API-specific surfaces. See api-security for path ordering.

Discovery

• swagger-discovery · api-content-discovery

AuthZ

• bola · bfla · mass-assignment

Auth tokens

• jwt · oauth-flows · api-keys
• jwt-key-confusion · jwt-jku-jwk-injection
• saml-xsw-attacks

Protocols

• graphql-attacks · grpc-attacks
• soap-attacks · rpc-attacks

Bug classes

• cross-api-scripting-xas

Methodology

• api-threat-modeling · api-fuzzing-wide-vs-deep

Abuse

• rate-limit-bypass