API Security Articles

The Latest API Security News, Vulnerabilities & Best Practices

APISecurity.io is a community website for all things related to API security. Our daily news and weekly API Security newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology.

API Security Encyclopedia provides details on possible security issues in API contracts and how to remediate them, and our tools help you evaluate how secure the APIs you are working on actually are.

From the APISecurity.io Twitter

Updated @code OpenAPI (Swagger) Editor extension now has QuickFixes helping you fix security issues in your @OpenApiSpec contracts with a few easy clicks.
https://marketplace.visualstudio.com/items?itemName=42Crunch.vscode-openapi

Input validation may need to be done at multiple levels. @__mn1__ from @ptswarm found a critical RCE in VMware vCenter: filenames inside uploaded .tar files were not validated and were simply concatenated with a folder name, so a crafted member name could escape the target folder (path traversal) and drop files where the attacker chose.
https://swarm.ptsecurity.com/unauth-rce-vmware/
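The following is an added example, not code from the PT Swarm write-up or from VMware: it shows the vulnerable "folder + member name" pattern next to a check that only accepts regular-file members resolving strictly inside the extraction folder. The archive is constructed in memory, and the extraction folder /srv/uploads is an assumed path.

```python
import io
import os
import tarfile


def build_sample_tar() -> bytes:
    """Constructed sample archive: one benign member and one whose name
    climbs out of the extraction folder, as a hostile upload would."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [
            ("ok.txt", b"fine"),
            ("../../etc/cron.d/evil", b"* * * * * root id\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_target(dest_dir: str, name: str) -> str:
    """The vulnerable pattern: folder + member name with no validation.
    normpath shows where the file system would actually write the file."""
    return os.path.normpath(os.path.join(dest_dir, name))


def is_safe_name(dest_dir: str, name: str) -> bool:
    """True only if `name` resolves to a path strictly inside dest_dir."""
    if not name or os.path.isabs(name) or "\x00" in name or "\\" in name:
        return False
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, name))
    # Trailing separator so "/srv/uploads-evil" is not accepted for "/srv/uploads".
    return target.startswith(dest_real + os.sep)


def is_safe_member(dest_dir: str, member: tarfile.TarInfo) -> bool:
    """Regular files only: symlinks, hardlinks and devices are a second
    way out of the folder even when the name itself looks harmless."""
    return member.isfile() and is_safe_name(dest_dir, member.name)


def classify_members(archive: bytes, dest_dir: str):
    """Split archive members into (accepted, rejected) names. Extraction
    code would then extract only the accepted members one by one with
    tar.extractfile(), never with extractall()."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            (accepted if is_safe_member(dest_dir, member) else rejected).append(member.name)
    return accepted, rejected


if __name__ == "__main__":
    dest = "/srv/uploads"  # assumed extraction folder
    print("naive path:", naive_target(dest, "../../etc/cron.d/evil"))
    print(classify_members(build_sample_tar(), dest))
```

The check resolves symlinks with realpath before comparing, because a member name that looks local can still point outside the folder once an earlier symlink member has been extracted; rejecting non-regular members closes that route as well.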

APIs typically accept & exchange JSON payloads. However, JSON can be ambiguous. Different parsers (in microservices implemented on different stacks) can interpret the same structure differently, thus exposing you to attacks. See report by @theBumbleSec:
https://labs.bishopfox.com/tech-blog/an-exploration-of-json-interoperability-vulnerabilities
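An added example (not from the Bishop Fox report) of the duplicate-key case: one constructed payload with the key "qty" repeated, parsed under a first-wins policy, a last-wins policy (Python's json default) and a strict policy that rejects the document. A front service validating with one policy and a back service consuming with another would disagree on the order quantity.

```python
import json

# Constructed payload: the key "qty" appears twice. Which value a service
# sees depends entirely on its parser's duplicate-key policy.
PAYLOAD = b'{"item": "widget", "qty": 1, "qty": -1000}'


class DuplicateKeyError(ValueError):
    pass


def first_wins(pairs):
    """Policy of parsers that keep the first occurrence of a key."""
    obj = {}
    for key, value in pairs:
        obj.setdefault(key, value)
    return obj


def last_wins(pairs):
    """Policy of Python's json module (and many others): last occurrence wins."""
    return dict(pairs)


def reject_duplicates(pairs):
    """Strict policy: a repeated key inside any object is an error."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def parse(payload: bytes, policy):
    # object_pairs_hook is invoked for every object, nested ones included,
    # so the chosen policy applies to the whole document.
    return json.loads(payload, object_pairs_hook=policy)


def strict_rejects(payload: bytes) -> bool:
    try:
        parse(payload, reject_duplicates)
    except DuplicateKeyError:
        return True
    return False


def compare_policies(payload: bytes, field: str) -> dict:
    """What services with different duplicate-key policies each see for `field`."""
    return {
        "first_wins": parse(payload, first_wins)[field],
        "last_wins": parse(payload, last_wins)[field],
        "strict_rejects": strict_rejects(payload),
    }


if __name__ == "__main__":
    print(compare_policies(PAYLOAD, "qty"))
```

The strict policy has to run in every service that parses the payload, not only at the edge: a gateway that rejects duplicates protects nothing if an internal service re-parses the original bytes with a permissive parser.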

Never pass API tokens or other confidential information in the URL (as path or query parameters). URLs get cached on the server and logged by proxies and access logs, and the cache can then be exploited to retrieve them. See how @Samm0uda found such a vulnerability at Facebook: https://ysamm.com/?p=629
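An added example, not code from the write-up above or from Facebook: helpers that flag and redact credential-bearing query parameters, a request builder that puts the token in the Authorization header instead, and a scan over constructed access-log lines showing how a token in the URL ends up recorded. The parameter-name list is an assumption to be tuned per API.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed list of parameter names that should never appear in a URL.
SENSITIVE_PARAMS = {
    "access_token", "token", "api_key", "apikey", "key", "secret",
    "client_secret", "password", "session", "sig", "signature",
}

# Request target inside a Common Log Format line: "GET /path?q=1 HTTP/1.1"
REQUEST_TARGET = re.compile(r'"[A-Z]+ (\S+) HTTP/')


def sensitive_query_params(url: str) -> list:
    """Names of query parameters in `url` that look like credentials."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def redact_url(url: str, mask: str = "REDACTED") -> str:
    """Same URL with credential values masked, for logging or error messages."""
    parts = urlsplit(url)
    pairs = [(k, mask if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def build_request(url: str, token: str) -> dict:
    """Correct placement: the bearer token travels in a header, so the URL
    that caches, proxies and access logs record holds nothing secret."""
    if sensitive_query_params(url):
        raise ValueError("refusing to send a credential in the URL")
    return {"url": url, "headers": {"Authorization": f"Bearer {token}"}}


def scan_access_log(lines) -> list:
    """(line number, offending parameter names) for every logged request
    whose target URL carries a sensitive parameter."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = REQUEST_TARGET.search(line)
        if m:
            params = sensitive_query_params(m.group(1))
            if params:
                hits.append((n, params))
    return hits


# Constructed access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2021:12:00:01 +0000] "GET /v1/me?access_token=EAAB123&fields=id HTTP/1.1" 200 512',
    '10.0.0.6 - - [10/Mar/2021:12:00:02 +0000] "GET /v1/me?fields=id HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Mar/2021:12:00:03 +0000] "POST /oauth/token?client_secret=s3cr3t HTTP/1.1" 200 100',
]


if __name__ == "__main__":
    for n, params in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: credential in URL via {params}")
    print(redact_url("https://api.example.com/v1/me?access_token=EAAB123&fields=id"))
```

Redaction is a logging hygiene measure, not a fix: the credential has still travelled through every cache and proxy on the path, so the only real remedy is the header-based form that build_request enforces.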

API Security weekly newsletter issue #122 is out. Main stories by @OpenApiSpec, @jsonschema, @harshbothra_ / @cobalt_io, @_DanielSinclair, @alissaknight, @approov_io
https://apisecurity.io/issue-122-api-issues-clubhouse-healthcare-apps-scope-based-recon-oas-v3-1-0/