API Security Articles
The Latest API Security News, Vulnerabilities & Best Practices
APISecurity.io is a community website for all things related to API security. Our daily news and weekly API Security newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology.
API Security Encyclopedia provides details on possible security issues in API contracts and how to remediate them, and our tools help you evaluate how secure the APIs you are working on actually are.
Subscribe to the API Security newsletter
By clicking Subscribe you agree to our Data Policy
From the APISecurity.io Twitter
Updated @code OpenAPI (Swagger) Editor extension now has QuickFixes helping you fix security issues in your @OpenApiSpec contracts with a few easy clicks.
https://marketplace.visualstudio.com/items?itemName=42Crunch.vscode-openapi
Input validation may need to be done at multiple levels. @__mn1__ from @ptswarm found a critical RCE in VMware vCenter: filenames inside uploaded .tar files were not validated and were simply concatenated with a folder name, thus enabling injections.
https://swarm.ptsecurity.com/unauth-rce-vmware/
APIs typically accept & exchange JSON payloads. However, JSON can be ambiguous. Different parsers (in microservices implemented on different stacks) can interpret the same structure differently thus exposing you to attacks. See report by @theBumbleSec:
https://labs.bishopfox.com/tech-blog/an-exploration-of-json-interoperability-vulnerabilities
Never pass API tokens or other confidential information in the URL (as path or query parameters). These can get cached on the server and the cache can be exploited to retrieve the URLs. See how @Samm0uda found such vulnerability at Facebook: https://ysamm.com/?p=629
API Security weekly newsletter issue #122 is out. Main stories by @OpenApiSpec, @jsonschema, @harshbothra_ / @cobalt_io, @_DanielSinclair, @alissaknight, @approov_io
https://apisecurity.io/issue-122-api-issues-clubhouse-healthcare-apps-scope-based-recon-oas-v3-1-0/
API Security Newsletter Archive
- 4 March, 21
- 25 February, 21
- 18 February, 21
- 11 February, 21
- 4 February, 21
- 28 January, 21
- 21 January, 21
- 14 January, 21
- 7 January, 21
- 17 December, 20
From the APISecurity.io Twitter
Updated @code OpenAPI (Swagger) Editor extension now has QuickFixes helping you fix security issues in your @OpenApiSpec contracts with a few easy clicks.
https://marketplace.visualstudio.com/items?itemName=42Crunch.vscode-openapi
Input validation may need to be done at multiple levels. @__mn1__ from @ptswarm found a critical RCE in VMware vCenter: filenames inside uploaded .tar files were not validated and were simply concatenated with a folder name, thus enabling injections.
https://swarm.ptsecurity.com/unauth-rce-vmware/
APIs typically accept & exchange JSON payloads. However, JSON can be ambiguous. Different parsers (in microservices implemented on different stacks) can interpret the same structure differently thus exposing you to attacks. See report by @theBumbleSec:
https://labs.bishopfox.com/tech-blog/an-exploration-of-json-interoperability-vulnerabilities
Never pass API tokens or other confidential information in the URL (as path or query parameters). These can get cached on the server and the cache can be exploited to retrieve the URLs. See how @Samm0uda found such vulnerability at Facebook: https://ysamm.com/?p=629
API Security weekly newsletter issue #122 is out. Main stories by @OpenApiSpec, @jsonschema, @harshbothra_ / @cobalt_io, @_DanielSinclair, @alissaknight, @approov_io
https://apisecurity.io/issue-122-api-issues-clubhouse-healthcare-apps-scope-based-recon-oas-v3-1-0/
