
| 2026-05-12 2026 | OpenAI Introduces Daybreak: A Cybersecurity Initiative That Puts Codex Security at the Center of Vulnerability Detection and Patch Validation beginner | Initiative utilizing OpenAI's Codex Security and frontier AI models to shift vulnerability detection and patch validation earlier into the development cycle. Daybreak assists with code review, dependency analysis, threat modeling, and patch validation, aiming to reduce analysis time from hours to minutes by reasoning across entire codebases, validating issues in isolated environments, and proposing patches for human review. It employs a tiered model structure (GPT-5.5, GPT-5.5 with Trusted Access, GPT-5.5-Cyber) and partners with over 20 security vendors across the stack, including Cloudflare, Cisco, CrowdStrike, Snyk, and Trail of Bits, to integrate into existing security toolchains. |
| 2026-05-11 2026 | Ollama Vulnerability Exposes Remote Process Memory news | Writeup of CVE-2026-7482, "Bleeding Llama," a critical heap out-of-bounds read in Ollama's GGUF model loader. This vulnerability allows for the leakage of process memory, including API keys and user conversation data, through the `/api/create` and `/api/push` endpoints, especially when Ollama is configured to bind to `0.0.0.0`. Versions prior to 0.17.1 are affected, with remediation involving an immediate upgrade and auditing of network-exposed instances. → letsdatascience.com |
| 2026-05-10 2026 | Ollama contains critical GGUF out-of-bounds read news | Writeup on CVE-2026-7482 details a critical heap out-of-bounds read in Ollama's GGUF model loader, affecting versions before 0.17.1. Exploitable via the unauthenticated /api/create endpoint with a crafted GGUF file, the vulnerability allows reading past allocated heap buffers, potentially leaking environment variables, API keys, and user data. This leaked data can be exfiltrated using the /api/push endpoint. Roughly 300,000 Ollama deployments are estimated to be publicly reachable, increasing the attack surface. → letsdatascience.com |
| 2026-05-10 2026 | Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak news | Library detailing CVE-2026-7482, a critical out-of-bounds read vulnerability in Ollama's GGUF model loader that allows remote attackers to leak process memory, potentially exposing API keys and user data. It also covers two unpatched Windows vulnerabilities, CVE-2026-42248 (missing signature verification) and CVE-2026-42249 (path traversal), which can be chained for persistent code execution by influencing update responses. → thehackernews.com |
| 2026-05-09 2026 | Critical Ollama Memory Leak Vulnerability Exposes 300000 Servers Globally news | Writeup of CVE-2026-7482, dubbed "Bleeding Llama," a critical vulnerability affecting Ollama deployments before version 0.17.1. This flaw allows unauthenticated attackers to trigger an out-of-bounds heap read via a crafted GGUF file, exfiltrating sensitive data like prompts, system instructions, and environment variables by preserving leaked memory during model conversion. Approximately 300,000 servers are at risk, with potential exposure of API keys and proprietary code. → cybersecuritynews.com |
| 2026-05-09 2026 | New ZiChatBot Malware Uses Zulip REST APIs as Command and Control Server news | Library for detecting the ZiChatBot malware, which exploits Zulip REST APIs for command and control. This cross-platform malware, identified by Securelist and linked to the OceanLotus APT group (APT32), was distributed via malicious Python packages on PyPI, including fake libraries like uuid32-utils, colorinal, and termncolor. ZiChatBot uses two channel-topic pairs within Zulip to exfiltrate system information and receive shellcode commands, with execution confirmed by a heart emoji response. The dropper employs AES encryption and self-deletion for stealth. |
| 2026-05-07 2026 | Ollama vulnerability highlights danger of AI frameworks with unrestricted access news | Library for running AI models on local hardware, Ollama, suffers from CVE-2026-7482, dubbed Bleeding Llama. This vulnerability, an out-of-bounds heap read in the model quantization pipeline, allows unauthenticated attackers to craft malicious GGUF files. Uploading these files via the API endpoint triggers a leak of sensitive process memory, including system prompts, user messages, environment variables, API keys, and proprietary code. Exploitation requires only three API requests to exfiltrate this data. Mitigation involves updating to Ollama version 0.17.1, using authentication proxies, and implementing IP access filters and firewalls. → csoonline.com |
| 2026-05-07 2026 | API Security Operations: How to Move from Visibility to Measurable Risk Reduction beginner | This article, "API Security Operations: How to Move from Visibility to Measurable Risk Reduction," discusses the transition from simply identifying API security vulnerabilities to actively reducing measurable risk. It likely outlines strategies and best practices for organizations to enhance their API security posture. The core message centers on moving beyond basic detection to implementing proactive measures that demonstrably improve security and minimize potential threats. The provided link points to further details on this topic. No specific bounty payout amount is mentioned. → securityboulevard.com |
| 2026-05-07 2026 | Critical Argo CD Vulnerability Enables Kubernetes Secret Extraction news | Vulnerability in Argo CD (CVE-2026-42880) allows low-privileged users to extract Kubernetes Secrets from etcd by bypassing data-masking in the ServerSideDiff endpoint, especially when compare-options with mutation webhooks are enabled. Exploitation requires minimal skill, with a proof-of-concept script automating the extraction of credentials like service account tokens and API keys. Patched versions 3.3.9 and 3.2.11 are available, and organizations should audit configurations and consider interim mitigations like restricting endpoint access. → cyberpress.org |
| 2026-05-06 2026 | Major AI platform Ollama critically leaking: 300000 servers exposed to hackers news | Ollama, a popular AI platform, is critically vulnerable, exposing approximately 300,000 servers to potential hacking. This significant security lapse could allow unauthorized access to sensitive data and systems running on these servers. The extent of the breach and the specific nature of the leak are still under investigation, but the large number of affected servers highlights a major security concern within the AI infrastructure. Further details on remediation and the exact impact are expected as the situation develops. → cybernews.com |
| 2026-05-06 2026 | Argo CD's ServerSideDiff Vulnerability Enables Kubernetes Secret Extraction news | Library with CVE-2026-43824 allows low-privileged users to extract plaintext Kubernetes Secrets from Argo CD environments. This critical flaw, discovered by Alexmt and Hoang-Prod, bypasses data-masking in the ServerSideDiff endpoint when `IncludeMutationWebhook=true` is set. Attackers with read-only access can exploit this to steal sensitive operational data like passwords and tokens. Users are urged to upgrade to patched versions 3.3.9 or 3.2.11, or apply mitigations such as removing the annotation and tightening RBAC. → cybersecuritynews.com |
| 2026-05-06 2026 | Zero-Auth Flaw Exposes DoD Contractor to Cross-Tenant Data Access news AuthZ | Writeup of a zero-authorization vulnerability in Schemata's API, a platform with DoD contracts, which exposed sensitive military training materials and service member records. Discovered by the Strix agent, the flaw lacked tenant isolation and authorization boundaries, allowing low-privileged accounts to access cross-tenant data and potentially modify or delete training courses. The exposed information included user lists, AWS S3 links to confidential training manuals, and Army field manuals. Schemata acknowledged and patched the vulnerability after 150 days, following private disclosure. → cybersecuritynews.com |
| 2026-05-06 2026 | Palo Alto Networks PAN-OS flaw exploited for remote code execution news RCE | Writeup of CVE-2026-0030, a critical PAN-OS buffer overflow vulnerability exploited for unauthenticated remote code execution with root privileges. The flaw primarily targets PA-Series and VM-Series firewalls where the User-ID Authentication Portal is exposed to the internet. Palo Alto Networks advises restricting access to trusted internal IP addresses to mitigate this risk, noting limited exploitation has been observed. Fixes are anticipated by May 13, 2026. → securityaffairs.com |
| 2026-05-06 2026 | Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution news RCE | Writeup on CVE-2026-0300, a critical buffer overflow vulnerability in Palo Alto Networks' PAN-OS software, enabling unauthenticated remote code execution with root privileges. This flaw, exploitable via specially crafted packets and impacting specific versions of PAN-OS, has seen limited exploitation in the wild, primarily targeting publicly accessible User-ID Authentication Portals on PA-Series and VM-Series firewalls. Fixes are planned, with interim mitigation strategies including restricting or disabling the User-ID Authentication Portal. → thehackernews.com |
| 2026-05-06 2026 | n8n: From Parsing Bug to Remote Code Execution aka CVE-2026-42231 news RCE | Writeup detailing CVE-2026-42231 in n8n, a node-based workflow automation tool. This vulnerability chain exploits a prototype pollution primitive within the xml2js XML parsing library, stemming from semantic quirks in its CoffeeScript origins. The research demonstrates how this seemingly low-severity bug, when combined with specific gadget chains in n8n's internal modules like `@n8n/node-cli`, can escalate to unauthenticated remote code execution, bypassing previous mitigations against `spawn` exploitation. |
| 2026-05-05 2026 | Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API news RCE | Weaver E-cology RCE Flaw CVE-2026-22679 is being actively exploited through its debug API. This vulnerability allows for remote code execution, meaning attackers can potentially run arbitrary code on affected systems. The exploit leverages a weakness in the debug functionality, making it a critical security concern for organizations using Weaver E-cology. Further details on the exploit and mitigation strategies are available via the provided link. → thehackernews.com |
| 2026-05-02 2026 | Cursor AI Flaw Lets Hackers Steal API Keys and Run Code Silently news RCE Secrets | Library for securing AI-powered development tools, addressing critical flaws in Cursor AI that allow attackers to steal API keys and session tokens via unencrypted SQLite databases. Vulnerabilities, including CursorJacking, stem from poor credential storage and weak extension isolation, enabling malicious extensions to exfiltrate sensitive data silently. Additionally, CVE-2026-26268 details how the AI agent can execute code through Git hooks in untrusted repositories, bypassing user awareness. → sqmagazine.co.uk |
| 2026-05-01 2026 | CVE-2026-42208: Pre-Authentication SQL Injection in LiteLLM Exposes API Credentials news SQLi | A critical pre-authentication SQL injection vulnerability, CVE-2026-42208, has been discovered in LiteLLM. This flaw allows attackers to bypass authentication and execute arbitrary SQL commands. The vulnerability can be exploited to steal sensitive information, including API credentials, potentially leading to unauthorized access and misuse of services. The impact is significant as it affects the security of systems relying on LiteLLM for API management. Further details and mitigation strategies are available via the provided link. → securityboulevard.com |
| 2026-04-30 2026 | Google Gemini CLI Vulnerabilities Allow Attackers to Execute Commands on Host Systems news RCE | Library patches address critical remote code execution vulnerabilities in the Google Gemini CLI and its associated GitHub Action, allowing attackers to execute commands on host systems by exploiting the CLI's automatic workspace trust in non-interactive environments. Attackers could inject malicious agent configurations via pull requests, triggering code execution before the AI sandbox initializes and granting access to sensitive credentials and source code, posing significant supply-chain risks similar to incidents involving Axios, Shai-Hulud, and XZ Utils. → cybersecuritynews.com |
| 2026-04-30 2026 | Qinglong Task Scheduler RCE Vulnerabilities Exploited in the Wild news RCE | Writeup detailing CVE-2026-3965 and CVE-2026-4047, two authentication bypass vulnerabilities in Qinglong task scheduler versions 2.20.1 and earlier. These flaws, exploited in early 2026, allowed unauthenticated attackers to achieve remote code execution for cryptomining operations, specifically installing the `.fullgc` malware. The vulnerabilities stem from a URL rewrite rule mishandling `/open/*` requests and case-insensitive URL handling on `/api/*` endpoints, leading to credential reset and direct RCE. → cybersecuritynews.com |
| 2026-04-30 2026 | CVE MCP Server Turns Claude Into a Full-Spectrum Security Analyst With 27 Tools Across 21 APIs news AI | Library for integrating Anthropic's Claude AI with 27 security tools across 21 APIs, enabling natural-language vulnerability triage. It consolidates data from NVD, EPSS, CISA KEV, VirusTotal, Shodan, and GitHub, incorporating MITRE ATT&CK and CAPEC techniques. The system features a weighted risk scoring formula, considers exploitability and network intelligence, and includes DevSecOps tools like dependency scanning for OSV.dev and GitHub advisories. → cybersecuritynews.com |
| 2026-04-29 2026 | Cursor Vulnerability Exposes Developer API Tokens news | A security vulnerability in Cursor has been disclosed, potentially exposing developer API tokens. The vulnerability, detailed in a linked article, raises concerns about the security of sensitive credentials used by developers on the platform. Specific details on the vulnerability's nature and impact, or any associated bug bounty payout, are not provided in the given content. → letsdatascience.com |
| 2026-04-29 2026 | SLOTAGENT Malware Hides API Calls and Strings to Thwart Analysis intermediate | Library provides an IDA Python script to decrypt strings obfuscated with a TEA-like algorithm within the SLOTAGENT RAT. This malware, discovered in early 2026, employs advanced evasion techniques including dynamic API resolution via XOR and ROR11 hashing, RC4 decryption of its `db.config` file, and reflective loading of XOR-encoded payloads. SLOTAGENT communicates with its C2 server at 43.156.59[.]110:699 using a proprietary HTTP-like protocol and offers extensive post-exploitation capabilities like screenshotting, file operations, remote shell, BOF execution, and time stomping. → gbhackers.com |
