API Vulnerabilities

How to Protect your APIs from Broken Authentication and Unrestricted Resource Consumption

March 12, 2024

In a follow-up to our recent blogpost which explored the OWASP API Authorization risks, this week we share highlights of our webinar which featured Philippe De Ryck and Isabelle Mauny talking about the Authentication challenges encountered when protecting your APIs. They explored just how potentially dangerous the combination of the two OWASP API Top 10 […]

Review of the Major API Breaches from H2 2022

December 6, 2022

Colin Domoney reviews some of the major API breaches that occurred in the second half of 2022. In the webinar, he outlines the API vulnerabilities that were compromised during the attacks and shows how to protect against them.

Review of the Major API Breaches from H1 2022 – Episode 2

August 10, 2022

This is a two-part webinar series on the global API breaches from H1 2022 that made the news. The first session described the breaches at a high level (recording below) and the second describes how to defend against them.

Review of the Major API Breaches from H1 2022 – Episode 1

June 21, 2022

This is a two-part webinar series on the global API breaches from H1 2022 that made the news. The second part of this webinar series explores how to defend against common API security breaches covered in the first part of the series. Join Colin Domoney (42Crunch security researcher and curator of the APISecurity.io newsletter) to understand how to use defensive techniques to protect APIs. This practical and interactive webinar will illuminate how APIs can be protected against common attack types and real-world exploits.

Lessons learned from the Spring4Shell vulnerability

April 1, 2022

Recently we published an article on the log4shell vulnerability targeting log4j, in which we explained how APIs can be protected against injection attacks with a positive security model, and how 42Crunch easily enables such a model. Now, it’s time for the Spring4Shell (CVE-2022-22965) vulnerability, targeting the Spring framework, commonly used to build APIs. What can […]

OWASP API Security TOP 10 Challenges – Episode 3

March 24, 2022

In this 3-part webinar series Dr. Philippe De Ryck, Web Security Expert with Pragmatic Web Security and Colin Domoney of 42Crunch and APISecurity.io, take a deep dive into understanding and addressing the OWASP API Security Top 10 issues. Through detailed practical examples and use cases, they guide developers and security professionals through how to fix and secure their APIs in the face of these identified threats.

OWASP API Security Top 10: Understanding the Threats that Target APIs

March 22, 2022

This webinar, dedicated to API security, covers the threats listed in the OWASP API Security Top 10. You will get a detailed explanation of each threat, how it can be exploited, examples of successful attacks, and how the 42crunch technology makes it possible to protect against them.

OWASP API Security TOP 10 Challenges – Episode 2

February 17, 2022

Three-part webinar series, May 4th, 2022 | 8am PST | 4pm BST. In this first episode in the webinar series, Dr Philippe de Ryck and Colin Domoney discuss API security today and the challenges presented by the OWASP API security top 10. Questions from attendees were addressed throughout the […]

Protecting your APIs against Log4Shell with 42Crunch

January 26, 2022

On December 9th, 2021, the log4shell vulnerability hit the news and it has since been every security team’s worst nightmare: trivially exploitable, huge impact with RCE (Remote Code Execution), on a component widely used across traditional enterprise technological stacks, both in in-house and third-party software. All this combined explains its CVSS rating of 10 – […]

OWASP API Security TOP 10 Challenges – Episode 1

January 25, 2022

In this first episode in the webinar series, Dr Philippe de Ryck and Colin Domoney discuss API security today and the challenges presented by the OWASP API security top 10. Questions from attendees were addressed throughout the webinar.

7 Ways to Avoid JWT Security Pitfalls

December 22, 2021

Dec 22nd 2021. Author: Dr. Philippe de Ryck, Pragmatic Web Security. Like them or hate them, JSON Web Tokens (JWT) are everywhere. OAuth 2.0 and OpenID Connect rely heavily on JWTs. Many applications use JWTs to implement custom security mechanisms. And every language or framework offers plenty of support for JWTs. Unfortunately, JWTs also lie […]

Dissecting the Biggest API Breaches from Q1 2021

April 16, 2021

API Security can be hard and confusing, but learning from someone else’s mistakes is the best way to learn!

Questions Answered: How to Best Leverage JWTs or API Security

December 11, 2020

You had questions, and we’ve got answers! Thank you for all the questions submitted on our webinar: “How to Best Leverage JWTs or API Security” We were unable to get to your questions, so below are all the answers to the questions that were asked! If you’d like more information please feel free to contact […]

Fixing API Security Issues identified in the Audit Report

May 31, 2020

This tutorial illustrates how to fix issues found in the API security audit and shows you how to iteratively update your OpenAPI definition.

Questions Answered: Top API Security Issues Found During POCs

May 26, 2020

You had questions, and we’ve got answers! Thank you for all the questions submitted on our “Top API Security Issues Found During POCs” webinar. Below is the replay and all the answers to the questions that were asked. If you’d like more information please feel free to contact us. Is there a way to add […]

Top API Security Issues Found During POCs

May 26, 2020

Over the past 6 months, we have discovered many similarities across APIs from companies from very different industries. “This is an eye opener” is the most recurring comment from our prospects. We thought it would be worth sharing our findings in this webinar.

Questions Answered: The Anatomy of Four API Breaches

May 4, 2020

You had questions, and we’ve got answers! Thank you for all the questions submitted on our “The Anatomy of Four API Breaches” webinar. Below is the replay and all the answers to the questions that were asked. If you’d like more information please feel free to contact us. Does the implementation […]

The Anatomy of API Breaches

April 30, 2020

Securing APIs implies securing the infrastructure but also the APIs themselves. Unfortunately, having all possible infrastructure protections in place is only one aspect of the recent OWASP Top10 for API Security. Other issues such as data leakage, mass assignment or broken authentication/authorization must be handled at the application level.

Questions Answered: Are you properly using JWTs?

February 3, 2020

You had questions, and we’ve got answers! Thank you for all the questions submitted on our “Are you properly using JWTs?” webinar. Below are all the answers to the questions that were asked. If you’d like more information please feel free to contact us. Is it considered safe if the […]

Addressing Harbor Registry Vulnerability with 42Crunch

September 24, 2019

Hot from the press! There is a mass assignment vulnerability in the Harbor registry. Mass assignment is entry A6 on the OWASP API Security Top 10 list. A6 is described in the OWASP API Security Top 10 as: An API endpoint is vulnerable if it automatically converts client parameters into internal object properties without considering […]

We Need the Controller Layer Back!

September 16, 2019

A couple of days ago, I gave an API security workshop to highlight the OWASP Top 10 issues for APIs and some of the mistakes we keep making at development time and paying for at runtime. Many of the issues related to data, such as improper data filtering, mass assignment or excessive data exposure, could be […]

Hot off the press: the OWASP API Security Top 10 list!

June 18, 2019

Last week, a new OWASP project was launched at the Global AppSec conference in Tel Aviv: the API Security Top 10 list. The project information and initial Top 10 list were presented by Erez Yalon (Checkmarx) and Inon Shkedy and you can download the presentation PDF. We have also created an OWASP API Security Top […]