Broken Object Level Authorization (BOLA)
The API sibling of IDOR, listed as the top risk in the OWASP API Security Top 10 because authorisation checks on object-scoped endpoints are often missing.
Access ControlGlossary
Page 1 of 2 · 16 terms
Cross-Site Request Forgery (CSRF)
A defect where a cross-origin page tricks the browser into sending an authenticated request to a target site, relying on automatic cookie inclusion.
AppSecCross-Site Scripting (XSS)
An injection flaw where attacker-controlled data reaches a browser-side scripting sink, letting the attacker execute script in the victim's session origin.
InjectionDynamic Application Security Testing (DAST)
Black-box testing against a running application that probes HTTP surfaces for injection, auth, and misconfiguration classes without needing source access.
AppSecInsecure Direct Object Reference (IDOR)
An access-control flaw where the server accepts a client object identifier and returns the object without verifying the caller is authorised.
Access ControlJSON Web Token (JWT)
A compact signed token format used to assert claims between parties, popular for stateless auth and notorious for implementation defects.
CryptoLog4Shell (CVE-2021-44228)
A remote code execution flaw in Apache Log4j 2.x where JNDI lookups inside logged strings caused servers to fetch and execute attacker classes.
InjectionMutual TLS (mTLS)
An extension of TLS where both server and client authenticate each other with X.509 certificates, common for service-to-service auth in zero-trust.
CryptoOAuth 2.0 (OAuth2)
A delegated authorisation framework specified in RFC 6749 that lets a third-party client access a user's resources without holding the user's password.
CryptoRace Condition
A defect where correctness depends on the timing of concurrent operations, exploited by rapid parallel requests that bypass a business-logic check.
AppSec