API Security
API security addresses the unique vulnerabilities that arise when applications expose functionality through programmatic interfaces. As organizations shift to API-first architectures, microservices, and third-party integrations, APIs have become the primary attack surface for modern applications. The OWASP API Security Top 10 identifies critical risks including Broken Object Level Authorization (BOLA), mass assignment, excessive data exposure, and lack of rate limiting. APIs often inadvertently expose more data than their UI counterparts, accept parameters that bypass frontend validation, and may lack the authentication and authorization checks that browser-based interfaces enforce. REST, GraphQL, gRPC, and WebSocket APIs each present distinct security challenges. Effective API security requires authentication hardening, input validation, output filtering, rate limiting, proper error handling, and comprehensive logging across every endpoint.
| Date Added | Link | Excerpt |
|---|---|---|
| 2026-06-21 NEW 2026 | WordPress Email Plugin Flaw Triggers 17 Million Attacks: Gravity SMTP Leaks Live API Keys news | A vulnerability in the popular WordPress plugin Gravity SMTP has led to an estimated 17 million attacks. The flaw allows attackers to potentially access live API keys, posing a significant security risk. This widespread exploitation highlights the need for prompt patching and security updates for widely used plugins. → techtimes.com |
| 2026-06-21 NEW 2026 | Hackers Exploit Klue Integration to Steal Salesforce CRM Data Using OAuth Tokens news | Hackers are exploiting a vulnerability in the Klue integration with Salesforce CRM to steal sensitive data. The attackers are leveraging compromised OAuth tokens to gain unauthorized access to Salesforce accounts. This allows them to exfiltrate customer information and other critical business data stored within the CRM. The exploit highlights the risks associated with third-party integrations and the importance of securing OAuth tokens. → gbhackers.com |
| 2026-06-21 NEW 2026 | Hackers Exploit Gravity SMTP WordPress Plugin Vulnerability news | Hackers are actively exploiting a vulnerability in the Gravity SMTP WordPress plugin. The exploit allows them to send emails from compromised websites without the site owner's knowledge, potentially for phishing or spam campaigns. This poses a significant security risk to websites using the affected plugin. Users are advised to update to the latest version to patch this vulnerability and protect their sites. → securityboulevard.com |
| 2026-06-21 NEW 2026 | Custom runtime rules and runtime response policies: new layers of defense intermediate | Wiz has introduced custom runtime rules and runtime response policies to enhance security. These new features provide additional layers of defense, allowing organizations to implement tailored security measures. The goal is to strengthen a defense-in-depth strategy by offering more granular control over runtime environments and enabling proactive responses to detected threats. → wiz.io |
| 2026-06-21 NEW 2026 | GenAI risks to be aware of — and prepare for — according to Gartner® news AI | Gartner warns that the adoption of Generative AI (GenAI), Large Language Models (LLMs), and chat interfaces significantly broadens the potential attack surface, leading to heightened security risks. Organizations must prepare for these expanded threats as the technology becomes more integrated into their systems. → wiz.io |
| 2026-06-21 NEW 2026 | How Wiz customers are flippin' vulnerabilities this July 4th weekend news | This July 4th weekend, Wiz highlights how 40% of its customers have achieved "Zero Critical Club" status. Three companies successfully eliminated critical vulnerabilities in their cloud environments, demonstrating the effectiveness of Wiz's platform. The content focuses on the achievements of these customers in bolstering their cloud security. → wiz.io |
| 2026-06-21 NEW 2026 | Enhance existing security workflows with high-fidelity cloud security data from Wiz in ServiceNow intermediate | Wiz enhances ServiceNow security by integrating high-fidelity cloud and container security data. This integration enriches the ServiceNow CMDB, vulnerability response, and IT service management solutions with critical context from Wiz. Organizations can thus improve their existing security workflows by leveraging Wiz's comprehensive visibility into cloud environments. → wiz.io |
| 2026-06-21 NEW 2026 | SAPwned: SAP AI vulnerabilities expose customers’ cloud environments and private AI artifacts news AI | Wiz Research has discovered critical vulnerabilities in SAP AI Core, dubbed "SAPwned," that enable attackers to compromise customer cloud environments. These flaws could lead to the unauthorized access and exfiltration of sensitive customer data and private AI artifacts. The exploitation allows for full takeover of the SAP AI Core service, posing a significant risk to organizations using SAP's AI solutions. → wiz.io |
| 2026-06-21 NEW 2026 | Your control tower to secure code across GitHub, GitLab, and Azure Repos intermediate Supply Chain | Wiz offers a unified security platform for GitHub, GitLab, and Azure Repos, acting as a control tower for secure code. It leverages the Wiz Security Graph, configuration checks, and advanced code scanning to protect the entire development pipeline. This solution helps organizations maintain code security and streamline their development processes across multiple code repositories. → wiz.io |
| 2026-06-21 NEW 2026 | Is your team on the *security* naughty or nice list? beginner AI | This holiday season, assess your organization's security practices regarding AI, application security tooling, and other security-related areas. The content prompts a self-evaluation: are your current practices leading you to the security "naughty" or "nice" list this year? It's a metaphorical call to action for a year-end security check-up. → snyk.io |
| 2026-06-21 NEW 2026 | Build and deploy a Node.js security scanning API to Platformatic Cloud intermediate | This guide demonstrates how to build and deploy a Node.js security scanning API on Platformatic Cloud. It leverages Platformatic and Fastify for rapid, secure backend development, integrating with Snyk for security scanning capabilities. The focus is on creating a robust and secure application. → snyk.io |
| 2026-06-20 NEW 2026 | Mass Exploitation of Gravity SMTP Plugin Exposes Enterprise API Keys Globally news 3 min read | Tool for mass exploitation of Gravity SMTP plugin, registered as CVE-2026-4020, which leaks enterprise API keys globally. The vulnerability arises from an unauthenticated API endpoint that unconditionally returns "true" for permission checks, allowing attackers to retrieve detailed server configurations including web server versions, document roots, and active extensions. This high-fidelity reconnaissance data, alongside exposed API credentials for services like AWS, Google, Mailjet, and Zoho, facilitates targeted attacks and the weaponization of trusted email supply chains. → the420.in |
| 2026-06-20 NEW 2026 | JetBrains Plugin Security Alert: 70000 Installs Linked to AI Key Theft news | A JetBrains plugin with over 70,000 installations has been identified as a security risk, potentially stealing AI API keys. The plugin's malicious code was designed to exfiltrate sensitive authentication credentials. Users are strongly advised to uninstall the plugin immediately and to change their AI API keys. This incident highlights the importance of careful vetting of third-party software, especially in development environments where sensitive data is handled. → gbhackers.com |
| 2026-06-20 NEW 2026 | Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys news 2 min read | Writeup of CVE-2026-4020 in Gravity SMTP, a WordPress plugin that allows unauthenticated attackers to extract API keys and system details via an exposed REST API endpoint. Exploited versions can reveal sensitive data including PHP and web server versions, active plugins, WordPress configuration, and credentials for email integrations like Amazon SES and Google. Attackers leverage this information for further compromise. A patch is available in version 2.1.5. → thehackernews.com |
| 2026-06-20 NEW 2026 | Avoiding security incidents due to request collapsing intermediate 5 min read | Library for mitigating security incidents caused by request collapsing in web caching, a feature of caching services like Amazon CloudFront that can return sensitive data intended for one user to multiple others. This behavior occurs when multiple identical requests for the same cache key arrive before the first response is returned, leading to delayed requests receiving a response that should not have been cached, even when Cache-Control: no-cache is used. The library suggests using the "CachingDisabled" managed cache policy or setting minimum TTL to 0 and configuring the origin to send Cache-Control: no-cache. → wiz.io |
| 2026-06-20 NEW 2026 | Node.js Fixes 12 Vulnerabilities Including 2 High-Severity Authentication Bypasses news | Node.js has released security updates addressing 12 vulnerabilities. Two of these are high-severity authentication bypass flaws. The fix addresses critical security weaknesses in the Node.js runtime, enhancing its overall security posture. Users are advised to update to the latest versions to protect against these newly resolved issues. → cybersecuritynews.com |
| 2026-06-19 NEW 2026 | API Sprawl beginner 10 min read | Analysis of API Sprawl discusses the security risks and inefficiencies arising from unmanaged and undocumented APIs. Fueled by factors like decentralized development, microservices architectures, and DevOps practices, API sprawl leads to an expanded attack surface, with instances of shadow and zombie APIs posing significant threats. Organizations like Imperva report having more active APIs than they are aware of, contributing to an average of 10% to 20% more. This proliferation, highlighted by SALT's survey showing 57% of organizations suffering API-related data breaches, underscores the urgent need for robust API management and governance to mitigate security vulnerabilities and costs. |
| 2026-06-19 NEW 2026 | Node.js Releases Security Updates for 12 Vulnerabilities Two Rated High Severity news | Node.js has released security updates addressing 12 vulnerabilities, with two classified as high severity. These updates are crucial for maintaining the security and integrity of applications built with Node.js. Users are strongly advised to apply these patches promptly to mitigate potential risks associated with the identified vulnerabilities. → gbhackers.com |
| 2026-06-19 NEW 2026 | Hackers Breach Klue Integration to Steal Salesforce CRM Data news | Hackers exploited a vulnerability in Klue's integration with Salesforce CRM, leading to the theft of customer data. The breach targeted the connection between the two platforms, compromising sensitive information stored within Salesforce. Further details on the exact nature of the exploited vulnerability and the extent of the data stolen are still emerging. This incident highlights the security risks associated with third-party integrations and the critical need for robust security measures in cloud-based CRM systems. → cyberpress.org |
| 2026-06-19 NEW 2026 | How to secure Python Flask applications beginner 14 min read Python | Library for securing Python Flask applications, addressing common vulnerabilities like XSS, CSRF, and SQL injection. It details insecure configurations such as secret key exposure, enabled debug mode in production, and unprotected sensitive data in configuration files. The resource highlights best practices like using environment variables for credentials, securely generating secret keys with `uuid`, and leveraging tools like Snyk for vulnerability detection and mitigation. → snyk.io |
| 2026-06-19 NEW 2026 | Preventing broken access control in express Node.js applications beginner 11 min read AuthZ | Library for preventing broken access control in Express.js Node.js applications, detailing vulnerabilities like unprotected admin panels, query parameter manipulation, obscure routes, clear text logging, insecure direct object references (IDOR), and missing CSRF protections. This resource explains how these flaws allow unauthorized access to sensitive data and administrative functions, impacting user privacy and system integrity. → snyk.io |
| 2026-06-19 NEW 2026 | Build an IDOR Vulnerability Lab: Why WHERE Clauses Don’t Protect Your API. intermediate IDOR | This article explains how IDOR (Insecure Direct Object Reference) vulnerabilities can occur in backend APIs, demonstrating that WHERE clauses alone do not adequately protect against them. The author emphasizes that API calls can be manipulated before reaching the server, leading to insecure queries. The content aims to teach developers how to make queries safer by addressing this common oversight. → infosecwriteups.com |
| 2026-06-19 NEW 2026 | Shynet | VERSION 0.13.1 news 11 min read Bug Bounty | Library identifying stored cross-site scripting (CVE-2026-35508) and password reset poisoning vulnerabilities in Shynet version 0.13.1. The XSS flaw allowed unauthenticated attackers to inject malicious JavaScript into analytics tracking scripts, potentially compromising all monitored web applications. The password reset vulnerability enabled account takeover via spoofed Host headers. Updates to version 0.14.0 are recommended. → bishopfox.com |
| 2026-06-18 NEW 2026 | Hackers Exploit WordPress SMTP Plugin With 100000 Installs to Steal Sensitive Data news | Hackers Exploit WordPress SMTP Plugin With 100,000+ Installs to Steal Sensitive Data https://ift.tt/7jPmD58 → gbhackers.com |
| 2026-06-18 NEW 2026 | How to secure a REST API? beginner 11 min read | Library for securing REST APIs, addressing injection attacks, broken authentication (like the 2018 Reddit breach), sensitive data exposure, rate limiting vulnerabilities (seen in the 2016 Dyn attack), and insecure dependencies (as with the 2017 Equifax breach via Apache Struts). It details implementing OAuth 2.0 and JWT for authentication, secure token management, enforcing HTTPS, and using AES encryption. The library also highlights the importance of HTTP headers such as Content Security Policy (CSP) and X-Content-Type-Options, recommending tools like Snyk Code and Snyk Open Source for vulnerability detection. → snyk.io |
| 2026-06-17 NEW 2026 | 42Crunch and GitHub Copilot Bring Deterministic API Security Guardrails to Agentic DevSecOps beginner | 42Crunch and GitHub Copilot are integrating to provide deterministic API security guardrails for agentic DevSecOps. This collaboration aims to enhance the security of API development by embedding security checks directly into the development workflow. By leveraging Copilot's AI capabilities alongside 42Crunch's API security platform, developers can proactively identify and address potential vulnerabilities, leading to more secure APIs from the outset. The goal is to streamline security processes and improve the overall resilience of API-driven applications. |
| 2026-06-17 NEW 2026 | Bug Bounty Bootcamp #45: Token? intermediate AuthN | In Bug Bounty Bootcamp #45, a critical vulnerability is highlighted: a password reset function that inadvertently leaks the magic token in its API response. This discovery poses a significant security risk, potentially allowing unauthorized access. The article suggests that developers may have even left an endpoint that directly provides this sensitive token, exacerbating the vulnerability. Further details on this insecure implementation and its implications can be found on InfoSec Write-ups. → infosecwriteups.com |
| 2026-06-17 NEW 2026 | Mastery Hunt: Hidden API Endpoints — A Deep Dive into API Bug Bounty Recon & Exploitation intermediate Bug Bounty Recon | This article explores API security testing as a prime area in bug bounty hunting, highlighting APIs as sources of sensitive data and critical vulnerabilities. It details the process of discovering, analyzing, and exploiting hidden API endpoints for bug bounty and penetration testing. The initial phase covered is "Surface Reconnaissance," focusing on methods for identifying the attack surface through passive reconnaissance techniques. The writeup aims to provide a comprehensive guide to API bug bounty reconnaissance and exploitation. → infosecwriteups.com |
| 2026-06-16 NEW 2026 | Radware Introduces AI Xploit Shield for Rapid Protection Against Application Vulnerabilities news 10 min read | Service from Radware, AI Xploit Shield, automates the creation of custom protections against newly discovered application and API vulnerabilities. This real-time service addresses the shrinking window between vulnerability identification and exploitation, offering virtual patching to block attacks without altering existing software. AI Xploit Shield aims to reduce operational risks by providing security teams time to validate and deploy fixes, ensuring consistent security across cloud, hybrid, and on-premises environments. |
| 2026-06-16 NEW 2026 | IngressNightmare: CVE-2025-1974 - 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX news 14 min read RCE | Writeup of IngressNightmare, a critical RCE vulnerability (CVE-2025-1974) in Ingress NGINX Controller for Kubernetes, allowing unauthenticated attackers to access cluster secrets and achieve full takeover. Discovered by Wiz Research, the vulnerability affects the admission controller component, which is often exposed externally and runs with elevated privileges. Exploitation involves injecting malicious NGINX configurations to trigger code execution within the controller's pod. Mitigation includes updating to patched versions or disabling the admission controller. A Nuclei template is available for detection. → wiz.io |
| 2026-06-16 NEW 2026 | Extending developer security with dev-first dynamic testing news 7 min read Fuzzing | Probely, a library for dynamic application security testing (DAST) and API security acquired by Snyk, offers a developer-first approach to testing. It integrates with CI/CD pipelines, boasts a low false positive rate of approximately 0.1%, and provides a simple user experience. This capability helps developers identify and fix security issues earlier in the SDLC, aligning with a "shift left" security model and addressing the growing need for API security in the GenAI era. → snyk.io |
| 2026-06-16 NEW 2026 | Working with SBOM Data via the Anchore Enterprise API intermediate | The Anchore Enterprise API allows users to programmatically access and work with Software Bill of Materials (SBOM) data. This enables automation of security and compliance tasks by integrating SBOM analysis into existing workflows. The API provides access to detailed information about software components, their dependencies, and associated vulnerabilities. This facilitates better understanding and management of the software supply chain. → securityboulevard.com |
| 2026-06-15 NEW 2026 | Google Bug Hunter Claims $500K From AI-Assisted Vulnerability Pipeline news 2 min read | Pipeline for AI-assisted vulnerability discovery, reportedly used by researcher Brutecat to claim over $500,000 in Google bug bounties. This workflow leverages API discovery documents, gathered API keys from APKs, and a Chrome extension for network traffic analysis to identify over 1,500 APIs. The pipeline converts API definitions into testable formats for AI models to detect broken access control, including insecure direct object references, across services like Google Voice/Fiber and YouTube, with reported bounties ranging from $12,000 to $30,000. → techrepublic.com |
| 2026-06-15 NEW 2026 | SecSuite - AI-powered Tool for OSINT Web and API Security Testing intermediate | SecSuite is an AI-powered tool designed for open-source intelligence (OSINT), web, and API security testing. It automates the process of identifying vulnerabilities and gathering intelligence, streamlining security assessments. The tool aids in discovering potential risks within web applications and APIs by leveraging AI capabilities for enhanced efficiency and accuracy in security testing. → cybersecuritynews.com |
| 2026-06-15 NEW 2026 | Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know news 3 min read | Analysis of CVE-2025-5349, CVE-2025-5777, and CVE-2025-6543, critical vulnerabilities in NetScaler ADC and Gateway. CVE-2025-5777, a memory overread, and CVE-2025-6543, a memory overflow, have been exploited in the wild, with the latter described as a 0-day. CVE-2025-5349 is an improper access control flaw. Organizations are advised to patch urgently to mitigate risks including unauthorized access, sensitive data leakage, and potential remote code execution. → wiz.io |
| 2026-06-15 NEW 2026 | SharePoint Vulnerabilities (CVE-2025-53770 & CVE-2025-53771): Everything You Need to Know news 3 min read | Analysis of CVE-2025-53770 and CVE-2025-53771, actively exploited zero-day vulnerabilities in on-premises Microsoft SharePoint servers. CVE-2025-53770 is a critical RCE via unsafe deserialization, forming the execution stage of the ToolShell exploit chain. CVE-2025-53771 is a spoofing vulnerability enabling authentication bypass via header spoofing. These are bypasses of earlier vulnerabilities CVE-2025-49704 and CVE-2025-49706, respectively. The chained ToolShell exploit was demonstrated at Pwn2Own Berlin and actively exploited in the wild following emergency patches. → wiz.io |
| 2026-06-15 NEW 2026 | Securing the Digital Future: AppSec Best Practices in Digital Banking beginner 3 min read AuthZ | Talk slides from the Digital Banking Asia Summit 2024 detailing application security challenges in financial services, including regulatory compliance, third-party integration, sophisticated attackers, application complexity, legacy systems, resource limitations, insider threats, and release velocity. The presentation also covered key challenges for developers and security teams, leadership considerations for CTOs and CISOs, and five pillars of success in application security: developer adoption, security trust, delivering fixes, a comprehensive platform, and a strong partner ecosystem. → snyk.io |
| 2026-06-15 NEW 2026 | BFI’s Journey in Digital Transformation: A Fireside Chat on Elevating Application Security and Developer Experience beginner 2 min read AuthZ | Talk from CISO Indonesia 2024 discussing BFI Finance's digital transformation and application security journey. BFI transitioned from reactive pen tests to proactive security using Snyk, implementing pull request scans, code scans during development, IaC scans for Terraform, and container scans. This shift resulted in zero critical/high production issues, improved developer experience through IDE and CI/CD integration, and enhanced reporting. The talk highlighted collaboration across teams and cultural transformation as key to elevating secure development standards. → snyk.io |
| 2026-06-14 2026 | Wiz Research Discovers One in Five Organizations Exposed to Systemic Risks in Vibe-Coded Applications - Here's How to Secure Them intermediate 8 min read AuthZ | Library for securing applications built with "vibe coding" platforms. This resource details four common systemic risks: authentication logic in the browser, exposed API keys in client-side code, overly permissive Supabase Row-Level Security policies, and insecure serverless functions. It provides actionable solutions including enforcing server-side authentication, proxying API calls through secure backends, and correctly configuring Supabase RLS. The research highlights that 1 in 5 organizations are at risk due to these preventable misconfigurations. → wiz.io |
| 2026-06-14 2026 | Beyond CVEs: The Exploitation of Everyday Misconfigurations intermediate 6 min read AuthZ | Analysis of everyday cloud misconfigurations, such as unrestricted access, default credentials, excessive permissions, and exposed databases, reveals these are actively exploited pathways for attackers. The article details how misconfigurations in tools like Selenium Grid, Spring Boot Actuator, and PostgreSQL can lead to Remote Code Execution (RCE), Server-Side Request Forgery (SSRF), and data exfiltration, often bypassing traditional CVE scanning. It emphasizes proactive perimeter scanning and shifting security left within CI/CD pipelines to mitigate these silent risks. → wiz.io |
