Skip to content
Fast-turnaround security assessments available — 10+ years development & security experienceGet started
Topic Hub

API Security

How APIs are attacked and defended — REST, GraphQL, OAuth, JWT, rate limiting, CORS, and the authentication mechanisms that protect them.

10 knowledge articles9 case studies33 glossary terms

Understanding API Security

VulnerabilityCWE-639

Insecure Direct Object References: The Most Common Access Control Flaw

Insecure direct object references occur when an application exposes internal object identifiers without verifying that the requesting user is authorized to access them, enabling attackers to access or modify other users' data by simply changing a parameter.

9 min readRead article
VulnerabilityCWE-918

Server-Side Request Forgery: When Your Server Becomes the Attacker

Server-side request forgery turns your own infrastructure against you, allowing attackers to make your server send requests to internal systems, cloud metadata endpoints, and protected networks that should never be accessible from the outside.

10 min readRead article
Services

What We Test: Applications, APIs, Authentication, Infrastructure

A detailed breakdown of what Raijuna tests during security assessments — web applications, REST and GraphQL APIs, authentication and SSO flows, cloud infrastructure, and mobile backends. For each target type: what we look for, common findings, and why it matters.

11 min readRead article
VulnerabilityCWE-345

JWT Security: When Tokens Become Attack Vectors

JSON Web Tokens are the dominant authentication mechanism for modern APIs, but implementation flaws turn them into attack vectors. Algorithm confusion, weak secrets, and missing validation allow attackers to forge tokens, escalate privileges, and bypass authentication entirely.

10 min readRead article
VulnerabilityCWE-601

Open Redirects: The Underestimated Phishing Amplifier

Open redirect vulnerabilities let attackers hijack trusted domains to route users to malicious destinations. Often dismissed as low-severity, they become critical when chained with OAuth flows, SSO implementations, and server-side request forgery.

9 min readRead article
VulnerabilityCWE-200

GraphQL Security: Introspection, Batching, and Authorization Pitfalls

GraphQL APIs expose powerful capabilities by default — full schema introspection, query batching, and deeply nested queries. When authorization is implemented at the wrong layer or introspection is left enabled in production, attackers gain a complete blueprint of your API and the tools to exploit it.

10 min readRead article
VulnerabilityCWE-915

Mass Assignment: How Auto-Binding Overwrites Protected Fields

Mass assignment vulnerabilities occur when web frameworks automatically bind HTTP request parameters to object properties without filtering which fields users are allowed to modify. A single extra key in a JSON body can silently overwrite a role, credit balance, or administrative flag — with no error and no warning.

8 min readRead article
VulnerabilityCWE-863

OAuth 2.0 Security: Common Implementation Flaws and How to Exploit Them

OAuth 2.0 is a widely implemented authorization framework, but its flexibility creates a large surface for implementation mistakes. Missing state parameter validation, unrestricted redirect URIs, leaking authorization codes through Referer headers, and improper token storage each represent exploitable pathways that bypass the security the protocol was designed to provide.

11 min readRead article
VulnerabilityCWE-770

API Rate Limiting Bypass: When Throttling Fails

Rate limiting is the primary defense against credential stuffing, enumeration attacks, and resource exhaustion on API endpoints. When rate limiting is implemented incorrectly, these controls can be bypassed through header manipulation, endpoint variation, parameter cycling, and distributed request patterns — exposing applications to the attacks the throttling was meant to prevent.

11 min readRead article
Methodology

Password Reset Security: Common Flaws in Account Recovery Flows

Password reset flows are one of the most consistently misconfigured parts of authentication systems. Predictable tokens, missing expiry, host header injection, absent rate limiting, and information leakage through differential responses each represent exploitable weaknesses. Because account recovery is treated as an edge case rather than a critical path, it frequently receives less security scrutiny than the primary login flow — despite being a direct path to account takeover.

9 min readRead article

Real-World Cases

Info DisclosureCVSS 6.5medium

Publishing Your Complete API Surface by Accident

During a black-box assessment of a global infrastructure provider, publicly accessible OpenAPI specification files revealed the complete internal API surface of multiple services — including endpoints, authentication schemes, request parameters, and response schemas for operations that had no business being documented for public consumption. This is how they were found, what they disclosed, and why specification files sitting on the open internet represent a more serious risk than most organizations acknowledge.

Read case
API SecurityCVSS 7.5high

Nine Hosts, One Wildcard, Zero Access Control

During an external attack surface assessment against a media infrastructure company, systematic enumeration of API subdomains revealed a consistent CORS misconfiguration across nine separate hosts. Every host returned Access-Control-Allow-Origin: * alongside authenticated API responses. Any external page could read responses from any of these nine endpoints — authentication tokens, broadcast configuration data, and internal account details included.

Read case
API SecurityCVSS 8.1high

Chaining a Subdomain XSS Into API Token Theft

A cross-site scripting vulnerability on a help-center subdomain of a cryptocurrency exchange seemed low-risk in isolation. The exchange's main trading API disagreed: its CORS configuration trusted that subdomain as an allowed origin, turning reflected XSS into a mechanism for making credentialed requests to every authenticated trading endpoint.

