Search Results

Your search for API security found 15 results

API10:2019 Insufficient Logging & Monitoring

One of the challenges for bad actors, apart from finding an exploitable flaw, is to pass unnoticed not only during the research process but also during the exploitation phase. Insufficient logging and monitoring make it hard or even impossible to detect and mitigate suspicious activity or attacks...


API9:2019 Improper Assets Management

Introducing breaking changes to a live API with hundreds, thousands, or even millions of active users is (usually) not an option. Releasing a new API version gives a chance to existing users to work on their integrations to migrate to the latest version, without interrupting the service. Neverthel...


API8:2019 Injection

Given their role, APIs interact with several other (software) components such as filesystem, databases, LDAP, or other internal and external APIs. Not all these components are capable of validating and sanitizing the input they receive. When APIs neglect this responsibility, properly validate and...


API7:2019 Security Misconfiguration

Security Misconfiguration is a broad category into which everything that could have been done to improve the API's overall security, but wasn't, falls. Usually, security misconfigurations are a consequence of insecure defaults such as a database without authentication or a permissive Cross-Origin...


API6:2019 Mass Assignment

Fast-paced development environments or unclear business or functional requirements make developers choose generic implementations: binding client-provided data (e.g. JSON objects) to data models (e.g. those provided by popular ORM/ODM libraries) is, unfortunately, a common pattern that leaves the d...


API5:2019 Broken Function Level Authorization

If you have been following our OWASP API Security Top 10 series, you know that we have already covered a specific type of authorization issue: Broken Object Level Authorization. Broken Function Level Authorization issues are not that different. Instead of getting access to a user's object, b...


API4:2019 Lack of Resources and Rate Limiting

API clients' requests cost, at the very least, bandwidth, computation cycles, memory, and storage, not only on the API back-end server but, in most cases, on several other systems, such as database servers. API requests compete for these resources to be fulfilled as quickly as possible but, improper resources...


API3:2019 Excessive Data Exposure

Either looking forward to generic implementations or due to short time-to-market, developers tend to expose all object properties (e.g. JSON), relying on clients (e.g. web front-end or mobile application) to filter relevant data to render. Quite often such data exposes system internals or personal...


API2:2019 Broken User Authentication

In case you're not aware of our OWASP API Security Top 10 series, you can find the articles here. Most APIs, especially those that support web front-ends or mobile applications, include several authentication-related endpoints. Based on our experience, quite often APIs fail to tackle brute force at...


API1:2019 Broken Object Level Authorization

In case you're landing here coming from a search engine or a referral article, you may want to read our OWASP API Security Top 10 series debut article first. This is the first article in this series because it was, and probably still is, the most critical API security risk at the time the document...


OWASP API Security Top 10

This is not the first time we have written about the OWASP API Security Top 10 and it won’t be the last. In our “Hunting the OWASP API Security Top 10” article, we gave a quick introduction to this OWASP project, explaining a bit about our involvement in and contributions to it. Because we find more and more vul...


Char49 COO David Sopas presents at C-DAYS 2021

C-DAYS is a conference organized annually by the National Cybersecurity Center (CNCS), the Portuguese authority on cybersecurity, and aims to promote and debate this topic. This year marks the 7th edition of the event, where professionals, academics, decision-makers and interested parties in gen...


Hunting the OWASP API Security Top 10

In early 2019 we, at Char49, were challenged to research the most common API security issues. At that time API security was not exactly in the news, but APIs were becoming a fast-paced, critical piece of modern application architecture. We had followed this technological change since its early days, either through our penetration testing services or through responsible disclosure programs. That gave us a solid understanding of and experience in the API security scene, but we also dug deeper into publicly available data on API-related security incidents. Our contribution was released later that year as part of the OWASP API Security Top 10 2019.


RSA Conference 2021 with the presence of Char49 specialists

For almost 30 years, the RSA Conference has been an important meeting point for the cybersecurity community to share, learn and grow. It is a space for innovation and partnerships where, from the 17th to the 20th of May 2021, another edition takes place with the presence of cybersecurity specialists from all over the world.

In this year's edition, the conference will be attended by two Char49 specialists, David Sopas (COO) and Pedro Umbelino (Senior Security Researcher), in partnership with Erez Yalon (Director of Security Research, Checkmarx), Luis Gomes (Global Head of Information Security, OLX Group) and Tanya Janca (Founder & CEO, We Hack Purple Academy, Community and Podcast).