| 2026-06-14 2026 | Consolidate Security Findings with Snyk and Google Security Command Center intermediate 3 min read | Integration between Snyk and Google Security Command Center consolidates application and cloud security findings into a single view. This allows CISOs and security teams to monitor Snyk-detected application vulnerabilities, such as critical issues in open-source libraries within container images, alongside cloud security issues identified by Security Command Center. The integration streamlines risk management, enables near real-time detection, and prioritizes remediation by providing actionable advice from Snyk alongside Google's threat intelligence and Mandiant's expertise. → snyk.io |
| 2026-06-14 2026 | Incorporating security by design: Managing risk in DevSecOps beginner 4 min read | Guide to integrating security by design into DevSecOps, emphasizing proactive risk management by embedding security from initial design and coding through deployment. This approach, which moves beyond traditional "shift-left" security, leverages automated code reviews, threat modeling, and developer-first security tools like Snyk to prevent vulnerabilities, reduce late-stage remediation costs, and ensure resilient software development. → snyk.io |
| 2026-06-14 2026 | Solving Security Challenges with Snyk Code and Symbolic AI intermediate 3 min read | Library that leverages Symbolic AI for static application security testing (SAST). Snyk Code analyzes code paths to detect vulnerabilities, outperforming traditional pattern-matching methods. It successfully identified open redirects in Python Flask applications, and Server-Side Request Forgery (SSRF), Cross-Site Scripting (XSS), and CRLF injection in Node.js Express applications. Snyk Code not only detects these issues but also offers suggested fixes and contextual best practices. → snyk.io |
| 2026-06-14 2026 | Learn about API security risks with the new Snyk Learn Learning Path beginner 1 min read | Learning path from Snyk Learn addresses the OWASP Top 10 for API security risks. This interactive resource provides developers and security teams with a deep understanding of critical API vulnerabilities and actionable strategies for mitigation. It covers real-world scenarios to fortify API security, complementing existing learning paths on OWASP Top 10 and GenAI & LLM risks. → snyk.io |
| 2026-06-14 2026 | DevSecOps Automation Framework intermediate 4 min read | Framework for DevSecOps automation that emphasizes shifting security left by integrating automated SAST, SCA, and IaC scanning into CI/CD pipelines. It outlines strategies for implementing repeatable, scalable security practices, detailing how tools like Snyk Code and Snyk Open Source help detect and remediate vulnerabilities in source code and dependencies early, enabling faster, more secure software delivery and compliance with regulations like ISO 27001, SOC 2, and GDPR. → snyk.io |
| 2026-06-14 2026 | Snyk and ServiceNow: Streamlining Vulnerability Management with ServiceNow VR Assignment Rules intermediate 2 min read Bug Bounty | Library lesson on ServiceNow Vulnerability Assignment rules, detailing how to automate task routing for application vulnerabilities by correlating data with CMDB fields. This integration with Snyk's platform streamlines remediation workflows and improves visibility for application security teams, ensuring vulnerabilities are assigned to the correct teams based on application ownership within the CMDB. → snyk.io |
| 2026-06-14 2026 | CVE-2025-29927 Authorization Bypass in Next.js Middleware news 3 min read AuthZ | Library analysis of CVE-2025-29927, an authorization bypass vulnerability in Next.js middleware versions prior to 13.5.9, 14.2.25, and 15.2.3. Discovered by Allam Rachid and Allam Yasser, the flaw allows bypassing middleware logic via the `x-middleware-subrequest` HTTP header. While Vercel and Netlify deployments are unaffected, self-hosted applications require upgrading to a fixed version or implementing a firewall rule. → snyk.io |
| 2026-06-13 2026 | Major AI Clients Shipping With Broken OAuth Implementations (JUNE 2026 UPDATE) news 4 min read AuthN | Matrix detailing OAuth refresh token support in major AI clients, noting Gemini CLI's full support and upgrades in others like Cursor, Claude, and VS Code following SEP-2207. It highlights Claude Code's persistent metadata discovery bug and issues with HTTP MCP servers, while pointing to the mcp-remote tool as a community workaround for stdio-only clients. |
| 2026-06-13 2026 | Secure AI-Generated Code at Speed with Snyk and ServiceNow intermediate 3 min read AI | Library integrating Snyk's AI-powered developer security platform with ServiceNow Application Vulnerability Response to secure AI-generated code and software supply chains. It offers real-time vulnerability detection in AI code, provides automated fixes via Snyk DeepCode AI, and leverages ServiceNow workflows for task assignment and remediation tracking, aiming to reduce mean time to remediate (MTTR) by up to 84% and conserve developer hours. → snyk.io |
| 2026-06-13 2026 | Snyk @ RSAC 2025 news 3 min read AI | Library update summarizing Snyk's participation at RSAC 2025, highlighting generative AI's impact on software security. The entry notes Snyk API & Web's Global InfoSec Award for Most Innovative API Security and its inclusion in CRN's 20 Coolest New Cybersecurity Products. It also details Snyk's commitment to secure AI development through participation in the Coalition for Secure AI (CoSAI) and its efforts to foster community with events like the "Women Leading Security" panel. → snyk.io |
| 2026-06-13 2026 | From Risk to Resilience: Achieving HIPAA Standards in Your App intermediate 4 min read | Snyk API & Web, a tool for achieving HIPAA compliance in application development, automates security scanning to identify vulnerabilities like SQL Injection and Cross-Site Scripting (XSS). It supports continuous security testing, encryption, access controls, and audit trails, essential for protecting electronic protected health information (ePHI) and meeting regulatory requirements. → snyk.io |
| 2026-06-13 2026 | Header Manipulation: Bypasses, Probing, and the Security Audit Nobody Does intermediate AuthZ | Request headers are critical inputs, not mere metadata, and can be manipulated for security exploitation. Attackers leverage this to bypass access controls, probe for misconfigurations, spoof identities, and test security posture. This article delves into common header manipulation techniques frequently observed in security challenges and real-world scenarios. → infosecwriteups.com |
| 2026-06-13 2026 | KCD New York 2026: Trust, Agents, and the Work Behind the Work news 8 min read AI AuthZ | Talk from KCD New York 2026 discussing trust in cloud-native systems, focusing on Zero Trust for APIs with Istio Ambient Mesh, challenges in AI-driven Kubernetes CVE vulnerability management against sources like MITRE and maintainers, and agentic AI for autonomous multi-cluster remediation using MCP servers with a trust ladder approach. The talk also highlights the crucial role of community in sustaining open-source projects like Kubernetes. → blog.gitguardian.com |
| 2026-06-12 2026 | ServiceNow API Exposure: What to Review After the June 2026 Security Update news | Article on reviewing ServiceNow API exposure following the June 2026 security update. It highlights potential vulnerabilities and the importance of proactive security measures. The article likely details specific areas to examine within ServiceNow's API functionalities to ensure proper security after the update. |
| 2026-06-12 2026 | Researcher Uses AI to Hack Google Earns $500000 Bug Bounty news | A researcher has successfully used AI to hack Google, earning a substantial $500,000 bug bounty. This achievement highlights the growing capabilities of AI in cybersecurity and its potential for both discovering vulnerabilities and rewarding those who find them. The significant payout underscores the value Google places on identifying and addressing security flaws. → gbhackers.com |
| 2026-06-12 2026 | Researcher Brutecat Uses Claude AI To Crack Google API Security news 2 min read | Writeup detailing how Claude AI assisted a researcher in discovering over 20 critical vulnerabilities across 1,500 Google APIs and internal systems, earning over $500,000 in bug bounty rewards. The process involved analyzing Google's API discovery documents, extracting thousands of API keys from Android and iOS applications, and leveraging AI for automated audits of access-control weaknesses. Vulnerabilities affected services like Google Voice, Fiber, YouTube, advertising platforms, and Vertex AI Search, with some enabling unauthorized access to sensitive user data and account control. → the420.in |
| 2026-06-12 2026 | Snyk Supercharges API Discovery with New Akamai Integration intermediate 3 min read | Library integration enhancing API discovery by ingesting API inventories and schemas directly from Akamai. This automates the process of providing API specifications for DAST scanning, overcoming the challenge of manual schema management for Snyk customers. Akamai's discovery capabilities, spanning traffic analysis and source code inspection, feed comprehensive data into Snyk API & Web, enabling single-click API scanning and increased coverage. This empowers joint customers to proactively test and remediate API vulnerabilities. → snyk.io |
| 2026-06-11 2026 | Researcher Hacked Google Using AI and Earned $500000 Bug Bounty news | A researcher successfully hacked Google by leveraging AI, earning a substantial bug bounty of $500,000. This achievement highlights the growing power of artificial intelligence in cybersecurity, both for identifying vulnerabilities and for ethical hacking. The substantial payout underscores the value Google places on securing its systems and the effectiveness of its bug bounty program in attracting skilled researchers. → cybersecuritynews.com |
| 2026-06-11 2026 | ServiceNow fixes API issue after reports of suspicious tenant activity news 3 min read | Report on ServiceNow's remediation of an unauthenticated API endpoint flaw in ServiceNow instances that allowed unauthorized access to tenant data. Discovered via bug bounty and impacting specific configurations, the vulnerability required authentication bypass for queries to endpoints like "/api/now/related_list_edit/create." While suspicious activity is attributed to security researchers, investigations are ongoing, and customers are advised to patch, audit logs for exploitation, and treat confirmed breaches as incidents. → csoonline.com |
| 2026-06-11 2026 | Canton Enterprise Integrations: APIs Connectors and Risk Boundaries beginner 12 min read | Reference of integration risks for Canton, detailing how API-related flaws, credential leakage, and data exfiltration from PQS can compromise security. It highlights the need for robust off-ledger security, noting Canton 3.4.11's upgrade to gRPC to address CVE-2025-58057 and CVE-2025-55163, and emphasizes that the Ledger API's JWT tokens, while providing authentication, are susceptible to leakage. |
| 2026-06-11 2026 | Authentication issues related to API requests intermediate AuthN | Highlights authentication problems with API requests. |
| 2026-06-11 2026 | Hacking Moltbook: The AI Social Network Any Human Can Control news 8 min read AI Secrets | Writeup detailing the unauthenticated Supabase database access to Moltbook, an AI social network. The breach exposed 1.5 million API authentication tokens, 35,000 email addresses, and private messages, allowing for complete account impersonation and content manipulation. The vulnerability stemmed from a missing Row Level Security (RLS) policy, a common pitfall in applications prioritizing rapid development over secure defaults, akin to previous exposures like DeepSeek data leaks. → wiz.io |
| 2026-06-11 2026 | Introducing AI Cyber Model Arena: A Real-World Benchmark for AI Agents in Cybersecurity beginner 2 min read AI | Benchmark suite featuring 257 real-world challenges across zero-day discovery, CVE detection, API security, web security, and cloud security. This evaluation, designed for AI agents, measures performance across AWS, Azure, GCP, and Kubernetes, using a multi-agent × multi-model matrix. Scoring is deterministic and programmatic, reported as pass@3, and challenges run in isolated Docker containers to ensure fairness and reflect true capability. Results highlight that offensive capability is jointly determined by model and agent scaffold, with performance varying significantly by domain. → wiz.io |
| 2026-06-11 2026 | From Detection to Remediation: It’s Time to Rethink AppSec Around Exploitability and Root Cause Fixes intermediate 4 min read Bug Bounty | Library for connecting runtime vulnerabilities to source code, enabling prioritization of exploitable risks. It leverages the Wiz Security Graph and Wiz Attack Surface Scanner to validate external exposure, then traces issues through a Code-to-Cloud Pipeline from source to runtime. The library facilitates one-click pull request generation for fixes and includes Mika AI for remediation guidance and posture issue management, consolidating vulnerabilities by root cause for systematic risk reduction. → wiz.io |
| 2026-06-11 2026 | Dedicated security review command now available in Copilot CLI beginner | Library for AI-driven security reviews via GitHub Copilot CLI. The experimental `/security-review` command analyzes local code changes directly in the terminal, flagging high-confidence findings and offering actionable suggestions for vulnerabilities like injection flaws, XSS, insecure data handling, path traversal, and weak cryptography. This tool complements existing GitHub security features by providing a lightweight, on-demand scan before commits. → github.blog |
| 2026-06-10 2026 | ServiceNow API Security Incident Exposes Customer Data: Analysis of Unauthenticated Access Vulnerability (June 2026) news 6 min read | Analysis of a ServiceNow API security incident in June 2026, where an unauthenticated access vulnerability in the `/api/now/related_list_edit/create` endpoint exposed sensitive customer data. The flaw, present in the Australia platform release and specific older configurations, allowed unauthorized queries to instance tables, potentially revealing IT tickets, employee records, and support case data. ServiceNow remediated the issue by enforcing authentication on the endpoint. Indicators of compromise included API requests to the vulnerable endpoint and activity from IP 51.159.98.241. The incident aligns with MITRE ATT&CK techniques T1190, T1213, and T1078, and highlights risks seen in other vendor API incidents. → rescana.com |
| 2026-06-10 2026 | ServiceNow Data Breach: Gated Advisory Left Customers Unaware of Exploited Zero-Auth API news 7 min read | Writeup detailing a ServiceNow zero-authentication API vulnerability, where attackers queried sensitive customer instance data through an unauthenticated Scripted REST Resource (specifically `/api/now/related_list_edit/create`) between June 2-5, 2026. This marks the third unauthenticated exploit against ServiceNow in eight months, following CVE-2025-12420 and CVE-2026-0542. The vendor's gated advisory, accessible only via login, drew criticism for failing to adhere to coordinated disclosure norms and leaving many customers unaware of the breach, hindering their incident response and regulatory notification efforts. → techtimes.com |
| 2026-06-10 2026 | ServiceNow's Unpatched API Endpoint Sparks 6% Selloff; Analysts Eye 42% Recovery as Macro Clouds Gat news 2 min read | Writeup on ServiceNow's API vulnerability (/api/now/related_list_edit/create) that exposed customer data. The unauthenticated endpoint flaw triggered a significant stock selloff, impacting customers on specific platform versions or legacy configurations. Despite this security incident and broader market headwinds from rising bond yields, analysts remain largely optimistic, projecting potential upside driven by strong subscription revenue growth and interest in their AI platform, though tempered by integration costs and technical resistance levels. |
| 2026-06-10 2026 | ServiceNow discloses security incident exposing customer data news 2 min read | Incident report detailing a security flaw in ServiceNow's `/api/now/related_list/edit` REST endpoint, allowing unauthenticated access to customer instance data. Attackers exploited this vulnerability, potentially exposing sensitive information within IT support tickets, employee records, and system configurations. ServiceNow applied a security update to restrict access to authenticated users, and administrators are advised to review logs for suspicious activity, particularly requests from `51.159.98.241`, and to audit exposed records and shared credentials. → bleepingcomputer.com |
| 2026-06-10 2026 | 10 Best AI Code Security Solutions for 2026 beginner | This article, "10 Best AI Code Security Solutions for 2026," likely explores emerging technologies and tools that leverage artificial intelligence to enhance code security. It probably covers a range of solutions, potentially including AI-powered vulnerability detection, automated code review, threat modeling, and secure coding assistants. The focus is on proactive and intelligent approaches to identifying and mitigating security risks in software development, preparing for the security landscape of 2026. → cybersecuritynews.com |
| 2026-06-09 2026 | F5 Expands AI-powered WAAP Solutions to Arm Enterprises Against Frontier AI Threats and Stop Attacks Before Exploitation beginner 5 min read | Library offering AI-powered WAF, air-gapped API discovery, and virtual patching to protect against frontier AI threats. It features dynamic risk scoring on every request, a continuously trained model for pre-exploit detection, and on-premises API security for regulated environments. These capabilities aim to stop attacks before exploitation by identifying novel attack patterns and providing runtime protection while vulnerabilities are patched, addressing challenges highlighted by the OWASP WAF and API Top 10. |
| 2026-06-09 2026 | LiteLLM Flaw CVE-2026-42271 Exploited in the Wild Chains to Unauthenticated RCE news 2 min read | Writeup on CVE-2026-42271, a command injection vulnerability in BerriAI LiteLLM exploited in the wild, allowing authenticated users to run arbitrary commands. This flaw, affecting LiteLLM versions between 1.74.2 and < 1.83.7, can be chained with CVE-2026-48710, a Starlette host header bypass, to achieve unauthenticated remote code execution. Attackers can exploit this chain to compromise model provider credentials and move laterally within AI infrastructure. Updates to LiteLLM 1.83.7+ and Starlette 1.0.1+ are recommended. → thehackernews.com |
| 2026-06-09 2026 | Securing the AI Edge: Wiz and Cloudflare Integrate for End-to-End AI Protection beginner 5 min read AI | Integration that combines Wiz's cloud context with Cloudflare's edge protection provides unified visibility into AI application endpoints and DNS exposure. This partnership helps secure AI workloads, detect sensitive data exposure, and guard against threats like prompt injection and shadow AI by mapping AI models to infrastructure and identifying unprotected edge services. → wiz.io |
| 2026-06-09 2026 | Mapping Your API Ecosystem: Wiz Expands API Discovery with Apigee intermediate 4 min read | Library integrating Google Cloud Apigee into the Wiz Security Graph. This integration discovers and maps Apigee architectures, including gateways, environments, proxies, and endpoints, connecting them to broader cloud infrastructure. It analyzes authorization schemes like OAuth, API Key, Bearer, Basic Auth, SAML, and HMAC, identifying unauthenticated endpoints and their associated risks. By visualizing API exposure alongside cloud workloads and data stores, it provides critical context for vulnerability management, application security, and leadership to prioritize risks effectively. → wiz.io |
| 2026-06-08 2026 | 42Crunch Announces Integration With Claude Code For Real-Time API Vulnerability Detection And Remediation news | Library integration with Claude Code offers real-time API vulnerability detection and automated remediation. This new functionality enables a fully automated DevSecOps model for APIs by embedding security directly into AI-driven development workflows. Vulnerabilities are identified as code is generated, with context-aware fixes applied autonomously and re-tested instantly, creating a continuous detect-and-fix loop from design through runtime enforcement. |
| 2026-06-08 2026 | Microsoft Threat Intelligence Exposes Prompt Injection Flaw In Anthropic Claude Code Action intermediate 3 min read | Writeup on securing AI coding agents that details a prompt injection vulnerability discovered by Microsoft in Anthropic's Claude Code GitHub Action. The flaw allowed attackers to steal sensitive credentials and access tokens by embedding malicious instructions within issues, leading the AI agent to read restricted runner files like `/proc/self/environ`. Anthropic patched the vulnerability by reinforcing sandboxing around the Read tool and blocking access to sensitive procfs files. → the420.in |
| 2026-06-08 2026 | NSFOCUS AI-PTS: Safeguarding Web Applications Through Dual-Mode Architecture beginner | NSFOCUS AI-PTS utilizes a dual-mode architecture to protect web applications. This system combines cloud and on-premises deployment options, offering flexibility and robust security. The dual-mode approach enhances threat detection and response capabilities, providing comprehensive safeguarding for web applications against evolving cyber threats. → securityboulevard.com |
| 2026-06-08 2026 | Eliminate Critical API Attack Paths with Wiz API SPM news 5 min read | Wiz API SPM is now generally available, helping organizations discover APIs, assess exploitability through techniques like Red Agent testing for OWASP API Top 10 vulnerabilities, and prioritize remediation by identifying toxic combinations. It integrates API findings with cloud security context via the Wiz Security Graph, providing a unified view to pinpoint critical attack paths, such as an internet-accessible API with SQL injection leading to PII, and offers actionable guidance for efficient resolution and automated remediation workflows. → wiz.io |
| 2026-06-08 2026 | [tl;dr sec] #330 - AWS Pathfinding Labs, Running Codex Safely at OpenAI, Glasswing Updates news 11 min read AI | Library for securing AI coding agents, Prempti by Falco intercepts tool calls with customizable Falco YAML rules and LLM-friendly explanations. OpenAI details their safe internal Codex deployment using sandboxed environments, approval workflows, and an auto-review subagent. Marco Lancini automates Renovate PR reviews with Claude Code Routines, classifying upgrade risks and scanning for dead or deprecated dependencies. AWS Security Agent now auto-generates verification scripts for pentest findings. Datadog's Pathfinding Labs offers over 100 vulnerable AWS environments for practicing cloud attack paths, deployable via Terraform. ROADtools, a Python framework used by nation-state actors, is discussed for its Entra ID enumeration and token manipulation capabilities. → tldrsec.com |
| 2026-06-08 2026 | WebSocket Turbo Intruder: Unearthing the WebSocket Goldmine intermediate 7 min read AuthZ | Library for fuzzing WebSocket messages with custom Python code, extending the Burp Suite engine to exploit WebSocket-specific vulnerabilities. It facilitates testing for issues like Broken Access Controls, Race Conditions, and SQL Injection by enabling high-volume attacks against single targets. Features include custom Python scripting, filtering for relevant traffic, HTTP middleware for automated scanning, and a THREADED engine for testing race conditions via parallel connections. The extension supports handling protocols like Socket.IO and detecting vulnerabilities such as server-side prototype pollution. → portswigger.net |