| 2026-04-28 2026 | ClickUp is leaking customer data via hardcoded API key researcher claims news Secrets | A security researcher claims that ClickUp is leaking customer data due to a hardcoded API key. This vulnerability could potentially expose sensitive information belonging to ClickUp users. The specifics of the data leak and its extent are not detailed in the provided content. → cybernews.com |
| 2026-04-28 2026 | ClickUp Hardcoded API Key Exposes 959 Emails from Fortune 500 Giants news Secrets | Writeup detailing a hardcoded Split.io SDK token within ClickUp's JavaScript bundle, which allowed an attacker to access 959 employee email addresses from Fortune 500 companies and government organizations. The incident also uncovered a Server-Side Request Forgery (SSRF) vulnerability in ClickUp's webhook functionality, enabling unauthorized internal requests to services like AWS metadata, potentially leading to cloud infrastructure compromise. → cyberpress.org |
| 2026-04-28 2026 | LiteLLM Contains Critical SQL Injection Vulnerability intermediate SQLi | LiteLLM, a library simplifying API calls to LLMs, has a critical SQL injection vulnerability. This flaw allows attackers to execute arbitrary SQL queries, potentially leading to data breaches, unauthorized access, or system compromise. The vulnerability arises from improper sanitization of user-supplied input within the library's database interaction logic. Users are strongly advised to update LiteLLM to the latest version to patch this critical security flaw and protect their systems. No specific bounty payout amount was mentioned. → letsdatascience.com |
| 2026-04-28 2026 | ClickUp Security Flaw Exposes 959 Emails Linked to Major Fortune 500 Firms news | Writeup on a ClickUp security flaw that exposed 959 emails from Fortune 500 firms and government agencies due to a hardcoded Split.io SDK token. The vulnerability, unaddressed for over 15 months, allowed attackers to extract sensitive backend data and government worker emails. A separate Server-Side Request Forgery (SSRF) vulnerability in the webhook API also enabled attackers to retrieve internal AWS IAM credentials. Despite ClickUp's multiple security certifications like SOC 2 and ISO 27001, these critical flaws went unnoticed by automated checks and audits. → gbhackers.com |
| 2026-04-27 2026 | Multiple OpenClaw Vulnerabilities Enable Policy Bypass and Host Override Attacks intermediate | Library updates address three moderate-severity vulnerabilities in OpenClaw, an AI agent framework, impacting npm package versions prior to 2026.4.20. Exploits could allow policy bypass via prompt injection to override sandbox policies and filesystem protections, tool bypass by bundled MCP and LSP components despite deny lists, and credential exposure through a malicious .env file that overrides MINIMAX_API_HOST, leading to API key leakage. Administrators must upgrade to version 2026.4.20. → cyberpress.org |
| 2026-04-23 2026 | New LMDeploy Vulnerability Exploited in the Wild Just 12 Hours After Public Advisory news | Writeup of CVE-2026-33626, a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy, which was weaponized in the wild just 12 hours after its GitHub advisory. The flaw in the `load_image()` function allows attackers to coerce LMDeploy servers to make HTTP requests to internal networks, cloud metadata services, or other protected endpoints, as demonstrated by attempts to exfiltrate AWS IAM credentials and probe internal services like Redis and MySQL. Exploitation occurred rapidly without public proof-of-concept code, highlighting a growing trend in AI infrastructure attacks. → cyberpress.org |
| 2026-04-23 2026 | wapiti-scanner/wapiti: Web vulnerability scanner written in Python3 beginner Python | Library for black-box web vulnerability scanning. Wapiti works by fuzzing web applications, sending payloads, and analyzing responses for vulnerabilities such as SQL Injection, XSS, File Disclosure, XXE, CRLF Injection, Shellshock, SSRF, Open Redirects, and Log4Shell (CVE-2021-44228) and Spring4Shell (CVE-2020-5398) detection. It supports proxy configuration, HTTP authentication, session management, and generates reports in HTML, XML, JSON, TXT, and CSV formats. The library can also fingerprint web technologies using Wappalyzer and enumerate CMS modules for platforms like WordPress. |
| 2026-04-23 2026 | Microsoft issues out-of-band patch for critical security flaw in update to ASP.NET Core news | Library update CVE-2026-40372 introduces a critical flaw in ASP.NET Core's Data Protection Library on Linux, macOS, and Windows. A bug in the .NET 10.0.6 package causes incorrect HMAC validation, allowing attackers to forge payloads and decrypt protected tokens and cookies. This requires rebuilding embedded applications, expiring affected tokens, and rotating credentials. → csoonline.com |
| 2026-04-22 2026 | Microsoft releases emergency patches for critical ASP.NET flaw news | Library updates address critical ASP.NET Core privilege escalation vulnerability (CVE-2026-40372) in Data Protection cryptographic APIs. This flaw allows unauthenticated attackers to forge authentication cookies, potentially gaining SYSTEM privileges, disclosing files, and modifying data. The regression impacts Microsoft.AspNetCore.DataProtection NuGet packages from 10.0.0-10.0.6. Updates to 10.0.7 are recommended, followed by key ring rotation for full remediation. Previously, Microsoft patched an HTTP request smuggling bug (CVE-2025-55315) in the Kestrel web server. → bleepingcomputer.com |
| 2026-04-22 2026 | A Deep Dive on the Most Critical API Vulnerability: BOLA intermediate | A Deep Dive on the Most Critical API Vulnerability: BOLA |
| 2026-04-22 2026 | What Is Broken Object Property Level Authorization? beginner | Guide to Broken Object Property Level Authorization, ranked third on OWASP's API Security Top 10 for 2023, details how APIs often fail to restrict access to individual data fields within objects. It covers how this vulnerability manifests in REST and GraphQL APIs, its business impact, and methods for implementing granular property-level access controls to prevent unauthorized reading and modification of sensitive data like internal identifiers or account status. → paloaltonetworks.com |
| 2026-04-22 2026 | What Is Broken Object Level Authorization? beginner | Reference detailing Broken Object Level Authorization (BOLA), the top API security risk according to OWASP. This vulnerability arises when APIs fail to properly validate object permissions after function-level access is granted, allowing attackers to manipulate object identifiers within requests, such as direct object references in RESTful APIs, to access unauthorized data. The resource contrasts BOLA with Broken Function Level Authorization (BFLA), emphasizing that BOLA exploits parameter manipulation within authorized endpoints, not privilege escalation. → paloaltonetworks.com |
| 2026-04-22 2026 | This Is How I Hacked an API Using Mass Assignment Vulnerability intermediate | Writeup detailing a silent privilege escalation via mass assignment in a REST API. The author demonstrates how trusting client-supplied JSON in profile update endpoints, where the backend blindly maps request fields to models without an allowlist, can lead to attackers silently gaining administrative privileges. This is achieved by "over-posting" extra fields like "role" or boolean flags, such as "is_admin", which the API then updates, effectively bypassing authorization. The writeup highlights common locations for this vulnerability, including profile updates, registration, and admin edit endpoints, and stresses the importance of explicit field allowlisting and using separate DTOs to prevent such flaws. |
| 2026-04-22 2026 | CVE-2026-34839: CORS Vulnerability in Glances REST API news | CVE-2026-34839: CORS Vulnerability in Glances REST API |
| 2026-04-22 2026 | API ThreatStats Report 2026 news | API ThreatStats Report 2026 |
| 2026-04-22 2026 | VAmPI: Vulnerable REST API with OWASP Top 10 Vulnerabilities beginner | Library implementing OWASP Top 10 API vulnerabilities, including SQLi, unauthorized password change, broken object level authorization, mass assignment, excessive data exposure, user and password enumeration, RegexDOS, lack of resources and rate limiting, and JWT authentication bypass. VAmPI is built with Flask, offers a global switch to enable or disable vulnerabilities, and includes OpenAPI 3 specs and a Postman collection for testing and learning purposes. It can be run locally via Python or Docker. |
| 2026-04-22 2026 | API4:2023 Unrestricted Resource Consumption beginner | API4:2023 Unrestricted Resource Consumption |
| 2026-04-22 2026 | 1H 2026 State of AI and API Security Report (Salt) news | 1H 2026 State of AI and API Security Report (Salt) |
| 2026-04-22 2026 | PortSwigger Lab: Exploiting a Mass Assignment Vulnerability intermediate | Lab walkthrough demonstrating exploitation of a mass assignment vulnerability to purchase a product. The lab involves logging in with `wiener:peter`, adding an item to the basket, and then identifying and manipulating a `chosen_discount` parameter within the `/api/checkout` POST request. By adding this hidden parameter and altering its value, users can bypass credit limitations and solve the exercise. → portswigger.net |
| 2026-04-21 2026 | Lovable left thousands of projects exposed for 48 days and the vibe coding security crisis is only getting worse news | Library for detecting vulnerabilities in AI-generated code, specifically addressing issues found in "vibe coding" platforms like Lovable. It highlights common flaws such as broken object-level authorization, exposed database credentials, and AI hallucination-related vulnerabilities, noting that 40-62% of AI-generated code contains security flaws and that market incentives often prioritize growth over security in this rapidly expanding field. |
| 2026-04-21 2026 | Lovable AI App Builder Reportedly Exposes Thousands of Project Data via API Flaw news | Analysis of an API flaw in the Lovable AI app builder reveals potential exposure of sensitive project data, including source code, credentials, and user information. The vulnerability, reportedly exploitable by free account users, stems from inconsistent API security implementation that fails to protect projects created before November 2025. Researchers demonstrated that older projects return "200 OK" responses for unauthorized access attempts, whereas newer projects correctly return "403 Forbidden." Exposed data can include AI conversation histories containing technical details and customer information, potentially impacting employees from major technology companies like Nvidia, Microsoft, Uber, and Spotify. → cyberpress.org |
| 2026-04-21 2026 | Vibe coding upstart Lovable denies data leak cites 'intentional behavior' then throws HackerOne under the bus news | Writeup detailing a Broken Object Level Authorization (BOLA) vulnerability exploited by an OSINT researcher against Vibe coding platform Lovable. The vulnerability allowed unauthorized access to sensitive user data, including credentials, chat history, and source code, via publicly accessible projects. Lovable's initial response attributed the exposure to "intentional behavior" and unclear documentation before blaming bug bounty platform HackerOne for mishandling the researcher's report. → theregister.com |
| 2026-04-21 2026 | Lovables API flaw exposed private project data from the $6.6 billion AI app builder used by Nvidia and Microsoft teams news | Analysis of a Lovable API vulnerability that exposed chat histories, source code, and Supabase API keys from projects created before November 2025. The flaw, reported via HackerOne in March 2026, stemmed from missing ownership checks on API endpoints, allowing any authenticated user to access data from older projects, impacting users at companies like Nvidia and Microsoft. Affected users are advised to rotate all credentials used within the platform. |
| 2026-04-21 2026 | Lovable AI App Builder Hit by Reported API Flaw Exposing Thousands of Projects news | Writeup on an API flaw in the Lovable AI app builder, allowing unauthorized access to thousands of older projects. Disclosed 48 days ago by @weezerOSINT on X, the vulnerability grants free account holders access to source code, database credentials, customer information, and AI chat histories, potentially exposing data from users at companies like Nvidia, Microsoft, Uber, and Spotify. The bug stems from inconsistent patching, where projects created before November 2025 return a 200 OK status, while newer ones are protected. → gbhackers.com |
| 2026-04-21 2026 | Lovable Left Thousands of Projects Exposed for 48 Days And Still Hasn't Fixed It news | Writeup of BOLA vulnerability in Lovable.dev API exposing source code, database credentials, and AI chat histories. The flaw, affecting projects created before November 2025, allows free account users to access sensitive data from other users. This vulnerability, reported on HackerOne, highlights systemic security issues in AI-assisted development platforms, similar to the recent Vercel incident linked to Context.ai. Lovable has addressed chat history exposure but maintains source code visibility on public projects is intentional. |
| 2026-04-21 2026 | API Security Risks Rise as AI Adoption Accelerates beginner | Survey of API security risks stemming from AI adoption, revealing that 49% of organizations struggle to monitor machine-to-machine traffic and 48% cannot distinguish AI agents from bots. The report highlights amplified vulnerabilities like broken object-level authorization (BOLA) and challenges with AI-generated code security, noting traditional SAST and DAST tools are insufficient. Attackers increasingly target authenticated access, with 99% of attempts originating from such entities, underscoring the need for continuous verification and behavioral monitoring. → esecurityplanet.com |
| 2026-04-20 2026 | Lovable AI App Builder Reportedly Exposes Customer Data From Projects via Unpatched API Flaw news | Writeup on a Broken Object Level Authorization (BOLA) vulnerability in Lovable, an AI app builder, allowing unauthorized access to project data including source code, database credentials, and customer information. The flaw, unpatched for projects created before November 2025, enables free-tier users to make unauthenticated API calls to retrieve sensitive data via endpoints like `api.lovable.dev/GetProjectMessagesOutputBody`. Researchers found exposed Supabase credentials and data from individuals at Accenture Denmark and Copenhagen Business School, along with potential risks for employees at Nvidia, Microsoft, Uber, and Spotify. This issue was previously reported on HackerOne as duplicate report #3583821. → cybersecuritynews.com |
| 2026-04-19 2026 | BOLA API Attack & Prevention — StackHawk intermediate AuthZ | Library detailing Broken Object Level Authorization (BOLA) vulnerabilities, the #1 API security risk. BOLA occurs when APIs fail to verify user permissions for specific data objects, allowing unauthorized access to sensitive information like financial or medical records by manipulating predictable identifiers or bypassing ownership checks. The resource explains BOLA's prevalence, the distinction from IDOR, root causes like over-reliance on object identifiers and insufficient authorization focus, and provides examples of attacks against social media profiles and medical records. |
| 2026-04-19 2026 | Broken Object-Level Authorization (BOLA): What It Is and How to Prevent It beginner | Reference explaining Broken Object-Level Authorization (BOLA), the most common API vulnerability, where unchecked object identifiers expose sensitive data. It details how attackers exploit BOLA by manipulating identifiers, the risks in microservices, and secure coding practices involving server-side authorization checks on every request. The article highlights compliance implications under GDPR and HIPAA, and prevention strategies including robust authorization logic, opaque identifiers, and automated API security testing to detect variants like insecure direct object references (IDOR). → invicti.com |
| 2026-04-19 2026 | OWASP Top 10 API Security Risks and How to Mitigate Them — Pynt beginner | Library of techniques and examples for mitigating the OWASP API Security Top 10 risks, including Broken Object Level Authorization (BOLA), Broken Authentication, and Server-Side Request Forgery (SSRF). It details practical defenses like fine-grained authorization, secure authentication protocols, and rate limiting. The resource also highlights how tools can automate detection of these vulnerabilities during development, addressing common weaknesses such as misconfigurations and improper inventory management. |
| 2026-04-19 2026 | OWASP API Security Top 10 Vulnerabilities — 2025 beginner | Reference detailing the OWASP API Security Top 10 Vulnerabilities for 2025, including risks like Broken Object Level Authorization (BOLA), Broken Authentication, Broken Object Property Level Authorization, and Unrestricted Resource Consumption. It outlines how these vulnerabilities are exploited through mechanisms like ID manipulation, weak credential handling, excessive data exposure, and resource overuse, and provides prevention strategies such as enforcing authorization, implementing standardized token practices, using short-lived access tokens, restricting data exposure, preventing mass assignment, and employing rate limiting. |
| 2026-04-16 2026 | MCP Access Control: OPA vs Cedar - Natoma advanced | Reference comparing Open Policy Agent (OPA) and AWS Cedar for MCP access control. Independent research indicates Cedar offers stronger security guarantees, deterministic behavior, and formal verification, excelling in safety-critical or AWS-centric environments with simpler policies. OPA, with its Rego language, provides greater expressiveness and integration capabilities, making it suitable for complex logic and mature operational scenarios. The choice depends on prioritizing security and performance (Cedar) versus flexibility and extensive integrations (OPA). |
| 2026-04-16 2026 | Stateful REST API Fuzzing with RESTler intermediate | Tool for stateful REST API fuzzing, RESTler utilizes Swagger/OpenAPI specifications to automatically generate fuzzing grammars. It executes sequences of requests, where resources created by earlier requests are consumed by subsequent ones, enabling the discovery of input validation flaws, authentication issues, and resource management bugs. RESTler's extensible design allows for custom security checkers to be plugged into its fuzzing loop, and it can help validate API specifications for consistency and completeness. |
| 2026-04-16 2026 | Inside Modern API Attacks: 2026 API ThreatStats Report - Wallarm news | Report analyzing 2025 API attack trends from Wallarm's 2026 API ThreatStats Report, highlighting APIs as the primary attack surface due to compounding failures in identity, exposure, and abuse. It details that 43% of CISA KEVs and 36% of AI vulnerabilities are API-related. Attack vectors like Cross-Site Issues, Injection, and Broken Access Control are prevalent, with 97% of vulnerabilities exploitable by a single request and 98% being easy or trivial to exploit. |
| 2026-04-16 2026 | OWASP API Security Testing Framework beginner | Library for automated API security validation, the OWASP API Security Testing Framework (ASTF) identifies vulnerabilities based on the OWASP API Security Top 10. It supports REST, GraphQL, and gRPC, offers a comprehensive test suite, CI/CD integration, customizable rules, and detailed reporting with remediation guidance, incorporating real-world attack patterns. → owasp.org |
| 2026-04-16 2026 | Kong API Gateway Misconfigurations Case Study - Trend Micro news | Library for securing Kong API Gateway deployments, detailing common misconfigurations such as exposing the administration API and missing firewall rules. It highlights the risk of storing secrets like API keys in plain text within the database, especially in the community version lacking robust encryption and vault support. The entry emphasizes the importance of secure access controls and proper network segmentation to prevent unauthorized access and potential back-end compromise. → trendmicro.com |
| 2026-04-16 2026 | API Security Testing: Tools and Techniques - API7.ai beginner | Library for comprehensive API security testing, detailing static analysis with tools like Semgrep and Gosec, dynamic testing using OWASP ZAP and StackHawk, and penetration testing with Burp Suite. It emphasizes business logic testing for BOLA and IDOR vulnerabilities, highlighting specialized tools such as Escape and Cequence. The resource also covers AI-powered protection, API gateway enforcement, and open-source developer tools, stressing discovery and inventory mapping with Akto and Noname. |
| 2026-04-16 2026 | BOLA and BFLA: The API Vulnerabilities That Silently Expose Data beginner | Library for identifying and mitigating Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA) vulnerabilities in APIs. These OWASP API Security Top 10 risks, often missed by automated scanners, allow unauthorized access to user data or administrative functions by failing to enforce object ownership and role-based access controls server-side. The library's approach mirrors penetration testing methodologies, emphasizing multi-account testing and endpoint function enumeration to uncover these critical business-logic flaws. |
| 2026-04-16 2026 | API Penetration Testing: Complete Guide beginner | Reference covering API penetration testing methodology, focusing on techniques to identify and exploit vulnerabilities in programmatic interfaces. It details threats from the OWASP API Security Top 10, including Broken Object Level Authorization (BOLA), Broken Authentication, and Server Side Request Forgery (SSRF). The guide also discusses security differences and testing approaches for REST, GraphQL, and gRPC architectures. |
| 2026-04-16 2026 | How to Protect APIs from OWASP Authorization Risks: BOLA, BOPLA and BFLA - 42Crunch intermediate | Guide to defending against OWASP API authorization risks, focusing on Broken Object Level Authorization (BOLA), Broken Object Property Level Authorization (BOPLA), and Broken Function Level Authorization (BFLA). It emphasizes making authorization auditable, defining rules in OpenAPI contracts, and integrating API audit and scan testing tools into IDEs and CI/CD pipelines for early detection and remediation of vulnerabilities. |
| 2026-04-16 2026 | Securing the Gates: Mastering BOLA and BFLA in API Security intermediate | Writeup detailing Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA) vulnerabilities in API security. The resource demonstrates how BOLA allows unauthorized access to sensitive data by exploiting improper authorization checks on specific objects, using OWASP crAPI and Firefox Containers to illustrate intercepting and altering requests. It then explores BFLA, where users can execute functions beyond their permitted scope, showcasing how changing endpoint parameters from "user" to "admin" can lead to unauthorized actions like deleting other users' videos. |
| 2026-04-16 2026 | DAST Tools: Complete Buyer's Guide & 10 Solutions to know in 2026 beginner | Guide to Dynamic Application Security Testing (DAST) tools focusing on critical features for modern applications. It details common frustrations with legacy scanners, such as excessive configuration, high false positive rates, poor API testing capabilities (specifically for GraphQL and REST), and weak CI/CD integration. The guide highlights essential criteria for evaluating new DAST solutions, including business logic vulnerability detection (BOLA, IDOR), low false positive rates with proof-based scanning, native API protocol support for REST and GraphQL, and deep CI/CD integration. It contrasts these with the limitations of older tools, emphasizing the need for DAST solutions that can keep pace with rapid development cycles and complex application architectures. → securityboulevard.com |
| 2026-04-15 2026 | Top 10 Best API Security Providers Protecting Web Apps in 2026 beginner | Tool for API security, evaluating providers for 2026, highlighting Salt Security for its AI-driven business logic protection and automated discovery, and Akamai for its comprehensive lifecycle coverage and global threat intelligence. The entry emphasizes the critical need for API security in modern web applications due to evolving threats like Broken Object Level Authorization (BOLA), shadow APIs, and business logic abuse, recommending solutions that offer API discovery, runtime protection, and DevSecOps integration. → gbhackers.com |
| 2026-04-14 2026 | Critical etcd Vulnerability Allows Unauthorized Access to Sensitive Cluster APIs news | Writeup of CVE-2026-33413, an authentication bypass in etcd allowing unauthorized access to sensitive cluster APIs like Maintenance.Alarm, KV.Compact, and Lease.LeaseGrant. Discovered autonomously by Strix, this critical vulnerability (CVSS 8.8) exploits a flaw in the applier chain, where specific methods are not checked by the authApplierV3 wrapper, enabling unauthenticated or under-privileged users to perform disruptive operations. A patch was released in March 2026. → gbhackers.com |
| 2026-04-11 2026 | Exploiting API4: 8 Real-World Unrestricted Resource Consumption Attack Scenarios intermediate | Library of resources detailing 8 real-world Unrestricted Resource Consumption (API4:2023) attack scenarios, including large file uploads, high-latency responses, financially impactful API abuse (e.g., SMS gateways, LLM APIs), GraphQL batching and query abuse, data bombs, and buffer overflows like CVE-2025-22457. These scenarios illustrate how attackers can cause denial of service, performance degradation, and financial losses through various API vulnerabilities. → securityboulevard.com |
| 2026-04-11 2026 | Exploiting Server-Side Request Forgery in an API intermediate | Library for identifying and exploiting Server-Side Request Forgery (SSRF) vulnerabilities in APIs. This resource details how SSRF, a dangerous OWASP API Security Top 10 vulnerability, allows attackers to trick servers into making unauthorized requests, potentially leading to data leaks or remote code execution. It covers techniques for identifying SSRF through common parameter names, webhooks, file imports, and PDF generators, and explores exploitation methods like local/remote port scanning and local file reads. → danaepp.com |
| 2026-04-11 2026 | API Versioning Vulnerabilities: Deprecated Endpoints Still Accepting Requests intermediate | API Versioning Vulnerabilities: Deprecated Endpoints Still Accepting Requests |
| 2026-04-11 2026 | Exploiting JWT Vulnerabilities: Advanced Exploitation Guide advanced Bug Bounty JWT | Library detailing advanced JWT exploitation techniques, covering flaws stemming from misconfigurations and improper input validation. It analyzes vulnerabilities such as the 'none' algorithm allowance, missing signature validation, algorithm confusion attacks, and JWK spoofing, referencing CVE-2018-0114. The guide breaks down JWT structure and common attack vectors like authentication bypass and injection. → intigriti.com |
| 2026-04-11 2026 | openapi-fuzzer: Black-box Fuzzer for OpenAPI Specifications intermediate | Tool for black-box fuzzing APIs based on OpenAPI specifications (v3). This Rust-based fuzzer, `openapi-fuzzer`, identifies parsing bugs and invalid formats by generating and sending payloads. It stores findings in JSON and can replay triggering seeds using the `resend` subcommand. Configuration options include ignoring specific status codes, adding custom headers, and adjusting request counts. |
| 2026-04-11 2026 | CATS: REST API Fuzzer and Negative Testing Tool intermediate | Library for REST API negative testing, CATS automatically generates and runs thousands of tests based on data types and structural constraints, moving beyond typical random input fuzzing. It offers rapid execution with no coding required and extensive configurability, allowing users to match or ignore response codes, bodies, API paths, and more, while fine-tuning reporting. |
| 2026-04-11 2026 | RESTler: Stateful REST API Fuzzing Tool intermediate | Library for stateful REST API fuzzing that analyzes OpenAPI specifications to generate and execute tests, discovering security and reliability bugs. RESTler intelligently infers producer-consumer dependencies and dynamically learns service behavior from responses to explore deeper service states and find issues like internal server errors and logic bugs. It offers compile, test, fuzz-lean, and fuzz modes for comprehensive bug hunting. |
