- Endpoint
- A single addressable location of an API, e.g.
/accounts/{id}, with a specific purpose.
- BOLA
- Broken Object Level Authorization: access to someone else's records because the API doesn't check ownership.
- BFLA
- Broken Function Level Authorization: calling functions that shouldn't be available to your own role.
- Pentest
- Penetration test: a controlled attack to find real, exploitable vulnerabilities before someone else does.
- False Positive
- A reported "finding" that isn't actually one. Too many of these drown real risks in noise.
- CVSS
- Common Vulnerability Scoring System: a standardized score for the severity of a vulnerability.
- Shadow API
- An API that's live but documented nowhere, a classic entry point because nobody checks it.
- SARIF
- An open interchange format for analysis results, so findings can be used across tools.