API Security Articles

The Latest API Security News, Vulnerabilities & Best Practices

APISecurity.io is a community website for all things related to API security. Our daily news and weekly API Security newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology.

API Security Encyclopedia provides details on possible security issues in API contracts and how to remediate them, and our tools help you evaluate how secure the APIs you are working on actually are.

From the APISecurity.io Twitter

Multiple API vulnerabilities in electric vehicle charging stations found & reported by @PenTestPartners: account takeovers via poor or no authentication or authorization, privilege escalation via mass assignment, insecure GraphQL with customer data.
https://www.pentestpartners.com/security-blog/smart-car-chargers-plug-n-play-for-hackers/

Learn #OAuth from one of its creators! @aaronpk has released his "The Nuts and Bolts of OAuth 2.0" class on @udemy.
Covering OAuth 2.0, OpenID, PKCE, deprecated flows, JWTs, API Gateways, and scopes. No programming knowledge needed.
https://www.udemy.com/course/oauth-2-simplified/

API Security weekly newsletter issue #144 is out. Main stories by @dftrace / @bsidesvancouver, @daffainfo, @aaronpk / @APIdaysGlobal, @rajaharia
https://apisecurity.io/issue-144-justdial-api-vulnerability-re-emerges-api-key-checker-state-oauth/

JustDial (India's local search, delivery, reservation app) accidentally re-introduced the vulnerable API surfacing PII of 100 million+ customers. We covered this flaw back in 2019 in our issue #28. Back then and just now it got reported by @rajaharia. https://apisecurity.io/issue-28-breaches-tchap-shopify-justdial/

"The State of OAuth" @apidaysglobal recorded session by @aaronpk:
https://www.youtube.com/watch?v=W5ajhfWmvHE
Origins & goals of OAuth, OAuth 2.0 and 2.1, RFCs, adjacent technologies, tokens & their security, upcoming standards and extensions, Grant Negotiation and Authorization Protocol (GNAP)
