Ten vulnerability patterns that show up consistently across REST, GraphQL, and AI-generated API endpoints. The list is maintained by OWASP and used by security teams worldwide as the baseline for API review.
The number one API bug: endpoints that hand out any object to anyone who asks for it by ID.
Auth that works for the happy path and quietly falls over the moment anyone pokes at it.
When your GET endpoint leaks admin flags and your PATCH endpoint lets users write them.
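The two lines above describe the object-level and property-level failures of one resource: the handler never asks whether the caller owns the object it was asked for, then serializes every column on the way out and writes every key on the way in. The following is an added example, not code from the page or from Flowpatrol, that puts a vulnerable GET/PATCH pair next to a hardened one on an in-memory user table. The User fields, the sample records, and the (status, body) tuple standing in for a framework response are constructed for illustration.

```python
from dataclasses import dataclass, asdict
from typing import Dict, Tuple


@dataclass
class User:
    id: int
    email: str
    display_name: str
    is_admin: bool = False
    password_hash: str = "argon2id$constructed-placeholder"  # must never leave the server


def fresh_db() -> Dict[int, User]:
    """Constructed sample data; a fresh copy per call so the two variants don't share state."""
    return {
        1: User(1, "alice@example.com", "Alice", is_admin=True),
        2: User(2, "bob@example.com", "Bob"),
    }


Response = Tuple[int, dict]  # (HTTP status, JSON body), standing in for a framework response


# --- Vulnerable: GET /users/{id} and PATCH /users/{id} as they are commonly shipped ---

def get_user_vulnerable(db: Dict[int, User], caller_id: int, target_id: int) -> Response:
    # BOLA: caller_id is accepted but never compared with the object being fetched.
    # Property-level exposure: the whole row is serialized, is_admin and password_hash included.
    return 200, asdict(db[target_id])


def patch_user_vulnerable(db: Dict[int, User], caller_id: int, target_id: int, body: dict) -> Response:
    # Mass assignment: every key in the JSON body becomes an attribute write, is_admin included.
    user = db[target_id]
    for key, value in body.items():
        setattr(user, key, value)
    return 200, asdict(user)


# --- Hardened: ownership check on the object, allowlists on the properties ---

READABLE_FIELDS = frozenset({"id", "email", "display_name"})
WRITABLE_FIELDS = frozenset({"email", "display_name"})


def _may_access(db: Dict[int, User], caller_id: int, target_id: int) -> bool:
    """Object-level check: you see your own record, admins see everyone, nobody else sees anything."""
    if target_id not in db:
        return False
    return caller_id == target_id or db[caller_id].is_admin


def get_user(db: Dict[int, User], caller_id: int, target_id: int) -> Response:
    if not _may_access(db, caller_id, target_id):
        # Same answer as a missing id, so an enumeration loop can't tell "exists" from "forbidden".
        return 404, {"error": "not found"}
    return 200, {k: v for k, v in asdict(db[target_id]).items() if k in READABLE_FIELDS}


def patch_user(db: Dict[int, User], caller_id: int, target_id: int, body: dict) -> Response:
    if not _may_access(db, caller_id, target_id):
        return 404, {"error": "not found"}
    disallowed = sorted(set(body) - WRITABLE_FIELDS)
    if disallowed:
        # Reject rather than silently drop: a client sending is_admin is probing, and it should show up in logs.
        return 400, {"error": "fields not writable", "fields": disallowed}
    if not all(isinstance(v, str) for v in body.values()):
        return 400, {"error": "string values only"}
    user = db[target_id]
    for key, value in body.items():
        setattr(user, key, value)
    return get_user(db, caller_id, target_id)
```

The hardened variant keeps the two decisions separate on purpose: `_may_access` is the object-level check and runs first on every verb, while the two frozensets are the property-level policy and are the only place a new field has to be registered before it becomes readable or writable. An ORM that offers `model.update(**request.json)` is the vulnerable version with nicer syntax.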
Every route has a price tag: CPU, memory, database rows, LLM tokens, SMS messages. Most are uncapped.
When the frontend hides the admin button but the backend still answers the request.
The endpoint works perfectly. A script that calls it 50,000 times works perfectly too.
You asked for a link preview feature. You shipped a way for attackers to read the cloud metadata endpoint.
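The link-preview case above is the canonical server-side request forgery: the server fetches whatever URL the user supplies, and from inside a cloud network that URL can be the instance metadata service. As an added example, not code from the page or from Flowpatrol, here is a URL check for such a fetcher: it allowlists schemes, refuses userinfo, resolves every address the name maps to, rejects anything that is not publicly routable, and returns the single IP the fetch must then connect to. The fake resolver table and its hostnames are constructed so the example runs offline; the real resolver is `socket.getaddrinfo`.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})


class UnsafeUrl(ValueError):
    """The URL must not be fetched server-side."""


def resolve_all(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer for host, IPv6 scope ids stripped."""
    return sorted({info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)})


def check_preview_url(url: str, resolve: Callable[[str], Iterable[str]] = resolve_all) -> str:
    """Validate a user-supplied URL and return the one IP the fetch must connect to.

    Connect to that IP (sending the original Host header) instead of letting the
    HTTP client re-resolve the name: a DNS answer that changes between check and
    fetch (rebinding) otherwise walks straight past this check.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")  # file://, gopher://, dict://
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("userinfo in URL")  # http://trusted.example@169.254.169.254/
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal, including bracketed IPv6
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError) as exc:
            raise UnsafeUrl(f"cannot resolve {host!r}") from exc
    if not addrs:
        raise UnsafeUrl(f"no addresses for {host!r}")
    # Every answer must be publicly routable. is_global is False for loopback, RFC 1918,
    # link-local (169.254.169.254), fc00::/7 (fd00:ec2::254), 0.0.0.0/8 and the other
    # special-purpose ranges, so one check covers the metadata endpoints of the major clouds.
    for addr in addrs:
        if not addr.is_global:
            raise UnsafeUrl(f"{host!r} maps to non-public address {addr}")
    return str(addrs[0])


def is_safe_preview_url(url: str, resolve: Callable[[str], Iterable[str]] = resolve_all) -> bool:
    try:
        check_preview_url(url, resolve)
        return True
    except UnsafeUrl:
        return False


# Constructed resolver table so the example runs offline; production code uses resolve_all.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # one public answer, one loopback answer
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])
```

Two caveats a reviewer would raise. First, this check says nothing about where the response came from: a public host can answer with a 302 to an internal address, so the HTTP client must either not follow redirects or re-run `check_preview_url` on every hop. Second, address filtering is the application's half of the defence; the provider's half (on AWS, requiring IMDSv2, whose session token must be obtained with a PUT and whose default hop limit of 1 stops a forwarded request) should be turned on as well, because the next feature that fetches URLs will not have this function in front of it.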
CORS set to '*'. An admin endpoint with no auth. A management port open to the internet. All three in one deploy.
/api/v1 still works. It has the bug you fixed six months ago in /api/v2.
Your code validates user input and then trusts the JSON from a third-party API like it came from God.
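The fix for the line above is to put third-party responses through the same gate as end-user input: a size cap before parsing, strict decoding, an exact key set, type and range checks on every value, and a character allowlist on anything that will later be spliced into a query or a URL. As an added example, not code from the page or from Flowpatrol, here is a parser for a hypothetical partner "quote" response; the field names, limits, currency list, and reference format are constructed for illustration.

```python
import json
import re
from dataclasses import dataclass
from typing import Any, Optional

MAX_BODY_BYTES = 64 * 1024        # constructed limit; measure the partner's real bodies and add headroom
MAX_AMOUNT_CENTS = 1_000_000_000  # constructed ceiling; above it is a partner bug or an attack, not a sale
CURRENCIES = frozenset({"USD", "EUR", "GBP"})
REFERENCE_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # this value ends up in our SQL and URLs later


class PartnerResponseError(ValueError):
    """The third-party body failed validation and must not reach business logic."""


@dataclass(frozen=True)
class Quote:
    reference: str
    amount_cents: int
    currency: str


def _require_int(value: Any, name: str, lo: int, hi: int) -> int:
    # bool is a subclass of int in Python (isinstance(True, int) is True), so it is excluded
    # explicitly; and "1e3" arrives from json.loads as the float 1000.0, which is also refused.
    if isinstance(value, bool) or not isinstance(value, int):
        raise PartnerResponseError(f"{name}: expected integer, got {type(value).__name__}")
    if not lo <= value <= hi:
        raise PartnerResponseError(f"{name}: {value} outside [{lo}, {hi}]")
    return value


def parse_partner_quote(raw: bytes) -> Quote:
    """Turn a partner API body into a Quote, or refuse it. Same rigour as for user input."""
    if len(raw) > MAX_BODY_BYTES:
        raise PartnerResponseError("body too large")  # checked before parsing, not after
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise PartnerResponseError("malformed JSON") from exc
    if not isinstance(doc, dict):
        raise PartnerResponseError("top level must be an object")
    expected = {"reference", "amount_cents", "currency"}
    if set(doc) != expected:
        # Unknown keys are rejected, not ignored: a partner that suddenly sends extra
        # fields has changed its contract, and that should fail loudly.
        raise PartnerResponseError(f"unexpected key set: {sorted(set(doc) ^ expected)}")
    ref = doc["reference"]
    if not isinstance(ref, str) or not REFERENCE_RE.fullmatch(ref):
        raise PartnerResponseError("reference: bad format")
    amount = _require_int(doc["amount_cents"], "amount_cents", 0, MAX_AMOUNT_CENTS)
    currency = doc["currency"]
    if not isinstance(currency, str) or currency not in CURRENCIES:
        raise PartnerResponseError("currency: not allowed")
    return Quote(ref, amount, currency)


def parse_partner_quote_or_none(raw: bytes) -> Optional[Quote]:
    """Convenience wrapper for callers that want a value instead of an exception."""
    try:
        return parse_partner_quote(raw)
    except PartnerResponseError:
        return None
```

The parser covers the body; the transport deserves the same suspicion. Verify the partner's TLS certificate, set a timeout, stream the response and stop at `MAX_BODY_BYTES` rather than buffering whatever arrives, and do not follow redirects to hosts you did not configure, since a compromised or misconfigured partner endpoint is exactly the case this category is about.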
Flowpatrol tests every category on this list and proves every finding with a real exploit. Paste a URL, get a report in minutes.