| 2026-06-04 2026 | Hugging Face Transformers contains critical remote code execution vulnerability news 2 min read | Writeup detailing a critical remote code execution vulnerability in Hugging Face's Transformers library, tracked as CVE-2026-4372 and CVE-2026-1839. The flaw allows arbitrary code execution during routine model loading, even when `trust_remote_code=False`, due to deserialization of untrusted data. Exploits leverage crafted model configurations or malicious checkpoints with unsafe `torch.load()` calls. Patches are available in Transformers 5.3.0 and 5.0.0rc3 respectively, addressing widespread exposure in ML pipelines and inference services. → letsdatascience.com |
| 2026-06-03 2026 | Critical StrongDM Vulnerability Allow Attackers to Steal and Reuse Authentication news | A critical vulnerability in StrongDM has been discovered, allowing attackers to steal and reuse authentication credentials. This security flaw poses a significant risk by compromising user access. The full details and implications of this exploit are still being assessed, but it highlights a serious concern for organizations using StrongDM for access management. → cybersecuritynews.com |
| 2026-06-03 2026 | 1-Click GitHub Vulnerability Enables OAuth Token Theft news | A critical vulnerability in GitHub's OAuth application flow allowed attackers to steal OAuth tokens with a single click. This exploit leveraged a misconfiguration that enabled the redirection of authenticated users to malicious websites. Once redirected, attackers could trick users into granting permissions, effectively gaining unauthorized access to their GitHub accounts and associated data. This significant security flaw highlights the importance of robust authentication and authorization mechanisms. → gbhackers.com |
| 2026-06-03 2026 | Critical WP Maps Pro Vulnerability Allow Attackers to Create Administrator Account news | → cybersecuritynews.com |
| 2026-06-03 2026 | 1-Click GitHub Token Vulnerability Lets Attackers Steal Users' OAuth Tokens news | A severe vulnerability in GitHub's web application allows attackers to steal users' OAuth tokens with a single click. This exploit targets how GitHub handles certain types of URLs, enabling malicious actors to trick users into clicking a specially crafted link. Upon clicking, the attacker can gain access to sensitive user data and potentially perform actions on their behalf. The vulnerability was disclosed and has since been patched by GitHub. → cybersecuritynews.com |
| 2026-06-02 2026 | Claude Code's Vulnerability in GitHub Actions Allows an Attacker to Compromise any Repository news | A critical vulnerability has been discovered in Claude Code's integration with GitHub Actions. This flaw enables an attacker to compromise any repository utilizing the service. → cybersecuritynews.com |
| 2026-06-02 2026 | Web Application & API Attacks Are Rising: Are You Blind to Modern Web Attacks? Join WAAP Security... beginner | Web application and API attacks are on the rise, leaving organizations vulnerable to modern threats. The piece suggests that businesses may be unaware of these escalating dangers and promotes WAAP Security as a solution to address these blind spots and improve defenses against contemporary web attacks. → cybersecuritynews.com |
| 2026-06-02 2026 | Financial Data Crisis! ChatGPT Spreadsheet Plugin Exposes Serious Security Vulnerability news | A critical security vulnerability has been discovered in a ChatGPT spreadsheet plugin, potentially exposing sensitive financial data. The plugin's flaw could allow unauthorized access to user information. This presents a significant "Financial Data Crisis" and highlights the risks associated with integrating third-party tools into AI platforms. Users are advised to exercise caution and consider disabling the plugin until a fix is implemented. |
| 2026-06-01 2026 | Eliminate Critical API Attack Paths with Wiz API SPM intermediate 5 min read | Library for continuous, agentless API discovery across AWS, Azure, and GCP environments. It assesses API exploitability by simulating attacker techniques, identifying "toxic combinations" where exposed APIs lead to sensitive data compromise. The library prioritizes remediation efforts and offers actionable guidance, even supporting automated workflows like triggering Terraform patches. It integrates API and cloud security context within a Security Graph, revealing attack paths and risks like SQL injection vulnerabilities or Broken Object Level Authorization. → wiz.io |
| 2026-05-31 2026 | Anthropic AI Vulnerability Scanner in Enterprise Beta: IBM Joins Glasswing After 10000 Flaws Found news 8 min read | Tool for AI-powered application security scanning, Claude Security, now in public beta for enterprise customers, identifies vulnerabilities by reasoning over code behavior and data flows, moving beyond traditional signature matching. This approach has surfaced over 10,000 critical software flaws through Anthropic's Project Glasswing consortium, which includes IBM, and has also revealed specific vulnerabilities like CVE-2026-5194 in wolfSSL. The tool aims to compress the find-fix cycle, though patching remains a bottleneck for maintainers. → techtimes.com |
| 2026-05-30 2026 | Vibe Coding Security: Why 62% Of AI-Generated Code Ships With Vulnerabilities news 18 min read | Library analyzing security flaws in AI-generated code, including Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF). Research indicates AI code exhibits significantly higher vulnerability rates than human-written code, with studies highlighting failures in XSS defenses, exposed secrets, PII, and lack of CSRF protection and security headers across platforms like Cursor and Claude Code. → ox.security |
| 2026-05-29 2026 | Security Researcher: WordPress 7.0 Could Trigger Rush To Steal AI API Keys news 4 min read | Library discussing the security implications of AI API keys in WordPress 7.0, highlighting a specific bug where Anthropic API keys are exposed via browser autofill. This vulnerability, along with broader concerns about WordPress's architecture and secrets management, makes WordPress sites attractive targets for attackers aiming to steal valuable AI credentials for activities like bot networks, scaled phishing, and unauthorized AI usage, potentially leading to significant financial loss. |
| 2026-05-29 2026 | Anthropic Launches Free Claude Code Terminal Plugin to Detect Security Vulnerabilities beginner 3 min read | Plugin for Claude Code that continuously scans AI-generated code for vulnerabilities like injection flaws and insecure deserialization. It employs a three-layer review process: fast pattern matching on edits, an end-of-turn Claude security review for higher-level issues such as IDORs and SSRF, and an agentic review on commits. The plugin can be extended with custom rules and patterns. → gbhackers.com |
| 2026-05-28 2026 | FastAPI-based AI tools exposed to authentication bypass by flaw in Starlette framework intermediate 3 min read | Library update addressing CVE-2026-48710 in Starlette, the framework powering FastAPI, which allows authentication bypass via malformed Host headers. This flaw, rated as High by researchers at X41 D-Sec, can lead to SSRF and RCE in AI tools, model-serving infrastructure, and API gateways. A patch is available in Starlette 1.0.1 and later. → csoonline.com |
| 2026-05-28 2026 | FastAPI-based AI tools exposed to authentication bypass by flaw in Starlette framework intermediate 3 min read | Tool for detecting authentication bypass vulnerabilities in applications built with the Starlette framework, which powers FastAPI. The flaw, CVE-2026-48710, allows unauthenticated attackers to bypass host-validation protections by sending malformed Host headers containing special characters like slashes or question marks. This can lead to authentication bypass, SSRF, and potentially remote code execution, impacting LLM gateways, MCP servers, and agent infrastructure. A website, badhost.org, is available to test for the vulnerability. → infoworld.com |
| 2026-05-27 2026 | Attackers Can Exploit BadHost to Access Sensitive AI Agent Server Endpoints intermediate 2 min read | Vulnerability, CVE-2026-48710, named BadHost, allows attackers to bypass authentication in AI agent servers by manipulating HTTP Host headers. This critical flaw affects Starlette versions before 1.0.1, a framework underpinning many FastAPI applications used for LLM inference, agent frameworks, and MCP gateways. Attackers can exploit this to access sensitive AI models, internal tools, and API keys by causing the application to misinterpret request paths. Upgrading Starlette, using more robust authentication mechanisms in FastAPI, or employing reverse proxies can mitigate this risk. → cybersecuritynews.com |
| 2026-05-27 2026 | Vulnerability in open-source component puts AI platforms at risk news 2 min read | Starlette, a foundational framework for AI platforms like FastAPI, vLLM, and LiteLLM, is vulnerable due to CVE-2026-48710, dubbed BadHost. This flaw allows attackers to bypass access controls by manipulating HTTP Host headers, potentially exposing internal applications, authentication data, API keys, and sensitive corporate information, especially within AI agents that interact with external data sources. A patch is available in Starlette 1.0.1. → techzine.eu |
| 2026-05-26 2026 | Ghost CMS vulnerability exploited in large-scale campaign news 1 min read | Analysis of CVE-2026-26980, a critical SQL injection in Ghost CMS affecting versions 3.24.0 through 6.19.0, details its exploitation in a large-scale campaign. Attackers leverage this vulnerability to steal admin API keys, inject malicious JavaScript, and deploy malware like UtilifySetup.exe via ClickFix attack flows. The campaign impacts numerous domains, including universities and companies, with a fix available in Ghost CMS 6.19.1. → scworld.com |
| 2026-05-25 2026 | What Actually Matters For Web Application Security In The AI Era? beginner 4 min read | Analysis of web application security in the AI era highlights the evolving threat landscape, with AI-driven attacks projected to reach 28 million globally in 2025. Traditional perimeter-based security is insufficient as modern applications rely heavily on APIs, cloud services, and AI-driven features, significantly expanding the attack surface. API security incidents are prevalent, affecting 87% of organizations, and AI-generated code exhibits a 2.7x higher vulnerability density, frequently including SQL injection and cross-site scripting. Effective security is now a design decision, requiring proactive architectural planning for authentication, API authorization, and session management, rather than reactive remediation. |
| 2026-05-23 2026 | CISA adds Langflow Origin Validation Flaw to Known Exploited Vulnerabilities Catalog news 2 min read | Vulnerability CVE-2025-34291 is an origin validation flaw in Langflow, a tool for AI workflows, caused by an overly permissive CORS configuration combined with SameSite=None cookies. This allows malicious websites to execute authenticated cross-origin requests, enabling attackers to steal refresh tokens, call backend authentication endpoints, potentially execute code, and achieve system compromise. CISA has added it to the Known Exploited Vulnerabilities catalog, urging immediate patching and review of CORS configurations. → cybersecuritynews.com |
| 2026-05-22 2026 | Cisco patches critical 10.0 flaw in Secure Workload APIs news 3 min read | Analysis of CVE-2026-20223, a critical CVSS 10.0 authentication failure vulnerability in Cisco Secure Workload APIs, highlights systemic issues in access validation for management APIs and control planes. This critical flaw, alongside other recent authentication bypass bugs in Cisco products like SD-WAN controllers, emphasizes the escalating threat posed by AI-driven vulnerability discovery tools targeting large codebases. The situation underscores the necessity for immediate patching, robust "assume breach" design principles, and identity-based microsegmentation to mitigate risks from compromised security platforms and prevent lateral movement. → scworld.com |
| 2026-05-22 2026 | WordPress 7.0 Exposes AI API Keys news 2 min read | Analysis of **WordPress 7.0** details a client-side vulnerability where browser autofill can expose AI API keys within the AI integration setup form. Patchstack founder Oliver Sild warns of increased hacker interest in these keys, which can be worth tens of thousands of dollars and are used for bot networks, scaled phishing, and malware generation. This issue highlights the elevated risk associated with integrating paid AI services and emphasizes the importance of credential hygiene and secure client-side form handling for WordPress users and plugin developers. → letsdatascience.com |
| 2026-05-22 2026 | Cisco Fixes CVE-2026-20223 Secure Workload API Flaw news 3 min read | Advisory for CVE-2026-20223, a critical flaw in Cisco Secure Workload's internal REST API functions, rated CVSS 10.0 and categorized under CWE-306. This vulnerability allows unauthenticated remote attackers to access sensitive information and modify configurations across tenant boundaries with Site Admin privileges. Cisco has released patched versions for on-premises deployments, while SaaS versions are already secured. No workarounds exist, necessitating immediate upgrades. → thecyberexpress.com |
| 2026-05-22 2026 | Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access news 1 min read | Analysis of CVE-2026-20223, a critical CVSS 10.0 flaw in Cisco Secure Workload, details how insufficient REST API validation and authentication allow unauthenticated attackers to access sensitive data and make configuration changes across tenant boundaries. The vulnerability impacts both SaaS and on-prem deployments and is addressed in Cisco Secure Workload Releases 3.10.8.3 and 4.0.3.17. → thehackernews.com |
| 2026-05-21 2026 | Cisco Patches Critical Vulnerability in Secure Workload news 1 min read | Advisory for CVE-2026-20223, a critical vulnerability in Cisco Secure Workload affecting cluster software. Insufficient validation in REST API endpoints allows attackers with crafted requests to gain Site Admin privileges, read sensitive information, and modify configurations across tenant boundaries. Patched in Secure Workload versions 3.10.8.3 and 4.0.3.17. → securityweek.com |
| 2026-05-21 2026 | Critical Vulnerability in Cisco Secure Workload Threatens Enterprise API Security news 2 min read | Writeup of CVE-2026-20223, a critical vulnerability in Cisco Secure Workload allowing unauthenticated administrative access via internal REST API endpoints. This flaw, with a CVSS score of 10.0 and classified as CWE-306, enables attackers to gain Site Admin privileges, access sensitive cross-tenant data, modify configurations, and disrupt operations. Patches are available for on-premises deployments (versions 3.10.8.3 for 3.10, 4.0.3.17 for 4.0, and migration for earlier versions), while SaaS environments are already remediated. Immediate upgrades are strongly advised as there are no workarounds. → gbhackers.com |
| 2026-05-21 2026 | Claude Code's Network Sandbox Vulnerability Exposes User Credentials and Source Code news 2 min read | Writeup of Claude Code's SOCKS5 hostname null-byte injection vulnerability, which affected releases v2.0.24 through v2.1.89. This critical bypass, stemming from a parser differential between JavaScript and libc, allowed attackers to exfiltrate credentials, source code, and environment variables by crafting hostnames that tricked the JavaScript `endsWith()` check while resolving to a different, blocked host via `getaddrinfo()`. The issue, silently patched in v2.1.90, is a second consistent implementation failure following CVE-2025-66479, and was not publicly disclosed by Anthropic with a specific CVE. → cybersecuritynews.com |
| 2026-05-21 2026 | Cisco Secure Workload vulnerability can be exploited via API call news 2 min read | Writeup of CVE-2026-20223, a critical unauthenticated vulnerability in Cisco Secure Workload granting full Site Admin privileges via internal REST API calls. This flaw, scoring 10.0 CVSS, allows attackers to read sensitive data and alter configurations across tenant boundaries. Cisco reports no workarounds exist, requiring immediate installation of fixed releases for affected versions (3.10.8.3 for 3.10, 4.0.3.17 for 4.0) or migration to supported versions. The vulnerability was discovered internally with no current signs of active exploitation. → techzine.eu |
| 2026-05-21 2026 | Cisco serves up yet another perfect 10 bug with Secure Workload admin flaw news 3 min read | Writeup detailing Cisco Secure Workload's CVE-2026-3155, a perfect 10 vulnerability enabling remote unauthenticated administrative access. This flaw allows attackers to gain complete control of the system without any prior authentication, posing a significant risk to organizations utilizing the software. → theregister.com |
| 2026-05-21 2026 | Critical Cisco Secure Workload Vulnerability Enables Unauthorized API Access news 2 min read | Writeup of CVE-2026-20223, a critical Cisco Secure Workload vulnerability allowing unauthenticated API access. Exploiting CWE-306 (Missing Authentication for Critical Function) via crafted REST API requests can grant Site Admin privileges, impacting tenant data and configurations across SaaS and on-premises deployments. Cisco has released patches for versions 3.10 and 4.0, with earlier versions requiring migration. → cybersecuritynews.com |
| 2026-05-21 2026 | Cisco Secure Workload Flaw Enables Unauthorized API Access news 2 min read | Writeup of CVE-2026-20223 in Cisco Secure Workload, a critical flaw (CVSS 10.0) allowing unauthenticated remote attackers to gain Site Admin privileges via unprotected internal REST API endpoints. Exploitation bypasses all access controls, enabling cross-tenant exposure and configuration changes. Affecting both SaaS and on-premises deployments, remediation requires immediate patching to fixed releases (3.10.8.3 or 4.0.3.17) as no workarounds exist. → cyberpress.org |
| 2026-05-19 2026 | Drupal warns admins to brace for highly critical core patch news 4 min read | Library for securing Drupal, warning administrators about a highly critical core patch to address vulnerabilities. This resource also touches upon AI-assisted API attacks, supply chain turbulence, data sovereignty, and identity resilience in cybersecurity. → theregister.com |
| 2026-05-18 2026 | Langflow Flaw Exploited to Steal AWS Keys and Deploy Botnet news | A critical vulnerability in Langflow, an open-source tool for building LLM applications, has been actively exploited. Attackers leveraged this flaw to gain unauthorized access to AWS keys. Following this compromise, the affected systems were used to deploy a botnet. The specifics of the exploit and the full extent of the damage are still under investigation. This incident highlights the security risks associated with open-source software and the importance of prompt patching and secure configuration. → sqmagazine.co.uk |
| 2026-05-16 2026 | PraisonAI Vulnerability Exploited Within Hours of Public Disclosure news 2 min read | Writeup on CVE-2026-44338, a severe PraisonAI vulnerability in its legacy API server. This flaw, stemming from authentication being disabled by default in the Flask API, allows unauthenticated enumeration of agents via the `/agents` endpoint and task execution through `/chat` by targeting the `agents.yaml` workflow. Attackers can hijack agent operations, drain API quotas, and extract sensitive data. PraisonAI version 4.6.34 patches this issue, and users are advised to update or migrate to the secure "serve agents" command. → cybersecuritynews.com |
| 2026-05-15 2026 | Critical Next.js Flaw Exposes Cloud Credentials API Keys and Admin Panels news 2 min read | Library patch addresses CVE-2026-44578, a critical Next.js vulnerability allowing server-side request forgery (SSRF) through malicious WebSocket upgrade requests. Attackers can exploit this unauthenticated flaw to steal cloud credentials, API keys, and access admin panels by targeting internal infrastructure and cloud metadata services. The vulnerability affects Next.js versions 13.4.13 through 16.2.4. Patched versions 15.5.16 and 16.2.5 implement stricter validation for WebSocket requests. Mitigations include avoiding direct internet exposure of origin servers and blocking unnecessary WebSocket requests at reverse proxies. → cyberpress.org |
| 2026-05-15 2026 | Anthropic faces scrutiny over Claude's architectural flaws after multiple security disclosures in May 2026 news 2 min read | Analysis of Anthropic's Claude reveals architectural flaws leading to security disclosures in May 2026. Independent research identified issues with trust boundaries across multiple surfaces, enabling remote code execution and credential theft. CVE-2026-21852, patched in Claude Code version 2.0.65, allowed API key leakage from malicious repositories. Further incidents included an accidental leak of 512,000 lines of Claude Code's internal source code via an npm package, and concerns surrounding the use of Mythos-class vulnerability scanning tools. |
| 2026-05-14 2026 | Langflow CVE-2026-33017 Exploited to Steal AWS Keys and Deploy NATS Worker news 4 min read | Library for securing Langflow, addressing CVE-2026-33017, an unauthenticated remote code execution flaw that allows attackers to steal AWS keys and deploy NATS workers. This vulnerability, added to the CISA KEV catalog, enables attackers to run commands within the Langflow container, dump sensitive environment variables, and pivot into cloud accounts for reconnaissance and abuse, including LLM jacking. Recommendations include patching Langflow and rotating affected cloud credentials. → cybersecuritynews.com |
| 2026-05-14 2026 | Critical WordPress Plugin Flaw Enables Authentication Bypass Attacks news 2 min read | Writeup of CVE-2026-8181, a critical authentication bypass in Burst Statistics WordPress plugin affecting versions 3.4.0-3.4.1.1, allowing unauthenticated attackers to take administrator control with a single HTTP request by exploiting a flawed return-value check in the `is_mainwp_authenticated()` function. The vulnerability, patched in version 3.4.2, carries a CVSS score of 9.8 and requires only a known administrator username. → cyberpress.org |
| 2026-05-14 2026 | "Innovation at the speed of AI" is the goal - but for most security teams it's a visibility nightmare. When AWS Bedrock agents are granted the power to execute API calls and modify data the \| The Cyber Security Hub news | The article "Innovation at the speed of AI" highlights a significant challenge for security teams: lack of visibility. This issue intensifies when AWS Bedrock agents are empowered to execute API calls and modify data, creating potential security risks. The core problem lies in the difficulty for security teams to monitor and control the actions of these AI agents, hindering their ability to ensure robust security practices amidst rapid AI adoption. |
| 2026-05-14 2026 | Langflow CVE-2026-33017 Exploited to Steal AWS Keys Deploy NATS Worker news 4 min read | Writeup detailing the exploitation of Langflow CVE-2026-33017, enabling attackers to steal AWS keys and deploy NATS workers. The vulnerability grants unauthenticated arbitrary Python execution, allowing access to environment variables and secrets. Attackers leverage this to compromise AWS environments, perform reconnaissance across various services like Bedrock and S3, and then deploy specialized Python and Go workers for credential harvesting. These workers communicate via a hardened NATS server, acting as covert command-and-control infrastructure for the "KeyHunter" project, which targets online code sandboxes and commercial LLM APIs. → gbhackers.com |
