API Security Articles

The Latest API Security News, Vulnerabilities & Best Practices

APISecurity.io is a community website for all things related to API security. Our daily news and weekly API Security newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology.

The API Security Encyclopedia provides details on possible security issues in API contracts and how to remediate them, and our tools help you evaluate how secure the APIs you are working on actually are.

From the APISecurity.io Twitter

@semrush fixed an #OAuth `redirect_uri` bypass reported by @Yassineaboukir. An attacker could use an IDN homograph like https://t.co/Xj1019NwpV instead of https://t.co/GdSQgRAPsg, thus redirecting to a malicious domain and gaining the user's access token.
https://t.co/fYYKGk4A2m

API Security newsletter issue #90 is out. Main stories by @amirshaked / @perimeterx, @Ax_Sharma / @BleepinComputer, @neilmaddog / @ManningBooks, @InsiderPhD
https://t.co/LB0P7nTl3A

A live recording from @InsiderPhD: API Hacking Demo with her using @Burp_Suite to discover APIs on a server, enumerating paths, finding IDOR/BOLA, taking over an account, escalating privileges, etc. She also shows what these bugs look like in the code.
https://t.co/4IsxTo9o64

"API Security in Action" by @neilmaddog is available for early access, and you can get 42% off by using the 42Crunch40 coupon code. @ManningBooks has already made 4 parts available; chapters are sent to you as they come out, and the print book ships upon publication.
https://t.co/QeRzr2I2yE

Twitter didn't have the `Cache-Control: no-store` header set on one of their APIs. This led to sensitive billing information for Twitter advertisers being stored in browser cache and potentially leaking.
https://t.co/SUAO6ZYaqV via @Ax_Sharma / @BleepinComputer
