API Security Articles

The Latest API Security News, Vulnerabilities & Best Practices

APISecurity.io is a community website for all things related to API security. Our daily news and weekly API Security newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology.

API Security Encyclopedia provides details on possible security issues in API contracts and how to remediate them, and our tools help you evaluate how secure the APIs you are working on actually are.

From the APISecurity.io Twitter

API authentication 101: A breakdown of the pros and cons of OAuth, basic auth and mutual TLS by @tammysock at @BuiltIn
https://builtin.com/software-engineering-perspectives/api-security

APICheck by @ggdaniel / @bbva Innovation Security Labs has been donated to @owasp. It's an extensible pipeline for API check utilities that accept and produce JSON: @OpenApiSpec linters, request replay, JWT validator, sensitive data detector, proxy, acurl
https://owasp.org/www-project-apicheck/

An excessive data exposure flaw in the password reset API in @Grindr allowed full account takeover. The endpoint allowed unauthenticated access and returned the reset token for any email address. Found by @wasbou and reported by @troyhunt here:
https://www.troyhunt.com/hacking-grindr-accounts-with-copy-and-paste/

An API vulnerability in @gitlab allowed unauthorized users to find information in the code & wikis of private groups. This happened for groups that used to be public but got moved into a private group. The UI enforced security but the API did not. Found by @rpadovani93
https://hackerone.com/reports/748375

API Security weekly newsletter issue #105 is out. Main stories by @_fel1x / #googleprojectzero / @HashiCorp, @polarply / @IntezerLabs / @Azure, @PenTestPartners, @InsiderPhD, @isamauny / @42crunch
https://apisecurity.io/issue-105-api-vulnerabilities-hashicorp-azure-app-services-qiui-adult-devices/