Add agentic-system examples for stale OAuth scope abuse in API Security Top 10 #145
Description
Modern agentic and autonomous systems frequently reuse OAuth access tokens across chained service calls. Over time, scopes accumulate privileges that are no longer required, creating authorization drift that is not explicitly covered in the current API Security Top 10 documentation.
In AI-driven automation platforms:
- Tokens issued for narrow onboarding tasks are reused across unrelated workflows.
- Scopes are not rotated or revalidated per execution context.
- Background agents retain write or admin privileges long after the original authorization intent expires.
This results in abuse patterns where valid tokens can invoke privileged API functionality without violating any traditional authentication checks.
I propose adding documentation examples under:
- API3: Broken Object Property Level Authorization
- API5: Broken Function Level Authorization
Including scenarios such as:
- Autonomous agents reusing legacy tokens to invoke administrative endpoints.
- Tokens retaining configuration privileges after workflow context expiration.
- Authorization drift caused by stale OAuth scopes in distributed systems.
I am prepared to submit a documentation PR adding real-world examples and remediation guidance.