API6:2019 Mass Assignment

Description: Modern application frameworks encourage developers to use functions that automatically bind input from the client into code variables and internal objects in order to help simplify and speed up development within the framework. Attackers can use this side effect of frameworks to their advantage by updating or overwriting properties of ...
API5:2019 Broken Function Level Authorization

Description: Authorization flaws are often the result of improperly implemented or misconfigured authorization. Implementing adequate authorization mechanisms is a complex task, since modern applications can contain many types of roles, groups, and user hierarchies such as sub-users and users with more than one role. This is further complicated with distributed application ...

How Shift-Left Extremism is Harming your API Security Strategy

Shift-left security philosophy promotes the notion that organizations should push more of their security processes earlier into the design and development phases of the software development lifecycle. This ideal is promoted heavily in DevOps and DevSecOps programs as a way to detect quality or security issues early and remediate those problems before ...
API2:2019 Broken User Authentication

Description: Authentication in APIs is a complex and confusing topic. Software and security engineers might have misconceptions about what the boundaries of authentication are and how to correctly implement it. Prompting users or machines for credentials and additional authentication factors may also not be possible in direct API communication. In addition, ...
API3:2019 Excessive Data Exposure

Description: Exploitation of Excessive Data Exposure is simple, and is usually performed by sniffing the traffic to analyze the API responses, looking for sensitive data exposure that should not be returned to the user. APIs rely on clients to perform the data filtering. Since APIs are used as data sources, sometimes developers ...
API4:2019 Lack of Resources & Rate Limiting

Description: API requests consume resources such as network, CPU, memory, and storage. The amount of resources required to satisfy a request greatly depends on the input from the user and the business logic of the endpoint. APIs do not always impose restrictions on the size or number of resources that can ...
Salt Security + MuleSoft – Supercharge Your API Security Strategy

By all accounts, the rate of API consumption has exploded. Many changes in modern IT – including cloud-native design, microservices architecture, DevOps practices, and a universal drive towards automation – have resulted in a growing number of APIs to manage for all organizations. Unfortunately, APIs have also become one of ...
GET ‘https://salt.security/ api/v1/ helloworld?id=michaelisbitski’

Yes, that’s a vain attempt at an API joke and not your browser having issues. I wanted to draft this post to shed some light on why I chose to leave Gartner and evangelize API security with Salt Security. I’ve tried to keep the TL;DR to a minimum and have ...

OWASP API Security Top 10 Explained

As API-related security incidents and breaches have increased in recent years, the Open Web Application Security Project (OWASP) released the first-ever API Security Top 10 at the end of 2019 to raise awareness about the most common API security problems plaguing organizations. In this blog series, I dig into each of ...
API7:2019 Security Misconfiguration

Description: This issue is a catch-all for a wide range of security misconfigurations that often negatively impact API security as a whole and inadvertently introduce vulnerabilities. Some examples of security misconfigurations include insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, overly permissive Cross-Origin ...