Authentication answers 'Who are you?' — Authorization answers 'What are you allowed to do?'. Both are frequently broken in APIs and represent the top two entries in the OWASP API Security Top 10.
# Weak JWT secret — easily brute-forced
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiYWRtaW4ifQ.HMAC_WITH_WEAK_SECRET
# No token expiry
# Token reuse after logout
# Predictable API keys

BOLA (also called IDOR) is the #1 API vulnerability. It occurs when an API endpoint uses a user-supplied object ID to fetch an object without verifying that the requesting user owns that object.

# User A's request:
GET /api/orders/1001 → returns User A's order
# Attacker changes ID:
GET /api/orders/1002 → returns User B's order ← BOLA!
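The ownership check that the request pair above is missing, as an added Python example (not code from the lab): a BOLA-prone order lookup beside a hardened one. The in-memory order store, the user names and the `NotFound` exception are constructed for illustration.

```python
# Added example: a BOLA-prone lookup beside its hardened form.
# The order store and user names below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total: float


# Constructed sample data: two users, one order each (mirrors the lab).
ORDERS = {
    1001: Order(1001, "userA", 42.00),
    1002: Order(1002, "userB", 99.50),
}


class NotFound(Exception):
    """Stands in for an HTTP 404; used for both missing and foreign objects."""


def get_order_vulnerable(requesting_user: str, order_id: int) -> Order:
    """BOLA: trusts the client-supplied ID and never checks ownership."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]  # userA can read 1002 just by editing the URL


def get_order_secure(requesting_user: str, order_id: int) -> Order:
    """Object-level check: the caller identity comes from the verified
    session/token, the object ID from the URL; the two must agree."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != requesting_user:
        # Same response for "does not exist" and "not yours", so a caller
        # cannot learn which IDs exist by probing.
        raise NotFound(order_id)
    return order


def is_bola(handler, requesting_user: str, foreign_order_id: int) -> bool:
    """True if the handler returns an order the requesting user does not own."""
    try:
        order = handler(requesting_user, foreign_order_id)
    except NotFound:
        return False
    return order.owner != requesting_user


if __name__ == "__main__":
    # Reproduces the lab's request pair: user A asks for 1001, then 1002.
    print(get_order_secure("userA", 1001))
    print(is_bola(get_order_vulnerable, "userA", 1002))  # True
    print(is_bola(get_order_secure, "userA", 1002))  # False
```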