Fast pace development environments or unclear business or functional requirements make developers choose generic implementations: binding client-provided data (e.g. JSON objects) to data models (e.g. those provided by popular ORM/ODM libraries) is, unfortunately, a common pattern that leaves the doo...
If you have been following our OWASP API Security Top 10 series, you know that we have already covered a specific type of authorization issue: Broken Object Level Authorization. Broken Function Level Authorization issues are not that different. Instead of getting access to a user's object, bad...
API clients' requests cost, at least bandwidth, computation cycles, memory, and storage, not only from the API back-end server but, in most cases several other systems, such as database servers. API requests compete for these resources to be fulfilled as quickly as possible but, improper resources m...
Either looking forward to generic implementations or due to short time-to-market, developers tend to expose all object properties (e.g. JSON), relying on clients (e.g. web front-end or mobile application) to filter relevant data to render. Quite often such data exposes system internals or personally...
In case you're not aware of our OWASP API Security Top 10 series, you can find the articles here. Most APIs, special those that support web front-ends or mobile applications, include several authentication-related endpoints. Based on our experience, quite often APIs fail to tackle brute force atta...
In case you're landing here coming from a search engine or a referral article, you may want to read our OWASP API Security Top 10 series debut article first. This is the first article in this series because it was, and probably still is, the most critical API security risk at the time the document...
