API Security Articles

The Latest API Security News, Vulnerabilities & Best Practices

APISecurity.io is a community website for all things related to API security. Our daily news and weekly API Security newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology.

API Security Encyclopedia provides details on possible security issues in API contracts and how to remediate them, and our tools help you evaluate how secure the APIs you are working on actually are.

From the APISecurity.io Twitter

Never pass API tokens or other confidential information in the URL (as path or query parameters). These can get cached on the server and the cache can be exploited to retrieve the URLs. See how @Samm0uda found such a vulnerability at Facebook: https://ysamm.com/?p=629

API Security weekly newsletter issue #122 is out. Main stories by @OpenApiSpec, @jsonschema, @harshbothra_ / @cobalt_io, @_DanielSinclair, @alissaknight, @approov_io
https://apisecurity.io/issue-122-api-issues-clubhouse-healthcare-apps-scope-based-recon-oas-v3-1-0/

Research from @alissaknight and @approov_io looked at 30 different mobile healthcare apps. 100% had API vulnerabilities exposing PII/PHI, all had #BOLA, 77% had hardcoded keys/tokens/creds, etc. See summary: https://www.businesswire.com/news/home/20210209005461/en/
And full report: https://approov.io/mhealth/hacking/

Clubhouse got hacked with room audio getting streamed. Attackers scripted acquisition of long-lived API tokens for room access in backend (Agora) infrastructure, then used these tokens to get the streams from Agora.
See @_DanielSinclair for details:

Scope Based Recon Methodology by @harshbothra_ / @cobalt_io is a nice summary of reconnaissance steps and directions, with lists of tools provided for each of them.
https://blog.cobalt.io/scope-based-recon-smart-recon-tactics-7e72d590eae5