Skip to content
Fast-turnaround security assessments available — 10+ years development & security experienceGet started
Topic Hub

API Security

How APIs are attacked and defended — REST, GraphQL, OAuth, JWT, rate limiting, CORS, and the authentication mechanisms that protect them.

6 knowledge articles4 case studies33 glossary terms

Understanding API Security

VulnerabilityCWE-639

Insecure Direct Object References: The Most Common Access Control Flaw

Insecure direct object references occur when an application exposes internal object identifiers without verifying that the requesting user is authorized to access them, enabling attackers to access or modify other users' data by simply changing a parameter.

9 min readRead article
VulnerabilityCWE-918

Server-Side Request Forgery: When Your Server Becomes the Attacker

Server-side request forgery turns your own infrastructure against you, allowing attackers to make your server send requests to internal systems, cloud metadata endpoints, and protected networks that should never be accessible from the outside.

10 min readRead article
Services

What We Test: Applications, APIs, Authentication, Infrastructure

A detailed breakdown of what Raijuna tests during security assessments — web applications, REST and GraphQL APIs, authentication and SSO flows, cloud infrastructure, and mobile backends. For each target type: what we look for, common findings, and why it matters.

11 min readRead article
VulnerabilityCWE-345

JWT Security: When Tokens Become Attack Vectors

JSON Web Tokens are the dominant authentication mechanism for modern APIs, but implementation flaws turn them into attack vectors. Algorithm confusion, weak secrets, and missing validation allow attackers to forge tokens, escalate privileges, and bypass authentication entirely.

10 min readRead article
VulnerabilityCWE-601

Open Redirects: The Underestimated Phishing Amplifier

Open redirect vulnerabilities let attackers hijack trusted domains to route users to malicious destinations. Often dismissed as low-severity, they become critical when chained with OAuth flows, SSO implementations, and server-side request forgery.

9 min readRead article
VulnerabilityCWE-200

GraphQL Security: Introspection, Batching, and Authorization Pitfalls

GraphQL APIs expose powerful capabilities by default — full schema introspection, query batching, and deeply nested queries. When authorization is implemented at the wrong layer or introspection is left enabled in production, attackers gain a complete blueprint of your API and the tools to exploit it.

10 min readRead article

Real-World Cases

Access ControlCVSS 8.8critical

The iframe That Could Rewrite Ballot Templates

A government digital services platform trusted every postMessage it received — no origin check, no source validation. Any website could embed the platform in an iframe and send crafted messages to modify sensitive document templates. One missing conditional turned a routine message handler into an access control bypass.

Read case
Auth BypassCVSS 9.1critical

The Trusted Email That Wasn't

A legitimate password reset email — SPF passed, DKIM valid, sender verified. But the link inside pointed to an attacker's domain. One HTTP header turned a routine email into a full account takeover.

Read case
IDORCVSS 9.3critical

Half a Billion Profiles Behind a User-Agent String

A major platform's API returned full user profiles to anyone who asked. The only barrier was a WAF that ignored mobile traffic. One header change, hundreds of millions of accounts exposed.

Read case
Auth BypassCVSS 8.6high

The Trailing Slash That Bypassed Authentication

Adding a single character to the end of a URL turned a 401 into a 200. Not on one endpoint — on thirty, across ten microservices. One slash, an entire backend unlocked.

Read case

Key Terms

Access Control

Security mechanisms that regulate who or what can view, use, or modify resources in a system.

Account Takeover

An attack where a malicious actor gains unauthorized access to a legitimate user's account.

API Key

A unique identifier used to authenticate requests to an API and track usage.

API Security

The practice of protecting application programming interfaces from threats and vulnerabilities.

Attack Surface

The total number of points where an unauthorized user can attempt to enter or extract data from a system.

Audit Trail

A chronological record of system activities that provides evidence of who did what and when.

Authentication

The process of verifying the identity of a user, device, or system before granting access.

Authorization

The process of determining what actions or resources an authenticated user is permitted to access.

bcrypt

A password hashing function designed to be computationally expensive, making brute-force attacks impractical.

Bearer Token

An access token that grants the holder (bearer) access to protected resources without additional proof of identity.

Brute Force

An attack method that systematically tries all possible combinations to guess passwords, keys, or other secrets.

Bypass

A technique that circumvents or evades a security control to gain unauthorized access or perform restricted actions.

Cloud Security

The set of policies, controls, and technologies used to protect data, applications, and infrastructure in cloud environments.

Cookie

A small piece of data stored in the browser by a website, commonly used for session management and user tracking.

CORS (Cross-Origin Resource Sharing)

A browser mechanism that controls which external domains can access resources on a web server.

Cross-Site Request Forgery (CSRF)

An attack that tricks a user's browser into making unintended requests to a site where the user is authenticated.

JSON Hijacking

An attack that intercepts JSON data returned by a web application by exploiting how browsers handle script responses.

JSON Web Token (JWT)

A compact, URL-safe token format used to securely transmit claims between parties.

Key Management

The practices and procedures for generating, storing, distributing, rotating, and revoking cryptographic keys.

Multi-Factor Authentication

An authentication approach combining two or more independent credentials to verify a user's identity.

Multi-Factor Authentication (MFA)

A security mechanism that requires users to provide two or more independent verification factors to prove their identity.

Nonce

A unique, single-use value used in cryptographic protocols and security mechanisms to prevent replay attacks and ensure freshness.

OAuth

An authorization framework that allows third-party applications to access resources on behalf of a user without exposing their credentials.

Open Redirect

A vulnerability where an application redirects users to arbitrary external URLs based on user-controlled input without proper validation.

OpenID Connect (OIDC)

An identity layer built on top of OAuth 2.0 that enables applications to verify user identity and obtain basic profile information.

Race Condition

A vulnerability that occurs when the outcome of an operation depends on the timing or sequence of uncontrolled events, allowing attackers to exploit the gap.

Rate Limiting

A defensive mechanism that restricts the number of requests a user or client can make within a specified time period.

TLS (Transport Layer Security)

A cryptographic protocol that provides secure communication over a network by encrypting data in transit between two parties.

Token

A digitally generated string used to authenticate a user, authorize access, or maintain session state without repeatedly transmitting credentials.

TOTP (Time-Based One-Time Password)

An authentication mechanism that generates short-lived numeric codes based on a shared secret and the current time.

Two-Factor Authentication (2FA)

A security mechanism that requires users to provide two distinct forms of verification before gaining access to an account or system.

WebSocket Security

The set of security considerations and protections specific to WebSocket connections, which maintain persistent bidirectional communication channels.

Zero Trust

A security architecture that eliminates implicit trust by requiring continuous verification of every user, device, and connection regardless of network location.

Need your application tested?

Our security assessments cover the full range of api security vulnerabilities with methodology built from real-world research.

Request an Assessment