# Abuse Case Catalog

## Purpose
Capture adversarial use-cases and required controls/tests for public-facing APIs.
| Abuse Case | Surface | Control | Test Type |
|---|---|---|---|
| Credential stuffing | Login endpoint | rate-limit + WAF + anomaly detection | security integration |
| Token replay | API + WS | short TTL + refresh rotation + nonce/session checks | auth replay tests |
| Webhook replay spoofing | Stripe webhook | signature verification + timestamp + event-id dedupe | webhook replay tests |
| API brute-force scanning | Public API | IP/user rate limiting + bot mitigation | abuse load tests |
| Resource hoarding | Provision API | quota/policy checks + budget guardrails | policy tests |
| Tenant boundary probing | list/read endpoints | tenant scoping in DAL + authz policy checks | tenant isolation tests |
| Oversized payload attack | upload/webhook | body size limits + parsing controls | negative tests |
| WS flood | terminal/notifications WS | connection limits + per-user concurrency caps | WS stress tests |
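The "Webhook replay spoofing" row lists three controls that only work together: a signature check alone accepts a captured event forever, a timestamp window alone accepts any forged body, and dedupe alone accepts an attacker's first delivery. The following added example (written for this catalog, not code from the project or from Stripe) shows the three checks composed in the order a receiver should apply them, plus the replay scenarios the "webhook replay tests" gate would exercise. It assumes the `Stripe-Signature` header format `t=<unix-ts>,v1=<hex HMAC-SHA256 over "<ts>.<raw body>">`; the endpoint secret, event ids and payload are constructed values.

```python
import hashlib
import hmac
import json

# Constructed endpoint secret for this example only (hypothetical, not a real Stripe secret).
ENDPOINT_SECRET = b"whsec_example_constructed_secret"
TOLERANCE_SECONDS = 300  # reject events whose signed timestamp is more than 5 minutes off


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>', hex encoded (the v1 scheme assumed above)."""
    signed = str(timestamp).encode() + b"." + body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def parse_signature_header(header: str) -> tuple[int, list[str]]:
    """Parse 't=<ts>,v1=<sig>[,v1=<sig>...]' into (timestamp, [signatures])."""
    timestamp = None
    sigs = []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            sigs.append(value)
    if timestamp is None or not sigs:
        raise ValueError("malformed signature header")
    return timestamp, sigs


class WebhookReceiver:
    """Applies signature -> timestamp -> event-id dedupe, in that order."""

    def __init__(self, secret: bytes, tolerance: int = TOLERANCE_SECONDS):
        self.secret = secret
        self.tolerance = tolerance
        # In production this set must be a shared store with a TTL at least as long as the
        # timestamp tolerance, otherwise replicas can each accept the same event once.
        self.seen_event_ids: set[str] = set()

    def accept(self, body: bytes, sig_header: str, now: int) -> tuple[bool, str]:
        try:
            ts, sigs = parse_signature_header(sig_header)
        except ValueError as exc:
            return False, str(exc)
        # 1. Signature: verify over the raw bytes as received, never over re-serialised JSON.
        #    Several v1 values may be present during secret rotation; any valid one suffices.
        expected = sign_payload(self.secret, ts, body)
        if not any(hmac.compare_digest(expected, s) for s in sigs):
            return False, "bad signature"
        # 2. Timestamp: the signed timestamp bounds how long a captured delivery stays valid.
        if abs(now - ts) > self.tolerance:
            return False, "timestamp outside tolerance"
        # 3. Dedupe: a replay inside the window carries the same signed body, so the same id.
        event_id = json.loads(body).get("id")
        if not event_id:
            return False, "missing event id"
        if event_id in self.seen_event_ids:
            return False, "duplicate event"
        self.seen_event_ids.add(event_id)
        return True, "accepted"


def run_replay_scenarios() -> dict[str, tuple[bool, str]]:
    """Constructed scenarios mirroring what a webhook replay test gate would assert."""
    now = 1_700_000_000
    body = json.dumps({"id": "evt_constructed_001", "type": "payment_intent.succeeded"}).encode()
    header = f"t={now},v1={sign_payload(ENDPOINT_SECRET, now, body)}"
    rx = WebhookReceiver(ENDPOINT_SECRET)
    results = {}
    results["first"] = rx.accept(body, header, now)
    # Same delivery captured and re-sent 10 s later: signature and window pass, dedupe catches it.
    results["replay_same"] = rx.accept(body, header, now + 10)
    # Same delivery re-sent to a fresh replica an hour later: the timestamp window catches it.
    results["replay_late"] = WebhookReceiver(ENDPOINT_SECRET).accept(body, header, now + 3600)
    # Body edited to a new event id but old signature kept: the signature check catches it.
    tampered = body.replace(b"evt_constructed_001", b"evt_constructed_002")
    results["tampered"] = rx.accept(tampered, header, now)
    # Body signed with a wrong secret: rejected before any parsing of the JSON happens.
    forged_header = f"t={now},v1={sign_payload(b'wrong-secret', now, body)}"
    results["forged"] = rx.accept(body, forged_header, now)
    return results


if __name__ == "__main__":
    for name, outcome in run_replay_scenarios().items():
        print(f"{name:12s} -> {outcome}")
```

The ordering matters for the test gate as well as for safety: the signature is checked before the body is parsed so malformed or oversized JSON from an unauthenticated sender is never decoded, and dedupe runs last so the seen-id store only ever holds ids from authentic, in-window events.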
## Required Output
- Each abuse case mapped to owner and CI test gate.