OWASP · PauloASilva · Jul 4, 2019 · Jun 24, 2019 · Jun 24, 2019 · Jun 24, 2019
diff --git a/2019/en/dist/owasp-api-security-top-10.odt b/2019/en/dist/owasp-api-security-top-10.odt
diff --git a/2019/en/dist/owasp-api-security-top-10.pdf b/2019/en/dist/owasp-api-security-top-10.pdf
diff --git a/2019/en/src/0x00-toc.md b/2019/en/src/0x00-toc.md
@@ -8,9 +8,9 @@ Table of Contents
 * [Release Notes](0x04-release-notes.md)
 * [API Security Risks](0x10-api-security-risks.md)
 * [OWASP Top 10 API Security Risks – 2019](0x11-t10.md)
-* [A1:2019 Broken Object Level Access Control](0xa1-broken-object-level-access-control.md)
+* [A1:2019 Missing Object Level Access Control](0xa1-missing-object-level-access-control.md)
 * [A2:2019 Broken Authentication](0xa2-broken-authentication.md)
-* [A3:2019 Improper Data Filtering](0xa3-improper-data-filtering.md)
+* [A3:2019 Excessive Data Exposure](0xa3-excessive-data-exposure.md)
 * [A4:2019 Lack of Resources & Rate Limiting](0xa4-lack-of-resources-and-rate-limiting.md)
 * [A5:2019 Missing Function/Resource Level Access Control](0xa5-missing-function-resource-level-access-control.md)
 * [A6:2019 Mass Assignment](0xa6-mass-assignment.md)

diff --git a/2019/en/src/0x11-t10.md b/2019/en/src/0x11-t10.md
@@ -3,9 +3,9 @@ OWASP Top 10 API Security Risks – 2019
 
 | Risk | Description |
 | ---- | ----------- |
-| A1:2019 - Broken Object Level Access Control | APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object level authorization checks should be taken in mind in every function that accesses a data source using an input from the user. |
+| A1:2019 - Missing Object Level Access Control | APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object level authorization checks should be taken in mind in every function that accesses a data source using an input from the user. |
 | A2:2019 - Broken Authentication | Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user's identities temporarily or permanently. Compromising system's ability to identify the client/user, compromises API overall security. |
-| A3:2019 - Improper Data Filtering | Looking forward to generic implementations developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before showing it to the user. Without controlling client's state, servers receive more and more filters which can be abused to gain access to sensitive data. |
+| A3:2019 - Excessive Data Exposure | Looking forward to generic implementations developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before showing it to the user. Without controlling client's state, servers receive more and more filters which can be abused to gain access to sensitive data. |
 | A4:2019 - Lack of Resources & Rate Limiting | Quite often APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only this can impact the API server performance, leading to Denial of Service (DoS), but also leaves the door open to authentication flaws such as brute force. |
 | A5:2019 - Missing Function/Resource Level Access Control | Complex access control policies with different hierarchies, groups and roles and a not so clear separation between administrative and regular functions tend to lead to authorization flaws. Exploiting these issues, attackers gain access to other users resources and/or administrative functions. |
 | A6:2019 - Mass Assignment | Binding client provided data (e.g. JSON) to data models without proper properties filtering based on a whitelist usually lead to Mass Assignment. Either guessing objects properties, exploring other API endpoints or reading the documentation, providing additional object properties in request payloads, allow attackers to modify object properties they are not supposed to. |

diff --git a/...xa1-broken-object-level-access-control.md → ...a1-missing-object-level-access-control.md b/...xa1-broken-object-level-access-control.md → ...a1-missing-object-level-access-control.md
@@ -1,5 +1,5 @@
-A1:2019 Broken Object Level Access Control
-==========================================
+A1:2019 Missing Object Level Access Control
+===========================================
 
 | Threat agents/Attack vectors | Security Weakness | Impacts |
 | - | - | - |

diff --git a/2019/en/src/0xa3-improper-data-filtering.md → 2019/en/src/0xa3-excessive-data-exposure.md b/2019/en/src/0xa3-improper-data-filtering.md → 2019/en/src/0xa3-excessive-data-exposure.md
@@ -1,14 +1,14 @@
-A3:2019 Improper Data Filtering
+A3:2019 Excessive Data Exposure
 ===============================
 
 | Threat agents/Attack vectors | Security Weakness | Impacts |
 | - | - | - |
 | API Specific : Exploitability **3** | Prevalence **2** : Detectability **2** | Technical **2** : Business Specific |
-| Exploitation of improper data filtering is simple, and is usually done by using different clients while sniffing the traffic they produce to analyze the API responses and look for sensitive data exposure that should not be returned to the user. | APIs rely on clients to perform the data filtering. Since APIs are used as data sources, sometimes developers try to implement them in a generic way without thinking about the sensitivity of the exposed data. Automatic tools usually can’t detect this type of vulnerability because it’s hard to differentiate between legitimate data returned from the API and sensitive data that should not be returned without a deep understanding of the application. | Improper Data Filtering commonly leads to exposure of sensitive data. |
+| Exploitation of excessive data exposure is simple, and is usually done by using different clients while sniffing the traffic they produce to analyze the API responses and look for sensitive data exposure that should not be returned to the user. | APIs rely on clients to perform the data filtering. Since APIs are used as data sources, sometimes developers try to implement them in a generic way without thinking about the sensitivity of the exposed data. Automatic tools usually can’t detect this type of vulnerability because it’s hard to differentiate between legitimate data returned from the API and sensitive data that should not be returned without a deep understanding of the application. | Excessive Data Exposure commonly leads to exposure of sensitive data. |
 
 ## Is the API Vulnerable?
 
-There are two types of Improper Data Filtering:
+There are two types of Excessive Data Exposure:
 
 * **Client Side Data Filtering**: The API returns sensitive data to the client
   by design. This data is usually filtered on the client side before being