Endpoint
A single addressable location of an API, e.g. /accounts/{id}, with a specific purpose.
BOLA
Broken Object Level Authorization: access to someone else's records because the API doesn't check ownership.
BFLA
Broken Function Level Authorization: calling functions that shouldn't be available to your own role.
Pentest
Penetration test: a controlled attack to find real, exploitable vulnerabilities before someone else does.
False Positive
A reported "finding" that isn't actually one. Too many of these drown real risks in noise.
CVSS
Common Vulnerability Scoring System: a standardized score for the severity of a vulnerability.
Shadow API
An API that's live but documented nowhere, a classic entry point because nobody checks it.
SARIF
An open interchange format for analysis results, so findings can be used across tools.
Keep reading