IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. Guides

guides

Security guides, checklists, and standards - explained.

Practical, accurate how-tos for testing and securing web apps and APIs, plus the OWASP standards explained - all cross-linked to the vulnerabilities and concepts they cover.

Testing how-tos

How-to

How to Test for IDOR (Broken Object Level Authorization)

A step-by-step method for finding Insecure Direct Object Reference (IDOR / BOLA) flaws in web apps and APIs using two accounts.

How-to

How to Prevent SSRF (Server-Side Request Forgery)

Concrete controls to prevent Server-Side Request Forgery, including DNS-rebinding-safe validation and cloud metadata hardening.

How-to

JWT Security Best Practices

How to validate and configure JSON Web Tokens correctly to prevent forgery, algorithm confusion, and token abuse.

Checklists

Checklist

API Penetration Testing Checklist

A practical checklist for testing REST and GraphQL APIs, mapped to the OWASP API Security Top 10.

Checklist

Web Application Security Testing Checklist

A structured checklist for testing web applications, aligned to the OWASP Top 10 and organized by area.

Standards explained

Explainer

OWASP Top 10 (2021) Explained

A concise explanation of each OWASP Top 10 (2021) category, with links to the underlying vulnerabilities.

Explainer

OWASP API Security Top 10 (2023) Explained

Each OWASP API Security Top 10 (2023) risk explained, with a focus on the authorization flaws that dominate API breaches.

Explainer

Continuous Penetration Testing: A Practical Guide

What continuous penetration testing is, why point-in-time testing falls short, and how to adopt it.

Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub