API Security Articles

The Latest API Security News, Vulnerabilities & Best Practices

APISecurity.io is a community website for all things related to API security. Our daily news and weekly API Security newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology.

API Security Encyclopedia provides details on possible security issues in API contracts and how to remediate them, and our tools help you evaluate how secure the APIs you are working on actually are.


From the APISecurity.io Twitter

JustDial (India's local search, delivery, reservation app) accidentally re-introduced the vulnerable API surfacing PII of 100 million+ customers. We covered this flaw back in 2019 in our issue #28. Back then and just now it got reported by @rajaharia. https://apisecurity.io/issue-28-breaches-tchap-shopify-justdial/

"The State of OAuth" @apidaysglobal recorded session by @aaronpk:
https://www.youtube.com/watch?v=W5ajhfWmvHE
Origins & goals of OAuth, OAuth 2.0 and 2.1, RFCs, adjacent technologies, tokens & their security, upcoming standards and extensions, Grant Negotiation and Authorization Protocol (GNAP)

This collection of Go scripts from @daffainfo lets you check the validity of various API tokens (from 37 different systems!) that you may find in your #pentesting efforts: https://github.com/daffainfo/Key-Checker

From @bsidesvancouver, a recording of @dftrace explaining the attack surface of #GraphQL, the measures that API providers need to take, his DVGA GraphQL vulnerability sandbox, and bringing down a WordPress server with a simple GraphQL request! ;)
https://www.youtube.com/watch?v=EVRf708-zq4

API Security weekly newsletter issue #143 is out. Main stories by @harshbothra_, @CraigHays / @InfoSecComm, @adamtlangley / @Hacker0x01, @_shivambathla / @SecurityTube
https://apisecurity.io/issue-143-graphql-api-leaking-credit-cards-sqli-jwt-xml-attacks-mind-map/