| 2026-04-11 2026 | BFLA: Broken Function Level Authorization beginner | Library: BFLA is a resource that delves into Broken Function Level Authorization vulnerabilities. This document, crafted by TCM Security, is part of their broader offerings in cybersecurity services and education, including penetration testing, vulnerability scanning, and training. The content implicitly supports their mission of revealing risk, meeting requirements, and strengthening security for organizations by exposing exploitable gaps. |
| 2026-04-11 2026 | API Gateway Authorizers: Vulnerable By Design intermediate | Library discussing how API Gateway authorizer caching can lead to authorization vulnerabilities. When caching is keyed solely by the JWT, subsequent requests to different resources can incorrectly inherit permissions from previous requests. This is especially problematic when using services like AWS Verified Permissions to grant granular access, as the cache may not reflect specific resource authorizations, leading to potential over-permissioning. The solution involves configuring the API Gateway cache key to include the HTTP method and path, ensuring that authorization checks are specific to the requested resource. |
| 2026-04-11 2026 | HTTP Request Smuggling in API Gateways intermediate | Library for detecting and preventing HTTP request smuggling attacks targeting API gateways. This technique exploits discrepancies in how gateways and backends interpret request boundaries, allowing attackers to bypass security controls like authentication and rate limiting. The library details common attack types such as CL.TE, TE.CL, and H2.CL, and provides mitigation strategies like enforcing HTTP/2 end-to-end, disabling backend connection reuse, and normalizing ambiguous requests. It also references specific vulnerabilities like CVE-2024-53008 and CVE-2023-40225 affecting HAProxy, and CVE-2024-33452 impacting Kong Gateway. |
| 2026-04-11 2026 | Kong API Gateway Misconfigurations: A Security Case Study intermediate | Library detailing Kong API Gateway misconfigurations, including exposing the Administration API on public interfaces, missing firewall rules, and insecure storage of secrets like API keys in plain text. It highlights how default configurations and examples found in container image repositories can lead to these vulnerabilities, emphasizing the need for proper access controls and secure credential management. → trendmicro.com |
| 2026-04-11 2026 | Swagger-EZ: Pentesting APIs Using OpenAPI Definitions intermediate | Tool for pentesting APIs using OpenAPI (Swagger) definitions. Swagger-EZ parses Swagger 2.0 JSON files, either by URL or pasted blob, to populate API endpoints and parameters within a browser UI. Users configure their proxy, like Burp Suite, to intercept requests. After loading the API definition, parameters can be populated with test data and sent, facilitating API security testing. |
| 2026-04-11 2026 | APIDetector: Scan for Exposed Swagger Endpoints intermediate | Library for scanning exposed Swagger and OpenAPI endpoints. APIDetector v3 features a modern web interface and command-line options for discovering API documentation like `/swagger-ui.html` and `/openapi.json`. It supports multi-threaded scanning over HTTP/HTTPS, automatically captures screenshots of vulnerable endpoints, and performs XSS detection on vulnerable Swagger versions. The tool is built with Python 3.x and requires Flask, Requests, and Playwright for browser automation. |
| 2026-04-11 2026 | Autoswagger: Automated Discovery and Testing of OpenAPI and Swagger Endpoints intermediate | Tool for automated discovery and testing of OpenAPI and Swagger endpoints, Autoswagger identifies unauthenticated API endpoints and data exposure risks. It locates spec files, extracts paths and methods, and concurrently tests endpoints, flagging outputs containing personally identifiable information or secrets using Presidio and regex heuristics. The tool supports multi-phase discovery, optional brute-force parameter testing, and flexible JSON or table output for actionable results. |
| 2026-04-11 2026 | Swagger Jacker: Auditing OpenAPI Definition Files intermediate | Tool for auditing OpenAPI definition files. Swagger Jacker automates the analysis of API routes defined in specification documents, identifying potential vulnerabilities like IDOR and SQL injection. It parses fields such as "Info" for API metadata and "security" for authentication mechanisms, then generates requests to test endpoint accessibility and authentication requirements, significantly reducing manual testing time for publicly exposed or unintentionally leaked definition files. |
| 2026-04-11 2026 | PayloadsAllTheThings: API Key Leaks intermediate | Library of resources for identifying and managing API key leaks, including tools like aquasecurity/trivy, blacklanternsecurity/badsecrets, irsdl/crapsecrets, d0ge/sign-saboteur, mazen160/secrets-patterns-db, momenbasel/KeyFinder, streaak/keyhacks, trufflesecurity/truffleHog, and projectdiscovery/nuclei-templates. It covers common leak vectors such as hardcoding in source code, public repositories, Docker images, logs, and configuration files, offering techniques to detect and verify leaked credentials. |
| 2026-04-11 2026 | State of Secrets: 28 Million Credentials Leaked on GitHub in 2025 news Secrets | Library for detecting and preventing hardcoded secrets in code, addressing accidental commits, the .env file problem, supply chain attacks via compromised NPM packages like tinyColor and ngx-bootstrap, leaks from non-code surfaces such as Slack and Jira, and the increasing risks associated with AI-assisted development and MCP server configurations. → snyk.io |
| 2026-04-11 2026 | Bypassing Rate Limits: All Known Techniques intermediate | Bypassing Rate Limits: All Known Techniques |
| 2026-04-11 2026 | Rate Limit Bypass - HackTricks intermediate | Library detailing rate limit bypass techniques. This resource explores methods including brute-forcing variations of endpoints like `/api/v3/sign-up`, inserting blank bytes, and modifying headers such as `X-Forwarded-For` to evade IP-based rate limiting. It also covers bypassing limits by altering user-agent and cookie headers, adding non-significant parameters, and leveraging HTTP/2 multiplexing and GraphQL batching. Advanced techniques like using WebSocket or gRPC streaming, sharding counters across multiple regions, and utilizing tools like PortSwigger's Turbo Intruder and `websocat` are also discussed. → book.hacktricks.xyz |
| 2026-04-11 2026 | Hacking APIs: Bypassing Rate Limiting intermediate | Hacking APIs: Bypassing Rate Limiting |
| 2026-04-11 2026 | What is Mass Assignment? Attacks and Security Tips beginner | Guide to Mass Assignment vulnerabilities, also known as autobinding or object injection, detailing how attackers can manipulate HTTP request parameters to modify or create unintended object variables. It illustrates attacks, including privilege escalation via user profile modification on platforms like GitHub (2012) and GraphQL API exploitation, and provides prevention techniques such as implementing strict field whitelisting on the server-side, referencing OWASP for framework-specific solutions. → vaadata.com |
| 2026-04-11 2026 | API Security 101: Mass Assignment and Exploitation in the Wild beginner | Guide to exploiting mass assignment vulnerabilities in APIs, covering its impact on privilege escalation and financial abuse. This guide details how mass assignment functions in frameworks like Ruby on Rails, NodeJS, Spring MVC, ASP NET MVC, and PHP, and demonstrates exploitation techniques using examples and the crAPI demo lab. It also outlines remediation strategies such as disabling automatic property mapping and implementing read-only fields. → cobalt.io |
| 2026-04-11 2026 | What is BOLA? 3-digit bounty from Topcoder beginner | What is BOLA? 3-digit bounty from Topcoder → infosecwriteups.com |
| 2026-04-11 2026 | API1:2023 Broken Object Level Authorization beginner | Analysis of API1:2023 Broken Object Level Authorization examines how applications fail to validate permissions for every API call to every object. Attackers manipulate object IDs in API requests to access unauthorized data or functionality, leading to potential data breaches, account takeovers, or permission escalation. Detecting and mitigating BOLA vulnerabilities through code changes and inline API security tools like Wallarm is crucial for preventing these impacts. |
| 2026-04-11 2026 | Exposing a New BOLA Vulnerability in Grafana intermediate | Writeup on CVE-2024-1313, a Broken Object Level Authorization (BOLA) vulnerability in Grafana, allows low-privileged users to delete dashboard snapshots from other organizations using snapshot keys. Versions 9.5.0 before 9.5.18, 10.0.0 before 10.0.13, 10.1.0 before 10.1.9, 10.2.0 before 10.2.6, and 10.3.0 before 10.3.5 are affected. The vulnerability, with a CVSS score of 6.5, arises from the dashboard snapshot APIs and could lead to data loss or integrity issues. Additionally, an endpoint allows any user to create snapshots with weak self-assigned keys, potentially enabling denial-of-service or brute-force attacks. → unit42.paloaltonetworks.com |
| 2026-04-10 2026 | Doyensec: Common OAuth Vulnerabilities intermediate AuthN | Checklist of common OAuth vulnerabilities, this resource details attacks against the protocol's implementations. It explains the Implicit Flow, Authorization Code Flow, Authorization Code Flow with PKCE, Client Credentials Flow, Device Authorization Flow, and the Resource Owner Password Credentials Flow. Common attack vectors like XSS and flawed redirect_uri validation are highlighted, particularly in the Implicit Flow. → blog.doyensec.com |
| 2026-04-10 2026 | GitLab Fixes Critical Bugs Allowing DoS and Code Injection Attacks news | Library updates from GitLab address critical vulnerabilities, including CVE-2026-5173 enabling code injection by bypassing WebSocket access controls, and denial-of-service flaws like CVE-2026-1092 in the Terraform state lock API and CVE-2025-12664 in the GraphQL API. Additional fixes target CVE-2026-1516 for code injection in Code Quality reports, CVE-2026-4332 for XSS in analytics, and information disclosure issues, urging immediate patching of self-managed instances. → cyberpress.org |
| 2026-04-10 2026 | API Exploitation For Bug Bounty intermediate | API Exploitation For Bug Bounty |
| 2026-04-10 2026 | API Penetration Testing Roadmap (2025) beginner | Roadmap for API penetration testing covering REST, SOAP, and GraphQL, detailing techniques for identifying Broken Authentication, Rate Limiting Bypasses, Injection Attacks (SQLi, XSS, SSTI), and Business Logic Vulnerabilities. It emphasizes hands-on practice with tools like Burp Suite, Postman, and OWASP ZAP, alongside learning from platforms such as PortSwigger's Web Security Academy, APIsec University, and bug bounty reports from HackerOne. The roadmap stresses practical application on live systems and understanding OWASP API Security Top 10 principles. |
| 2026-04-10 2026 | API Security Testing Tool Checklist (2026) beginner | Library for API security testing, this resource outlines essential features for modern application security. It emphasizes robust authentication support, including OAuth2, JWT, and multi-step workflows, alongside schema import capabilities for OpenAPI, Swagger, and Postman collections to ensure comprehensive coverage of REST, GraphQL, and Async APIs. The checklist highlights the importance of rate limiting and safe scan controls to prevent operational disruption, continuous environment support across CI/CD and staging, and noise reduction through proof of exploitability. Key vulnerabilities addressed include Broken Object Level Authorization (BOLA) and business logic abuse, stressing workflow-level testing over basic scanning for effective API security. |
| 2026-04-10 2026 | GraphQL Security Best Practices: A Developer's Guide beginner | Guide to GraphQL security best practices detailing risks like query depth and complexity attacks, introspection abuse, batching exploits, and field-level authorization challenges. It explains how GraphQL's flexible query language and single endpoint architecture differ from REST, creating unique attack surfaces. The guide covers mitigations for these issues, crucial for developers securing GraphQL services. |
| 2026-04-10 2026 | OWASP API Security Top 10 Risks beginner | Reference detailing the OWASP API Security Top 10 Risks, updated in 2023 to reflect evolving threats. This includes risks like Broken Object Level Authorization (BOLA), Broken Authentication, Broken Object Property Level Authorization (BOPLA), Unrestricted Resource Consumption, Broken Function Level Authorization (BFLA), Unrestricted Access to Sensitive Business Flows, Server-Side Request Forgery (SSRF), and Security Misconfiguration. The document offers mitigation strategies for these vulnerabilities, citing examples like Uber and Trello breaches. → wiz.io |
| 2026-04-10 2026 | API Security Reality Check: Q2 2025 API ThreatStats Report news | Report detailing Q2 2025 API security trends, highlighting a 9.8% increase in API CVEs and a significant rise in AI-specific API vulnerabilities, with 34 new CVEs. The report addresses the hidden risks of GraphQL, where despite no reported breaches, vulnerabilities like excessive data exposure and denial of service from nested queries are prevalent due to poor visibility and traditional tool limitations. Most exploited flaws include unauthenticated access, Broken Object Level Authorization (BOLA), token abuse, and injection risks, emphasizing the need for complete API visibility, securing AI stacks, strengthening authorization, and comprehensive lifecycle testing beyond schema validation. |
| 2026-04-10 2026 | GraphQL Security Testing: Complete Guide intermediate | Library for securing GraphQL APIs, addressing unique vulnerabilities like schema exposure via introspection and Apollo suggestions, deeply nested query attacks, missing field-level authorization (BOLA) and IDOR via argument manipulation, SQL injection through variables, and batch query attacks. It highlights how these differ from REST APIs and provides actionable insights for mitigation, emphasizing the need for per-object authorization and query complexity limits. |
| 2026-04-10 2026 | Common API Security Vulnerabilities & Solutions (2026 Guide) beginner | Guide on common API security vulnerabilities, covering the OWASP API Top 10 including BOLA, BFLA, Mass Assignment, and Excessive Data Exposure. It details real-world exploits like JWT misuse and GraphQL abuse, emphasizing the need for active testing beyond static scans. Solutions discussed include strong access controls (RBAC/ABAC), secure authentication with MFA and OAuth 2.0, limiting data exposure, implementing rate limiting, and secure configurations to mitigate breaches and financial losses. |
| 2026-04-10 2026 | Common Attacks on REST APIs and GraphQL APIs beginner GraphQL | Common Attacks on REST APIs and GraphQL APIs |
| 2026-04-10 2026 | GraphQL API Security: Common Vulnerabilities and Exploits intermediate GraphQL | GraphQL API Security: Common Vulnerabilities and Exploits |
| 2026-04-10 2026 | API Security Risks: The 10 Most Exploited in 2026 news | Library cataloging the top 10 API security risks for 2026, detailing threats like AI-powered attacks, injection attacks (SQL, XSS), supply chain compromise, shadow APIs, Broken Object-Level Authorization (BOLA), and GraphQL vulnerabilities. The entry highlights real-world breaches including Azure AD user data exposure, Facebook account data theft via API authentication bypass, Stripe API hijacking for Magecart attacks, Intel employee data exfiltration, and OpenAI customer data exposure through Mixpanel. It emphasizes emerging vectors and the critical need for API posture governance strategies. |
| 2026-04-10 2026 | What Are the OWASP Top 10 API Security Risks? - Akamai beginner | What Are the OWASP Top 10 API Security Risks? - Akamai → akamai.com |
| 2026-04-10 2026 | OWASP API Security Top 10 (2025) Guide with Tests beginner | Reference detailing the OWASP API Security Top 10 (2023) standard, including explanations and testing strategies for vulnerabilities such as Broken Object Level Authorization (BOLA), Broken Object Property Level Authorization (BOPLA), Broken Authentication, Excessive Data Exposure, and Security Misconfiguration. It highlights shifts in the OWASP framework, provides examples like the T-Mobile breach and the Peloton API flaw, and offers remediation advice including server-side permission checks, allowlisting fields, and proper configuration management. |
| 2026-04-10 2026 | OWASP Top 10 2025: What's Changed and Why beginner | Library summarizing the OWASP Top 10 2025 list, detailing the significant changes from the 2021 edition. It highlights two new categories: Software Supply Chain Failures (A03) and Mishandling of Exceptional Conditions (A10). The entry also notes shifts in existing categories, with Security Misconfiguration rising to #2, Server-Side Request Forgery (SSRF) consolidated into Broken Access Control (A01), Cryptographic Failures dropping to #4, Injection to #5, and Insecure Design to #6. This resource reflects an updated understanding of modern attack vectors, encompassing a broader analysis of CVEs and community insights. |
| 2026-04-10 2026 | Top 10 OWASP API Security in 2026 beginner | Reference detailing the OWASP API Security Top 10 risks for 2025, including Broken Object Level Authorization (BOLA), Broken Authentication, Unrestricted Resource Consumption, Broken Function Level Authorization, Server Side Request Forgery (SSRF), and Security Misconfiguration, with strategies for mitigation and prevention. |
| 2026-04-10 2026 | OWASP Top Ten 2025: Key Security Risks for APIs beginner | OWASP Top Ten 2025: Key Security Risks for APIs |
| 2026-04-10 2026 | OWASP API Security: Top 10 Risks & Remedies for 2026 beginner | Reference discussing OWASP's Top 10 API Security Risks, highlighting evolving threats particularly due to AI integration and agentic applications. It details vulnerabilities such as third-party API exploitation, forgotten and shadow APIs, and security misconfigurations in API management solutions. Recommendations include implementing rigorous input validation, API inventory, secure communication channels, and automated security testing, with mentions of Axway's Amplify Platform for API cataloging and management. |
| 2026-04-09 2026 | API Security Breach Statistics 2026: Hidden Threats beginner | Statistics detail a massive surge in API attack traffic (600%+) and near-universal organizational exposure (99% hit in the past year), with only 21% reporting strong detection capabilities and 13% preventing over half of attacks. Path Traversal (27.3%), SQL Injection (20.0%), and SSRF (14.5%) are leading vulnerabilities, while AI-driven attacks accelerate exploitation to as little as 1.2 hours. Major breaches like T-Mobile and Optus underscore the risk of authentication flaws and broken object authorization, with 80,000+ incidents projected by end of 2025 if trends continue. → sqmagazine.co.uk |
| 2026-04-06 2026 | Anthropic Patches Claude Code Bypass Vulnerability news | Anthropic Patches Claude Code Bypass Vulnerability https://ift.tt/MXrTcEF → letsdatascience.com |
| 2026-04-06 2026 | Protecting Payment, Cart, and Login Endpoints at the Edge intermediate | Library for edge-based API security that protects critical e-commerce endpoints like payment, cart, and login from OWASP API Security Top 10 attacks. It utilizes API schema definition and real-time request validation at the network edge to block threats such as Broken Object Level Authorization, Broken Authentication, and Injection attacks without introducing latency or requiring manual rule management. |
| 2026-04-06 2026 | Open Banking API Security: The Complete Guide in 2026 beginner | Open Banking API Security: The Complete Guide in 2026 |
| 2026-04-06 2026 | Enhancing REST API Fuzzing with Access Policy Violation Detection intermediate Fuzzing | Library extension for EvoMaster that adds novel automated oracles to detect access policy violations, specifically Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA), alongside traditional SQL Injection and XSS attacks. This approach integrates seamlessly into existing REST API fuzzing workflows, enabling the generation of executable test cases in multiple programming languages to identify security issues missed by other methods. → arxiv.org |
| 2026-04-06 2026 | 6 Ways to Protect Your Spring Boot APIs from Common Attacks intermediate | 6 Ways to Protect Your Spring Boot APIs from Common Attacks |
| 2026-04-06 2026 | 7 Identity and API Security Tools Modern SaaS Teams Should Evaluate in 2026 beginner | Library for assessing application security in modern SaaS environments. It highlights tools addressing enterprise SSO provisioning, API runtime protection, AI agent security, and passwordless authentication. Key solutions include SSOJet for SSO integration, Gopher Security for quantum-resistant MCP protection, Salt Security for API threat detection, 42Crunch for OpenAPI-driven security, Akto for API discovery, StackHawk for CI/CD-native DAST, and MojoAuth for passwordless CIAM. These tools aim to mitigate risks from increased API attacks, broken authentication (52% of API incidents per Wallarm), and growing AI agent adoption. → securityboulevard.com |
| 2026-04-05 2026 | 'Each vulnerability exposes a different class of enterprise data': LangChain framework hit by several worrying security issues here's what we know news | Library patches address critical vulnerabilities in LangChain and LangGraph, including path traversal (CVE-2026-34070), deserialization of untrusted data exposing secrets (CVE-2025-68664), and SQL injection in SQLite checkpoints (CVE-2025-67644). These flaws allowed exfiltration of files, API keys, and conversation histories, with risks potentially impacting downstream dependencies. Developers are urged to upgrade to the latest versions and audit configurations, treating LLM outputs as untrusted input. |
| 2026-04-03 2026 | API management: Fundamentals for cloud security teams beginner | Library for API management, a crucial component of cloud security, offering standardized authentication and policy enforcement via edge gateways. It enhances API security by combining agentless cloud scanning with API discovery, mapping APIs to cloud resources and data sensitivity. This approach reduces incident response times, minimizes audit findings, and enables zero trust architectures by addressing vulnerabilities like broken object-level authorization, broken authentication, and shadow APIs. Key capabilities include gateway traffic management, centralized authentication/authorization, and comprehensive monitoring and observability. → wiz.io |
| 2026-04-03 2026 | InQL - GraphQL Scanner | PortSwigger BApp Store intermediate | Library for GraphQL security testing that simplifies vulnerability identification through schema analysis, query generation, and custom scanning. It auto-generates queries, mutations, and subscriptions, with features like circular reference detection and batch query support for rate limit bypasses and DoS vectors. Results integrate with Burp Repeater and Intruder, and schemas can be visualized with GraphiQL or GraphQL Voyager. → portswigger.net |
| 2026-04-03 2026 | OWASP API Security Top 10 Explained | Salt Security beginner | OWASP API Security Top 10 Explained | Salt Security |
| 2026-04-03 2026 | How To Prepare For An API Penetration Test beginner | Guide for preparing API penetration tests, detailing common vulnerabilities and the importance of scope definition. It advises providing documentation, Postman collections, and Swagger files to testers for grey-box or source code-assisted assessments, and outlines the use of tools like Postman and Swagger UI in the testing process. |
| 2026-04-03 2026 | Awesome GraphQL Security - Curated List of Resources beginner GraphQL | Library of curated resources for GraphQL security, encompassing frameworks like GraphQL Shield and GraphQL Armor, testing tools such as Escape, GraphCrawler, and InQL, and educational materials covering vulnerabilities like aliasing attacks, CSRF, cyclic queries, and IDOR. It also lists clients like Postman and Insomnia, and schema visualization tools like Voyager. |
| 2026-04-03 2026 | API Testing with Burp Suite: A Practical Guide intermediate | Library for intercepting, modifying, and analyzing API traffic with Burp Suite, detailing techniques for REST APIs like parameter tampering and SQL injection detection in Repeater, and for GraphQL APIs, including schema introspection queries and modifying requests via dedicated GraphQL tabs. The library also highlights Burp Intruder for fuzzing and Pynt as an alternative tool. |
| 2026-04-03 2026 | Top 6 API Pentesting Tools | Cobalt beginner | Library of top API penetration testing tools including Postman for managing requests and proxied through tools like Burp Suite for in-depth analysis, vulnerability discovery via Repeater and Intruder, and automated scanning. Swagger aids testers by providing standardized API documentation, while SoapUI assists with SOAP-based APIs. GraphQL, a query language, presents unique challenges requiring schema understanding and targeted query crafting for vulnerabilities like DoS and authorization bypasses. ZAP, an OWASP DAST tool, offers proxying, scanning for vulnerabilities like XSS and SQL injection, and supports formats like JSON and XML, with add-ons for OpenAPI, GraphQL, and SOAP. → cobalt.io |
| 2026-04-03 2026 | API Attack Awareness: BOLA - Why It Tops the OWASP API Top 10 beginner | Analysis of Broken Object Level Authorization (BOLA) vulnerabilities, a top OWASP API Top 10 risk, detailing how unauthenticated access to objects can lead to data leakage, account compromise, and business impact. The entry highlights common exploitation methods, the difficulty in detecting these stateful flaws with traditional tools, and emphasizes the need for robust backend authorization checks, mentioning Wallarm's capabilities in detecting and preventing BOLA attacks through API discovery and custom controls. → securityboulevard.com |
| 2026-04-03 2026 | GraphQL API Vulnerabilities | Web Security Academy intermediate GraphQL | Reference detailing GraphQL API vulnerabilities, focusing on implementation and design flaws like exposed introspection. It covers finding GraphQL endpoints, identifying vulnerabilities through universal queries and unsanitized arguments (leading to issues like IDOR), and leveraging introspection queries to map schema information. The reference highlights how Burp Suite can assist in discovering endpoints and introspection, and discusses best practices for securing GraphQL APIs. → portswigger.net |
| 2026-04-03 2026 | API Testing | Web Security Academy beginner | Library for testing RESTful and JSON APIs, covering techniques to identify endpoints, analyze API documentation, and interact with identified resources using tools like Burp Suite. It details how to discover hidden endpoints and parameters by manipulating HTTP methods and content types, and how to leverage machine-readable documentation such as OpenAPI specifications. This resource also maps common web vulnerabilities to their API equivalents, referencing the OWASP API Security Top 10. → portswigger.net |
| 2026-04-03 2026 | OWASP API Security Top 10 beginner | Project that provides awareness and mitigation strategies for common API security risks. It aims to document the Top 10 API Security Risks, offer best practices for secure API development, and foster community collaboration for evolving security trends. The resources are licensed under Creative Commons. → owasp.org |
| 2026-04-03 2026 | OWASP API Security Project | OWASP Foundation beginner | Project detailing API security strategies and solutions, focusing on mitigating unique vulnerabilities. It highlights the API Security Top 10 2023 list, including Object Level Access Control issues, faulty authentication, excessive data exposure, denial of service, authorization flaws, business logic abuse, Server-Side Request Forgery (SSRF), insecure configurations, lack of proper documentation, and reliance on third-party APIs. The project is licensed under Creative Commons Attribution-ShareAlike 4.0 and is freely available, with contributions maintained on GitHub. → owasp.org |
| 2026-02-06 2026 | SOAPwnwatchtowr soappwn research whitepaper advanced | SOAPwnwatchtowr soappwn research whitepaper |
| 2026-01-19 2026 | Hackmanit/Web-Cache-Vulnerability-Scanner: Web Cache Vulnerability Scanner is a Go-based CLI tool for testing for web cache poisoning. It is developed by Hackmanit GmbH (http://hackmanit.de/). beginner | Library for testing web cache poisoning and deception. It supports ten cache poisoning techniques, including unkeyed header poisoning and HTTP response splitting, and multiple cache deception techniques like path traversal. The tool features an adaptive crawler, customizable options for headers, cookies, and parameters, and can generate JSON reports. WCVS can be integrated into CI/CD pipelines and is available as pre-built binaries or via Go installation. |
