API Security Articles

The Latest API Security News, Vulnerabilities & Best Practices

APISecurity.io is a community website for all things related to API security. Our daily news and weekly API Security newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology.

The API Security Encyclopedia provides details on the security issues that can appear in API contracts and how to remediate them, and our tools let you evaluate how secure the APIs you are working on actually are.


From the APISecurity.io Twitter

API Security content at the #DevSecCon24: @isamauny's "It's Time for API Security as Code!" Thursday Jun 24, 10:35 AM - 11:15 AM GMT +1 | Read the abstract and register now for free here:
https://events.bizzabo.com/308842/agenda/speakers/1185116
cc @devseccon

API Security weekly newsletter issue #137 is out. Main stories by @bendee983 / @PortSwigger, @alissaknight, @dangoodin001 / @arstechnica, @furyz1_ & @njoyneerat / @Doyensec, @kinlane / @getpostman, @isamauny / @42crunch, @DSotnikov / @DZoneInc
https://apisecurity.io/issue-137-vulnerabilities-vmware-vcenter-apache-pulsar-graphql-csrf-attacks/

#GraphQL can still be vulnerable to #CSRF attacks. See this report by @furyz1_ and @njoyneer at @Doyensec for details on the attack scenarios, ways to prevent them, and tooling available. https://blog.doyensec.com/2021/05/20/graphql-csrf.html
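The attack scenarios the tweet above refers to come down to request shapes a cross-site page can send without a CORS preflight: a mutation carried in a GET query string, or a POST whose Content-Type is one a plain HTML form can produce (form-urlencoded, multipart, text/plain) that the server parses as GraphQL anyway. The following is an added example, not code from the Doyensec report or from APISecurity.io: a server-side gate that rejects those shapes before the document reaches the executor. The `Request` class, the `csrf_gate` function and the allowed-origin set are assumptions for illustration, and the sample requests are constructed. The mutation check is a keyword match on the start of the document; a production gate would parse the document and inspect the operation type.

```python
import json
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# CORS "simple" content types: a cross-site <form> or fetch() can send these
# without a preflight, so a GraphQL endpoint that executes mutations from
# such bodies is reachable from an attacker's page.
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}

# Rough check for an explicit mutation operation (the shorthand "{ ... }"
# form is always a query). Assumption: a real gate parses the document.
MUTATION_RE = re.compile(r"^\s*mutation\b")


@dataclass
class Request:
    """Minimal HTTP request model (constructed for this example)."""
    method: str
    headers: dict = field(default_factory=dict)  # lower-case header names
    query_string: str = ""
    body: str = ""

    def content_type(self):
        return self.headers.get("content-type", "").split(";")[0].strip().lower()


def graphql_document(req):
    """Pull the GraphQL document out of whichever transport the client used."""
    if req.method == "GET":
        return parse_qs(req.query_string).get("query", [""])[0]
    ctype = req.content_type()
    if ctype == "application/x-www-form-urlencoded":
        return parse_qs(req.body).get("query", [""])[0]
    if ctype == "application/json":
        return json.loads(req.body or "{}").get("query", "")
    # text/plain etc.: some servers JSON-decode this anyway, which is the bug.
    return req.body


def csrf_gate(req, allowed_origins):
    """Return (allowed, reason) for a request aimed at the GraphQL endpoint."""
    doc = graphql_document(req)
    if req.method == "GET":
        # A GET link or <img src> can carry a mutation in the query string.
        if MUTATION_RE.match(doc):
            return False, "mutation over GET"
        return True, "read-only query over GET"
    if req.method != "POST":
        return False, f"method {req.method} not allowed"
    ctype = req.content_type()
    if ctype != "application/json":
        # Anything in SIMPLE_CONTENT_TYPES arrives without a preflight;
        # requiring application/json forces one for cross-origin callers.
        return False, f"content-type {ctype or '<none>'} is not application/json"
    origin = req.headers.get("origin")
    # Defence in depth: browsers send Origin on cross-site POSTs; refuse
    # origins outside the allow-list even if CORS is misconfigured upstream.
    if origin is not None and origin not in allowed_origins:
        return False, f"origin {origin} not allowed"
    return True, "JSON POST from an allowed origin"


if __name__ == "__main__":
    allowed = {"https://app.example.com"}  # assumed first-party origin
    samples = [
        Request("GET", query_string="query=mutation+%7B+deleteAccount+%7D"),
        Request("POST", {"content-type": "application/x-www-form-urlencoded"},
                body="query=mutation+%7B+deleteAccount+%7D"),
        Request("POST", {"content-type": "text/plain"},
                body='{"query":"mutation { deleteAccount }"}'),
        Request("POST", {"content-type": "application/json",
                         "origin": "https://app.example.com"},
                body='{"query":"mutation { deleteAccount }"}'),
    ]
    for r in samples:
        print(r.method, r.content_type() or "-", csrf_gate(r, allowed))
```

Only the last sample passes the gate. Rejecting non-JSON content types is the part that closes the preflight bypass; the GET rule covers servers that execute mutations from the query string, and the Origin allow-list catches cross-site POSTs even where the CORS policy has been widened by mistake.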

Recently patched VMware vCenter vulnerability is now actively exploited. This is critical: 9.8/10 sev. Root cause: lack of input validation on JSON payloads. A PoC is a series of 6 POST calls & is publicly available. Attackers only need HTTPS (443) access.
https://arstechnica.com/gadgets/2021/06/under-exploit-vmware-vulnerability-with-severity-rating-of-9-8-out-of-10/

Trying to get through API security vendors' pitches and want a researcher opinion? Check out @alissaknight's "API Threat Management Buyers Guide" (fast forward the first 10 minutes to get to the actual start): https://twitter.com/i/broadcasts/1dRKZNLbDwbKB