Read case
CryptographicCVSS 7.4high

The Service That Trusted Every Certificate

During a security assessment of an election management platform, a backend integration service was found to accept any TLS certificate during HTTPS connections to external endpoints — regardless of validity, expiry, or hostname match. The result was complete exposure to man-in-the-middle interception on traffic the platform considered encrypted and authenticated.

Read case
Access ControlCVSS 6.1medium

Poisoning Analytics Through an Open Endpoint

During an assessment of a cryptocurrency exchange's infrastructure, an unauthenticated API endpoint intended to proxy third-party analytics events accepted arbitrary payloads with no validation. An attacker could inject synthetic events into the platform's analytics pipeline, manipulating conversion tracking, corrupting behavioral data, and potentially influencing automated systems that acted on those signals.

Read case
Access ControlCVSS 8.8critical

The iframe That Could Rewrite Ballot Templates

A government digital services platform trusted every postMessage it received — no origin check, no source validation. Any website could embed the platform in an iframe and send crafted messages to modify sensitive document templates. One missing conditional turned a routine message handler into an access control bypass.

Read case
Auth BypassCVSS 9.1critical

The Trusted Email That Wasn't

A legitimate password reset email — SPF passed, DKIM valid, sender verified. But the link inside pointed to an attacker's domain. One HTTP header turned a routine email into a full account takeover.

Read case
IDORCVSS 9.3critical

Half a Billion Profiles Behind a User-Agent String

A major platform's API returned full user profiles to anyone who asked. The only barrier was a WAF that ignored mobile traffic. One header change, hundreds of millions of accounts exposed.

Read case
Auth BypassCVSS 8.6high

The Trailing Slash That Bypassed Authentication

Adding a single character to the end of a URL turned a 401 into a 200. Not on one endpoint — on thirty, across ten microservices. One slash, an entire backend unlocked.

Read case

Key Terms

Access Control

Security mechanisms that regulate who or what can view, use, or modify resources in a system.

Account Takeover

An attack where a malicious actor gains unauthorized access to a legitimate user's account.

API Key

A unique identifier used to authenticate requests to an API and track usage.

API Security

The practice of protecting application programming interfaces from threats and vulnerabilities.

Attack Surface

The total number of points where an unauthorized user can attempt to enter or extract data from a system.

Audit Trail

A chronological record of system activities that provides evidence of who did what and when.

Authentication

The process of verifying the identity of a user, device, or system before granting access.

Authorization

The process of determining what actions or resources an authenticated user is permitted to access.

bcrypt

A password hashing function designed to be computationally expensive, making brute-force attacks impractical.

Bearer Token

An access token that grants the holder (bearer) access to protected resources without additional proof of identity.

Brute Force

An attack method that systematically tries all possible combinations to guess passwords, keys, or other secrets.

Bypass

A technique that circumvents or evades a security control to gain unauthorized access or perform restricted actions.

Cloud Security

The set of policies, controls, and technologies used to protect data, applications, and infrastructure in cloud environments.

Cookie

A small piece of data stored in the browser by a website, commonly used for session management and user tracking.

CORS (Cross-Origin Resource Sharing)

A browser mechanism that controls which external domains can access resources on a web server.

Cross-Site Request Forgery (CSRF)

An attack that tricks a user's browser into making unintended requests to a site where the user is authenticated.

JSON Hijacking

An attack that intercepts JSON data returned by a web application by exploiting how browsers handle script responses.

JSON Web Token (JWT)

A compact, URL-safe token format used to securely transmit claims between parties.

Key Management

The practices and procedures for generating, storing, distributing, rotating, and revoking cryptographic keys.

Multi-Factor Authentication

An authentication approach combining two or more independent credentials to verify a user's identity.

Multi-Factor Authentication (MFA)

A security mechanism that requires users to provide two or more independent verification factors to prove their identity.

Nonce

A unique, single-use value used in cryptographic protocols and security mechanisms to prevent replay attacks and ensure freshness.

OAuth

An authorization framework that allows third-party applications to access resources on behalf of a user without exposing their credentials.

Open Redirect

A vulnerability where an application redirects users to arbitrary external URLs based on user-controlled input without proper validation.

OpenID Connect (OIDC)

An identity layer built on top of OAuth 2.0 that enables applications to verify user identity and obtain basic profile information.

Race Condition

A vulnerability that occurs when the outcome of an operation depends on the timing or sequence of uncontrolled events, allowing attackers to exploit the gap.

Rate Limiting

A defensive mechanism that restricts the number of requests a user or client can make within a specified time period.

TLS (Transport Layer Security)

A cryptographic protocol that provides secure communication over a network by encrypting data in transit between two parties.

Token

A digitally generated string used to authenticate a user, authorize access, or maintain session state without repeatedly transmitting credentials.

TOTP (Time-Based One-Time Password)

An authentication mechanism that generates short-lived numeric codes based on a shared secret and the current time.

Two-Factor Authentication (2FA)

A security mechanism that requires users to provide two distinct forms of verification before gaining access to an account or system.

WebSocket Security

The set of security considerations and protections specific to WebSocket connections, which maintain persistent bidirectional communication channels.

Zero Trust

A security architecture that eliminates implicit trust by requiring continuous verification of every user, device, and connection regardless of network location.

Need your application tested?

Our security assessments cover the full range of api security vulnerabilities with methodology built from real-world research.

Request an Assessment