Security Misconfiguration is a broad category in which everything that could have been done to improve the API overall security but that wasn't, fall. Usually, security misconfigurations are a consequence of insecure defaults such as a database without authentication or a permissive Cross- Origin Re...
Fast pace development environments or unclear business or functional requirements make developers choose generic implementations: binding client-provided data (e.g. JSON objects) to data models (e.g. those provided by popular ORM/ODM libraries) is, unfortunately, a common pattern that leaves the doo...
If you have been following our OWASP API Security Top 10 series, you know that we have already covered a specific type of authorization issue: Broken Object Level Authorization. Broken Function Level Authorization issues are not that different. Instead of getting access to a user's object, bad...
API clients' requests cost, at least bandwidth, computation cycles, memory, and storage, not only from the API back-end server but, in most cases several other systems, such as database servers. API requests compete for these resources to be fulfilled as quickly as possible but, improper resources m...
Either looking forward to generic implementations or due to short time-to-market, developers tend to expose all object properties (e.g. JSON), relying on clients (e.g. web front-end or mobile application) to filter relevant data to render. Quite often such data exposes system internals or personally...
In case you're not aware of our OWASP API Security Top 10 series, you can find the articles here. Most APIs, special those that support web front-ends or mobile applications, include several authentication-related endpoints. Based on our experience, quite often APIs fail to tackle brute force atta...
