https://appsec.fyi/apisec.html Curated API Security resources from appsec.fyi en-us Wed, 22 Apr 2026 18:38:42 +0000 carl@chs.us (Carl Sampson) https://inonst.medium.com/a-deep-dive-on-the-most-critical-api-vulnerability-bola-1342224ec3f2 https://inonst.medium.com/a-deep-dive-on-the-most-critical-api-vulnerability-bola-1342224ec3f2 A Deep Dive on the Most Critical API Vulnerability: BOLA API Security Wed, 22 Apr 2026 12:52:36 +0000 https://www.paloaltonetworks.com/cyberpedia/broken-object-property-level-authorization https://www.paloaltonetworks.com/cyberpedia/broken-object-property-level-authorization What Is Broken Object Property Level Authorization? API Security Wed, 22 Apr 2026 12:52:35 +0000 https://www.paloaltonetworks.com/cyberpedia/broken-object-level-authentication-api1 https://www.paloaltonetworks.com/cyberpedia/broken-object-level-authentication-api1 What Is Broken Object Level Authorization? API Security Wed, 22 Apr 2026 12:52:35 +0000 https://spyboy.blog/2026/01/14/this-is-how-i-hacked-an-api-using-mass-assignment-vulnerability/ https://spyboy.blog/2026/01/14/this-is-how-i-hacked-an-api-using-mass-assignment-vulnerability/ This Is How I Hacked an API Using Mass Assignment Vulnerability API Security Wed, 22 Apr 2026 12:52:34 +0000 https://www.getastra.com/blog/vulnerability/cve-2026-34839/ https://www.getastra.com/blog/vulnerability/cve-2026-34839/ CVE-2026-34839: CORS Vulnerability in Glances REST API API Security Wed, 22 Apr 2026 12:52:33 +0000 https://www.wallarm.com/reports/2026-wallarm-api-threatstats-report https://www.wallarm.com/reports/2026-wallarm-api-threatstats-report API ThreatStats Report 2026 API Security Wed, 22 Apr 2026 12:52:32 +0000 https://github.com/erev0s/VAmPI https://github.com/erev0s/VAmPI VAmPI: Vulnerable REST API with OWASP Top 10 Vulnerabilities API Security Wed, 22 Apr 2026 12:52:32 +0000 https://salt.security/blog/api4-2023-unrestricted-resource-consumption https://salt.security/blog/api4-2023-unrestricted-resource-consumption API4:2023 Unrestricted Resource Consumption API Security Wed, 22 Apr 2026 12:52:31 +0000 https://salt.security/blog/the-era-of-agentic-security-is-here-key-findings-from-the-1h-2026-state-of-ai-and-api-security-report https://salt.security/blog/the-era-of-agentic-security-is-here-key-findings-from-the-1h-2026-state-of-ai-and-api-security-report 1H 2026 State of AI and API Security Report (Salt) API Security Wed, 22 Apr 2026 12:52:30 +0000 https://portswigger.net/web-security/api-testing/lab-exploiting-mass-assignment-vulnerability https://portswigger.net/web-security/api-testing/lab-exploiting-mass-assignment-vulnerability PortSwigger Lab: Exploiting a Mass Assignment Vulnerability API Security Wed, 22 Apr 2026 12:52:30 +0000 https://www.stackhawk.com/blog/understanding-and-protecting-against-api1-broken-object-level-authorization/ https://www.stackhawk.com/blog/understanding-and-protecting-against-api1-broken-object-level-authorization/ BOLA API Attack & Prevention — StackHawk API Security Sun, 19 Apr 2026 02:37:05 +0000 https://www.invicti.com/blog/web-security/broken-object-level-authorization-bola https://www.invicti.com/blog/web-security/broken-object-level-authorization-bola Broken Object-Level Authorization (BOLA): What It Is and How to Prevent It API Security Sun, 19 Apr 2026 02:37:05 +0000 https://www.pynt.io/learning-hub/owasp-top-10-guide/owasp-top-10-api-security-risks-and-how-to-mitigate-them https://www.pynt.io/learning-hub/owasp-top-10-guide/owasp-top-10-api-security-risks-and-how-to-mitigate-them OWASP Top 10 API Security Risks and How to Mitigate Them — Pynt API Security Sun, 19 Apr 2026 02:22:17 +0000 https://www.indusface.com/learning/owasp-top-10-vulnerabilities/ https://www.indusface.com/learning/owasp-top-10-vulnerabilities/ OWASP Top 10 2025: Latest Changes and Enhancements API Security Sun, 19 Apr 2026 02:22:16 +0000 https://www.clouddefense.ai/api-security-top-10-vulnerabilities/ https://www.clouddefense.ai/api-security-top-10-vulnerabilities/ OWASP API Security Top 10 Vulnerabilities — 2025 API Security Sun, 19 Apr 2026 02:22:15 +0000 https://natoma.ai/blog/mcp-access-control-opa-vs-cedar-the-definitive-guide https://natoma.ai/blog/mcp-access-control-opa-vs-cedar-the-definitive-guide MCP Access Control: OPA vs Cedar - Natoma API Security Thu, 16 Apr 2026 21:02:59 +0000 https://www.code-intelligence.com/blog/stateful-rest-api-fuzzing https://www.code-intelligence.com/blog/stateful-rest-api-fuzzing Stateful REST API Fuzzing with RESTler API Security Thu, 16 Apr 2026 21:02:58 +0000 https://lab.wallarm.com/inside-modern-api-attacks-what-we-learn-from-the-2026-api-threatstats-report/ https://lab.wallarm.com/inside-modern-api-attacks-what-we-learn-from-the-2026-api-threatstats-report/ Inside Modern API Attacks: 2026 API ThreatStats Report - Wallarm API Security Thu, 16 Apr 2026 21:02:57 +0000 https://owasp.org/www-project-api-security-testing-framework/ https://owasp.org/www-project-api-security-testing-framework/ OWASP API Security Testing Framework API Security Thu, 16 Apr 2026 21:02:57 +0000 https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/kong-api-gateway-misconfigurations-an-api-gateway-security-case-study https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/kong-api-gateway-misconfigurations-an-api-gateway-security-case-study Kong API Gateway Misconfigurations Case Study - Trend Micro API Security Thu, 16 Apr 2026 21:02:56 +0000 https://api7.ai/learning-center/api-101/api-security-testing-tools-and-techiniques https://api7.ai/learning-center/api-101/api-security-testing-tools-and-techiniques API Security Testing: Tools and Techniques - API7.ai API Security Thu, 16 Apr 2026 21:02:55 +0000 https://lorikeetsecurity.com/blog/api-security-bola-bfla https://lorikeetsecurity.com/blog/api-security-bola-bfla BOLA and BFLA: The API Vulnerabilities That Silently Expose Data API Security Thu, 16 Apr 2026 21:02:55 +0000 https://nflo.tech/knowledge-base/api-penetration-testing-complete-guide/ https://nflo.tech/knowledge-base/api-penetration-testing-complete-guide/ API Penetration Testing: Complete Guide API Security Thu, 16 Apr 2026 21:02:54 +0000 https://42crunch.com/how-to-protect-apis-from-owasp-authorization-risks-bola-bopla-bfla/ https://42crunch.com/how-to-protect-apis-from-owasp-authorization-risks-bola-bopla-bfla/ How to Protect APIs from OWASP Authorization Risks: BOLA, BOPLA and BFLA - 42Crunch API Security Thu, 16 Apr 2026 21:02:53 +0000 https://www.kayssel.com/post/bola-and-bfla/ https://www.kayssel.com/post/bola-and-bfla/ Securing the Gates: Mastering BOLA and BFLA in API Security API Security Thu, 16 Apr 2026 21:02:52 +0000 https://securityboulevard.com/2025/08/exploiting-api4-8-real-world-unrestricted-resource-consumption-attack-scenarios-and-how-to-stop-them/ https://securityboulevard.com/2025/08/exploiting-api4-8-real-world-unrestricted-resource-consumption-attack-scenarios-and-how-to-stop-them/ Exploiting API4: 8 Real-World Unrestricted Resource Consumption Attack Scenarios API Security Sat, 11 Apr 2026 16:42:53 +0000 https://danaepp.com/exploiting-ssrf-in-an-api https://danaepp.com/exploiting-ssrf-in-an-api Exploiting Server-Side Request Forgery in an API API Security Sat, 11 Apr 2026 16:42:52 +0000 https://medium.com/@instatunnel/api-versioning-vulnerabilities-the-deprecated-endpoints-still-accepting-requests-3b53631dfad6 https://medium.com/@instatunnel/api-versioning-vulnerabilities-the-deprecated-endpoints-still-accepting-requests-3b53631dfad6 API Versioning Vulnerabilities: Deprecated Endpoints Still Accepting Requests API Security Sat, 11 Apr 2026 16:42:52 +0000 https://www.intigriti.com/researchers/blog/hacking-tools/exploiting-jwt-vulnerabilities https://www.intigriti.com/researchers/blog/hacking-tools/exploiting-jwt-vulnerabilities Exploiting JWT Vulnerabilities: Advanced Exploitation Guide API Security Sat, 11 Apr 2026 16:42:51 +0000 https://github.com/matusf/openapi-fuzzer https://github.com/matusf/openapi-fuzzer openapi-fuzzer: Black-box Fuzzer for OpenAPI Specifications API Security Sat, 11 Apr 2026 16:42:50 +0000 https://endava.github.io/cats/ https://endava.github.io/cats/ CATS: REST API Fuzzer and Negative Testing Tool API Security Sat, 11 Apr 2026 16:42:50 +0000 https://github.com/microsoft/restler-fuzzer https://github.com/microsoft/restler-fuzzer RESTler: Stateful REST API Fuzzing Tool API Security Sat, 11 Apr 2026 16:42:49 +0000 https://tcm-sec.com/bfla-broken-function-level-authorization/ https://tcm-sec.com/bfla-broken-function-level-authorization/ BFLA: Broken Function Level Authorization API Security Sat, 11 Apr 2026 16:42:48 +0000 https://authress.io/knowledge-base/articles/2025/05/25/api-gateway-authorizers-vulnerable-by-design https://authress.io/knowledge-base/articles/2025/05/25/api-gateway-authorizers-vulnerable-by-design API Gateway Authorizers: Vulnerable By Design API Security Sat, 11 Apr 2026 16:42:47 +0000 https://www.apisec.ai/blog/http-request-smuggling-in-api-gateway https://www.apisec.ai/blog/http-request-smuggling-in-api-gateway HTTP Request Smuggling in API Gateways API Security Sat, 11 Apr 2026 16:42:47 +0000 https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/kong-api-gateway-misconfigurations-an-api-gateway-security-case-study https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/kong-api-gateway-misconfigurations-an-api-gateway-security-case-study Kong API Gateway Misconfigurations: A Security Case Study API Security Sat, 11 Apr 2026 16:42:46 +0000 https://github.com/RhinoSecurityLabs/Swagger-EZ https://github.com/RhinoSecurityLabs/Swagger-EZ Swagger-EZ: Pentesting APIs Using OpenAPI Definitions API Security Sat, 11 Apr 2026 16:42:45 +0000 https://github.com/brinhosa/apidetector https://github.com/brinhosa/apidetector APIDetector: Scan for Exposed Swagger Endpoints API Security Sat, 11 Apr 2026 16:42:45 +0000 https://www.darknet.org.uk/2025/10/autoswagger-automated-discovery-and-testing-of-openapi-swagger-endpoints/ https://www.darknet.org.uk/2025/10/autoswagger-automated-discovery-and-testing-of-openapi-swagger-endpoints/ Autoswagger: Automated Discovery and Testing of OpenAPI and Swagger Endpoints API Security Sat, 11 Apr 2026 16:42:44 +0000 https://bishopfox.com/blog/swagger-jacker-auditing-openapi-definition-files https://bishopfox.com/blog/swagger-jacker-auditing-openapi-definition-files Swagger Jacker: Auditing OpenAPI Definition Files API Security Sat, 11 Apr 2026 16:42:43 +0000 https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/API%20Key%20Leaks/README.md https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/API%20Key%20Leaks/README.md PayloadsAllTheThings: API Key Leaks API Security Sat, 11 Apr 2026 16:42:42 +0000 https://snyk.io/articles/state-of-secrets/ https://snyk.io/articles/state-of-secrets/ State of Secrets: 28 Million Credentials Leaked on GitHub in 2025 API Security Sat, 11 Apr 2026 16:42:41 +0000 https://medium.com/@shahwarshah/bypassing-rate-limits-all-known-techniques-fffda37a7fa7 https://medium.com/@shahwarshah/bypassing-rate-limits-all-known-techniques-fffda37a7fa7 Bypassing Rate Limits: All Known Techniques API Security Sat, 11 Apr 2026 16:42:40 +0000 https://book.hacktricks.xyz/pentesting-web/rate-limit-bypass https://book.hacktricks.xyz/pentesting-web/rate-limit-bypass Rate Limit Bypass - HackTricks API Security Sat, 11 Apr 2026 16:42:39 +0000 https://iaraoz.medium.com/hacking-apis-bypassing-rate-limiting-0c7bd075b86c https://iaraoz.medium.com/hacking-apis-bypassing-rate-limiting-0c7bd075b86c Hacking APIs: Bypassing Rate Limiting API Security Sat, 11 Apr 2026 16:42:39 +0000 https://www.vaadata.com/blog/what-is-mass-assignment-attacks-and-security-tips/ https://www.vaadata.com/blog/what-is-mass-assignment-attacks-and-security-tips/ What is Mass Assignment? Attacks and Security Tips API Security Sat, 11 Apr 2026 16:42:38 +0000 https://www.cobalt.io/blog/mass-assignment-apis-exploitation-in-the-wild https://www.cobalt.io/blog/mass-assignment-apis-exploitation-in-the-wild API Security 101: Mass Assignment and Exploitation in the Wild API Security Sat, 11 Apr 2026 16:42:37 +0000 https://infosecwriteups.com/what-is-bola-3-digit-bounty-from-topcoder-a25e7fae0d64 https://infosecwriteups.com/what-is-bola-3-digit-bounty-from-topcoder-a25e7fae0d64 What is BOLA? 3-digit bounty from Topcoder API Security Sat, 11 Apr 2026 16:42:34 +0000 https://lab.wallarm.com/api12023-broken-object-level-authorization/ https://lab.wallarm.com/api12023-broken-object-level-authorization/ API1:2023 Broken Object Level Authorization API Security Sat, 11 Apr 2026 16:42:33 +0000 https://unit42.paloaltonetworks.com/new-bola-vulnerability-grafana/ https://unit42.paloaltonetworks.com/new-bola-vulnerability-grafana/ Exposing a New BOLA Vulnerability in Grafana API Security Sat, 11 Apr 2026 16:42:32 +0000