Posts

Showing posts from December, 2022

OWASP Security

API Security

Broken Object Level Authorization, aka IDOR (Insecure Direct Object Reference)
Accessing unauthorized objects using the same token, due to a lack of authorization checks.

Mitigation
- Implement authorization checks with user policies and hierarchy.
- Don't rely on IDs sent from the client; use IDs from the session.
- Check authorization each time there is a client request to access the database.
- Use random, non-guessable IDs (UUIDs).

Broken Authentication
Due to a lack of best practices.

Mitigation
- Check all possible ways to authenticate to all APIs.
- Password reset APIs and one-time links also allow users to get authenticated and should be protected just as seriously.
- Use standard authentication, token generation, password storage, MFA.
- Use short-lived access tokens.
- Authenticate your apps (so you know who is talking to you).
- An OAuth token is not authentication (hotel key analogy).
- Use stricter rate-limiting for authentication, implement lockout policies and weak password ...
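The BOLA mitigation above (derive the caller from the session, check authorization on every request, key objects by UUIDs) is shown below as an added example; it is not code from the original post. The store, user roles, and the Forbidden/NotFound exceptions are constructed for illustration, and the "vulnerable" handler only exists to show what the missing check looks like next to the corrected one.

```python
"""Added example (not from the original post): object-level authorization for
an API handler. A BOLA-prone lookup is shown beside a hardened one that takes
the caller's identity from the server-side session and checks ownership on
every request. All data below is constructed for illustration."""
import uuid

# Constructed in-memory store keyed by random, non-guessable UUIDv4 strings.
# Each record carries its owner so the handler can make an authorization decision.
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "carol": {"role": "admin"}}
INVOICES = {}


class Forbidden(Exception):
    """Hypothetical 403-style error: caller is not authenticated."""


class NotFound(Exception):
    """Hypothetical 404-style error: object missing or not visible to caller."""


def create_invoice(owner: str, amount: int) -> str:
    """Store an invoice under a fresh UUIDv4 and return that id.
    Random ids remove the 'increment the number in the URL' guessing vector."""
    invoice_id = str(uuid.uuid4())
    INVOICES[invoice_id] = {"owner": owner, "amount": amount}
    return invoice_id


def get_invoice_vulnerable(session: dict, invoice_id: str) -> dict:
    """BOLA-prone: a valid session plus any id is treated as sufficient.
    Authentication happened, but no authorization (ownership) check is made,
    so one user's token can read another user's record."""
    if "user" not in session:
        raise Forbidden("not authenticated")
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def is_authorized(user: str, record: dict) -> bool:
    """Policy with a simple hierarchy: owners read their own records,
    admins may read any record."""
    return record["owner"] == user or USERS.get(user, {}).get("role") == "admin"


def get_invoice_hardened(session: dict, invoice_id: str) -> dict:
    """Hardened: the caller comes from the server-side session, never from a
    client-supplied user id, and the policy runs on every request. Missing and
    unauthorized records both map to NotFound so the response does not confirm
    whether a given id exists (a design choice, not required by the post)."""
    user = session.get("user")
    if user is None:
        raise Forbidden("not authenticated")
    record = INVOICES.get(invoice_id)
    if record is None or not is_authorized(user, record):
        raise NotFound(invoice_id)
    return record


if __name__ == "__main__":
    bobs = create_invoice("bob", 250)
    # Alice's session reaches Bob's record through the vulnerable handler...
    print("vulnerable:", get_invoice_vulnerable({"user": "alice"}, bobs))
    # ...and is refused by the hardened one.
    try:
        get_invoice_hardened({"user": "alice"}, bobs)
    except NotFound:
        print("hardened: alice cannot read bob's invoice")
```

The important line is the ownership check in `get_invoice_hardened`: the authenticated identity is read from the session object the server controls, and the lookup result is only returned after `is_authorized` has been consulted for that identity and that record, on this request, not cached from an earlier one.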