API Security Articles

The Latest API Security News, Vulnerabilities & Best Practices

APISecurity.io is a community website for all things related to API security. Our daily news and weekly API Security newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology.

API Security Encyclopedia provides details on possible security issues in API contracts and how to remediate them, and our tools help you evaluate how secure the APIs you are working on actually are.

From the APISecurity.io Twitter

Cisco just patched a critical API flaw #CVE-2020-3382 in their Data Center Network Manager (DCNM) management platform. Just like back in January this year, the product was using shared hardcoded API keys.
https://threatpost.com/critical-high-severity-cisco-flaws-fixed-data-center-network-manager/157861/ via @LindseyOD123 / @threatpost

API Security weekly newsletter issue #95 is out. Main stories by @_CPResearch_, @aaronpk, @TomAnthonySEO / @SearchPilot, @thecybermentor
https://apisecurity.io/issue-95-vulnerabilities-zoom-okcupid-progress-oauth-2-1-api-information-disclosure/

A great quick video by @thecybermentor on locating an API leaking personal data. He is using @Burp_Suite, Google, @OpenApiSpec and other docs, Wayback, and Burp Intruder to fuzz an API URL and find undocumented APIs leaking data.
https://youtu.be/X_JTdIkfKow

Lack of rate limiting on an endpoint allowed @TomAnthonySEO / @SearchPilot to brute-force passwords to any private meetings in Zoom (these were just 6-digit numbers, so he only had to try 1 million combinations).
https://www.tomanthony.co.uk/blog/zoom-security-exploit-crack-private-meeting-passwords/

OAuth 2.1 is now an official IETF OAuth working group draft: https://tools.ietf.org/html/draft-ietf-oauth-v2-1-00
OAuth 2.1 is not a new standard but rather security best practices for #OAuth2. So no risk breaking compat, can be adopted right away.
See @aaronpk talking about it here: https://youtu.be/sUEBatNmsbY