| 2026-05-14 2026 | PraisonAI vulnerability gets scanned within 4 hours of disclosure news 2 min read | Writeup of CVE-2026-44338, an authentication bypass in PraisonAI's legacy Flask API server, details how internet scanners began probing vulnerable instances within four hours of disclosure. The flaw, affecting versions 2.5.6 to 4.6.33, stems from default authentication being disabled in `api_server.py`, allowing unauthenticated access to agent workflows. Researchers identified the "CVE-Detector/1.0" user-agent as a sign of early reconnaissance targeting specific PraisonAI endpoints. → csoonline.com |
| 2026-05-14 2026 | New MCP Security Flaws: Kubectl-mcp-server Archon OS and MarkItDown Vulnerabilities news 3 min read | Library detailing vulnerabilities in widely used MCP tools, including CVE-2025-65719 and CVE-2025-69443 affecting Kubectl-mcp-server and Archon OS. These flaws expose over 140,000 GitHub stars to data exfiltration, credential theft, and lateral movement. The findings highlight systemic risks in AI supply chains due to unauthenticated and sandboxed MCP protocols, emphasizing the critical need for security at the integration layer rather than shifting responsibility to users. → ox.security |
| 2026-05-13 2026 | DDoS Protection for Insurance: Always-On Defense for Claims Quotes & APIs beginner | This article highlights the critical need for Always-On DDoS protection for insurance companies, specifically for their claims, quotes, and API services. It emphasizes that continuous availability is paramount to maintain customer trust and operational integrity. The proposed solution focuses on robust defense mechanisms to prevent service disruptions, ensuring that policyholders can access essential services like submitting claims or getting quotes without interruption, even under attack. → securityboulevard.com |
| 2026-05-12 2026 | JetBrains TeamCity vulnerability allows privilege escalation API exposure (CVE-2026-44413) news 1 min read | Writeup of CVE-2026-44413, a critical vulnerability in JetBrains TeamCity, allowing privilege escalation and exposure of sensitive information like API tokens and build secrets. Attackers could leverage these credentials to compromise cloud infrastructure or source code repositories, impacting software delivery pipelines. Exploitation requires TeamCity account access, attainable through brute force or credential stuffing, or via enabled guest access. Affected versions include TeamCity On-Premises 2025.11.4 and earlier, with fixes available in 2026.1 or a security patch plugin. → helpnetsecurity.com |
| 2026-05-12 2026 | OpenAI Introduces Daybreak: A Cybersecurity Initiative That Puts Codex Security at the Center of Vulnerability Detection and Patch Validation beginner 4 min read | Initiative utilizing OpenAI's Codex Security and frontier AI models to shift vulnerability detection and patch validation earlier into the development cycle. Daybreak assists with code review, dependency analysis, threat modeling, and patch validation, aiming to reduce analysis time from hours to minutes by reasoning across entire codebases, validating issues in isolated environments, and proposing patches for human review. It employs a tiered model structure (GPT-5.5, GPT-5.5 with Trusted Access, GPT-5.5-Cyber) and partners with over 20 security vendors across the stack, including Cloudflare, Cisco, CrowdStrike, Snyk, and Trail of Bits, to integrate into existing security toolchains. |
| 2026-05-11 2026 | Ollama Vulnerability Exposes Remote Process Memory news 3 min read | Writeup of CVE-2026-7482, "Bleeding Llama," a critical heap out-of-bounds read in Ollama's GGUF model loader. This vulnerability allows for the leakage of process memory, including API keys and user conversation data, through the `/api/create` and `/api/push` endpoints, especially when Ollama is configured to bind to `0.0.0.0`. Versions prior to 0.17.1 are affected, with remediation involving an immediate upgrade and auditing of network-exposed instances. → letsdatascience.com |
| 2026-05-10 2026 | Ollama contains critical GGUF out-of-bounds read news 3 min read | Writeup on CVE-2026-7482 details a critical heap out-of-bounds read in Ollama's GGUF model loader, affecting versions before 0.17.1. Exploitable via the unauthenticated /api/create endpoint with a crafted GGUF file, the vulnerability allows reading past allocated heap buffers, potentially leaking environment variables, API keys, and user data. This leaked data can be exfiltrated using the /api/push endpoint. Roughly 300,000 Ollama deployments are estimated to be publicly reachable, increasing the attack surface. → letsdatascience.com |
| 2026-05-10 2026 | Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak news 5 min read | Library detailing CVE-2026-7482, a critical out-of-bounds read vulnerability in Ollama's GGUF model loader that allows remote attackers to leak process memory, potentially exposing API keys and user data. It also covers two unpatched Windows vulnerabilities, CVE-2026-42248 (missing signature verification) and CVE-2026-42249 (path traversal), which can be chained for persistent code execution by influencing update responses. → thehackernews.com |
| 2026-05-09 2026 | Critical Ollama Memory Leak Vulnerability Exposes 300000 Servers Globally news 2 min read | Writeup of CVE-2026-7482, dubbed "Bleeding Llama," a critical vulnerability affecting Ollama deployments before version 0.17.1. This flaw allows unauthenticated attackers to trigger an out-of-bounds heap read via a crafted GGUF file, exfiltrating sensitive data like prompts, system instructions, and environment variables by preserving leaked memory during model conversion. Approximately 300,000 servers are at risk, with potential exposure of API keys and proprietary code. → cybersecuritynews.com |
| 2026-05-09 2026 | New ZiChatBot Malware Uses Zulip REST APIs as Command and Control Server news 3 min read | Library for detecting the ZiChatBot malware, which exploits Zulip REST APIs for command and control. This cross-platform malware, identified by Securelist and linked to the OceanLotus APT group (APT32), was distributed via malicious Python packages on PyPI, including fake libraries like uuid32-utils, colorinal, and termncolor. ZiChatBot uses two channel-topic pairs within Zulip to exfiltrate system information and receive shellcode commands, with execution confirmed by a heart emoji response. The dropper employs AES encryption and self-deletion for stealth. |
| 2026-05-07 2026 | Ollama vulnerability highlights danger of AI frameworks with unrestricted access news 2 min read | Library for running AI models on local hardware, Ollama, suffers from CVE-2026-7482, dubbed Bleeding Llama. This vulnerability, an out-of-bounds heap read in the model quantization pipeline, allows unauthenticated attackers to craft malicious GGUF files. Uploading these files via the API endpoint triggers a leak of sensitive process memory, including system prompts, user messages, environment variables, API keys, and proprietary code. Exploitation requires only three API requests to exfiltrate this data. Mitigation involves updating to Ollama version 0.17.1, using authentication proxies, and implementing IP access filters and firewalls. → csoonline.com |
| 2026-05-07 2026 | API Security Operations: How to Move from Visibility to Measurable Risk Reduction beginner | This article, "API Security Operations: How to Move from Visibility to Measurable Risk Reduction," discusses the transition from simply identifying API security vulnerabilities to actively reducing measurable risk. It likely outlines strategies and best practices for organizations to enhance their API security posture. The core message centers on moving beyond basic detection to implementing proactive measures that demonstrably improve security and minimize potential threats. → securityboulevard.com |
| 2026-05-07 2026 | Critical Argo CD Vulnerability Enables Kubernetes Secret Extraction news 3 min read | Vulnerability in Argo CD (CVE-2026-42880) allows low-privileged users to extract Kubernetes Secrets from etcd by bypassing data-masking in the ServerSideDiff endpoint, especially when compare-options with mutation webhooks are enabled. Exploitation requires minimal skill, with a proof-of-concept script automating the extraction of credentials like service account tokens and API keys. Patched versions 3.3.9 and 3.2.11 are available, and organizations should audit configurations and consider interim mitigations like restricting endpoint access. → cyberpress.org |
| 2026-05-06 2026 | Major AI platform Ollama critically leaking: 300000 servers exposed to hackers news | Ollama, a popular AI platform, is critically vulnerable, exposing approximately 300,000 servers to potential hacking. This significant security lapse could allow unauthorized access to sensitive data and systems running on these servers. The extent of the breach and the specific nature of the leak are still under investigation, but the large number of affected servers highlights a major security concern within the AI infrastructure. Further details on remediation and the exact impact are expected as the situation develops. → cybernews.com |
| 2026-05-06 2026 | Argo CD's ServerSideDiff Vulnerability Enables Kubernetes Secret Extraction news 2 min read | Library with CVE-2026-43824 allows low-privileged users to extract plaintext Kubernetes Secrets from Argo CD environments. This critical flaw, discovered by Alexmt and Hoang-Prod, bypasses data-masking in the ServerSideDiff endpoint when `IncludeMutationWebhook=true` is set. Attackers with read-only access can exploit this to steal sensitive operational data like passwords and tokens. Users are urged to upgrade to patched versions 3.3.9 or 3.2.11, or apply mitigations such as removing the annotation and tightening RBAC. → cybersecuritynews.com |
| 2026-05-06 2026 | Zero-Auth Flaw Exposes DoD Contractor to Cross-Tenant Data Access news 2 min read AuthZ | Writeup of a zero-authorization vulnerability in Schemata's API, a platform with DoD contracts, which exposed sensitive military training materials and service member records. Discovered by the Strix agent, the flaw lacked tenant isolation and authorization boundaries, allowing low-privileged accounts to access cross-tenant data and potentially modify or delete training courses. The exposed information included user lists, AWS S3 links to confidential training manuals, and Army field manuals. Schemata acknowledged and patched the vulnerability after 150 days, following private disclosure. → cybersecuritynews.com |
| 2026-05-06 2026 | Palo Alto Networks PAN-OS flaw exploited for remote code execution news 1 min read RCE | Writeup of CVE-2026-0030, a critical PAN-OS buffer overflow vulnerability exploited for unauthenticated remote code execution with root privileges. The flaw primarily targets PA-Series and VM-Series firewalls where the User-ID Authentication Portal is exposed to the internet. Palo Alto Networks advises restricting access to trusted internal IP addresses to mitigate this risk, noting limited exploitation has been observed. Fixes are anticipated by May 13, 2026. → securityaffairs.com |
| 2026-05-06 2026 | Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution news 1 min read RCE | Writeup on CVE-2026-0300, a critical buffer overflow vulnerability in Palo Alto Networks' PAN-OS software, enabling unauthenticated remote code execution with root privileges. This flaw, exploitable via specially crafted packets and impacting specific versions of PAN-OS, has seen limited exploitation in the wild, primarily targeting publicly accessible User-ID Authentication Portals on PA-Series and VM-Series firewalls. Fixes are planned, with interim mitigation strategies including restricting or disabling the User-ID Authentication Portal. → thehackernews.com |
| 2026-05-06 2026 | n8n: From Parsing Bug to Remote Code Execution aka CVE-2026-42231 news 9 min read RCE | Writeup detailing CVE-2026-42231 in n8n, a node-based workflow automation tool. This vulnerability chain exploits a prototype pollution primitive within the xml2js XML parsing library, stemming from semantic quirks in its CoffeeScript origins. The research demonstrates how this seemingly low-severity bug, when combined with specific gadget chains in n8n's internal modules like `@n8n/node-cli`, can escalate to unauthenticated remote code execution, bypassing previous mitigations against `spawn` exploitation. |
| 2026-05-05 2026 | Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API news 1 min read RCE | Writeup of CVE-2026-22679, a critical unauthenticated RCE in Weaver E-cology 10.0, actively exploited via its debug API. Attackers can craft POST requests to "/papi/esearch/data/devops/dubboApi/debug/method" to execute arbitrary commands. Exploitation evidence dates back to March 17, 2026, with observed techniques including payload drops and discovery commands like `whoami`. A Python detection script is available to identify vulnerable instances. → thehackernews.com |
| 2026-05-02 2026 | Cursor AI Flaw Lets Hackers Steal API Keys and Run Code Silently news 4 min read RCE Secrets | Library for securing AI-powered development tools, addressing critical flaws in Cursor AI that allow attackers to steal API keys and session tokens via unencrypted SQLite databases. Vulnerabilities, including CursorJacking, stem from poor credential storage and weak extension isolation, enabling malicious extensions to exfiltrate sensitive data silently. Additionally, CVE-2026-26268 details how the AI agent can execute code through Git hooks in untrusted repositories, bypassing user awareness. → sqmagazine.co.uk |
| 2026-05-01 2026 | CVE-2026-42208: Pre-Authentication SQL Injection in LiteLLM Exposes API Credentials news SQLi | A critical pre-authentication SQL injection vulnerability, CVE-2026-42208, has been discovered in LiteLLM. This flaw allows attackers to bypass authentication and execute arbitrary SQL commands. The vulnerability can be exploited to steal sensitive information, including API credentials, potentially leading to unauthorized access and misuse of services. The impact is significant as it affects the security of systems relying on LiteLLM for API management. Further details and mitigation strategies are available via the provided link. → securityboulevard.com |
| 2026-04-30 2026 | Google Gemini CLI Vulnerabilities Allow Attackers to Execute Commands on Host Systems news 2 min read RCE | Library patches address critical remote code execution vulnerabilities in the Google Gemini CLI and its associated GitHub Action, allowing attackers to execute commands on host systems by exploiting the CLI's automatic workspace trust in non-interactive environments. Attackers could inject malicious agent configurations via pull requests, triggering code execution before the AI sandbox initializes and granting access to sensitive credentials and source code, posing significant supply-chain risks similar to incidents involving Axios, Shai-Hulud, and XZ Utils. → cybersecuritynews.com |
| 2026-04-30 2026 | Qinglong Task Scheduler RCE Vulnerabilities Exploited in the Wild news 2 min read RCE | Writeup detailing CVE-2026-3965 and CVE-2026-4047, two authentication bypass vulnerabilities in Qinglong task scheduler versions 2.20.1 and earlier. These flaws, exploited in early 2026, allowed unauthenticated attackers to achieve remote code execution for cryptomining operations, specifically installing the `.fullgc` malware. The vulnerabilities stem from a URL rewrite rule mishandling `/open/*` requests and case-insensitive URL handling on `/api/*` endpoints, leading to credential reset and direct RCE. → cybersecuritynews.com |
| 2026-04-30 2026 | CVE MCP Server Turns Claude Into a Full-Spectrum Security Analyst With 27 Tools Across 21 APIs news 2 min read AI | Library for integrating Anthropic's Claude AI with 27 security tools across 21 APIs, enabling natural-language vulnerability triage. It consolidates data from NVD, EPSS, CISA KEV, VirusTotal, Shodan, and GitHub, incorporating MITRE ATT&CK and CAPEC techniques. The system features a weighted risk scoring formula, considers exploitability and network intelligence, and includes DevSecOps tools like dependency scanning for OSV.dev and GitHub advisories. → cybersecuritynews.com |
| 2026-04-29 2026 | Cursor Vulnerability Exposes Developer API Tokens news | A security vulnerability in Cursor has been disclosed, potentially exposing developer API tokens. The vulnerability, detailed in a linked article, raises concerns about the security of sensitive credentials used by developers on the platform. → letsdatascience.com |
| 2026-04-29 2026 | SLOTAGENT Malware Hides API Calls and Strings to Thwart Analysis intermediate 3 min read | Library provides an IDA Python script to decrypt strings obfuscated with a TEA-like algorithm within the SLOTAGENT RAT. This malware, discovered in early 2026, employs advanced evasion techniques including dynamic API resolution via XOR and ROR11 hashing, RC4 decryption of its `db.config` file, and reflective loading of XOR-encoded payloads. SLOTAGENT communicates with its C2 server at 43.156.59[.]110:699 using a proprietary HTTP-like protocol and offers extensive post-exploitation capabilities like screenshotting, file operations, remote shell, BOF execution, and time stomping. → gbhackers.com |
| 2026-04-28 2026 | ClickUp is leaking customer data via hardcoded API key researcher claims news Secrets | A security researcher claims that ClickUp is leaking customer data due to a hardcoded API key. This vulnerability could potentially expose sensitive information belonging to ClickUp users. The specifics of the data leak and its extent are not detailed in the provided content. → cybernews.com |
| 2026-04-28 2026 | ClickUp Hardcoded API Key Exposes 959 Emails from Fortune 500 Giants news 2 min read Secrets | Writeup detailing a hardcoded Split.io SDK token within ClickUp's JavaScript bundle, which allowed an attacker to access 959 employee email addresses from Fortune 500 companies and government organizations. The incident also uncovered a Server-Side Request Forgery (SSRF) vulnerability in ClickUp's webhook functionality, enabling unauthorized internal requests to services like AWS metadata, potentially leading to cloud infrastructure compromise. → cyberpress.org |
| 2026-04-28 2026 | LiteLLM Contains Critical SQL Injection Vulnerability intermediate SQLi | LiteLLM, a library simplifying API calls to LLMs, has a critical SQL injection vulnerability. This flaw allows attackers to execute arbitrary SQL queries, potentially leading to data breaches, unauthorized access, or system compromise. The vulnerability arises from improper sanitization of user-supplied input within the library's database interaction logic. Users are strongly advised to update LiteLLM to the latest version to patch this critical security flaw and protect their systems. → letsdatascience.com |
| 2026-04-28 2026 | ClickUp Security Flaw Exposes 959 Emails Linked to Major Fortune 500 Firms news 2 min read | Writeup on a ClickUp security flaw that exposed 959 emails from Fortune 500 firms and government agencies due to a hardcoded Split.io SDK token. The vulnerability, unaddressed for over 15 months, allowed attackers to extract sensitive backend data and government worker emails. A separate Server-Side Request Forgery (SSRF) vulnerability in the webhook API also enabled attackers to retrieve internal AWS IAM credentials. Despite ClickUp's multiple security certifications like SOC 2 and ISO 27001, these critical flaws went unnoticed by automated checks and audits. → gbhackers.com |
| 2026-04-27 2026 | Multiple OpenClaw Vulnerabilities Enable Policy Bypass and Host Override Attacks intermediate 2 min read | Library updates address three moderate-severity vulnerabilities in OpenClaw, an AI agent framework, impacting npm package versions prior to 2026.4.20. Exploits could allow policy bypass via prompt injection to override sandbox policies and filesystem protections, tool bypass by bundled MCP and LSP components despite deny lists, and credential exposure through a malicious .env file that overrides MINIMAX_API_HOST, leading to API key leakage. Administrators must upgrade to version 2026.4.20. → cyberpress.org |
| 2026-04-23 2026 | New LMDeploy Vulnerability Exploited in the Wild Just 12 Hours After Public Advisory news 2 min read | Writeup of CVE-2026-33626, a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy, which was weaponized in the wild just 12 hours after its GitHub advisory. The flaw in the `load_image()` function allows attackers to coerce LMDeploy servers to make HTTP requests to internal networks, cloud metadata services, or other protected endpoints, as demonstrated by attempts to exfiltrate AWS IAM credentials and probe internal services like Redis and MySQL. Exploitation occurred rapidly without public proof-of-concept code, highlighting a growing trend in AI infrastructure attacks. → cyberpress.org |
| 2026-04-23 2026 | wapiti-scanner/wapiti: Web vulnerability scanner written in Python3 beginner 5 min read Python | Library for black-box web vulnerability scanning. Wapiti works by fuzzing web applications, sending payloads, and analyzing responses for vulnerabilities such as SQL Injection, XSS, File Disclosure, XXE, CRLF Injection, Shellshock, SSRF, Open Redirects, Log4Shell (CVE-2021-44228), and Spring4Shell (CVE-2020-5398). It supports proxy configuration, HTTP authentication, session management, and generates reports in HTML, XML, JSON, TXT, and CSV formats. The library can also fingerprint web technologies using Wappalyzer and enumerate CMS modules for platforms like WordPress. |
| 2026-04-23 2026 | Microsoft issues out-of-band patch for critical security flaw in update to ASP.NET Core news 3 min read | Library update CVE-2026-40372 introduces a critical flaw in ASP.NET Core's Data Protection Library on Linux, macOS, and Windows. A bug in the .NET 10.0.6 package causes incorrect HMAC validation, allowing attackers to forge payloads and decrypt protected tokens and cookies. This requires rebuilding embedded applications, expiring affected tokens, and rotating credentials. → csoonline.com |
| 2026-04-22 2026 | Microsoft releases emergency patches for critical ASP.NET flaw news 2 min read | Library updates address critical ASP.NET Core privilege escalation vulnerability (CVE-2026-40372) in Data Protection cryptographic APIs. This flaw allows unauthenticated attackers to forge authentication cookies, potentially gaining SYSTEM privileges, disclosing files, and modifying data. The regression impacts Microsoft.AspNetCore.DataProtection NuGet packages from 10.0.0-10.0.6. Updates to 10.0.7 are recommended, followed by key ring rotation for full remediation. Previously, Microsoft patched an HTTP request smuggling bug (CVE-2025-55315) in the Kestrel web server. → bleepingcomputer.com |
| 2026-04-22 2026 | A Deep Dive on the Most Critical API Vulnerability: BOLA intermediate | A Deep Dive on the Most Critical API Vulnerability: BOLA |
| 2026-04-22 2026 | What Is Broken Object Property Level Authorization? beginner 14 min read | Guide to Broken Object Property Level Authorization, ranked third on OWASP's API Security Top 10 for 2023, details how APIs often fail to restrict access to individual data fields within objects. It covers how this vulnerability manifests in REST and GraphQL APIs, its business impact, and methods for implementing granular property-level access controls to prevent unauthorized reading and modification of sensitive data like internal identifiers or account status. → paloaltonetworks.com |
| 2026-04-22 2026 | What Is Broken Object Level Authorization? beginner 16 min read | Reference detailing Broken Object Level Authorization (BOLA), the top API security risk according to OWASP. This vulnerability arises when APIs fail to properly validate object permissions after function-level access is granted, allowing attackers to manipulate object identifiers within requests, such as direct object references in RESTful APIs, to access unauthorized data. The resource contrasts BOLA with Broken Function Level Authorization (BFLA), emphasizing that BOLA exploits parameter manipulation within authorized endpoints, not privilege escalation. → paloaltonetworks.com |
