API Security Articles

The Latest API Security News, Vulnerabilities & Best Practices

APISecurity.io is a community website for all things related to API security. Our daily news and weekly API Security newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology.

API Security Encyclopedia provides details on possible security issues in API contracts and how to remediate them, and our tools help you evaluate how secure the APIs you are working on actually are.

From the APISecurity.io Twitter

Did you know that you can find API paths used by a webapp in the Memory tab of the browser Developer Tools? See this and other Dev Tools pentesting tips in this video by @filedescriptor https://www.youtube.com/watch?v=Y1S5s3FmFsI&t=204s

Interested in #GraphQL pentesting? See this video by @farah_hawa01 covering the basics of GraphQL, data schema discovery with Introspection, and a couple of attack examples: IDOR/BOLA and SQL injection.
https://youtu.be/OQCgmftU-Og
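The introspection-based schema discovery mentioned in the tweet above, as an added example that is not part of the original page or the linked video: a Python script that carries the standard `__schema` introspection query, walks the result to list root queries and mutations with their argument types, and flags the operations that take an object identifier as BOLA/IDOR candidates. The `fetch_schema` helper, its endpoint URL and token, and the `SAMPLE_RESPONSE` document are assumptions for a hypothetical API; the sample response is constructed so the script runs offline.

```python
"""Added example (not from apisecurity.io or the linked video): recover a
GraphQL schema via introspection and list the operations worth probing
for BOLA/IDOR. SAMPLE_RESPONSE is a constructed reply from a hypothetical
API so the script runs offline; fetch_schema() is the only part that
touches the network and is not called here."""
import json
import urllib.request

# Trimmed form of the standard introspection query: root operation types
# plus the name and argument types of every field on them.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types { name fields { name args { name type { ...TypeRef } } } }
  }
}
fragment TypeRef on __Type {
  kind name ofType { kind name ofType { kind name ofType { kind name } } }
}"""


def fetch_schema(url, token=None):
    """POST the introspection query to a live endpoint (assumed URL/token)."""
    body = json.dumps({"query": INTROSPECTION_QUERY}).encode()
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, data=body, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def _scalar(name, non_null=True):
    """Build a TypeRef for the constructed sample below."""
    base = {"kind": "SCALAR", "name": name, "ofType": None}
    return {"kind": "NON_NULL", "name": None, "ofType": base} if non_null else base


# Constructed response for a hypothetical schema (assumption, not a real API).
SAMPLE_RESPONSE = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "fields": [
            {"name": "me", "args": []},
            {"name": "user", "args": [{"name": "id", "type": _scalar("ID")}]},
            {"name": "invoice", "args": [{"name": "invoiceId", "type": _scalar("Int", False)}]},
            {"name": "search", "args": [{"name": "term", "type": _scalar("String")}]},
        ]},
        {"name": "Mutation", "fields": [
            {"name": "deleteUser", "args": [{"name": "id", "type": _scalar("ID")}]},
        ]},
        {"name": "User", "fields": [{"name": "id", "args": []}, {"name": "email", "args": []}]},
        {"name": "String", "fields": None},
    ],
}}}


def introspection_enabled(response):
    """True when the server answered the __schema query; a hardened API
    returns an error (or no data object) instead."""
    return bool((response.get("data") or {}).get("__schema"))


def unwrap(type_ref):
    """Strip NON_NULL / LIST wrappers and return the named base type."""
    while type_ref.get("ofType"):
        type_ref = type_ref["ofType"]
    return type_ref.get("name")


def root_operations(response):
    """Map 'Root.field' -> {arg: base type} for every query and mutation."""
    schema = response["data"]["__schema"]
    roots = {(schema.get(k) or {}).get("name") for k in ("queryType", "mutationType")}
    ops = {}
    for t in schema["types"]:
        if t["name"] in roots:
            for f in t.get("fields") or []:
                ops[f"{t['name']}.{f['name']}"] = {a["name"]: unwrap(a["type"]) for a in f["args"]}
    return ops


ID_TYPES = {"ID", "Int"}


def bola_candidates(response):
    """Operations taking an object identifier: re-issue each with another
    tenant's id under your own token and compare the responses."""
    return sorted(op for op, args in root_operations(response).items()
                  if any(t in ID_TYPES or name.lower().endswith("id") for name, t in args.items()))


if __name__ == "__main__":
    print("introspection enabled:", introspection_enabled(SAMPLE_RESPONSE))
    for op in bola_candidates(SAMPLE_RESPONSE):
        print("probe for BOLA:", op, root_operations(SAMPLE_RESPONSE)[op])
```

Against a live target, replace `SAMPLE_RESPONSE` with `fetch_schema("https://api.example.test/graphql", token)`. The `introspection_enabled` check doubles as a defensive test: production deployments normally disable introspection, so a passing `__schema` query in a CI smoke test against staging is itself a finding, and the candidate list tells you which operations need an authorization test with two distinct users' tokens.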

Details of the 142 million guest record MGM breach: "Data Viper... lost its database as a result of poor API secure coding practices – the developer left their credentials exposed in an API usage document." (Matt Keil / @cequenceai)
https://www.cpomagazine.com/cyber-security/new-details-indicate-that-scope-of-the-2019-mgm-data-breach-is-much-bigger-than-expected/ via @cpomagazine

Cisco just patched a critical API flaw #CVE-2020-3382 in their Data Center Network Manager (DCNM) management platform. Just like back in January this year, the product was using shared hardcoded API keys.
https://threatpost.com/critical-high-severity-cisco-flaws-fixed-data-center-network-manager/157861/ via @LindseyOD123 / @threatpost

API Security weekly newsletter issue #95 is out. Main stories by @_CPResearch_, @aaronpk, @TomAnthonySEO / @SearchPilot, @thecybermentor
https://apisecurity.io/issue-95-vulnerabilities-zoom-okcupid-progress-oauth-2-1-api-information-disclosure/