API Security Articles
The Latest API Security News, Vulnerabilities & Best Practices
APISecurity.io is a community website for all things related to API security. Our daily news and weekly API Security newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology.
API Security Encyclopedia provides details on possible security issues in API contracts and how to remediate them, and our tools help you evaluate how secure the APIs you are working on actually are.
Subscribe to the API Security newsletter
By clicking Subscribe you agree to our Data Policy
From the APISecurity.io Twitter
API authentication 101: A breakdown of the pros and cons of OAuth, basic auth and mutual TLS by @tammysock at @BuiltIn
https://builtin.com/software-engineering-perspectives/api-security
APICheck by @ggdaniel / @bbva Innovation Security Labs has been donated to @owasp. It's an extensible pipeline for API check utilities that accept and produce JSON: @OpenApiSpec linters, request replay, JWT validator, sensitive data detector, proxy, acurl
https://owasp.org/www-project-apicheck/
An excessive data exposure flaw in the password reset API in @Grindr allowed full account takeover. The endpoint allowed unauthenticated access and returned reset token for any email address. Found by @wasbou and reported by @troyhunt here:
https://www.troyhunt.com/hacking-grindr-accounts-with-copy-and-paste/
An API vulnerability in @gitlab allowed finding information in code & wikis of private groups by not authorized users. This happened for groups that used to be public but got moved into a private group. UI enforced sec but not API. Found by @rpadovani93
https://hackerone.com/reports/748375
API Security weekly newsletter issue #105 is out. Main stories by @_fel1x / #googleprojectzero / @HashiCorp, @polarply / @IntezerLabs / @Azure, @PenTestPartners, @InsiderPhD, @isamauny / @42crunch
https://apisecurity.io/issue-105-api-vulnerabilities-hashicorp-azure-app-services-qiui-adult-devices/
API Security Newsletter Archive
- 22 October, 20
- 15 October, 20
- 8 October, 20
- 1 October, 20
- 24 September, 20
- 17 September, 20
- 10 September, 20
- 3 September, 20
- 27 August, 20
- 20 August, 20
From the APISecurity.io Twitter
API authentication 101: A breakdown of the pros and cons of OAuth, basic auth and mutual TLS by @tammysock at @BuiltIn
https://builtin.com/software-engineering-perspectives/api-security
APICheck by @ggdaniel / @bbva Innovation Security Labs has been donated to @owasp. It's an extensible pipeline for API check utilities that accept and produce JSON: @OpenApiSpec linters, request replay, JWT validator, sensitive data detector, proxy, acurl
https://owasp.org/www-project-apicheck/
An excessive data exposure flaw in the password reset API in @Grindr allowed full account takeover. The endpoint allowed unauthenticated access and returned reset token for any email address. Found by @wasbou and reported by @troyhunt here:
https://www.troyhunt.com/hacking-grindr-accounts-with-copy-and-paste/
An API vulnerability in @gitlab allowed finding information in code & wikis of private groups by not authorized users. This happened for groups that used to be public but got moved into a private group. UI enforced sec but not API. Found by @rpadovani93
https://hackerone.com/reports/748375
API Security weekly newsletter issue #105 is out. Main stories by @_fel1x / #googleprojectzero / @HashiCorp, @polarply / @IntezerLabs / @Azure, @PenTestPartners, @InsiderPhD, @isamauny / @42crunch
https://apisecurity.io/issue-105-api-vulnerabilities-hashicorp-azure-app-services-qiui-adult-devices/