| 2026-01-17 2026 | pwviptbl/ProxyHunter: Aplicação Python com interface gráfica que permite configurar regras de interceptação para modificar parâmetros de requisições HTTP. Quando o navegador envia uma requisição para uma rota configurada, o proxy intercepta, modifica apenas os parâmetros especificados e encaminha a requisição mantendo todos os outros parâmetros originais. intermediate Burp Python | Tool that intercepts HTTP requests, modifies specific parameters based on configurable rules, and forwards them. It features a graphical interface, WebSocket support, an advanced Intruder for automated attacks, and scanners for SQL Injection, XSS, CSRF, Path Traversal, and more. Additional functionalities include a passive and active scanner, spider/crawler, request comparator, and CLI management. |
| 2026-01-07 2026 | GitHub - pranav-cs-1/nexus: A terminal-based HTTP client for API testing intermediate | Tool for terminal-based API testing, Nexus streamlines request management with a keyboard-driven interface and persistent storage via the sled embedded database. It supports full HTTP method functionality, request organization into collections, response viewing with status codes and headers, and complete request editing. Nexus can import Postman Collections (v2.1) with support for authentication and nested folders, and export collections as JSON or individual requests as curl commands. |
| 2025-12-30 2025 | Teycir/BurpAPISecuritySuite: Burp Suite extension for API security testing with 15 attack types, 108+ payloads, intelligent fuzzing, BOLA/IDOR detection, AI integration, and automated reconnaissance. Supports REST/GraphQL/SOAP APIs with Nuclei, Turbo Intruder, and external tool integration. OWASP API Top 10 coverage. intermediate Burp Fuzzing GraphQL | Library for comprehensive API security testing within Burp Suite. This extension consolidates 15 attack types, over 108 payloads, and integrates external tools like Nuclei, Turbo Intruder, and ApiHunter. It features intelligent fuzzing, automated reconnaissance, and detection of vulnerabilities such as BOLA and IDOR, with support for REST, GraphQL, and SOAP APIs, covering OWASP API Top 10 and offering AI integration for payload generation. |
| 2025-11-27 2025 | How Hackers Are Exploiting Salesforce and Why Architects Must Act | Salesforce Ben news | Analysis of Salesforce security exploits highlights a critical knowledge gap between security and Salesforce teams. Hackers exploit undocumented features like public links, Chatter groups, and Lightning APIs, as well as content ingestion and third-party risks such as phishing links and malicious images, which native Salesforce tooling and audits often miss. The article emphasizes the need for individuals with hybrid skillsets to bridge this divide and properly architect secure, usable Salesforce organizations, noting that expensive native tools like Event Monitoring and Data Detect require additional implementation and expertise to be effective. |
| 2025-10-19 2025 | GitHub - fosrl/pangolin: Identity-Aware Tunneled Reverse Proxy Server with Dashboard UI intermediate | Library implementing an identity-aware tunneled reverse proxy server with a dashboard UI. Pangolin enables secure remote access to private and public resources via browser-based or client-based connections, combining reverse proxy and VPN capabilities. It facilitates access through restrictive firewalls using outbound tunnels and NAT traversal, offering granular access controls, role-based access control (RBAC) via integrated users or external identity providers, and supports automatic SSL certificates and load balancing, adhering to a zero-trust model. |
| 2025-10-05 2025 | API Hacking - Just Hacking Training (JHT) beginner Bug Bounty | Workshop slides from DEF CON 32 covering hardware fault injection on specific targets. |
| 2025-08-14 2025 | Detect SSRF Attacks in Cloud Applications and APIs | Datadog intermediate SSRF | Library for detecting server-side request forgery (SSRF) attacks against cloud applications and APIs. It highlights prevalent vulnerabilities in Java services, like those in Jackson and Apache libraries, and details how attackers exploit them to access cloud metadata services and credentials. The library aids in identifying malicious traffic by monitoring API response timing and patterns, such as requests to sensitive domains like metadata.google.internal or malformed URLs. It integrates with Datadog Application and API Protection (AAP) for automated detection and blocking via its WAF. |
| 2025-08-06 2025 | ByteByteGo | How does HTTPS work? beginner | Guide detailing HTTPS functionality, explaining its role in securing internet communication through Transport Layer Security (TLS). It breaks down the handshake process, including TCP connection establishment, client and server hellos, SSL certificate validation, and the secure exchange of a session key using asymmetric and symmetric encryption to protect data from interception. |
| 2025-05-07 2025 | Using JWTs in Python Flask REST Framework | AppSignal Blog intermediate AuthN Python | Library for implementing JWT-based authentication in Python Flask REST Framework applications. This resource details the structure of JWTs (header, payload, signature), their benefits like stateless sessions and security, and demonstrates their practical application. It covers setting up a Flask environment, creating user registration and login endpoints that issue JWTs using Flask-JWT-Extended, securing API routes with `@jwt_required()`, and managing task creation, retrieval, updates, and deletion for authenticated users. The guide also explains how to implement token refreshes for longer-lived sessions. |
| 2025-03-01 2025 | CORS Finally Explained — Simply - Level Up Coding beginner | There are millions of articles explaining how to fix the error above, but what exactly is this “Cross-Origin Resource Sharing” (CORS) thing, and why does it even exist? Let's begin by first answering… → levelup.gitconnected.com |
| 2025-02-10 2025 | GitHub - usebruno/bruno: Opensource IDE For Exploring and Testing Api's (lightweight alternative to postman/insomnia) intermediate | Library for API exploration and testing, Bruno offers a privacy-focused, offline-first alternative to Postman and Insomnia. It stores API collections in local filesystem folders using the Bru markup language, facilitating collaboration via Git or other version control systems. Bruno is available for Mac, Windows, and Linux, with installation options including binary downloads and package managers like Homebrew, Chocolatey, Scoop, Snap, Flatpak, and Apt. |
| 2025-02-10 2025 | GitHub - samwafgo/SamWaf: SamWaf开源轻量级网站防火墙,完全私有化部署 SamWaf is a lightweight, open-source web application firewall for small companies, studios, and personal websites. It supports fully private deployment, encrypts data stored locally, is easy to start, and supports Linux and Windows 64-bit. beginner | Library for lightweight, open-source web application security, SamWaf offers fully private deployment with encrypted local data storage. It supports custom rule creation, IP and URL blacklisting, CC frequency limiting, and OWASP CRS rule sets. SamWaf is designed for small companies and personal websites, easily deployable on Linux and Windows, and includes features like automatic SSL certificate management and IPv6 support. |
| 2025-01-28 2025 | GitHub - traefik/whoami: Tiny Go server that prints os information and HTTP request to output beginner | Tool is a tiny Go webserver that prints OS information, HTTP request details, environment variables, and network information. It supports custom wait times via the `wait` query parameter, allows modification of GET response status codes with POST requests to `/health`, and can serve HTTPS with provided certificates. The tool also features WebSocket echo, health checks, and can be configured to listen on different ports. It can be used to test network configurations, debug HTTP requests, and integrate with containerized environments. |
| 2025-01-22 2025 | GitHub - c0dejump/HExHTTP: Header Exploitation HTTP intermediate | Tool for testing HTTP headers to identify vulnerabilities such as web cache poisoning and Cache Poisoning DoS (CPDoS). HExHTTP supports flexible proxy configuration, integration with Burp Suite for issue reporting, and human-like request behavior to bypass WAFs. It analyzes various header types, including hop-by-hop headers, and tests CDN/proxy responses. |
| 2025-01-20 2025 | GitHub - chaitin/SafeLine: SafeLine is a self-hosted WAF(Web Application Firewall) / reverse proxy to protect your web apps from attacks and exploits. beginner | Library for a self-hosted Web Application Firewall (WAF) and reverse proxy, SafeLine protects web applications from attacks including SQL injection, XSS, code injection, OS command injection, CRLF injection, XXE, SSRF, path traversal, bruteforce, and HTTP floods. It offers proactive bot defense, HTML/JS code encryption, IP-based rate limiting, and web access control lists, defending against DoS attacks and traffic surges. SafeLine implements anti-bot and authentication challenges, with dynamic protection that encrypts code on each visit. |
| 2024-12-22 2024 | GitHub - fabriziosalmi/patterns: Automated OWASP CRS and Bad Bot Detection for Caddy, Nginx, Apache, Traefik and HaProxy intermediate | Library automates OWASP CRS and bad bot detection for Caddy, Nginx, Apache, Traefik, and HAProxy. It scrapes OWASP Core Rule Set patterns daily, converting them into WAF configurations for various web servers to defend against SQL Injection, XSS, RCE, and LFI. Additionally, it integrates bad bot blocking using public lists to thwart malicious crawlers and scrapers, offering pre-generated configurations and automated updates via GitHub Actions. |
| 2024-12-20 2024 | GitHub - xnl-h4ck3r/knoxnl: This is a python wrapper around the amazing KNOXSS API by Brute Logic intermediate Python | Library for Python that wraps the KNOXSS API, enabling automated scanning for Cross-Site Scripting (XSS) and Open Redirect vulnerabilities. It supports various input methods, including single URLs and files, and allows for detailed configuration, including Discord webhook notifications, API key management, and Flash Mode for quick tests. The library also integrates with Burp Suite via the Piper extension for proxy-based testing, handling both GET and POST requests with optional headers and post data. |
| 2024-12-14 2024 | postMessage Braindump intermediate | Writeup on postMessage security vulnerabilities, detailing how to identify and exploit them. It highlights `postMessage` as a cross-origin communication mechanism akin to an API, discoverable via Frans Rosen's postMessage Tracker and browser DevTools. The writeup explains debugging techniques using breakpoints to trace `postMessage` execution paths, demonstrating an XSS vulnerability achieved by setting event attributes via malicious `postMessage` payloads. It also warns about common regex errors when validating `event.origin` for securing `postMessage` listeners. |
| 2024-12-13 2024 | Server SSL certificate verification - HTTPie 3.2.4 (latest) docs beginner | Library for interacting with HTTP services from the command line, designed for human-friendly testing and debugging. It supports intuitive syntax, formatted output, JSON, forms, uploads, HTTPS, proxies, authentication, custom headers, persistent sessions, downloads, and a plugin system. Installation instructions are provided for various package managers and operating systems, including standalone executables. The documentation details usage for custom methods, headers, JSON data, form submissions, offline requests, authentication, file uploads/downloads, sessions, and URL parameters. |
| 2024-12-12 2024 | API Testing with Insomnia and Burp Suite: An Alternative to Postman intermediate Burp | Library for API testing using Insomnia and Burp Suite, offering an alternative to Postman. This resource details capturing API requests with mitmproxy, converting them to OpenAPI 3.0 format using mitmproxy2swagger, and importing into Insomnia. It covers Insomnia's variable management, integration with Burp Suite for request interception and modification, and testing for outdated API versions. |
| 2024-12-03 2024 | Hacking API discovery with a custom Burp extension intermediate Burp | Library for enhanced API discovery within Burp Suite, employing a brute-force methodology to locate API documentation artifacts. It dynamically generates a wordlist exceeding 4,000 combinations, combining various prefix directories, doc endpoints, UI endpoints, and extensions. The library also implements resilient request handling with exponential backoff and adjusted connection timeouts, alongside parallel processing for increased efficiency. → danaepp.com |
| 2024-11-28 2024 | GitHub - cc1a2b/jshunter: JShunter is a command-line tool designed for analyzing JavaScript files and extracting endpoints. This tool specializes in identifying sensitive data, such as API endpoints and potential security vulnerabilities, making it an essential resource for developers and security researchers. intermediate | Tool for analyzing JavaScript files, JSHunter extracts endpoints, identifies sensitive data like API keys and JWT tokens, and detects vulnerabilities. It supports comprehensive endpoint discovery, advanced code analysis, multiple input methods, and high-performance processing with stealth features such as proxy support and user-agent rotation. Features include deobfuscation, source map parsing, GraphQL analysis, and WAF bypass detection, with professional output formats like JSON and CSV, and direct integration with Burp Suite. |
| 2024-11-26 2024 | The OAuth Oversight: When Configuration Errors Turn into Account Hijacks intermediate AuthN | Hey folks I hope you are doing well. I am back with another writeup on OAuth misconfiguration leads to account takeover. The PoC is… |
| 2024-11-05 2024 | What is Azure Web Application Firewall on Azure Front Door? beginner | Library for Azure Web Application Firewall on Azure Front Door, offering centralized protection against web exploits and vulnerabilities. It inspects incoming requests globally at network edge locations, preventing attacks before they reach your virtual network. Features include custom rules for IP allow/block lists, geographic access control, HTTP parameter matching, rate limiting, and Azure-managed rule sets for SQL injection, cross-site scripting, and more. WAF policies can operate in detection or prevention modes, with actions like ALLOW, BLOCK, LOG, and REDIRECT. |
