19 matches found

Wallarm Lab | added 2026/01/30 1:00 p.m. | 8 views

Why API Security Is No Longer an AppSec Problem – And What Security Leaders Must Do Instead

APIs are one of the most important technologies in digital business ecosystems. And yet, the responsibility for their security often falls to AppSec teams – and that’s a problem. This organizational mismatch creates systemic risk: business teams assume APIs are “secured,” while attackers exploit...

AI score 6 | Exploits 0
Wallarm Lab | added 2025/11/13 12:00 p.m. | 5 views

OWASP Top 10 Business Logic Abuse: What You Need to Know

Over the past few years, API security has gone from a relatively niche concern to a headline issue. A slew of high-profile breaches and compliance mandates like PCI DSS 4.0 have woken security teams up to the reality that APIs are the front door to their data, infrastructure, and revenue streams...

AI score 7.5 | Exploits 0
Wallarm Lab | added 2025/10/29 11:00 a.m. | 4 views

API Attack Awareness: Business Logic Abuse — Exploiting the Rules of the Game

As Cybersecurity Awareness Month continues, we wanted to dive even deeper into the attack methods affecting APIs. We’ve already reviewed Broken Object Level Authentication (BOLA), injection attacks, and authentication flaws; this week, we’re exploring business logic abuse (BLA). Unlike technical flaw...

AI score 8 | Exploits 0
EUVD | added 2025/10/07 12:30 a.m. | 4 views

EUVD-2019-16196

Malware in sbrugna...

CVSS 6.5 | AI score 6.5 | EPSS 0.01461
Exploits 0 | References 3
EUVD | added 2025/10/03 8:07 p.m. | 3 views

EUVD-2025-6969

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 7.6 | EPSS 0.00738
Exploits 0 | References 6
CVE | added 2025/08/14 12:00 a.m. | 14 views

CVE-2025-50861

The CVE-2025-50861 entry affects the Lotus Cars Android App (com.lotus.carsdomestic.intl) version 1.2.8, where the exported component PushDeepLinkActivity is accessible without authentication via ADB or malicious apps. This could allow unintended access to application internals and may lead to de...

CVSS 6.5 | AI score 7.3 | EPSS 0.00348
Exploits 0 | References 3
CNNVD | added 2025/08/14 12:00 a.m. | 2 views

Altus Cars Lotus Cars Android app security vulnerability

Altus Cars Lotus Cars Android app is a mobile app from Altus Cars UK that provides vehicle remote control and connectivity services. A security vulnerability exists in Altus Cars Lotus Cars Android app version 1.2.8, which originates from unauthenticated access to a component and could lead to a...

CVSS 6.5 | AI score 6.8 | EPSS 0.00348
Exploits 0 | References 4
Vulnrichment | added 2025/08/14 12:00 a.m. | 4 views

CVE-2025-50861

The Lotus Cars Android app com.lotus.carsdomestic.intl 1.2.8 contains an exported component, PushDeepLinkActivity, which is accessible without authentication via ADB or malicious apps. This poses a risk of unintended access to application internals and can cause denial of service or logic abuse...

AI score 7.1 | EPSS 0.00348
Exploits 0 | References 3
RedhatCVE | added 2025/05/22 8:46 a.m. | 10 views

CVE-2019-6637

On BIG-IP ASM 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, Application logic abuse of ASM REST endpoints can lead to instability of BIG-IP system. Exploitation of this issue causes excessive memory consumption which results in the Linux kernel triggering OOM killer on...

CVSS 6.5 | AI score 6.8 | EPSS 0.01461
Exploits 0 | References 1
Github Security Blog | added 2025/03/20 12:32 p.m. | 54 views

Gunicorn HTTP Request/Response Smuggling vulnerability

Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data...

CVSS 7.5 | AI score 6.5 | EPSS 0.00738
Exploits 0 | References 7 | Affected Software 1
OSV | added 2025/03/20 10:15 a.m. | 6 views

CVE-2024-6827

Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data...

AI score 6.9
Exploits 0 | References 1
OSV | added 2025/03/20 10:15 a.m. | 0 views

UBUNTU-CVE-2024-6827

Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data...

CVSS 7.5 | AI score 7.1 | EPSS 0.00738
Exploits 0 | References 3
CVE | added 2025/03/20 10:09 a.m. | 256 views

CVE-2024-6827

CVE-2024-6827 affects Gunicorn 21.2.0 where Transfer-Encoding is not properly validated, causing fallback to Content-Length and TE.CL HTTP request smuggling. This can lead to cache poisoning, data exposure, session manipulation, SSRF, XSS, DoS, and data integrity issues. Root cause: improper vali...

CVSS 7.5 | AI score 6.7 | EPSS 0.00738
Exploits 0 | References 1
Vulnrichment | added 2025/03/20 10:09 a.m. | 7 views

CVE-2024-6827 HTTP Request Smuggling in benoitc/gunicorn

Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data...

CVSS 7.5 | AI score 7.5 | EPSS 0.00738
Exploits 0 | References 1
Cvelist | added 2025/03/20 10:09 a.m. | 10 views

CVE-2024-6827 HTTP Request Smuggling in benoitc/gunicorn

Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data...

CVSS 7.5 | EPSS 0.00738
Exploits 0 | References 1
Imperva Blog | added 2023/05/17 12:55 p.m. | 30 views

Preventing Bot Attacks and Online Fraud on APIs

The rapid proliferation of Application Programming Interfaces (APIs) is spearheading digital transformation, leading to explosive growth in adoption of APIs in recent years. In fact, it’s hard to think of any software that doesn’t use, or isn’t in itself, an API. By supporting swift development and...

AI score 7.8 | Exploits 0
Hacker One | added 2022/03/13 12:09 p.m. | 32 views

EXNESS: Taking position in a discontinued forex pair without executing any trades

Taking an indirect position on a discontinued forex pair could lead to a probable riskless trading and business logic abuse...

AI score 1.6 | Exploits 0
CVE | added 2019/07/03 6:20 p.m. | 183 views

CVE-2019-6637

CVE-2019-6637 affects BIG-IP ASM: exploitation of REST endpoints by an authenticated user (role: Guest or higher) can trigger excessive memory consumption, causing the Linux kernel OOM killer and potential DoS. Affected: BIG-IP ASM versions 12.1.0–12.1.4, 13.0.0–13.1.1.4, 14.0.0–14.0.0.4, 14.1.0–...

CVSS 6.5 | AI score 6.2 | EPSS 0.01461
Exploits 0 | References 2 | Affected Software 1
ThreatPost | added 2019/03/09 1:00 p.m. | 132 views

RSA Conference 2019: The Expanding Automation Platform Attack Surface

SAN FRANCISCO – Automation platforms are increasingly being used to chain multiple IoT devices together to create user-friendly smart applications – but that’s also creating unpredictable attack surfaces that can be hard to manage. A Trend Micro report released at RSA Conference 2019 warns that...

AI score 6.8
Exploits 0 | References 1