API Security Articles
The Latest API Security News, Vulnerabilities & Best Practices
APISecurity.io is a community website for all things related to API security. Our daily news and weekly API Security newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology.
API Security Encyclopedia provides details on possible security issues in API contracts and how to remediate them, and our tools help you evaluate how secure the APIs you are working on actually are.
Subscribe to the API Security newsletter
By clicking Subscribe you agree to our Data Policy
From the APISecurity.io Twitter
IETF #OAuth Working Group formally published standard proposal by Karsten Meyer zu Selhausen and @dfett42 on using the "iss" parameter for OAuth Authorization Responses to prevent Mix-Up Attacks: https://www.ietf.org/archive/id/draft-ietf-oauth-iss-auth-resp-00.html
Here's a much better coverage of the Parler API vulnerabilities and @donk_enby scripts that scraped the system. Basically, there was no account takeover. APIs to access public posts had no security, no rate-limiting, sequential IDs https://www.wired.com/story/parler-hack-data-public-posts-images-video/
by @a_greenberg / @WIRED
API Security weekly newsletter issue #116 is out. Main stories by @Pouyadarabi, @donk_enby, @_nikitastupin, @scuttleph1sh, @mattatkinson42 / @PortSwigger
https://apisecurity.io/issue-116-facebook-parler-api-vulnerabilities-clairvoyance/
clairvoyance by @_nikitastupin allows to discover #GraphQL schema even if retrospection is disabled: https://github.com/nikitastupin/clairvoyance
See the demo in the recording of his OWASP AppSec Israel talk: https://youtu.be/nPB8o0cSnvM?t=794
70 TB of Parler data scraped via insecure APIs. Looks like when removing Twilio dependency Parler accidentally enabled admin account takeover via password reset. Post IDs were sequential & could be enumerated. "Deleted" post were still available via APIs https://cybernews.com/news/70tb-of-parler-users-messages-videos-and-posts-leaked-by-security-researchers/
API Security Newsletter Archive
- 14 January, 21
- 7 January, 21
- 17 December, 20
- 10 December, 20
- 3 December, 20
- 26 November, 20
- 19 November, 20
- 12 November, 20
- 5 November, 20
- 29 October, 20
From the APISecurity.io Twitter
IETF #OAuth Working Group formally published standard proposal by Karsten Meyer zu Selhausen and @dfett42 on using the "iss" parameter for OAuth Authorization Responses to prevent Mix-Up Attacks: https://www.ietf.org/archive/id/draft-ietf-oauth-iss-auth-resp-00.html
Here's a much better coverage of the Parler API vulnerabilities and @donk_enby scripts that scraped the system. Basically, there was no account takeover. APIs to access public posts had no security, no rate-limiting, sequential IDs https://www.wired.com/story/parler-hack-data-public-posts-images-video/
by @a_greenberg / @WIRED
API Security weekly newsletter issue #116 is out. Main stories by @Pouyadarabi, @donk_enby, @_nikitastupin, @scuttleph1sh, @mattatkinson42 / @PortSwigger
https://apisecurity.io/issue-116-facebook-parler-api-vulnerabilities-clairvoyance/
clairvoyance by @_nikitastupin allows to discover #GraphQL schema even if retrospection is disabled: https://github.com/nikitastupin/clairvoyance
See the demo in the recording of his OWASP AppSec Israel talk: https://youtu.be/nPB8o0cSnvM?t=794
70 TB of Parler data scraped via insecure APIs. Looks like when removing Twilio dependency Parler accidentally enabled admin account takeover via password reset. Post IDs were sequential & could be enumerated. "Deleted" post were still available via APIs https://cybernews.com/news/70tb-of-parler-users-messages-videos-and-posts-leaked-by-security-researchers/
