API Security Articles

The Latest API Security News, Vulnerabilities & Best Practices

APISecurity.io is a community website for all things related to API security. Our daily news and weekly API Security newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology.

API Security Encyclopedia provides details on possible security issues in API contracts and how to remediate them, and our tools help you evaluate how secure the APIs you are working on actually are.

From the APISecurity.io Twitter

.@42crunch added native API firewall protection for microservices in #Kubernetes. Now, instead of gateway mode, each and every #microservice can be protected at the API level (payloads, responses, etc.) within its pod. Details and video: https://t.co/o500FeNMhz

#Instagram's mobile password reset API had rate-limiting by IP address only. This allowed @laxmanmuthiyah to brute-force it with 1000 AWS EC2 instances used for 10 minutes (~ $150 total cost). Proper protection? Rate-limit by account id too. https://t.co/zdHOxmkTXw

Researchers @CharlesDardaman and @INIT_3 found API vulnerabilities in #Zipato IoT hubs that allowed remotely opening smart locks, including those in apartment complexes. The hubs had hardcoded root SSH keys and a pass-the-hash vulnerability in their APIs: https://t.co/rPusgd0DRL via @blackmarblesh

7-Eleven Japan's payment app #7pay had a vulnerable password reset API that allowed attackers to hijack accounts by iterating over records. About $510K was stolen from 900 customers in the first 3 days of the app being on the market. https://t.co/moYiJxCeij report by @mikamiyoh

Developing #REST APIs in @code? The #OpenAPI (Swagger) Editor extension makes working with @OpenApiSpec files (#JSON and #YAML, v2 and v3) a breeze. Functionality includes new API templates, navigation, code snippets, IntelliSense, Go to definition, and linting. https://t.co/8qGSmiPKqD