Introducing breaking changes to a live API with hundreds, thousands, or even millions of active users is (usually) not an option. Releasing a new API version gives a chance to existing users to work on their integrations to migrate to the latest version, without interrupting the service. Nevertheles...
Given their role, APIs interact with several other (software) components such as filesystem, databases, LDAP, or other internal and external APIs. Not all these components are capable of validating and sanitizing the input they receive. When APIs neglect this responsibility, properly validate and sa...
Security Misconfiguration is a broad category in which everything that could have been done to improve the API overall security but that wasn't, fall. Usually, security misconfigurations are a consequence of insecure defaults such as a database without authentication or a permissive Cross- Origin Re...
Fast pace development environments or unclear business or functional requirements make developers choose generic implementations: binding client-provided data (e.g. JSON objects) to data models (e.g. those provided by popular ORM/ODM libraries) is, unfortunately, a common pattern that leaves the doo...
If you have been following our OWASP API Security Top 10 series, you know that we have already covered a specific type of authorization issue: Broken Object Level Authorization. Broken Function Level Authorization issues are not that different. Instead of getting access to a user's object, bad...
API clients' requests cost, at least bandwidth, computation cycles, memory, and storage, not only from the API back-end server but, in most cases several other systems, such as database servers. API requests compete for these resources to be fulfilled as quickly as possible but, improper resources m...