| 2026-04-22 2026 | This Is How I Hacked an API Using Mass Assignment Vulnerability intermediate 3 min read | Writeup detailing a silent privilege escalation via mass assignment in a REST API. The author demonstrates how trusting client-supplied JSON in profile update endpoints, where the backend blindly maps request fields to models without an allowlist, can lead to attackers silently gaining administrative privileges. This is achieved by "over-posting" extra fields like "role" or boolean flags, such as "is_admin", which the API then updates, effectively bypassing authorization. The writeup highlights common locations for this vulnerability, including profile updates, registration, and admin edit endpoints, and stresses the importance of explicit field allowlisting and using separate DTOs to prevent such flaws. |
| 2026-04-22 2026 | CVE-2026-34839: CORS Vulnerability in Glances REST API news | CVE-2026-34839: CORS Vulnerability in Glances REST API |
| 2026-04-22 2026 | API ThreatStats Report 2026 news | API ThreatStats Report 2026 |
| 2026-04-22 2026 | VAmPI: Vulnerable REST API with OWASP Top 10 Vulnerabilities beginner 3 min read | Library implementing OWASP Top 10 API vulnerabilities, including SQLi, unauthorized password change, broken object level authorization, mass assignment, excessive data exposure, user and password enumeration, RegexDOS, lack of resources and rate limiting, and JWT authentication bypass. VAmPI is built with Flask, offers a global switch to enable or disable vulnerabilities, and includes OpenAPI 3 specs and a Postman collection for testing and learning purposes. It can be run locally via Python or Docker. |
| 2026-04-22 2026 | API4:2023 Unrestricted Resource Consumption beginner | API4:2023 Unrestricted Resource Consumption |
| 2026-04-22 2026 | 1H 2026 State of AI and API Security Report (Salt) news | 1H 2026 State of AI and API Security Report (Salt) |
| 2026-04-22 2026 | PortSwigger Lab: Exploiting a Mass Assignment Vulnerability intermediate 1 min read | Lab walkthrough demonstrating exploitation of a mass assignment vulnerability to purchase a product. The lab involves logging in with `wiener:peter`, adding an item to the basket, and then identifying and manipulating a `chosen_discount` parameter within the `/api/checkout` POST request. By adding this hidden parameter and altering its value, users can bypass credit limitations and solve the exercise. → portswigger.net |
| 2026-04-21 2026 | Lovable left thousands of projects exposed for 48 days and the vibe coding security crisis is only getting worse news 6 min read | Library for detecting vulnerabilities in AI-generated code, specifically addressing issues found in "vibe coding" platforms like Lovable. It highlights common flaws such as broken object-level authorization, exposed database credentials, and AI hallucination-related vulnerabilities, noting that 40-62% of AI-generated code contains security flaws and that market incentives often prioritize growth over security in this rapidly expanding field. |
| 2026-04-21 2026 | Lovable AI App Builder Reportedly Exposes Thousands of Project Data via API Flaw news 2 min read | Analysis of an API flaw in the Lovable AI app builder reveals potential exposure of sensitive project data, including source code, credentials, and user information. The vulnerability, reportedly exploitable by free account users, stems from inconsistent API security implementation that fails to protect projects created before November 2025. Researchers demonstrated that older projects return "200 OK" responses for unauthorized access attempts, whereas newer projects correctly return "403 Forbidden." Exposed data can include AI conversation histories containing technical details and customer information, potentially impacting employees from major technology companies like Nvidia, Microsoft, Uber, and Spotify. → cyberpress.org |
| 2026-04-21 2026 | Vibe coding upstart Lovable denies data leak cites 'intentional behavior' then throws HackerOne under the bus news 4 min read | Writeup detailing a Broken Object Level Authorization (BOLA) vulnerability exploited by an OSINT researcher against vibe coding platform Lovable. The vulnerability allowed unauthorized access to sensitive user data, including credentials, chat history, and source code, via publicly accessible projects. Lovable's initial response attributed the exposure to "intentional behavior" and unclear documentation before blaming bug bounty platform HackerOne for mishandling the researcher's report. → theregister.com |
| 2026-04-21 2026 | Lovable's API flaw exposed private project data from the $6.6 billion AI app builder used by Nvidia and Microsoft teams news 3 min read | Analysis of a Lovable API vulnerability that exposed chat histories, source code, and Supabase API keys from projects created before November 2025. The flaw, reported via HackerOne in March 2026, stemmed from missing ownership checks on API endpoints, allowing any authenticated user to access data from older projects, impacting users at companies like Nvidia and Microsoft. Affected users are advised to rotate all credentials used within the platform. |
| 2026-04-21 2026 | Lovable AI App Builder Hit by Reported API Flaw Exposing Thousands of Projects news 2 min read | Writeup on an API flaw in the Lovable AI app builder, allowing unauthorized access to thousands of older projects. Disclosed 48 days ago by @weezerOSINT on X, the vulnerability grants free account holders access to source code, database credentials, customer information, and AI chat histories, potentially exposing data from users at companies like Nvidia, Microsoft, Uber, and Spotify. The bug stems from inconsistent patching, where projects created before November 2025 return a 200 OK status, while newer ones are protected. → gbhackers.com |
| 2026-04-21 2026 | Lovable Left Thousands of Projects Exposed for 48 Days And Still Hasn't Fixed It news 4 min read | Writeup of a BOLA vulnerability in the Lovable.dev API exposing source code, database credentials, and AI chat histories. The flaw, affecting projects created before November 2025, allows free account users to access sensitive data from other users. This vulnerability, reported on HackerOne, highlights systemic security issues in AI-assisted development platforms, similar to the recent Vercel incident linked to Context.ai. Lovable has addressed chat history exposure but maintains that source code visibility on public projects is intentional. |
| 2026-04-21 2026 | API Security Risks Rise as AI Adoption Accelerates beginner 4 min read | Survey of API security risks stemming from AI adoption, revealing that 49% of organizations struggle to monitor machine-to-machine traffic and 48% cannot distinguish AI agents from bots. The report highlights amplified vulnerabilities like broken object-level authorization (BOLA) and challenges with AI-generated code security, noting traditional SAST and DAST tools are insufficient. Attackers increasingly target authenticated access, with 99% of attempts originating from such entities, underscoring the need for continuous verification and behavioral monitoring. → esecurityplanet.com |
| 2026-04-20 2026 | Lovable AI App Builder Reportedly Exposes Customer Data From Projects via Unpatched API Flaw news 2 min read | Writeup on a Broken Object Level Authorization (BOLA) vulnerability in Lovable, an AI app builder, allowing unauthorized access to project data including source code, database credentials, and customer information. The flaw, unpatched for projects created before November 2025, enables free-tier users to make unauthenticated API calls to retrieve sensitive data via endpoints like `api.lovable.dev/GetProjectMessagesOutputBody`. Researchers found exposed Supabase credentials and data from individuals at Accenture Denmark and Copenhagen Business School, along with potential risks for employees at Nvidia, Microsoft, Uber, and Spotify. This issue was previously reported on HackerOne as duplicate report #3583821. → cybersecuritynews.com |
| 2026-04-19 2026 | BOLA API Attack & Prevention — StackHawk intermediate 13 min read AuthZ | Library detailing Broken Object Level Authorization (BOLA) vulnerabilities, the #1 API security risk. BOLA occurs when APIs fail to verify user permissions for specific data objects, allowing unauthorized access to sensitive information like financial or medical records by manipulating predictable identifiers or bypassing ownership checks. The resource explains BOLA's prevalence, the distinction from IDOR, root causes like over-reliance on object identifiers and insufficient authorization focus, and provides examples of attacks against social media profiles and medical records. |
| 2026-04-19 2026 | Broken Object-Level Authorization (BOLA): What It Is and How to Prevent It beginner 6 min read | Reference explaining Broken Object-Level Authorization (BOLA), the most common API vulnerability, where unchecked object identifiers expose sensitive data. It details how attackers exploit BOLA by manipulating identifiers, the risks in microservices, and secure coding practices involving server-side authorization checks on every request. The article highlights compliance implications under GDPR and HIPAA, and prevention strategies including robust authorization logic, opaque identifiers, and automated API security testing to detect variants like insecure direct object references (IDOR). → invicti.com |
| 2026-04-19 2026 | OWASP Top 10 API Security Risks and How to Mitigate Them — Pynt beginner 11 min read | Library of techniques and examples for mitigating the OWASP API Security Top 10 risks, including Broken Object Level Authorization (BOLA), Broken Authentication, and Server-Side Request Forgery (SSRF). It details practical defenses like fine-grained authorization, secure authentication protocols, and rate limiting. The resource also highlights how tools can automate detection of these vulnerabilities during development, addressing common weaknesses such as misconfigurations and improper inventory management. |
| 2026-04-19 2026 | OWASP API Security Top 10 Vulnerabilities — 2025 beginner 10 min read | Reference detailing the OWASP API Security Top 10 Vulnerabilities for 2025, including risks like Broken Object Level Authorization (BOLA), Broken Authentication, Broken Object Property Level Authorization, and Unrestricted Resource Consumption. It outlines how these vulnerabilities are exploited through mechanisms like ID manipulation, weak credential handling, excessive data exposure, and resource overuse, and provides prevention strategies such as enforcing authorization, implementing standardized token practices, using short-lived access tokens, restricting data exposure, preventing mass assignment, and employing rate limiting. |
| 2026-04-16 2026 | MCP Access Control: OPA vs Cedar - Natoma advanced 4 min read | Reference comparing Open Policy Agent (OPA) and AWS Cedar for MCP access control. Independent research indicates Cedar offers stronger security guarantees, deterministic behavior, and formal verification, excelling in safety-critical or AWS-centric environments with simpler policies. OPA, with its Rego language, provides greater expressiveness and integration capabilities, making it suitable for complex logic and mature operational scenarios. The choice depends on prioritizing security and performance (Cedar) versus flexibility and extensive integrations (OPA). |
| 2026-04-16 2026 | Stateful REST API Fuzzing with RESTler intermediate 5 min read | Tool for stateful REST API fuzzing, RESTler utilizes Swagger/OpenAPI specifications to automatically generate fuzzing grammars. It executes sequences of requests, where resources created by earlier requests are consumed by subsequent ones, enabling the discovery of input validation flaws, authentication issues, and resource management bugs. RESTler's extensible design allows for custom security checkers to be plugged into its fuzzing loop, and it can help validate API specifications for consistency and completeness. |
| 2026-04-16 2026 | Inside Modern API Attacks: 2026 API ThreatStats Report - Wallarm news 6 min read | Report analyzing 2025 API attack trends from Wallarm's 2026 API ThreatStats Report, highlighting APIs as the primary attack surface due to compounding failures in identity, exposure, and abuse. It details that 43% of CISA KEVs and 36% of AI vulnerabilities are API-related. Attack vectors like Cross-Site Issues, Injection, and Broken Access Control are prevalent, with 97% of vulnerabilities exploitable by a single request and 98% being easy or trivial to exploit. |
| 2026-04-16 2026 | OWASP API Security Testing Framework beginner 2 min read | Library for automated API security validation, the OWASP API Security Testing Framework (ASTF) identifies vulnerabilities based on the OWASP API Security Top 10. It supports REST, GraphQL, and gRPC, offers a comprehensive test suite, CI/CD integration, customizable rules, and detailed reporting with remediation guidance, incorporating real-world attack patterns. → owasp.org |
| 2026-04-16 2026 | Kong API Gateway Misconfigurations Case Study - Trend Micro news 10 min read | Library for securing Kong API Gateway deployments, detailing common misconfigurations such as exposing the administration API and missing firewall rules. It highlights the risk of storing secrets like API keys in plain text within the database, especially in the community version lacking robust encryption and vault support. The entry emphasizes the importance of secure access controls and proper network segmentation to prevent unauthorized access and potential back-end compromise. → trendmicro.com |
| 2026-04-16 2026 | API Security Testing: Tools and Techniques - API7.ai beginner 7 min read | Library for comprehensive API security testing, detailing static analysis with tools like Semgrep and Gosec, dynamic testing using OWASP ZAP and StackHawk, and penetration testing with Burp Suite. It emphasizes business logic testing for BOLA and IDOR vulnerabilities, highlighting specialized tools such as Escape and Cequence. The resource also covers AI-powered protection, API gateway enforcement, and open-source developer tools, stressing discovery and inventory mapping with Akto and Noname. |
| 2026-04-16 2026 | BOLA and BFLA: The API Vulnerabilities That Silently Expose Data beginner 5 min read | Library for identifying and mitigating Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA) vulnerabilities in APIs. These OWASP API Security Top 10 risks, often missed by automated scanners, allow unauthorized access to user data or administrative functions by failing to enforce object ownership and role-based access controls server-side. The library's approach mirrors penetration testing methodologies, emphasizing multi-account testing and endpoint function enumeration to uncover these critical business-logic flaws. |
| 2026-04-16 2026 | API Penetration Testing: Complete Guide beginner 18 min read | Reference covering API penetration testing methodology, focusing on techniques to identify and exploit vulnerabilities in programmatic interfaces. It details threats from the OWASP API Security Top 10, including Broken Object Level Authorization (BOLA), Broken Authentication, and Server Side Request Forgery (SSRF). The guide also discusses security differences and testing approaches for REST, GraphQL, and gRPC architectures. |
| 2026-04-16 2026 | How to Protect APIs from OWASP Authorization Risks: BOLA, BOPLA and BFLA - 42Crunch intermediate 4 min read | Guide to defending against OWASP API authorization risks, focusing on Broken Object Level Authorization (BOLA), Broken Object Property Level Authorization (BOPLA), and Broken Function Level Authorization (BFLA). It emphasizes making authorization auditable, defining rules in OpenAPI contracts, and integrating API audit and scan testing tools into IDEs and CI/CD pipelines for early detection and remediation of vulnerabilities. |
| 2026-04-16 2026 | Securing the Gates: Mastering BOLA and BFLA in API Security intermediate 6 min read | Writeup detailing Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA) vulnerabilities in API security. The resource demonstrates how BOLA allows unauthorized access to sensitive data by exploiting improper authorization checks on specific objects, using OWASP crAPI and Firefox Containers to illustrate intercepting and altering requests. It then explores BFLA, where users can execute functions beyond their permitted scope, showcasing how changing endpoint parameters from "user" to "admin" can lead to unauthorized actions like deleting other users' videos. |
| 2026-04-16 2026 | DAST Tools: Complete Buyer's Guide & 10 Solutions to know in 2026 beginner 21 min read | Guide to Dynamic Application Security Testing (DAST) tools focusing on critical features for modern applications. It details common frustrations with legacy scanners, such as excessive configuration, high false positive rates, poor API testing capabilities (specifically for GraphQL and REST), and weak CI/CD integration. The guide highlights essential criteria for evaluating new DAST solutions, including business logic vulnerability detection (BOLA, IDOR), low false positive rates with proof-based scanning, native API protocol support for REST and GraphQL, and deep CI/CD integration. It contrasts these with the limitations of older tools, emphasizing the need for DAST solutions that can keep pace with rapid development cycles and complex application architectures. → securityboulevard.com |
| 2026-04-15 2026 | Top 10 Best API Security Providers Protecting Web Apps in 2026 beginner 17 min read | Tool for API security, evaluating providers for 2026, highlighting Salt Security for its AI-driven business logic protection and automated discovery, and Akamai for its comprehensive lifecycle coverage and global threat intelligence. The entry emphasizes the critical need for API security in modern web applications due to evolving threats like Broken Object Level Authorization (BOLA), shadow APIs, and business logic abuse, recommending solutions that offer API discovery, runtime protection, and DevSecOps integration. → gbhackers.com |
| 2026-04-14 2026 | Critical etcd Vulnerability Allows Unauthorized Access to Sensitive Cluster APIs news 2 min read | Writeup of CVE-2026-33413, an authentication bypass in etcd allowing unauthorized access to sensitive cluster APIs like Maintenance.Alarm, KV.Compact, and Lease.LeaseGrant. Discovered autonomously by Strix, this critical vulnerability (CVSS 8.8) exploits a flaw in the applier chain, where specific methods are not checked by the authApplierV3 wrapper, enabling unauthenticated or under-privileged users to perform disruptive operations. A patch was released in March 2026. → gbhackers.com |
| 2026-04-11 2026 | Exploiting API4: 8 Real-World Unrestricted Resource Consumption Attack Scenarios intermediate 5 min read | Library of resources detailing 8 real-world Unrestricted Resource Consumption (API4:2023) attack scenarios, including large file uploads, high-latency responses, financially impactful API abuse (e.g., SMS gateways, LLM APIs), GraphQL batching and query abuse, data bombs, and buffer overflows like CVE-2025-22457. These scenarios illustrate how attackers can cause denial of service, performance degradation, and financial losses through various API vulnerabilities. → securityboulevard.com |
| 2026-04-11 2026 | Exploiting Server-Side Request Forgery in an API intermediate 9 min read | Library for identifying and exploiting Server-Side Request Forgery (SSRF) vulnerabilities in APIs. This resource details how SSRF, a dangerous OWASP API Security Top 10 vulnerability, allows attackers to trick servers into making unauthorized requests, potentially leading to data leaks or remote code execution. It covers techniques for identifying SSRF through common parameter names, webhooks, file imports, and PDF generators, and explores exploitation methods like local/remote port scanning and local file reads. → danaepp.com |
| 2026-04-11 2026 | API Versioning Vulnerabilities: Deprecated Endpoints Still Accepting Requests intermediate | API Versioning Vulnerabilities: Deprecated Endpoints Still Accepting Requests |
| 2026-04-11 2026 | Exploiting JWT Vulnerabilities: Advanced Exploitation Guide advanced 11 min read Bug Bounty JWT | Library detailing advanced JWT exploitation techniques, covering flaws stemming from misconfigurations and improper input validation. It analyzes vulnerabilities such as the 'none' algorithm allowance, missing signature validation, algorithm confusion attacks, and JWK spoofing, referencing CVE-2018-0114. The guide breaks down JWT structure and common attack vectors like authentication bypass and injection. → intigriti.com |
| 2026-04-11 2026 | openapi-fuzzer: Black-box Fuzzer for OpenAPI Specifications intermediate 4 min read | Tool for black-box fuzzing APIs based on OpenAPI specifications (v3). This Rust-based fuzzer, `openapi-fuzzer`, identifies parsing bugs and invalid formats by generating and sending payloads. It stores findings in JSON and can replay triggering seeds using the `resend` subcommand. Configuration options include ignoring specific status codes, adding custom headers, and adjusting request counts. |
| 2026-04-11 2026 | CATS: REST API Fuzzer and Negative Testing Tool intermediate | Library for REST API negative testing, CATS automatically generates and runs thousands of tests based on data types and structural constraints, moving beyond typical random input fuzzing. It offers rapid execution with no coding required and extensive configurability, allowing users to match or ignore response codes, bodies, API paths, and more, while fine-tuning reporting. |
| 2026-04-11 2026 | RESTler: Stateful REST API Fuzzing Tool intermediate 5 min read | Library for stateful REST API fuzzing that analyzes OpenAPI specifications to generate and execute tests, discovering security and reliability bugs. RESTler intelligently infers producer-consumer dependencies and dynamically learns service behavior from responses to explore deeper service states and find issues like internal server errors and logic bugs. It offers compile, test, fuzz-lean, and fuzz modes for comprehensive bug hunting. |
| 2026-04-11 2026 | BFLA: Broken Function Level Authorization beginner 4 min read | Resource on Broken Function Level Authorization (BFLA) vulnerabilities. This document, crafted by TCM Security, is part of their broader offerings in cybersecurity services and education, including penetration testing, vulnerability scanning, and training. The content implicitly supports their mission of revealing risk, meeting requirements, and strengthening security for organizations by exposing exploitable gaps. |
| 2026-04-11 2026 | API Gateway Authorizers: Vulnerable By Design intermediate 5 min read | Library discussing how API Gateway authorizer caching can lead to authorization vulnerabilities. When caching is keyed solely by the JWT, subsequent requests to different resources can incorrectly inherit permissions from previous requests. This is especially problematic when using services like AWS Verified Permissions to grant granular access, as the cache may not reflect specific resource authorizations, leading to potential over-permissioning. The solution involves configuring the API Gateway cache key to include the HTTP method and path, ensuring that authorization checks are specific to the requested resource. |
| 2026-04-11 2026 | HTTP Request Smuggling in API Gateways intermediate 6 min read | Library for detecting and preventing HTTP request smuggling attacks targeting API gateways. This technique exploits discrepancies in how gateways and backends interpret request boundaries, allowing attackers to bypass security controls like authentication and rate limiting. The library details common attack types such as CL.TE, TE.CL, and H2.CL, and provides mitigation strategies like enforcing HTTP/2 end-to-end, disabling backend connection reuse, and normalizing ambiguous requests. It also references specific vulnerabilities like CVE-2024-53008 and CVE-2023-40225 affecting HAProxy, and CVE-2024-33452 impacting Kong Gateway. |
