API Security Articles

The Latest API Security News, Vulnerabilities & Best Practices

APISecurity.io is a community website for all things related to API security. Our daily news and weekly API Security newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology.

API Security Encyclopedia provides details on possible security issues in API contracts and how to remediate them, and our tools help you evaluate how secure the APIs you are working on actually are.

From the APISecurity.io Twitter

API Security weekly newsletter issue #130 is out. Main stories by @yeswehack, @github, @dsopas, @PauloASilva, @s4nkx0k, @infosec_au, @InsiderPhD
https://apisecurity.io/issue-130-githubs-new-token-format-mindapi-kiterunner/

More #GraphQL penetration testing advice. This time in a detailed blog post from @yeswehack. They cover:
* Introspection
* Fuzzing (when introspection is off)
* Query flaws
* Mutation flaws
* SQL injections
* Debug information
* Batching attacks
* Tools
https://blog.yeswehack.com/yeswerhackers/how-exploit-graphql-endpoint-bug-bounty/

GitHub's new authentication tokens have prefixes and checksums so they are easy to detect (grep, etc.) with virtually no chance of a false positive. Great step to prevent accidental token leakage!
https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/

MindAPI is a mindmap on REST API reconnaissance and @owasp API Security Top 10 vulnerability testing. Created by @dsopas, with help from @PauloASilva, @s4nkx0k, Miguel Freitas, Xavier Pinho.
Interactive mindmap: https://dsopas.github.io/MindAPI/play/
Repo: https://github.com/dsopas/MindAPI

Kiterunner is the new open-source reconnaissance tool for REST APIs. It uses patterns deduced from 67.5K @OpenApiSpec files processed!
See @infosec_au's (@assetnote) blog: https://blog.assetnote.io/2021/04/05/contextual-content-discovery/
Repo: https://github.com/assetnote/kiterunner
Demo by @InsiderPhD: https://youtu.be/hNs8fpWfcyU