| 2024-11-05 2024 | HTTP Security Headers: A complete guide to HTTP headers beginner | Reference on HTTP security headers detailing their functions in protecting against vulnerabilities like Cross-Site Scripting (XSS) and Clickjacking. It explains key headers such as Access-Control-Allow-Origin for CORS, Content-Type for data interpretation, and Content-Security-Policy (CSP) for controlling resource loading and execution. The guide emphasizes the importance of properly configuring these headers to enhance web application security. |
| 2024-10-03 2024 | Automate your API hacking with Autorize intermediate AuthN AuthZ | Library for automating API security testing, Autorize is a Burp Suite extension that detects broken object level authorization (BOLA) by repeatedly sending requests with different user privileges. It analyzes response changes to identify authorization and authentication issues, supporting active scans and offering configuration for interception filters and enforcement detectors. Autorize can be integrated with Repeater and customized to filter results for potential bypasses and 401 status codes, aiding in the discovery of vulnerabilities like unauthorized access to administrative functions. → danaepp.com |
| 2024-10-01 2024 | Exploiting trust: Weaponizing permissive CORS configurations advanced | Writeup on exploiting permissive CORS configurations, detailing how misconfigurations can lead to severe vulnerabilities. It explains the same-origin policy and how Cross-Origin Resource Sharing (CORS) relaxes it. The writeup highlights common mistakes like reflecting the "Origin" header without validation, trusting the "null" origin, and flawed subdomain validation in trusted origins. Case studies, including those from a bank and a travel booking application, demonstrate how these weaknesses can be weaponized to steal API keys, session tokens, and achieve account takeovers through techniques like those discovered using Burp Suite's CORS scan check. |
| 2024-09-23 2024 | Sec_Mind_Maps/OWASP API TOP 10.pdf at main · h0tak88r/Sec_Mind_Maps beginner | cyber security mind maps collection. Contribute to h0tak88r/Sec_Mind_Maps development by creating an account on GitHub. |
| 2024-09-21 2024 | Proving API exploitability with Burp Collaborator intermediate Burp | Tool for proving API exploitability using Burp Collaborator, an out-of-band application security testing (OAST) feature. This method allows demonstration of vulnerabilities like RCE, SSRF, and blind XXE by capturing interactions with mock network services (DNS, HTTP, SMTP) without needing to establish reverse shells. Examples include its use in testing CVE-2023-4044, an insecure deserialization flaw in WS_FTP, and against crAPI for blind SSRF detection. Users can leverage hosted services or set up private Burp Collaborator servers. → danaepp.com |
| 2024-09-16 2024 | Automating the CORS Vulnerability Scan intermediate AuthZ Bug Bounty | When conducting a bug bounty, automating your scanning process not only saves time but ensures you don’t miss common vulnerabilities. One… |
| 2024-09-14 2024 | Unlocking OAuth Security intermediate AuthN | In this blog, we will uncover the different oauth security implications on both the client applications and the oauth server. → infosecwriteups.com |
| 2024-09-05 2024 | JWT vs PASETO: New Era of Token-Based Authentication beginner AuthN JWT | This article delves into a comprehensive comparison of Paseto and JWT, dissecting their core functionalities, security features, and… |
| 2024-08-16 2024 | Securing OAuth 2.0 Token Exchange Flow with Keycloak intermediate AuthN JWT | RFC 8693: Token Exchange describes a mechanism for exchanging an existing token (JWT) for a new token with different issuing client id… |
| 2024-08-12 2024 | GitHub - Brum3ns/firefly: Black box fuzzer for web applications beginner Fuzzing | Library for black-box web application fuzzing, Firefly utilizes goroutines for high performance and an inductive engine to analyze responses. It offers customizable payloads, tampering, encoding, and detailed filtering options for request verification and result refinement. Firefly supports various input methods including raw HTTP requests and integrates with tools like `jq` for advanced result analysis. |
| 2024-08-03 2024 | Beyond the Limit: Expanding single-packet race condition with a first sequence sync for breaking the 65,535 byte limit advanced Fuzzing | Technique for expanding single-packet race conditions by overcoming the 1,500-byte request limit. This method leverages IP fragmentation to split large TCP packets across multiple IP packets, allowing for the full utilization of the TCP window size, up to 65,535 bytes. It then employs TCP sequence number reordering, specifically a "First Sequence Sync," to delay server packet processing until the final packet with the initial sequence number is received, enabling the synchronization and simultaneous processing of numerous large requests. |
| 2024-07-30 2024 | OAuth+XSS Attack Threatens Millions of Web Users With Account Takeover beginner AuthN XSS | An attack flow that combines API flaws within "log in with" implementations and Web injection bugs could affect millions of websites. → darkreading.com |
| 2023-10-12 2023 | Web AppSec Interview Questions beginner Bug Bounty | Reference for web application security interview questions, this resource delves into topics such as Web Cache Deception vs. Poisoning, Session Fixation exploitation, Base64 vs. Base64URL, various XSS types, Blind SQL Injection, Same-Origin Policy, HTTP Request Smuggling (TE.TE variant), DOM Clobbering, HTTP Parameter Pollution, IDOR, JWKs/JKUs, Business Logic vulnerabilities, Server-Side Template Injection payloads, Sec-WebSocket-Key header, CSP's "unsafe-inline", stateless authentication weaknesses, CSRF mitigation techniques, XML parameter entities in XXE, DOM-based XSS fixes, CORS Preflight request prevention, Insecure Deserialization exploitation, secure file upload practices, Mass Assignment, GraphQL batching for rate limiting bypass, type juggling with JSON, sensitive data exposure techniques, and CSRF immune requests. |
| 2023-10-09 2023 | What is OAuth (The Modern Guide) beginner AuthN | Guide to OAuth 2.0 detailing eight common real-world modes: local login/registration, third-party/first-party/enterprise login/registration (federated identity), third-party/first-party service authorization, machine-to-machine authentication/authorization, and device login/registration. It clarifies the distinction between OAuth and SAML, explaining OAuth as an authorization system with authentication layered on top, contrasting it with SAML's primary authentication focus. The guide helps developers choose the appropriate OAuth mode based on specific use cases, such as outsourcing authentication, avoiding credential storage, or enabling service-to-service communication. |
| 2023-09-03 2023 | ffuf advanced tricks - ACCEIS intermediate Fuzzing | Library for advanced `ffuf` techniques, focusing on fuzzing capabilities beyond simple directory enumeration. This resource details using configuration files for persistent settings like colorization, custom headers (e.g., `X-SOC-Tag`), and proxy integration. It also covers reading from standard input, employing external payload mutators like Radamsa, and avoiding false negatives with advanced filtering. The content assumes familiarity with basic `ffuf` usage, including fuzzing parameters and identifying virtual hosts. |
| 2023-09-02 2023 | Web AppSec Interview Questions beginner | Reference of web application security interview questions and answers covering topics like Web Cache Poisoning, Session Fixation, SQL Injection variants (Boolean Error Inferential), DOM Clobbering, HTTP Request Smuggling (TE.TE), Cross-Site Scripting (XSS), HTTP Parameter Pollution, Insecure Deserialization, Mass Assignment, GraphQL batching, type juggling, and Cross-Site Request Forgery (CSRF) mitigation techniques. |
| 2023-08-30 2023 | NosyMonkey: API hooking and code injection made easy! advanced Mobile | Library for API hooking and code injection, NosyMonkey simplifies complex tasks for security researchers. It automates the process of making compiled binaries perform unintended actions or alter their behavior without requiring source code modification. NosyMonkey handles the intricate details of creating DLLs, injecting code, and establishing hooks, allowing researchers to easily modify API calls, conceal processes from tools like Task Manager, or dump sensitive information like LSASS credentials, as demonstrated in examples involving API microservicing and direct system calling. |
| 2023-08-22 2023 | (Research) Exploiting HTTP Parsers Inconsistencies advanced Bug Bounty | (Research) Exploiting HTTP Parsers Inconsistencies https://ift.tt/EfMHcVm |
| 2023-07-26 2023 | Web Application Black-Box testing intermediate Bug Bounty Recon | Web Application Black-Box testing https://ift.tt/d1Mrqn4 |
| 2023-07-19 2023 | Web App Hacking with Caido.io intermediate Burp | Web App Hacking with Caido.io https://www.youtube.com/watch?v=lW-u_2EByT4 |
| 2023-06-15 2023 | DetectCrossOriginMessaging intermediate | Library for detecting cross-origin messaging vulnerabilities, specifically those stemming from insecure use of `postMessage` in JavaScript. It helps identify tainted data sources and common sinks like `document.write` and `element.innerHTML`, as well as common origin validation bypasses involving unescaped dots or incomplete regex patterns. This Burp extension aids in investigating `postMessage` implementations to prevent DOM XSS and information leaks. |
| 2023-06-14 2023 | hisxo/JSpector beginner | Extension for Burp Suite, JSpector passively crawls JavaScript files, identifying URLs, endpoints, and dangerous methods. Upon successful loading (requiring Jython), it automatically generates issues in the Dashboard tab, allowing for export of discovered information to the clipboard. |
| 2023-05-27 2023 | open-appsec ML-based WAF protects against modern SQLi AutoSpear evasion techniques news SQLi | Library that uses machine learning to defend against advanced SQL injection evasion techniques, including those demonstrated by the AutoSpear project. It focuses on identifying "non-legitimate" payloads rather than classifying specific attack types, allowing it to block zero-day attacks and bypasses involving complex encoding, case swapping, whitespace substitution, and DML substitution without requiring constant rule updates. |
| 2023-04-13 2023 | OWASP Proactive Controls 2023/2024 v1 beginner AuthN AuthZ | OWASP Proactive Controls 2023/2024 v1 https://ift.tt/xVAnFY5 → docs.google.com |
| 2023-04-13 2023 | WebSockets are a Pain - A Journey in Learning and Leveraging intermediate | Library detailing WebSocket communication, its advantages for attackers like real-time data transfer and bypassing proxies, and its handshake process. The entry includes practical applications for Command and Control (C2) infrastructure using tools like Caddy, PowerShell, and native Linux tooling such as websocat, demonstrating how to leverage WebSockets for covert communication and data exfiltration. → blog.zsec.uk |
| 2023-04-10 2023 | How to Implement OAuth 2.0 Login for Python Flask Web Server Applications intermediate AuthN Python | Tutorial on implementing OAuth 2.0 login for Python Flask web server applications. This guide details enabling Google APIs, creating OAuth client IDs, securely storing credentials, and writing Python code for the login flow. It covers redirect URIs, environment variables, and front-end HTML templates, with complete code available on GitHub. |
| 2023-04-08 2023 | HTTPolice beginner | Library for validating HTTP requests and responses, HTTPolice identifies syntax errors in headers, incorrect status codes, and other common issues. It functions as a command-line tool capable of parsing HAR files and raw HTTP/1.x TCP streams, integrating with mitmproxy for TLS and HTTP/2 traffic, or serving as a Python library. Integrations include a Django package and a Chrome extension. HTTPolice was inspired by REDbot but focuses on analyzing provided traffic rather than active testing. |
| 2023-04-05 2023 | OAuth 2.0 beginner AuthN | Library for implementing OAuth 2.0 authorization flow, specifically for the Google APIs Client Library for Python. It guides users on acquiring client IDs and secrets, managing browser redirects with `Flow` classes like `InstalledAppFlow`, and exchanging authorization codes for `Credentials` objects. The library supports both end-user authorization and service account authentication, deprecating the older `oauth2client` library in favor of `google-auth` and `google-auth-oauthlib`. |
| 2022-06-09 2022 | Favorite tweet by @fardeenahmed411 beginner Bug Bounty | Favorite tweet: API Bug-Bounty Tools Check list (Part - 1) - Postman (It is like Burpsuite for API) - APISec - AppKnox - Synopsis API Scanner - Data Theorem API Secure #cybersecuritytips #bugbountyti... |
| 2022-03-23 2022 | Favorite tweet by @imranparray101 news Bug Bounty | Favorite tweet: We at @snap_sec recently published a bunch of articles on “Attacking modern web apps” , go check them out. 👇 https://t.co/dwzeO7cGl2 https://t.co/8bpZX25CTL https://t.co/WHT1rreRro ht... |
| 2022-01-08 2022 | Damn Vulnerable GraphQL Application beginner GraphQL | Library for practicing GraphQL security, Damn Vulnerable GraphQL Application (DVGA) is an intentionally insecure implementation featuring numerous flaws including injections, code execution, authorization bypasses, denial of service, and SSRF. It offers beginner and expert modes, covering scenarios like GraphQL introspection, batch query attacks, and OS command injection, with a provided Postman collection for challenge solutions. |
| 2022-01-06 2022 | awesome-apisec beginner | Library of open-source API security tools and resources, curated for community benefit. It categorizes offerings into areas like API keys, enumeration, fuzzing, firewalls, and design, along with books, cheat sheets, and presentations. The repository emphasizes community contributions and avoids vendor-specific, commercial, or closed-source materials, focusing strictly on relevance to API security, bug hunting, hardening, and hacking. |
| 2021-12-15 2021 | REST Resources Provided By: Bitbucket Server - REST beginner | Reference for Bitbucket Server's REST API, detailing how to access resources via URIs, utilize HTTP methods like GET and POST, and handle JSON responses. It explains paging mechanisms, authentication methods (HTTP Basic, OAuth, Cookies, Trusted Applications), and common error responses including 40x client errors and 500 server errors. The reference covers accessing personal repositories through both project-centric and user-centric URLs, and includes specific examples for clearing CAPTCHAs and deleting groups. |
