Study notes on API-layer vulnerabilities, aligned to the OWASP API Security Top 10 (2023).
Built on the two APIsec University courses I've completed (linked below) and reinforced by hands-on lab practice.
- API1:2023 — Broken Object Level Authorization
- API2:2023 — Broken Authentication
- API3:2023 — Broken Object Property Level Authorization
- API4:2023 — Unrestricted Resource Consumption
- API5:2023 — Broken Function Level Authorization
- API6:2023 — Unrestricted Access to Sensitive Business Flows
- API7:2023 — Server Side Request Forgery
- API8:2023 — Security Misconfiguration
- API9:2023 — Improper Inventory Management
- API10:2023 — Unsafe Consumption of APIs
Each item links to a dedicated writeup once complete.
- Burp Suite Community — primary
- Postman — pre-flight API surface discovery
httpxandffuf— enumerationnuclei— template-based scanning
- APIsec University — API Penetration Testing (Sep 2023)
- APIsec University — OWASP API Security Top 10 (Jan 2024)
Repository is updated as I re-review each Top-10 category during my Burp Practitioner prep window (Jul – Sept 2026).