| 2026-04-11 2026 | Kong API Gateway Misconfigurations: A Security Case Study intermediate 10 min read | Library detailing Kong API Gateway misconfigurations, including exposing the Administration API on public interfaces, missing firewall rules, and insecure storage of secrets like API keys in plain text. It highlights how default configurations and examples found in container image repositories can lead to these vulnerabilities, emphasizing the need for proper access controls and secure credential management. → trendmicro.com |
| 2026-04-11 2026 | Swagger-EZ: Pentesting APIs Using OpenAPI Definitions intermediate | Tool for pentesting APIs using OpenAPI (Swagger) definitions. Swagger-EZ parses Swagger 2.0 JSON files, either by URL or pasted blob, to populate API endpoints and parameters within a browser UI. Users configure their proxy, like Burp Suite, to intercept requests. After loading the API definition, parameters can be populated with test data and sent, facilitating API security testing. |
| 2026-04-11 2026 | APIDetector: Scan for Exposed Swagger Endpoints intermediate 7 min read | Library for scanning exposed Swagger and OpenAPI endpoints. APIDetector v3 features a modern web interface and command-line options for discovering API documentation like `/swagger-ui.html` and `/openapi.json`. It supports multi-threaded scanning over HTTP/HTTPS, automatically captures screenshots of vulnerable endpoints, and performs XSS detection on vulnerable Swagger versions. The tool is built with Python 3.x and requires Flask, Requests, and Playwright for browser automation. |
| 2026-04-11 2026 | Autoswagger: Automated Discovery and Testing of OpenAPI and Swagger Endpoints intermediate 5 min read | Tool for automated discovery and testing of OpenAPI and Swagger endpoints, Autoswagger identifies unauthenticated API endpoints and data exposure risks. It locates spec files, extracts paths and methods, and concurrently tests endpoints, flagging outputs containing personally identifiable information or secrets using Presidio and regex heuristics. The tool supports multi-phase discovery, optional brute-force parameter testing, and flexible JSON or table output for actionable results. |
| 2026-04-11 2026 | Swagger Jacker: Auditing OpenAPI Definition Files intermediate 3 min read | Tool for auditing OpenAPI definition files. Swagger Jacker automates the analysis of API routes defined in specification documents, identifying potential vulnerabilities like IDOR and SQL injection. It parses fields such as "Info" for API metadata and "security" for authentication mechanisms, then generates requests to test endpoint accessibility and authentication requirements, significantly reducing manual testing time for publicly exposed or unintentionally leaked definition files. → bishopfox.com |
| 2026-04-11 2026 | PayloadsAllTheThings: API Key Leaks intermediate 2 min read | Library of resources for identifying and managing API key leaks, including tools like aquasecurity/trivy, blacklanternsecurity/badsecrets, irsdl/crapsecrets, d0ge/sign-saboteur, mazen160/secrets-patterns-db, momenbasel/KeyFinder, streaak/keyhacks, trufflesecurity/truffleHog, and projectdiscovery/nuclei-templates. It covers common leak vectors such as hardcoding in source code, public repositories, Docker images, logs, and configuration files, offering techniques to detect and verify leaked credentials. |
| 2026-04-11 2026 | State of Secrets: 28 Million Credentials Leaked on GitHub in 2025 news 17 min read Secrets | Library for detecting and preventing hardcoded secrets in code, addressing accidental commits, the .env file problem, supply chain attacks via compromised NPM packages like tinyColor and ngx-bootstrap, leaks from non-code surfaces such as Slack and Jira, and the increasing risks associated with AI-assisted development and MCP server configurations. → snyk.io |
| 2026-04-11 2026 | Bypassing Rate Limits: All Known Techniques intermediate | Bypassing Rate Limits: All Known Techniques |
| 2026-04-11 2026 | Rate Limit Bypass - HackTricks intermediate 6 min read | Library detailing rate limit bypass techniques. This resource explores methods including brute-forcing variations of endpoints like `/api/v3/sign-up`, inserting blank bytes, and modifying headers such as `X-Forwarded-For` to evade IP-based rate limiting. It also covers bypassing limits by altering user-agent and cookie headers, adding non-significant parameters, and leveraging HTTP/2 multiplexing and GraphQL batching. Advanced techniques like using WebSocket or gRPC streaming, sharding counters across multiple regions, and utilizing tools like PortSwigger's Turbo Intruder and `websocat` are also discussed. → book.hacktricks.xyz |
| 2026-04-11 2026 | Hacking APIs: Bypassing Rate Limiting intermediate | Hacking APIs: Bypassing Rate Limiting |
| 2026-04-11 2026 | What is Mass Assignment? Attacks and Security Tips beginner 4 min read | Guide to Mass Assignment vulnerabilities, also known as autobinding or object injection, detailing how attackers can manipulate HTTP request parameters to modify or create unintended object variables. It illustrates attacks, including privilege escalation via user profile modification on platforms like GitHub (2012) and GraphQL API exploitation, and provides prevention techniques such as implementing strict field whitelisting on the server-side, referencing OWASP for framework-specific solutions. → vaadata.com |
| 2026-04-11 2026 | API Security 101: Mass Assignment and Exploitation in the Wild beginner 4 min read | Guide to exploiting mass assignment vulnerabilities in APIs, covering its impact on privilege escalation and financial abuse. This guide details how mass assignment functions in frameworks like Ruby on Rails, NodeJS, Spring MVC, ASP.NET MVC, and PHP, and demonstrates exploitation techniques using examples and the crAPI demo lab. It also outlines remediation strategies such as disabling automatic property mapping and implementing read-only fields. → cobalt.io |
| 2026-04-11 2026 | What is BOLA? 3-digit bounty from Topcoder beginner | What is BOLA? 3-digit bounty from Topcoder → infosecwriteups.com |
| 2026-04-11 2026 | API1:2023 Broken Object Level Authorization beginner 3 min read | Analysis of API1:2023 Broken Object Level Authorization examines how applications fail to validate permissions for every API call to every object. Attackers manipulate object IDs in API requests to access unauthorized data or functionality, leading to potential data breaches, account takeovers, or permission escalation. Detecting and mitigating BOLA vulnerabilities through code changes and inline API security tools like Wallarm is crucial for preventing these impacts. |
| 2026-04-11 2026 | Exposing a New BOLA Vulnerability in Grafana intermediate 8 min read | Writeup on CVE-2024-1313, a Broken Object Level Authorization (BOLA) vulnerability in Grafana that allows low-privileged users to delete dashboard snapshots from other organizations using snapshot keys. Versions 9.5.0 before 9.5.18, 10.0.0 before 10.0.13, 10.1.0 before 10.1.9, 10.2.0 before 10.2.6, and 10.3.0 before 10.3.5 are affected. The vulnerability, with a CVSS score of 6.5, arises from the dashboard snapshot APIs and could lead to data loss or integrity issues. Additionally, an endpoint allows any user to create snapshots with weak self-assigned keys, potentially enabling denial-of-service or brute-force attacks. → unit42.paloaltonetworks.com |
| 2026-04-10 2026 | Doyensec: Common OAuth Vulnerabilities intermediate 13 min read AuthN | Checklist of common OAuth vulnerabilities, this resource details attacks against the protocol's implementations. It explains the Implicit Flow, Authorization Code Flow, Authorization Code Flow with PKCE, Client Credentials Flow, Device Authorization Flow, and the Resource Owner Password Credentials Flow. Common attack vectors like XSS and flawed redirect_uri validation are highlighted, particularly in the Implicit Flow. → blog.doyensec.com |
| 2026-04-10 2026 | GitLab Fixes Critical Bugs Allowing DoS and Code Injection Attacks news 2 min read | Library updates from GitLab address critical vulnerabilities, including CVE-2026-5173 enabling code injection by bypassing WebSocket access controls, and denial-of-service flaws like CVE-2026-1092 in the Terraform state lock API and CVE-2025-12664 in the GraphQL API. Additional fixes target CVE-2026-1516 for code injection in Code Quality reports, CVE-2026-4332 for XSS in analytics, and information disclosure issues, urging immediate patching of self-managed instances. → cyberpress.org |
| 2026-04-10 2026 | API Exploitation For Bug Bounty intermediate | API Exploitation For Bug Bounty |
| 2026-04-10 2026 | API Penetration Testing Roadmap (2025) beginner 1 min read | Roadmap for API penetration testing covering REST, SOAP, and GraphQL, detailing techniques for identifying Broken Authentication, Rate Limiting Bypasses, Injection Attacks (SQLi, XSS, SSTI), and Business Logic Vulnerabilities. It emphasizes hands-on practice with tools like Burp Suite, Postman, and OWASP ZAP, alongside learning from platforms such as PortSwigger's Web Security Academy, APIsec University, and bug bounty reports from HackerOne. The roadmap stresses practical application on live systems and understanding OWASP API Security Top 10 principles. |
| 2026-04-10 2026 | API Security Testing Tool Checklist (2026) beginner 7 min read | Library for API security testing, this resource outlines essential features for modern application security. It emphasizes robust authentication support, including OAuth2, JWT, and multi-step workflows, alongside schema import capabilities for OpenAPI, Swagger, and Postman collections to ensure comprehensive coverage of REST, GraphQL, and Async APIs. The checklist highlights the importance of rate limiting and safe scan controls to prevent operational disruption, continuous environment support across CI/CD and staging, and noise reduction through proof of exploitability. Key vulnerabilities addressed include Broken Object Level Authorization (BOLA) and business logic abuse, stressing workflow-level testing over basic scanning for effective API security. |
| 2026-04-10 2026 | GraphQL Security Best Practices: A Developer's Guide beginner 15 min read | Guide to GraphQL security best practices detailing risks like query depth and complexity attacks, introspection abuse, batching exploits, and field-level authorization challenges. It explains how GraphQL's flexible query language and single endpoint architecture differ from REST, creating unique attack surfaces. The guide covers mitigations for these issues, crucial for developers securing GraphQL services. |
| 2026-04-10 2026 | OWASP API Security Top 10 Risks beginner 8 min read | Reference detailing the OWASP API Security Top 10 Risks, updated in 2023 to reflect evolving threats. This includes risks like Broken Object Level Authorization (BOLA), Broken Authentication, Broken Object Property Level Authorization (BOPLA), Unrestricted Resource Consumption, Broken Function Level Authorization (BFLA), Unrestricted Access to Sensitive Business Flows, Server-Side Request Forgery (SSRF), and Security Misconfiguration. The document offers mitigation strategies for these vulnerabilities, citing examples like Uber and Trello breaches. → wiz.io |
| 2026-04-10 2026 | API Security Reality Check: Q2 2025 API ThreatStats Report news 3 min read | Report detailing Q2 2025 API security trends, highlighting a 9.8% increase in API CVEs and a significant rise in AI-specific API vulnerabilities, with 34 new CVEs. The report addresses the hidden risks of GraphQL, where despite no reported breaches, vulnerabilities like excessive data exposure and denial of service from nested queries are prevalent due to poor visibility and traditional tool limitations. Most exploited flaws include unauthenticated access, Broken Object Level Authorization (BOLA), token abuse, and injection risks, emphasizing the need for complete API visibility, securing AI stacks, strengthening authorization, and comprehensive lifecycle testing beyond schema validation. |
| 2026-04-10 2026 | GraphQL Security Testing: Complete Guide intermediate 12 min read | Library for securing GraphQL APIs, addressing unique vulnerabilities like schema exposure via introspection and Apollo suggestions, deeply nested query attacks, missing field-level authorization (BOLA) and IDOR via argument manipulation, SQL injection through variables, and batch query attacks. It highlights how these differ from REST APIs and provides actionable insights for mitigation, emphasizing the need for per-object authorization and query complexity limits. |
| 2026-04-10 2026 | Common API Security Vulnerabilities & Solutions (2026 Guide) beginner 15 min read | Guide on common API security vulnerabilities, covering the OWASP API Top 10 including BOLA, BFLA, Mass Assignment, and Excessive Data Exposure. It details real-world exploits like JWT misuse and GraphQL abuse, emphasizing the need for active testing beyond static scans. Solutions discussed include strong access controls (RBAC/ABAC), secure authentication with MFA and OAuth 2.0, limiting data exposure, implementing rate limiting, and secure configurations to mitigate breaches and financial losses. |
| 2026-04-10 2026 | Common Attacks on REST APIs and GraphQL APIs beginner GraphQL | Common Attacks on REST APIs and GraphQL APIs |
| 2026-04-10 2026 | GraphQL API Security: Common Vulnerabilities and Exploits intermediate GraphQL | GraphQL API Security: Common Vulnerabilities and Exploits |
| 2026-04-10 2026 | API Security Risks: The 10 Most Exploited in 2026 news 10 min read | Library cataloging the top 10 API security risks for 2026, detailing threats like AI-powered attacks, injection attacks (SQL, XSS), supply chain compromise, shadow APIs, Broken Object-Level Authorization (BOLA), and GraphQL vulnerabilities. The entry highlights real-world breaches including Azure AD user data exposure, Facebook account data theft via API authentication bypass, Stripe API hijacking for Magecart attacks, Intel employee data exfiltration, and OpenAI customer data exposure through Mixpanel. It emphasizes emerging vectors and the critical need for API posture governance strategies. |
| 2026-04-10 2026 | What Are the OWASP Top 10 API Security Risks? - Akamai beginner | What Are the OWASP Top 10 API Security Risks? - Akamai → akamai.com |
| 2026-04-10 2026 | OWASP API Security Top 10 (2025) Guide with Tests beginner 25 min read | Reference detailing the OWASP API Security Top 10 (2023) standard, including explanations and testing strategies for vulnerabilities such as Broken Object Level Authorization (BOLA), Broken Object Property Level Authorization (BOPLA), Broken Authentication, Excessive Data Exposure, and Security Misconfiguration. It highlights shifts in the OWASP framework, provides examples like the T-Mobile breach and the Peloton API flaw, and offers remediation advice including server-side permission checks, allowlisting fields, and proper configuration management. |
| 2026-04-10 2026 | OWASP Top 10 2025: What's Changed and Why beginner 9 min read | Library summarizing the OWASP Top 10 2025 list, detailing the significant changes from the 2021 edition. It highlights two new categories: Software Supply Chain Failures (A03) and Mishandling of Exceptional Conditions (A10). The entry also notes shifts in existing categories, with Security Misconfiguration rising to #2, Server-Side Request Forgery (SSRF) consolidated into Broken Access Control (A01), Cryptographic Failures dropping to #4, Injection to #5, and Insecure Design to #6. This resource reflects an updated understanding of modern attack vectors, encompassing a broader analysis of CVEs and community insights. |
| 2026-04-10 2026 | Top 10 OWASP API Security in 2026 beginner 6 min read | Reference detailing the OWASP API Security Top 10 risks for 2025, including Broken Object Level Authorization (BOLA), Broken Authentication, Unrestricted Resource Consumption, Broken Function Level Authorization, Server Side Request Forgery (SSRF), and Security Misconfiguration, with strategies for mitigation and prevention. |
| 2026-04-10 2026 | OWASP Top Ten 2025: Key Security Risks for APIs beginner | OWASP Top Ten 2025: Key Security Risks for APIs |
| 2026-04-10 2026 | OWASP API Security: Top 10 Risks & Remedies for 2026 beginner 18 min read | Reference discussing OWASP's Top 10 API Security Risks, highlighting evolving threats particularly due to AI integration and agentic applications. It details vulnerabilities such as third-party API exploitation, forgotten and shadow APIs, and security misconfigurations in API management solutions. Recommendations include implementing rigorous input validation, API inventory, secure communication channels, and automated security testing, with mentions of Axway's Amplify Platform for API cataloging and management. |
| 2026-04-09 2026 | API Security Breach Statistics 2026: Hidden Threats beginner 11 min read | Statistics detail a massive surge in API attack traffic (600%+) and near-universal organizational exposure (99% hit in the past year), with only 21% reporting strong detection capabilities and 13% preventing over half of attacks. Path Traversal (27.3%), SQL Injection (20.0%), and SSRF (14.5%) are leading vulnerabilities, while AI-driven attacks accelerate exploitation to as little as 1.2 hours. Major breaches like T-Mobile and Optus underscore the risk of authentication flaws and broken object authorization, with 80,000+ incidents projected by end of 2025 if trends continue. → sqmagazine.co.uk |
| 2026-04-06 2026 | Anthropic Patches Claude Code Bypass Vulnerability news | Anthropic Patches Claude Code Bypass Vulnerability https://ift.tt/MXrTcEF → letsdatascience.com |
| 2026-04-06 2026 | Protecting Payment, Cart, and Login Endpoints at the Edge intermediate 7 min read | Library for edge-based API security that protects critical e-commerce endpoints like payment, cart, and login from OWASP API Security Top 10 attacks. It utilizes API schema definition and real-time request validation at the network edge to block threats such as Broken Object Level Authorization, Broken Authentication, and Injection attacks without introducing latency or requiring manual rule management. |
| 2026-04-06 2026 | Open Banking API Security: The Complete Guide in 2026 beginner | Open Banking API Security: The Complete Guide in 2026 |
| 2026-04-06 2026 | Enhancing REST API Fuzzing with Access Policy Violation Detection intermediate 66 min read Fuzzing | Library extension for EvoMaster that adds novel automated oracles to detect access policy violations, specifically Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA), alongside traditional SQL Injection and XSS attacks. This approach integrates seamlessly into existing REST API fuzzing workflows, enabling the generation of executable test cases in multiple programming languages to identify security issues missed by other methods. → arxiv.org |
| 2026-04-06 2026 | 6 Ways to Protect Your Spring Boot APIs from Common Attacks intermediate | 6 Ways to Protect Your Spring Boot APIs from Common Attacks |
| 2026-04-06 2026 | 7 Identity and API Security Tools Modern SaaS Teams Should Evaluate in 2026 beginner 12 min read | Library for assessing application security in modern SaaS environments. It highlights tools addressing enterprise SSO provisioning, API runtime protection, AI agent security, and passwordless authentication. Key solutions include SSOJet for SSO integration, Gopher Security for quantum-resistant MCP protection, Salt Security for API threat detection, 42Crunch for OpenAPI-driven security, Akto for API discovery, StackHawk for CI/CD-native DAST, and MojoAuth for passwordless CIAM. These tools aim to mitigate risks from increased API attacks, broken authentication (52% of API incidents per Wallarm), and growing AI agent adoption. → securityboulevard.com |
| 2026-04-05 2026 | 'Each vulnerability exposes a different class of enterprise data': LangChain framework hit by several worrying security issues here's what we know news 4 min read | Library patches address critical vulnerabilities in LangChain and LangGraph, including path traversal (CVE-2026-34070), deserialization of untrusted data exposing secrets (CVE-2025-68664), and SQL injection in SQLite checkpoints (CVE-2025-67644). These flaws allowed exfiltration of files, API keys, and conversation histories, with risks potentially impacting downstream dependencies. Developers are urged to upgrade to the latest versions and audit configurations, treating LLM outputs as untrusted input. → techradar.com |
| 2026-04-03 2026 | API management: Fundamentals for cloud security teams beginner 9 min read | Library for API management, a crucial component of cloud security, offering standardized authentication and policy enforcement via edge gateways. It enhances API security by combining agentless cloud scanning with API discovery, mapping APIs to cloud resources and data sensitivity. This approach reduces incident response times, minimizes audit findings, and enables zero trust architectures by addressing vulnerabilities like broken object-level authorization, broken authentication, and shadow APIs. Key capabilities include gateway traffic management, centralized authentication/authorization, and comprehensive monitoring and observability. → wiz.io |
| 2026-04-03 2026 | InQL - GraphQL Scanner | PortSwigger BApp Store intermediate 2 min read | Library for GraphQL security testing that simplifies vulnerability identification through schema analysis, query generation, and custom scanning. It auto-generates queries, mutations, and subscriptions, with features like circular reference detection and batch query support for rate limit bypasses and DoS vectors. Results integrate with Burp Repeater and Intruder, and schemas can be visualized with GraphiQL or GraphQL Voyager. → portswigger.net |
| 2026-04-03 2026 | OWASP API Security Top 10 Explained | Salt Security beginner | OWASP API Security Top 10 Explained | Salt Security |
| 2026-04-03 2026 | How To Prepare For An API Penetration Test beginner 12 min read | Guide for preparing API penetration tests, detailing common vulnerabilities and the importance of scope definition. It advises providing documentation, Postman collections, and Swagger files to testers for grey-box or source code-assisted assessments, and outlines the use of tools like Postman and Swagger UI in the testing process. |
| 2026-04-03 2026 | Awesome GraphQL Security - Curated List of Resources beginner 4 min read GraphQL | Library of curated resources for GraphQL security, encompassing frameworks like GraphQL Shield and GraphQL Armor, testing tools such as Escape, GraphCrawler, and InQL, and educational materials covering vulnerabilities like aliasing attacks, CSRF, cyclic queries, and IDOR. It also lists clients like Postman and Insomnia, and schema visualization tools like Voyager. |
| 2026-04-03 2026 | API Testing with Burp Suite: A Practical Guide intermediate 7 min read | Library for intercepting, modifying, and analyzing API traffic with Burp Suite, detailing techniques for REST APIs like parameter tampering and SQL injection detection in Repeater, and for GraphQL APIs, including schema introspection queries and modifying requests via dedicated GraphQL tabs. The library also highlights Burp Intruder for fuzzing and Pynt as an alternative tool. |
| 2026-04-03 2026 | Top 6 API Pentesting Tools | Cobalt beginner 6 min read | Library of top API penetration testing tools, including Postman for managing requests, which can be proxied through tools like Burp Suite for in-depth analysis, vulnerability discovery via Repeater and Intruder, and automated scanning. Swagger aids testers by providing standardized API documentation, while SoapUI assists with SOAP-based APIs. GraphQL, a query language, presents unique challenges requiring schema understanding and targeted query crafting for vulnerabilities like DoS and authorization bypasses. ZAP, an OWASP DAST tool, offers proxying, scanning for vulnerabilities like XSS and SQL injection, and supports formats like JSON and XML, with add-ons for OpenAPI, GraphQL, and SOAP. → cobalt.io |