| 2021-11-26 2021 | Phantom - A multi-platform HTTP(S) Reverse Shell Server and Client intermediate RCE | Library for building multi-platform HTTP(S) reverse shells, Phantom provides a server and client implemented in Python 3. It facilitates encrypted communication via HTTPS by supporting auto-generated or user-supplied certificates and includes a helper script for generating self-signed certificates. Binaries for Linux and Windows can be built using PyInstaller, with client binaries containing hardcoded server URLs for stealthy connections. Phantom supports dependency management via Poetry or Virtualenv. |
| 2021-11-23 2021 | Hacking OAuth Applications intermediate AuthN | Talk from DEF CON 31 detailing how to hack OAuth applications. It covers vulnerabilities like impersonation by manipulating access tokens and state parameters, authorization code theft via manipulated redirect URIs, and bypassing validation with localhost URIs or duplicate parameters. The talk also discusses stealing implicit grant tokens, exploiting registration flaws for account takeovers, and leaking tokens via Host header injection. |
| 2021-11-13 2021 | Web Attack Cheat Sheet beginner Bug Bounty SQLi XSS | Cheatsheet detailing web attack techniques, including discovery, enumeration, scanning, monitoring, manual payloads, bypasses, and specific vulnerabilities like SSRF, XXE, OAuth, DNS Rebinding, HTTP/SMTP Header Injection, Web Shells, Reverse Shells, SQLi, XSS, XPath Injection, Path Traversal, LFI, SSTI, Information Disclosure, and WebDAV. It also references tools and data sources for reconnaissance, CDN IP range identification, origin IP discovery, and subdomain enumeration. |
| 2021-11-12 2021 | Advanced request smuggling advanced SSRF | Library detailing advanced HTTP request smuggling techniques, building on fundamental concepts to explore potent HTTP/2 vectors. It covers how common HTTP/2 implementations, including H2.CL and H2.TE vulnerabilities stemming from HTTP/2 downgrading, enable new attack opportunities. The library also addresses response queue poisoning, persistent response cache poisoning for site takeover, and constructing high-severity exploits even without connection reuse, with examples referencing Black Hat USA 2021 research. → portswigger.net |
| 2021-11-10 2021 | Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond intermediate | Library for practical HTTP header smuggling, a technique that hides request headers from some servers in a chain while others see them. This method identifies header smuggling by comparing server responses to mutated headers versus regular ones, demonstrating its effectiveness in bypassing AWS API Gateway IP restrictions and AWS Cognito rate limiting. The research also details how header smuggling can lead to exploitable cache poisoning, and presents a black-box methodology for detecting CL.CL request smuggling vulnerabilities. |
| 2021-11-01 2021 | MalAPI.io beginner Mobile | MalAPI.io |
| 2021-10-26 2021 | How to set up Docker for Varnish HTTP/2 request smuggling intermediate | Walkthrough of setting up a Docker environment to test HTTP/2 request smuggling, focusing on CVE-2021-36740. This technique exploits how H2-compatible proxies rewrite HTTP/2 requests to HTTP/1.1, specifically when Varnish cache improperly handles the `Content-Length` header during this conversion, allowing malicious requests to be prepended to subsequent legitimate ones. The setup involves Varnish, Hitch for TLS termination, and origin servers. → labs.detectify.com |
| 2021-10-25 2021 | HTTP Headers beginner | Cheatsheet detailing security-focused HTTP headers like X-Frame-Options, Content Security Policy (CSP) frame-ancestors, X-Content-Type-Options, Referrer-Policy, Strict-Transport-Security (HSTS), and recommendations for their configuration to prevent vulnerabilities such as Cross-Site Scripting and Clickjacking. It also covers other headers including X-XSS-Protection, Content-Type, Cache-Control, Set-Cookie, and Access-Control-Allow-Origin, highlighting their roles in enhancing web application security. → cheatsheetseries.owasp.org |
| 2021-09-21 2021 | HTTPS Cheat Sheet beginner | Cheatsheet for HTTPS configuration, detailing acceptable TLS protocols, cipher suite breakdown (key exchange, authentication, cipher, mode), and recommended Nginx/Apache directives. It covers HSTS, OCSP Stapling, and performance benefits like HTTP/2 and Brotli compression, with links to SSL Labs, securityheaders.io, Mozilla's config generator, and articles on HSTS and migration strategies. |
| 2021-09-15 2021 | HTTP Parameter Pollution intermediate | HTTP Parameter Pollution |
| 2021-09-06 2021 | Exploiting GraphQL intermediate GraphQL | Tool BatchQL aids in exploiting GraphQL by identifying introspection query support, schema suggestions, and potential CSRF vulnerabilities. It performs batching attacks, including JSON list-based and query name-based methods, to bypass rate limiting and uncover sensitive mutations. The tool leverages techniques described in blog posts and integrates with external resources like Clairvoyance and the Altair Chrome Extension for schema recovery. |
| 2021-09-01 2021 | Shopify API versioning intermediate | Reference for Shopify API versioning details its quarterly release schedule for stable API versions (e.g., 2026-04), which are supported for at least 12 months with nine months of overlap. It distinguishes between stable, release candidate, and unstable versions, and outlines deprecation processes for outdated or unsafe features, with potential delisting from the Shopify App Store for non-compliance. |
| 2021-08-30 2021 | api_wordlist beginner Recon | Library of API function names for web application API fuzzing. Includes pre-compiled lists like `api_seen_in_wild.txt`, `actions.txt`, and `objects.txt`, alongside variations for case sensitivity. The resource details how to effectively use these lists within Burp Suite's Intruder, configuring it for "Cluster Bomb" attacks with "Runtime file" payloads to test API endpoints. |
| 2021-08-30 2021 | Cross-Site WebSocket Hijacking (CSWSH) intermediate XSS | Cross-Site WebSocket Hijacking (CSWSH) |
| 2021-08-25 2021 | Inside Figma: securing internal webapps intermediate | Library for securely exposing internal web applications, detailing Figma's system built with AWS Application Load Balancers and Okta. It leverages SAML for authentication, AWS Cognito for identity management, and Terraform for infrastructure-as-code. The system emphasizes zero-trust principles, strong authentication via WebAuthn and MFA, centralized authorization using Okta Groups, and minimizes operational toil for the security team. |
| 2021-08-25 2021 | API Testing with HTTPie beginner Python | API Testing with HTTPie |
| 2021-08-21 2021 | API Security 101: Security Misconfiguration beginner | API Security 101: Security Misconfiguration |
| 2021-08-12 2021 | HTTP/2: The Sequel is Always Worse advanced | Analysis of HTTP/2 vulnerabilities, including H2.CL and H2.TE request desynchronization attacks that target front-end servers downgrading HTTP/2 to HTTP/1.1. Case studies demonstrate exploitation against Amazon's Application Load Balancer and Netty, with one vulnerability leading to CVE-2021-2195 and maximum bug bounties by compromising Netflix accounts through JavaScript hijacking. Novel techniques and tooling for identifying and exploiting these widespread, overlooked request smuggling variants are also presented. → portswigger.net |
| 2021-07-22 2021 | HackerOne Hacker API tools beginner | Library of Hacker API tools for bug bounty reconnaissance and reporting, including BBRF for workflow coordination, bbscope for scope gathering across platforms like HackerOne and Bugcrowd, Depcher for technology stack analysis and Vulners scans, and h1_2_nuclei for scanning programs with Nuclei. It also features tools like HackerBot for report notifications, h1scope for retrieving in-scope items, and reNgine for automated web application reconnaissance. |
| 2021-07-14 2021 | RequestBin Collect inspect and debug HTTP requests and webhooks beginner Burp | Platform for inspecting and debugging HTTP requests and webhooks, offering cloud storage for persistent data access across devices, real-time request monitoring, and detailed analytics. It supports collaboration for distributed teams and remote development, built on SOC 2, GDPR, and CCPA compliant infrastructure, serving as a reliable service since 2018 for developers. |
| 2021-06-30 2021 | Web-Application-Pentest-Checklist beginner Bug Bounty Recon | This document is a comprehensive checklist for web application penetration testing. It outlines the key areas and steps involved in assessing the security of web applications. The checklist covers various testing phases, including information gathering, reconnaissance, vulnerability scanning, manual testing, and reporting. It aims to provide a structured approach for pentesters to ensure thorough coverage of potential security weaknesses. The content focuses on practical methodologies and common attack vectors. |
| 2021-06-28 2021 | Guide To Shopify Webhooks Features And Best Practices beginner | Library for managing Shopify webhooks, detailing their features, configuration via Admin Dashboard, GraphQL Admin API, REST Admin API, or app TOML. It covers webhook payload structures, security best practices including HMAC-SHA256 signature verification and responding within 5 seconds, and implementing idempotency using the X-Shopify-Event-Id header. The guide also touches upon GDPR compliance webhooks like customers/data_request and customers/redact. |
| 2021-06-21 2021 | OAuth 2.0 Token Binding intermediate AuthN | OAuth 2.0 Token Binding enhances security by cryptographically binding access tokens to the underlying TLS connection. This prevents token reuse if a token is intercepted, as the attacker would lack the corresponding TLS session key. It ensures that a token can only be used by the client that originally received it, bolstering protection against various attack vectors like token theft and replay attacks. The implementation focuses on securing the token's lifecycle within a specific secure connection. |
| 2021-05-24 2021 | Sending webhooks securely intermediate | Library for securely sending webhooks, addressing vulnerabilities like SSRF and DNS rebinding. It details mitigation strategies, including proper IP validation after DNS resolution to prevent attacks like those found in PagerDuty and DialogFlow. The library also covers authentication methods such as request signing with HMAC or digital signatures, and mutual TLS, noting potential issues with confused deputy problems in services like Google DialogFlow and PagerDuty. It recommends using languages with robust TLS implementations like Go or Java over those relying on OpenSSL bindings for certificate chain verification. |
| 2021-05-14 2021 | Creating an Authentication API with GolangUsing Gin & Nrok intermediate AuthN | This article outlines the process of building an authentication API using Golang, the Gin web framework, and Nrok for tunneling. It likely covers setting up a Gin server, implementing authentication logic (e.g., user registration, login, token generation), and using Nrok to expose the local development server for testing. The focus is on practical implementation steps for creating a functional authentication system. |
| 2021-05-06 2021 | CWE-598: Information Exposure Through Query Strings in GET Request beginner | CWE-598 describes the vulnerability where sensitive information is exposed through query strings in GET requests. This occurs when confidential data, such as credentials or personal details, is appended directly to the URL. Attackers can easily access this information through browser history, server logs, or by intercepting network traffic. This practice should be avoided, and sensitive data should be transmitted using more secure methods like POST requests or encrypted channels. |
| 2021-05-06 2021 | XSS Through Parameter Pollution intermediate XSS | This content explains how Cross-Site Scripting (XSS) vulnerabilities can be exploited through parameter pollution. This technique involves injecting malicious scripts by manipulating multiple parameters within a single request. Attackers can leverage this to bypass security filters and execute arbitrary code in a user's browser. The article details the methods used for such attacks and emphasizes the importance of robust input validation to prevent them. |
| 2021-05-04 2021 | OAuth 2.0: Security Considerations beginner AuthN | Reference detailing OAuth 2.0 security considerations, including common mistakes in Classic Web Applications, Single Page Applications, and Mobile Applications. It elaborates on design choices, implementation pitfalls, and exploitation techniques, referencing RFCs like 6749 and 7636. The resource utilizes a sample "gallery" application and its integrations like "photoprint" and "mypics" to illustrate secure OAuth 2.0 flows, such as authorization code grant with PKCE, and discusses token introspection and revocation. |
Frequently Asked Questions
- What is the OWASP API Security Top 10?
- The OWASP API Security Top 10 is a list of the most critical API security risks, including Broken Object Level Authorization (BOLA), Broken Authentication, Broken Object Property Level Authorization, Unrestricted Resource Consumption, Broken Function Level Authorization, Server Side Request Forgery, Security Misconfiguration, and Lack of Protection from Automated Threats.
- Why are APIs harder to secure than web applications?
- APIs often expose more data and functionality than web UIs, accept complex input formats, lack the natural access controls of a browser interface, and are harder to monitor. They also tend to grow organically, creating shadow APIs that bypass security controls, and their machine-to-machine nature makes abuse detection more difficult.
- What tools are used for API security testing?
- Common tools include Burp Suite with API-focused extensions, Postman for manual testing, OWASP ZAP for automated scanning, Akto for API inventory and testing, and custom scripts for fuzzing API parameters. For GraphQL APIs, InQL and graphql-cop are essential. API specification files (OpenAPI/Swagger) are valuable for understanding and testing the full attack surface.
Weekly AppSec Digest
Get new resources delivered every Monday.