PinnedA Deep Dive On The Most Critical API Vulnerability — BOLA (Broken Object Level Authorization)Intro In this article I dig into the details about Broken Object Level Authorization (BOLA) — the most common and most severe API vulnerability today according to the OWASP API Security Project. Insecure Direct Object Reference (IDOR) and BOLA are the same thing. The name was changed from IDOR to BOLA…API16 min readAPI16 min read
Nov 27, 2022OWASP API Top 10 for Dummies — Part #2Welcome back to our blog series on the OWASP API Top 10! This is continued from Part I. If you haven’t read the first part, check it out! …API5 min readAPI5 min read
Nov 27, 2022OWASP API Top 10 for Dummies — Part #1Introduction In this blog series I will try to explain the most common threats for APIs using simple analogies. I started thinking about writing this blog last time I was visiting my grandfather. He asked me — “Inon, what do you do for work?”. Simple answers like “Cybersecurity” didn’t tell him…API4 min readAPI4 min read
Dec 17, 2021Log4Shell — Simple Techincal Explanation of the ExploitLast week’s Log4Shell vulnerability is a dramatic example of how modern applications, interconnected services and pervasive APIs can create substantial security challenges. As a security researcher who has spent years looking at API vulnerabilities, this is an excellent example of how things can go wrong. …Log4j6 min readLog4j6 min read
Sep 23, 2021Hacking your mind — Mindfulness Journey from a hacker perspectiveIntro My job is to hack systems, so I usually write about cybersecurity and different hacking techniques. Today I decided to write about something a bit different — my mindfulness journey and how I find this process similar to hacking. Background Before I jump into the details, I would like to share…Mindfulness9 min readMindfulness9 min read
Aug 23, 202131 Tips — Advanced Bug Bounty & PentestingTo welcome Blackhat & Defcon conferences, we published a daily tip on Bug Bounty & AppSec during the month of July 2021. We started this project because we wanted to help developers, security engineers, and pentesters learn about AppSec and API pentesting. We realize it’s not easy to find resources…Pentesting2 min readPentesting2 min read
Apr 19, 2021Behind the Scenes of SAST — The Challenges of Code ScanningI love the idea behind Static Application Security Testing (SAST) tools — they aim to create a utopian world clean from application vulnerabilities. If Dynamic Application Security Testing (DAST) tools look at your application to find doors and windows left open to intruders, SAST tools try to prevent them from…Application Security7 min readApplication Security7 min read
Mar 16, 2021Behind the Scenes of DAST — How do Security Scanners Work?The idea behind Dynamic Applications Security Testing (DAST) is pretty clever — a tool that simulates a human penetration tester. With the URL of an app to test, the tool gets its hands dirty and provides a vulnerabilities report. DAST tools are not just contextless fuzzers; they have intelligence and…Appsec7 min readAppsec7 min read
Aug 26, 2020Modern Application Security — Good and Bad NewsThis is the second article in a 2-part blog series. In the previous article, we talked about the major changes in application development in the last several years. In this article, we will discuss how these changes impact application security as we used to know it, and redefined the boundaries. Extended Boundaries: Application Security is a Widespread Concern …Application Security4 min readApplication Security4 min read
Aug 26, 2020Modern Application Security — What are Modern Applications?Introduction This is the first article in a 2-part blog series outlining how application security has changed (or needs to change). Before I get into the article, let me give you a little background on myself. I am currently the Head of Security Research at Traceable but my personal journey with…API6 min readAPI6 min read