| 2026-04-03 2026 | API Attack Awareness: BOLA - Why It Tops the OWASP API Top 10 beginner 4 min read | Analysis of Broken Object Level Authorization (BOLA) vulnerabilities, a top OWASP API Top 10 risk, detailing how unauthenticated access to objects can lead to data leakage, account compromise, and business impact. The entry highlights common exploitation methods, the difficulty in detecting these stateful flaws with traditional tools, and emphasizes the need for robust backend authorization checks, mentioning Wallarm's capabilities in detecting and preventing BOLA attacks through API discovery and custom controls. → securityboulevard.com |
| 2026-04-03 2026 | GraphQL API Vulnerabilities | Web Security Academy intermediate 11 min read GraphQL | Reference detailing GraphQL API vulnerabilities, focusing on implementation and design flaws like exposed introspection. It covers finding GraphQL endpoints, identifying vulnerabilities through universal queries and unsanitized arguments (leading to issues like IDOR), and leveraging introspection queries to map schema information. The reference highlights how Burp Suite can assist in discovering endpoints and introspection, and discusses best practices for securing GraphQL APIs. → portswigger.net |
| 2026-04-03 2026 | API Testing | Web Security Academy beginner 8 min read | Library for testing RESTful and JSON APIs, covering techniques to identify endpoints, analyze API documentation, and interact with identified resources using tools like Burp Suite. It details how to discover hidden endpoints and parameters by manipulating HTTP methods and content types, and how to leverage machine-readable documentation such as OpenAPI specifications. This resource also maps common web vulnerabilities to their API equivalents, referencing the OWASP API Security Top 10. → portswigger.net |
| 2026-04-03 2026 | OWASP API Security Top 10 beginner 1 min read | Project that provides awareness and mitigation strategies for common API security risks. It aims to document the Top 10 API Security Risks, offer best practices for secure API development, and foster community collaboration for evolving security trends. The resources are licensed under Creative Commons. → owasp.org |
| 2026-04-03 2026 | OWASP API Security Project | OWASP Foundation beginner 5 min read | Project detailing API security strategies and solutions, focusing on mitigating unique vulnerabilities. It highlights the API Security Top 10 2023 list, including Object Level Access Control issues, faulty authentication, excessive data exposure, denial of service, authorization flaws, business logic abuse, Server-Side Request Forgery (SSRF), insecure configurations, lack of proper documentation, and reliance on third-party APIs. The project is licensed under Creative Commons Attribution-ShareAlike 4.0 and is freely available, with contributions maintained on GitHub. → owasp.org |
| 2026-02-06 2026 | SOAPwnwatchtowr soappwn research whitepaper advanced | SOAPwnwatchtowr soappwn research whitepaper |
| 2026-01-19 2026 | Hackmanit/Web-Cache-Vulnerability-Scanner: Web Cache Vulnerability Scanner is a Go-based CLI tool for testing for web cache poisoning. It is developed by Hackmanit GmbH (http://hackmanit.de/). beginner 5 min read | Library for testing web cache poisoning and deception. It supports ten cache poisoning techniques, including unkeyed header poisoning and HTTP response splitting, and multiple cache deception techniques like path traversal. The tool features an adaptive crawler, customizable options for headers, cookies, and parameters, and can generate JSON reports. WCVS can be integrated into CI/CD pipelines and is available as pre-built binaries or via Go installation. |
| 2026-01-17 2026 | pwviptbl/ProxyHunter: Python application with a graphical interface that lets you configure interception rules to modify HTTP request parameters. When the browser sends a request to a configured route, the proxy intercepts it, modifies only the specified parameters, and forwards the request while keeping all other original parameters. intermediate 12 min read Burp Python | Tool that intercepts HTTP requests, modifies specific parameters based on configurable rules, and forwards them. It features a graphical interface, WebSocket support, an advanced Intruder for automated attacks, and scanners for SQL Injection, XSS, CSRF, Path Traversal, and more. Additional functionalities include a passive and active scanner, spider/crawler, request comparator, and CLI management. |
| 2026-01-07 2026 | GitHub - pranav-cs-1/nexus: A terminal-based HTTP client for API testing intermediate 2 min read | Tool for terminal-based API testing, Nexus streamlines request management with a keyboard-driven interface and persistent storage via the sled embedded database. It supports full HTTP method functionality, request organization into collections, response viewing with status codes and headers, and complete request editing. Nexus can import Postman Collections (v2.1) with support for authentication and nested folders, and export collections as JSON or individual requests as curl commands. |
| 2025-12-30 2025 | Teycir/BurpAPISecuritySuite: Burp Suite extension for API security testing with 15 attack types, 108+ payloads, intelligent fuzzing, BOLA/IDOR detection, AI integration, and automated reconnaissance. Supports REST/GraphQL/SOAP APIs with Nuclei, Turbo Intruder, and external tool integration. OWASP API Top 10 coverage. intermediate 38 min read Burp Fuzzing GraphQL | Library for comprehensive API security testing within Burp Suite. This extension consolidates 15 attack types, over 108 payloads, and integrates external tools like Nuclei, Turbo Intruder, and ApiHunter. It features intelligent fuzzing, automated reconnaissance, and detection of vulnerabilities such as BOLA and IDOR, with support for REST, GraphQL, and SOAP APIs, covering OWASP API Top 10 and offering AI integration for payload generation. |
| 2025-11-27 2025 | How Hackers Are Exploiting Salesforce and Why Architects Must Act | Salesforce Ben news 9 min read | Analysis of Salesforce security exploits highlights a critical knowledge gap between security and Salesforce teams. Hackers exploit undocumented features like public links, Chatter groups, and Lightning APIs, as well as content ingestion and third-party risks such as phishing links and malicious images, which native Salesforce tooling and audits often miss. The article emphasizes the need for individuals with hybrid skillsets to bridge this divide and properly architect secure, usable Salesforce organizations, noting that expensive native tools like Event Monitoring and Data Detect require additional implementation and expertise to be effective. |
| 2025-10-19 2025 | GitHub - fosrl/pangolin: Identity-Aware Tunneled Reverse Proxy Server with Dashboard UI intermediate 2 min read | Library implementing an identity-aware tunneled reverse proxy server with a dashboard UI. Pangolin enables secure remote access to private and public resources via browser-based or client-based connections, combining reverse proxy and VPN capabilities. It facilitates access through restrictive firewalls using outbound tunnels and NAT traversal, offering granular access controls, role-based access control (RBAC) via integrated users or external identity providers, and supports automatic SSL certificates and load balancing, adhering to a zero-trust model. |
| 2025-10-05 2025 | API Hacking - Just Hacking Training (JHT) beginner 1 min read Bug Bounty | Workshop slides from DEF CON 32 covering hardware fault injection on specific targets. |
| 2025-08-14 2025 | Detect SSRF Attacks in Cloud Applications and APIs | Datadog intermediate 3 min read SSRF | Library for detecting server-side request forgery (SSRF) attacks against cloud applications and APIs. It highlights prevalent vulnerabilities in Java services, like those in Jackson and Apache libraries, and details how attackers exploit them to access cloud metadata services and credentials. The library aids in identifying malicious traffic by monitoring API response timing and patterns, such as requests to sensitive domains like metadata.google.internal or malformed URLs. It integrates with Datadog Application and API Protection (AAP) for automated detection and blocking via its WAF. |
| 2025-08-06 2025 | ByteByteGo | How does HTTPS work? beginner 1 min read | Guide detailing HTTPS functionality, explaining its role in securing internet communication through Transport Layer Security (TLS). It breaks down the handshake process, including TCP connection establishment, client and server hellos, SSL certificate validation, and the secure exchange of a session key using asymmetric and symmetric encryption to protect data from interception. |
| 2025-05-07 2025 | Using JWTs in Python Flask REST Framework | AppSignal Blog intermediate 8 min read AuthN Python | Library for implementing JWT-based authentication in Python Flask REST Framework applications. This resource details the structure of JWTs (header, payload, signature), their benefits like stateless sessions and security, and demonstrates their practical application. It covers setting up a Flask environment, creating user registration and login endpoints that issue JWTs using Flask-JWT-Extended, securing API routes with `@jwt_required()`, and managing task creation, retrieval, updates, and deletion for authenticated users. The guide also explains how to implement token refreshes for longer-lived sessions. |
| 2025-03-01 2025 | CORS Finally Explained — Simply - Level Up Coding beginner | There are millions of articles explaining how to fix the error above, but what exactly is this “Cross-Origin Resource Sharing” (CORS) thing, and why does it even exist? Let's begin by first answering… → levelup.gitconnected.com |
| 2025-02-10 2025 | GitHub - usebruno/bruno: Opensource IDE For Exploring and Testing Api's (lightweight alternative to postman/insomnia) intermediate 2 min read | Library for API exploration and testing, Bruno offers a privacy-focused, offline-first alternative to Postman and Insomnia. It stores API collections in local filesystem folders using the Bru markup language, facilitating collaboration via Git or other version control systems. Bruno is available for Mac, Windows, and Linux, with installation options including binary downloads and package managers like Homebrew, Chocolatey, Scoop, Snap, Flatpak, and Apt. |
| 2025-02-10 2025 | GitHub - samwafgo/SamWaf: SamWaf open-source lightweight website firewall, fully private deployment. SamWaf is a lightweight, open-source web application firewall for small companies, studios, and personal websites. It supports fully private deployment, encrypts data stored locally, is easy to start, and supports Linux and Windows 64-bit. beginner 1 min read | Library for lightweight, open-source web application security, SamWaf offers fully private deployment with encrypted local data storage. It supports custom rule creation, IP and URL blacklisting, CC frequency limiting, and OWASP CRS rule sets. SamWaf is designed for small companies and personal websites, easily deployable on Linux and Windows, and includes features like automatic SSL certificate management and IPv6 support. |
| 2025-01-28 2025 | GitHub - traefik/whoami: Tiny Go server that prints os information and HTTP request to output beginner 2 min read | Tool providing a tiny Go webserver that prints OS information, HTTP request details, environment variables, and network information. It supports custom wait times via the `wait` query parameter, allows modification of GET response status codes with POST requests to `/health`, and can serve HTTPS with provided certificates. The tool also features WebSocket echo, health checks, and can be configured to listen on different ports. It can be used to test network configurations, debug HTTP requests, and integrate with containerized environments. |
| 2025-01-22 2025 | GitHub - c0dejump/HExHTTP: Header Exploitation HTTP intermediate 4 min read | Tool for testing HTTP headers to identify vulnerabilities such as web cache poisoning and Cache Poisoning DoS (CPDoS). HExHTTP supports flexible proxy configuration, integration with Burp Suite for issue reporting, and human-like request behavior to bypass WAFs. It analyzes various header types, including hop-by-hop headers, and tests CDN/proxy responses. |
| 2025-01-20 2025 | GitHub - chaitin/SafeLine: SafeLine is a self-hosted WAF(Web Application Firewall) / reverse proxy to protect your web apps from attacks and exploits. beginner 2 min read | Library for a self-hosted Web Application Firewall (WAF) and reverse proxy, SafeLine protects web applications from attacks including SQL injection, XSS, code injection, OS command injection, CRLF injection, XXE, SSRF, path traversal, bruteforce, and HTTP floods. It offers proactive bot defense, HTML/JS code encryption, IP-based rate limiting, and web access control lists, defending against DoS attacks and traffic surges. SafeLine implements anti-bot and authentication challenges, with dynamic protection that encrypts code on each visit. |
| 2024-12-22 2024 | GitHub - fabriziosalmi/patterns: Automated OWASP CRS and Bad Bot Detection for Caddy, Nginx, Apache, Traefik and HaProxy intermediate 4 min read | Library that automates OWASP CRS and bad bot detection for Caddy, Nginx, Apache, Traefik, and HAProxy. It scrapes OWASP Core Rule Set patterns daily, converting them into WAF configurations for various web servers to defend against SQL Injection, XSS, RCE, and LFI. Additionally, it integrates bad bot blocking using public lists to thwart malicious crawlers and scrapers, offering pre-generated configurations and automated updates via GitHub Actions. |
| 2024-12-20 2024 | GitHub - xnl-h4ck3r/knoxnl: This is a python wrapper around the amazing KNOXSS API by Brute Logic intermediate 8 min read Python | Library for Python that wraps the KNOXSS API, enabling automated scanning for Cross-Site Scripting (XSS) and Open Redirect vulnerabilities. It supports various input methods, including single URLs and files, and allows for detailed configuration, including Discord webhook notifications, API key management, and Flash Mode for quick tests. The library also integrates with Burp Suite via the Piper extension for proxy-based testing, handling both GET and POST requests with optional headers and post data. |
| 2024-12-14 2024 | postMessage Braindump intermediate 2 min read | Writeup on postMessage security vulnerabilities, detailing how to identify and exploit them. It highlights `postMessage` as a cross-origin communication mechanism akin to an API, discoverable via Frans Rosen's postMessage Tracker and browser DevTools. The writeup explains debugging techniques using breakpoints to trace `postMessage` execution paths, demonstrating an XSS vulnerability achieved by setting event attributes via malicious `postMessage` payloads. It also warns about common regex errors when validating `event.origin` for securing `postMessage` listeners. |
| 2024-12-13 2024 | Server SSL certificate verification - HTTPie 3.2.4 (latest) docs beginner 39 min read | Library for interacting with HTTP services from the command line, designed for human-friendly testing and debugging. It supports intuitive syntax, formatted output, JSON, forms, uploads, HTTPS, proxies, authentication, custom headers, persistent sessions, downloads, and a plugin system. Installation instructions are provided for various package managers and operating systems, including standalone executables. The documentation details usage for custom methods, headers, JSON data, form submissions, offline requests, authentication, file uploads/downloads, sessions, and URL parameters. |
| 2024-12-12 2024 | API Testing with Insomnia and Burp Suite: An Alternative to Postman intermediate 8 min read Burp | Library for API testing using Insomnia and Burp Suite, offering an alternative to Postman. This resource details capturing API requests with mitmproxy, converting them to OpenAPI 3.0 format using mitmproxy2swagger, and importing into Insomnia. It covers Insomnia's variable management, integration with Burp Suite for request interception and modification, and testing for outdated API versions. |
| 2024-12-03 2024 | Hacking API discovery with a custom Burp extension intermediate 8 min read Burp | Library for enhanced API discovery within Burp Suite, employing a brute-force methodology to locate API documentation artifacts. It dynamically generates a wordlist exceeding 4,000 combinations, combining various prefix directories, doc endpoints, UI endpoints, and extensions. The library also implements resilient request handling with exponential backoff and adjusted connection timeouts, alongside parallel processing for increased efficiency. → danaepp.com |
| 2024-11-28 2024 | GitHub - cc1a2b/jshunter: JShunter is a command-line tool designed for analyzing JavaScript files and extracting endpoints. This tool specializes in identifying sensitive data, such as API endpoints and potential security vulnerabilities, making it an essential resource for developers and security researchers. intermediate 8 min read | Tool for analyzing JavaScript files, JSHunter extracts endpoints, identifies sensitive data like API keys and JWT tokens, and detects vulnerabilities. It supports comprehensive endpoint discovery, advanced code analysis, multiple input methods, and high-performance processing with stealth features such as proxy support and user-agent rotation. Features include deobfuscation, source map parsing, GraphQL analysis, and WAF bypass detection, with professional output formats like JSON and CSV, and direct integration with Burp Suite. |
| 2024-11-26 2024 | The OAuth Oversight: When Configuration Errors Turn into Account Hijacks intermediate AuthN | Hey folks I hope you are doing well. I am back with another writeup on OAuth misconfiguration leads to account takeover. The PoC is… |
| 2024-11-05 2024 | What is Azure Web Application Firewall on Azure Front Door? beginner 7 min read | Library for Azure Web Application Firewall on Azure Front Door, offering centralized protection against web exploits and vulnerabilities. It inspects incoming requests globally at network edge locations, preventing attacks before they reach your virtual network. Features include custom rules for IP allow/block lists, geographic access control, HTTP parameter matching, rate limiting, and Azure-managed rule sets for SQL injection, cross-site scripting, and more. WAF policies can operate in detection or prevention modes, with actions like ALLOW, BLOCK, LOG, and REDIRECT. |
| 2024-11-05 2024 | HTTP Security Headers: A complete guide to HTTP headers beginner 21 min read | Reference on HTTP security headers detailing their functions in protecting against vulnerabilities like Cross-Site Scripting (XSS) and Clickjacking. It explains key headers such as Access-Control-Allow-Origin for CORS, Content-Type for data interpretation, and Content-Security-Policy (CSP) for controlling resource loading and execution. The guide emphasizes the importance of properly configuring these headers to enhance web application security. |
| 2024-10-03 2024 | Automate your API hacking with Autorize intermediate 6 min read AuthN AuthZ | Library for automating API security testing, Autorize is a Burp Suite extension that detects broken object level authorization (BOLA) by repeatedly sending requests with different user privileges. It analyzes response changes to identify authorization and authentication issues, supporting active scans and offering configuration for interception filters and enforcement detectors. Autorize can be integrated with Repeater and customized to filter results for potential bypasses and 401 status codes, aiding in the discovery of vulnerabilities like unauthorized access to administrative functions. → danaepp.com |
| 2024-10-01 2024 | Exploiting trust: Weaponizing permissive CORS configurations advanced 15 min read | Writeup on exploiting permissive CORS configurations, detailing how misconfigurations can lead to severe vulnerabilities. It explains the same-origin policy and how Cross-Origin Resource Sharing (CORS) relaxes it. The writeup highlights common mistakes like reflecting the "Origin" header without validation, trusting the "null" origin, and flawed subdomain validation in trusted origins. Case studies, including those from a bank and a travel booking application, demonstrate how these weaknesses can be weaponized to steal API keys, session tokens, and achieve account takeovers through techniques like those discovered using Burp Suite's CORS scan check. |
| 2024-09-23 2024 | Sec_Mind_Maps/OWASP API TOP 10.pdf at main · h0tak88r/Sec_Mind_Maps beginner | Cyber security mind maps collection. |
| 2024-09-21 2024 | Proving API exploitability with Burp Collaborator intermediate 5 min read Burp | Tool for proving API exploitability using Burp Collaborator, an out-of-band application security testing (OAST) feature. This method allows demonstration of vulnerabilities like RCE, SSRF, and blind XXE by capturing interactions with mock network services (DNS, HTTP, SMTP) without needing to establish reverse shells. Examples include its use in testing CVE-2023-4044, an insecure deserialization flaw in WS_FTP, and against crAPI for blind SSRF detection. Users can leverage hosted services or set up private Burp Collaborator servers. → danaepp.com |
| 2024-09-16 2024 | Automating the CORS Vulnerability Scan intermediate AuthZ Bug Bounty | When conducting a bug bounty, automating your scanning process not only saves time but ensures you don’t miss common vulnerabilities. One… |
| 2024-09-14 2024 | Unlocking OAuth Security intermediate AuthN | In this blog, we will uncover the different oauth security implications on both the client applications and the oauth server. → infosecwriteups.com |
| 2024-09-05 2024 | JWT vs PASETO: New Era of Token-Based Authentication beginner AuthN JWT | This article delves into a comprehensive comparison of Paseto and JWT, dissecting their core functionalities, security features, and… |
| 2024-08-16 2024 | Securing OAuth 2.0 Token Exchange Flow with Keycloak intermediate AuthN JWT | RFC 8693: Token Exchange describes a mechanism for exchanging an existing token (JWT) for a new token with different issuing client id… |
| 2024-08-12 2024 | GitHub - Brum3ns/firefly: Black box fuzzer for web applications beginner 3 min read Fuzzing | Library for black-box web application fuzzing, Firefly utilizes goroutines for high performance and an inductive engine to analyze responses. It offers customizable payloads, tampering, encoding, and detailed filtering options for request verification and result refinement. Firefly supports various input methods including raw HTTP requests and integrates with tools like `jq` for advanced result analysis. |
| 2024-08-03 2024 | Beyond the Limit: Expanding single-packet race condition with a first sequence sync for breaking the 65,535 byte limit advanced 10 min read Fuzzing | Technique for expanding single-packet race conditions by overcoming the 1,500-byte request limit. This method leverages IP fragmentation to split large TCP packets across multiple IP packets, allowing for the full utilization of the TCP window size, up to 65,535 bytes. It then employs TCP sequence number reordering, specifically a "First Sequence Sync," to delay server packet processing until the final packet with the initial sequence number is received, enabling the synchronization and simultaneous processing of numerous large requests. |
| 2024-07-30 2024 | OAuth+XSS Attack Threatens Millions of Web Users With Account Takeover beginner AuthN XSS | An attack flow that combines API flaws within "log in with" implementations and Web injection bugs could affect millions of websites. → darkreading.com |
| 2023-10-12 2023 | Web AppSec Interview Questions beginner 16 min read Bug Bounty | Reference for web application security interview questions, this resource delves into topics such as Web Cache Deception vs. Poisoning, Session Fixation exploitation, Base64 vs. Base64URL, various XSS types, Blind SQL Injection, Same-Origin Policy, HTTP Request Smuggling (TE.TE variant), DOM Clobbering, HTTP Parameter Pollution, IDOR, JWKs/JKUs, Business Logic vulnerabilities, Server-Side Template Injection payloads, Sec-WebSocket-Key header, CSP's "unsafe-inline", stateless authentication weaknesses, CSRF mitigation techniques, XML parameter entities in XXE, DOM-based XSS fixes, CORS Preflight request prevention, Insecure Deserialization exploitation, secure file upload practices, Mass Assignment, GraphQL batching for rate limiting bypass, type juggling with JSON, sensitive data exposure techniques, and CSRF immune requests. |
| 2023-10-09 2023 | What is OAuth (The Modern Guide) beginner 69 min read AuthN | Guide to OAuth 2.0 detailing eight common real-world modes: local login/registration, third-party/first-party/enterprise login/registration (federated identity), third-party/first-party service authorization, machine-to-machine authentication/authorization, and device login/registration. It clarifies the distinction between OAuth and SAML, explaining OAuth as an authorization system with authentication layered on top, contrasting it with SAML's primary authentication focus. The guide helps developers choose the appropriate OAuth mode based on specific use cases, such as outsourcing authentication, avoiding credential storage, or enabling service-to-service communication. |
| 2023-09-03 2023 | ffuf advanced tricks - ACCEIS intermediate 14 min read Fuzzing | Library for advanced `ffuf` techniques, focusing on fuzzing capabilities beyond simple directory enumeration. This resource details using configuration files for persistent settings like colorization, custom headers (e.g., `X-SOC-Tag`), and proxy integration. It also covers reading from standard input, employing external payload mutators like Radamsa, and avoiding false negatives with advanced filtering. The content assumes familiarity with basic `ffuf` usage, including fuzzing parameters and identifying virtual hosts. |
| 2023-09-02 2023 | Web AppSec Interview Questions beginner 16 min read | Reference of web application security interview questions and answers covering topics like Web Cache Poisoning, Session Fixation, SQL Injection variants (Boolean Error Inferential), DOM Clobbering, HTTP Request Smuggling (TE.TE), Cross-Site Scripting (XSS), HTTP Parameter Pollution, Insecure Deserialization, Mass Assignment, GraphQL batching, type juggling, and Cross-Site Request Forgery (CSRF) mitigation techniques. |
| 2023-08-30 2023 | NosyMonkey: API hooking and code injection made easy! advanced 12 min read Mobile | Library for API hooking and code injection, NosyMonkey simplifies complex tasks for security researchers. It automates the process of making compiled binaries perform unintended actions or alter their behavior without requiring source code modification. NosyMonkey handles the intricate details of creating DLLs, injecting code, and establishing hooks, allowing researchers to easily modify API calls, conceal processes from tools like Task Manager, or dump sensitive information like LSASS credentials, as demonstrated in examples involving API microservicing and direct system calling. |
| 2023-08-22 2023 | (Research) Exploiting HTTP Parsers Inconsistencies advanced Bug Bounty | (Research) Exploiting HTTP Parsers Inconsistencies https://ift.tt/EfMHcVm |
| 2023-07-26 2023 | Web Application Black-Box testing intermediate Bug Bounty Recon | Web Application Black-Box testing https://ift.tt/d1Mrqn4 |
| 2023-07-19 2023 | Web App Hacking with Caido.io intermediate Burp | Web App Hacking with Caido.io https://www.youtube.com/watch?v=lW-u_2EByT4 |
| 2023-06-15 2023 | DetectCrossOriginMessaging intermediate 1 min read | Library for detecting cross-origin messaging vulnerabilities, specifically those stemming from insecure use of `postMessage` in JavaScript. It helps identify tainted data sources and common sinks like `document.write` and `element.innerHTML`, as well as common origin validation bypasses involving unescaped dots or incomplete regex patterns. This Burp extension aids in investigating `postMessage` implementations to prevent DOM XSS and information leaks. |
| 2023-06-14 2023 | hisxo/JSpector beginner | Extension for Burp Suite, JSpector passively crawls JavaScript files, identifying URLs, endpoints, and dangerous methods. Upon successful loading (requiring Jython), it automatically generates issues in the Dashboard tab, allowing for export of discovered information to the clipboard. |
| 2023-05-27 2023 | open-appsec ML-based WAF protects against modern SQLi AutoSpear evasion techniques news 5 min read SQLi | Library that uses machine learning to defend against advanced SQL injection evasion techniques, including those demonstrated by the AutoSpear project. It focuses on identifying "non-legitimate" payloads rather than classifying specific attack types, allowing it to block zero-day attacks and bypasses involving complex encoding, case swapping, whitespace substitution, and DML substitution without requiring constant rule updates. |
| 2023-04-13 2023 | OWASP Proactive Controls 2023/2024 v1 beginner AuthN AuthZ | OWASP Proactive Controls 2023/2024 v1 https://ift.tt/xVAnFY5 → docs.google.com |
| 2023-04-13 2023 | WebSockets are a Pain - A Journey in Learning and Leveraging intermediate 7 min read | Library detailing WebSocket communication, its advantages for attackers like real-time data transfer and bypassing proxies, and its handshake process. The entry includes practical applications for Command and Control (C2) infrastructure using tools like Caddy, PowerShell, and native Linux tooling such as websocat, demonstrating how to leverage WebSockets for covert communication and data exfiltration. → blog.zsec.uk |
| 2023-04-10 2023 | How to Implement OAuth 2.0 Login for Python Flask Web Server Applications intermediate 4 min read AuthN Python | Tutorial on implementing OAuth 2.0 login for Python Flask web server applications. This guide details enabling Google APIs, creating OAuth client IDs, securely storing credentials, and writing Python code for the login flow. It covers redirect URIs, environment variables, and front-end HTML templates, with complete code available on GitHub. |
| 2023-04-08 2023 | HTTPolice beginner | Library for validating HTTP requests and responses, HTTPolice identifies syntax errors in headers, incorrect status codes, and other common issues. It functions as a command-line tool capable of parsing HAR files and raw HTTP/1.x TCP streams, integrating with mitmproxy for TLS and HTTP/2 traffic, or serving as a Python library. Integrations include a Django package and a Chrome extension. HTTPolice was inspired by REDbot but focuses on analyzing provided traffic rather than active testing. |
| 2023-04-05 2023 | OAuth 2.0 beginner 4 min read AuthN | Library for implementing OAuth 2.0 authorization flow, specifically for the Google APIs Client Library for Python. It guides users on acquiring client IDs and secrets, managing browser redirects with `Flow` classes like `InstalledAppFlow`, and exchanging authorization codes for `Credentials` objects. The library supports both end-user authorization and service account authentication, deprecating the older `oauth2client` library in favor of `google-auth` and `google-auth-oauthlib`. |
| 2022-06-09 2022 | Favorite tweet by @fardeenahmed411 beginner Bug Bounty | Favorite tweet: API Bug-Bounty Tools Check list (Part - 1) - Postman (It is like Burpsuite for API) - APISec - AppKnox - Synopsis API Scanner - Data Theorem API Secure #cybersecuritytips #bugbountyti... |
| 2022-03-23 2022 | Favorite tweet by @imranparray101 news Bug Bounty | Favorite tweet: We at @snap_sec recently published a bunch of articles on “Attacking modern web apps” , go check them out. 👇 https://t.co/dwzeO7cGl2 https://t.co/8bpZX25CTL https://t.co/WHT1rreRro ht... |
| 2022-01-08 2022 | Damn Vulnerable GraphQL Application beginner 2 min read GraphQL | Library for practicing GraphQL security, Damn Vulnerable GraphQL Application (DVGA) is an intentionally insecure implementation featuring numerous flaws including injections, code execution, authorization bypasses, denial of service, and SSRF. It offers beginner and expert modes, covering scenarios like GraphQL introspection, batch query attacks, and OS command injection, with a provided Postman collection for challenge solutions. |
| 2022-01-06 2022 | awesome-apisec beginner 2 min read | Library of open-source API security tools and resources, curated for community benefit. It categorizes offerings into areas like API keys, enumeration, fuzzing, firewalls, and design, along with books, cheat sheets, and presentations. The repository emphasizes community contributions and avoids vendor-specific, commercial, or closed-source materials, focusing strictly on relevance to API security, bug hunting, hardening, and hacking. |
| 2021-12-15 2021 | REST Resources Provided By: Bitbucket Server - REST beginner 133 min read | Reference for Bitbucket Server's REST API, detailing how to access resources via URIs, utilize HTTP methods like GET and POST, and handle JSON responses. It explains paging mechanisms, authentication methods (HTTP Basic, OAuth, Cookies, Trusted Applications), and common error responses including 40x client errors and 500 server errors. The reference covers accessing personal repositories through both project-centric and user-centric URLs, and includes specific examples for clearing CAPTCHAs and deleting groups. |
| 2021-11-26 2021 | Phantom - A multi-platform HTTP(S) Reverse Shell Server and Client intermediate 3 min read RCE | Library for building multi-platform HTTP(S) reverse shells, Phantom provides a server and client implemented in Python 3. It facilitates encrypted communication via HTTPS by supporting auto-generated or user-supplied certificates and includes a helper script for generating self-signed certificates. Binaries for Linux and Windows can be built using PyInstaller, with client binaries containing hardcoded server URLs for stealthy connections. Phantom supports dependency management via Poetry or Virtualenv. |
| 2021-11-23 2021 | Hacking OAuth Applications intermediate 3 min read AuthN | Talk from DEF CON 31 detailing how to hack OAuth applications. It covers vulnerabilities like impersonation by manipulating access tokens and state parameters, authorization code theft via manipulated redirect URIs, and bypassing validation with localhost URIs or duplicate parameters. The talk also discusses stealing implicit grant tokens, exploiting registration flaws for account takeovers, and leaking tokens via Host header injection. |
| 2021-11-13 2021 | Web Attack Cheat Sheet beginner 61 min read Bug Bounty SQLi XSS | Cheatsheet detailing web attack techniques, including discovery, enumeration, scanning, monitoring, manual payloads, bypasses, and specific vulnerabilities like SSRF, XXE, OAuth, DNS Rebinding, HTTP/SMTP Header Injection, Web Shells, Reverse Shells, SQLi, XSS, XPath Injection, Path Traversal, LFI, SSTI, Information Disclosure, and WebDAV. It also references tools and data sources for reconnaissance, CDN IP range identification, origin IP discovery, and subdomain enumeration. |
| 2021-11-12 2021 | Advanced request smuggling advanced 8 min read SSRF | Library detailing advanced HTTP request smuggling techniques, building on fundamental concepts to explore potent HTTP/2 vectors. It covers how common HTTP/2 implementations, including H2.CL and H2.TE vulnerabilities stemming from HTTP/2 downgrading, enable new attack opportunities. The library also addresses response queue poisoning, persistent response cache poisoning for site takeover, and constructing high-severity exploits even without connection reuse, with examples referencing Black Hat USA 2021 research. → portswigger.net |
| 2021-11-10 2021 | Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond intermediate 14 min read | Library for practical HTTP header smuggling, a technique that hides request headers from some servers in a chain while others see them. This method identifies header smuggling by comparing server responses to mutated headers versus regular ones, demonstrating its effectiveness in bypassing AWS API Gateway IP restrictions and AWS Cognito rate limiting. The research also details how header smuggling can lead to exploitable cache poisoning, and presents a black-box methodology for detecting CL.CL request smuggling vulnerabilities. |
| 2021-11-01 2021 | MalAPI.io beginner Mobile | MalAPI.io |
| 2021-10-26 2021 | How to set up Docker for Varnish HTTP/2 request smuggling intermediate 3 min read | Walkthrough of setting up a Docker environment to test HTTP/2 request smuggling, focusing on CVE-2021-36740. This technique exploits how H2-compatible proxies rewrite HTTP/2 requests to HTTP/1.1, specifically when Varnish cache improperly handles the `Content-Length` header during this conversion, allowing malicious requests to be prepended to subsequent legitimate ones. The setup involves Varnish, Hitch for TLS termination, and origin servers. → labs.detectify.com |
| 2021-10-25 2021 | HTTP Headers beginner 12 min read | Cheatsheet detailing security-focused HTTP headers like X-Frame-Options, Content Security Policy (CSP) frame-ancestors, X-Content-Type-Options, Referrer-Policy, Strict-Transport-Security (HSTS), and recommendations for their configuration to prevent vulnerabilities such as Cross-Site Scripting and Clickjacking. It also covers other headers including X-XSS-Protection, Content-Type, Cache-Control, Set-Cookie, and Access-Control-Allow-Origin, highlighting their roles in enhancing web application security. → cheatsheetseries.owasp.org |
| 2021-09-21 2021 | HTTPS Cheat Sheet beginner 4 min read | Cheatsheet for HTTPS configuration, detailing acceptable TLS protocols, cipher suite breakdown (key exchange, authentication, cipher, mode), and recommended Nginx/Apache directives. It covers HSTS, OCSP Stapling, and performance benefits like HTTP/2 and Brotli compression, with links to SSL Labs, securityheaders.io, Mozilla's config generator, and articles on HSTS and migration strategies. |
| 2021-09-15 2021 | HTTP Parameter Pollution intermediate | HTTP Parameter Pollution |
| 2021-09-06 2021 | Exploiting GraphQL intermediate 6 min read GraphQL | Tool BatchQL aids in exploiting GraphQL by identifying introspection query support, schema suggestions, and potential CSRF vulnerabilities. It performs batching attacks, including JSON list-based and query name-based methods, to bypass rate limiting and uncover sensitive mutations. The tool leverages techniques described in blog posts and integrates with external resources like Clairvoyance and the Altair Chrome Extension for schema recovery. |
| 2021-09-01 2021 | Shopify API versioning intermediate 3 min read | Reference for Shopify API versioning details its quarterly release schedule for stable API versions (e.g., 2026-04), which are supported for at least 12 months with nine months of overlap. It distinguishes between stable, release candidate, and unstable versions, and outlines deprecation processes for outdated or unsafe features, with potential delisting from the Shopify App Store for non-compliance. |
| 2021-08-30 2021 | api_wordlist beginner 1 min read Recon | Library of API function names for web application API fuzzing. Includes pre-compiled lists like `api_seen_in_wild.txt`, `actions.txt`, and `objects.txt`, alongside variations for case sensitivity. The resource details how to effectively use these lists within Burp Suite's Intruder, configuring it for "Cluster Bomb" attacks with "Runtime file" payloads to test API endpoints. |
| 2021-08-30 2021 | Cross-Site WebSocket Hijacking (CSWSH) intermediate XSS | Cross-Site WebSocket Hijacking (CSWSH) |
| 2021-08-25 2021 | Inside Figma: securing internal webapps intermediate 14 min read | Library for securely exposing internal web applications, detailing Figma's system built with AWS Application Load Balancers and Okta. It leverages SAML for authentication, AWS Cognito for identity management, and Terraform for infrastructure-as-code. The system emphasizes zero-trust principles, strong authentication via WebAuthn and MFA, centralized authorization using Okta Groups, and minimizes operational toil for the security team. |
| 2021-08-25 2021 | API Testing with HTTPie beginner Python | API Testing with HTTPie |
| 2021-08-21 2021 | API Security 101: Security Misconfiguration beginner | API Security 101: Security Misconfiguration |
| 2021-08-12 2021 | HTTP/2: The Sequel is Always Worse advanced 23 min read | Analysis of HTTP/2 vulnerabilities, including H2.CL and H2.TE request desynchronization attacks that target front-end servers downgrading HTTP/2 to HTTP/1.1. Case studies demonstrate exploitation against Amazon's Application Load Balancer and Netty, with one vulnerability leading to CVE-2021-2195 and maximum bug bounties by compromising Netflix accounts through JavaScript hijacking. Novel techniques and tooling for identifying and exploiting these widespread, overlooked request smuggling variants are also presented. → portswigger.net |
| 2021-07-22 2021 | HackerOne Hacker API tools beginner 1 min read | Library of Hacker API tools for bug bounty reconnaissance and reporting, including BBRF for workflow coordination, bbscope for scope gathering across platforms like HackerOne and Bugcrowd, Depcher for technology stack analysis and Vulners scans, and h1_2_nuclei for scanning programs with Nuclei. It also features tools like HackerBot for report notifications, h1scope for retrieving in-scope items, and reNgine for automated web application reconnaissance. |
| 2021-07-14 2021 | RequestBin Collect inspect and debug HTTP requests and webhooks beginner 1 min read Burp | Platform for inspecting and debugging HTTP requests and webhooks, offering cloud storage for persistent data access across devices, real-time request monitoring, and detailed analytics. It supports collaboration for distributed teams and remote development, built on SOC 2, GDPR, and CCPA compliant infrastructure, serving as a reliable service since 2018 for developers. |
| 2021-06-30 2021 | Web-Application-Pentest-Checklist beginner Bug Bounty Recon | This document is a comprehensive checklist for web application penetration testing. It outlines the key areas and steps involved in assessing the security of web applications. The checklist covers various testing phases, including information gathering, reconnaissance, vulnerability scanning, manual testing, and reporting. It aims to provide a structured approach for pentesters to ensure thorough coverage of potential security weaknesses. The content focuses on practical methodologies and common attack vectors. |
| 2021-06-28 2021 | Guide To Shopify Webhooks Features And Best Practices beginner 11 min read | Library for managing Shopify webhooks, detailing their features, configuration via Admin Dashboard, GraphQL Admin API, REST Admin API, or app TOML. It covers webhook payload structures, security best practices including HMAC-SHA256 signature verification and responding within 5 seconds, and implementing idempotency using the X-Shopify-Event-Id header. The guide also touches upon GDPR compliance webhooks like customers/data_request and customers/redact. |
| 2021-06-21 2021 | OAuth 2.0 Token Binding intermediate AuthN | OAuth 2.0 Token Binding enhances security by cryptographically binding access tokens to the underlying TLS connection. This prevents token reuse if a token is intercepted, as the attacker would lack the corresponding TLS session key. It ensures that a token can only be used by the client that originally received it, bolstering protection against various attack vectors like token theft and replay attacks. The implementation focuses on securing the token's lifecycle within a specific secure connection. |
| 2021-05-24 2021 | Sending webhooks securely intermediate 6 min read | Library for securely sending webhooks, addressing vulnerabilities like SSRF and DNS rebinding. It details mitigation strategies, including proper IP validation after DNS resolution to prevent attacks like those found in PagerDuty and DialogFlow. The library also covers authentication methods such as request signing with HMAC or digital signatures, and mutual TLS, noting potential issues with confused deputy problems in services like Google DialogFlow and PagerDuty. It recommends using languages with robust TLS implementations like Go or Java over those relying on OpenSSL bindings for certificate chain verification. |
| 2021-05-14 2021 | Creating an Authentication API with Golang Using Gin & Nrok intermediate AuthN | This article outlines the process of building an authentication API using Golang, the Gin web framework, and Nrok for tunneling. It likely covers setting up a Gin server, implementing authentication logic (e.g., user registration, login, token generation), and using Nrok to expose the local development server for testing. The focus is on practical implementation steps for creating a functional authentication system. |
| 2021-05-06 2021 | CWE-598: Information Exposure Through Query Strings in GET Request beginner | CWE-598 describes the vulnerability where sensitive information is exposed through query strings in GET requests. This occurs when confidential data, such as credentials or personal details, is appended directly to the URL. Attackers can easily access this information through browser history, server logs, or by intercepting network traffic. This practice should be avoided, and sensitive data should be transmitted using more secure methods like POST requests or encrypted channels. |
| 2021-05-06 2021 | XSS Through Parameter Pollution intermediate XSS | This content explains how Cross-Site Scripting (XSS) vulnerabilities can be exploited through parameter pollution. This technique involves injecting malicious scripts by manipulating multiple parameters within a single request. Attackers can leverage this to bypass security filters and execute arbitrary code in a user's browser. The article details the methods used for such attacks and emphasizes the importance of robust input validation to prevent them. |
| 2021-05-04 2021 | OAuth 2.0: Security Considerations beginner 6 min read AuthN | Reference detailing OAuth 2.0 security considerations, including common mistakes in Classic Web Applications, Single Page Applications, and Mobile Applications. It elaborates on design choices, implementation pitfalls, and exploitation techniques, referencing RFCs like 6749 and 7636. The resource utilizes a sample "gallery" application and its integrations like "photoprint" and "mypics" to illustrate secure OAuth 2.0 flows, such as authorization code grant with PKCE, and discusses token introspection and revocation. |
Frequently Asked Questions
- What is the OWASP API Security Top 10?
  - The OWASP API Security Top 10 is a list of the most critical API security risks, including Broken Object Level Authorization (BOLA), Broken Authentication, Broken Object Property Level Authorization, Unrestricted Resource Consumption, Broken Function Level Authorization, Server Side Request Forgery, Security Misconfiguration, and Lack of Protection from Automated Threats.
- Why are APIs harder to secure than web applications?
  - APIs often expose more data and functionality than web UIs, accept complex input formats, lack the natural access controls of a browser interface, and are harder to monitor. They also tend to grow organically, creating shadow APIs that bypass security controls, and their machine-to-machine nature makes abuse detection more difficult.
- What tools are used for API security testing?
  - Common tools include Burp Suite with API-focused extensions, Postman for manual testing, OWASP ZAP for automated scanning, Akto for API inventory and testing, and custom scripts for fuzzing API parameters. For GraphQL APIs, InQL and graphql-cop are essential. API specification files (OpenAPI/Swagger) are valuable for understanding and testing the full attack surface.