Christian Wenz
Bullet-Proof APIs: The OWASP API Security Top Ten
1. Understanding the OWASP API Security Top Ten list (about 2 minutes)
The OWASP API Security Top Ten list was created based on public incidents to raise awareness of common vulnerabilities.
2. Preventing broken object level authorization vulnerabilities (about 2 minutes)
Attackers can access unauthorized data by guessing sequential IDs if proper permission checks are not implemented for every object.
3. Securing APIs against broken authentication flaws (about 5 minutes)
Common authentication risks include misconfigured JWTs and weak secrets, which can be mitigated using the BFF pattern for single page applications.
4. Mitigating mass assignment and overposting attacks (about 3 minutes)
Mass assignment vulnerabilities allow attackers to modify protected object properties by sending extra fields in an API request.
5. Preventing unrestricted resource consumption and DoS (about 3 minutes)
APIs must implement rate limiting and validate parameters like page size to prevent denial-of-service attacks from excessive resource requests.
6. Preventing broken function level authorization (about 1 minute)
Authorization checks must be applied consistently across all API functions and HTTP methods to prevent unauthorized actions.
7. Protecting sensitive business flows from API abuse (about 1 minute)
APIs can be exploited to manipulate business logic, requiring both technical and process-based countermeasures to protect core operations.
8. Understanding server side request forgery (SSRF) (about 2 minutes)
An attacker can exploit an SSRF vulnerability to force a server to make requests to internal network resources that are otherwise inaccessible.
9. Avoiding security misconfigurations with HTTP headers (about 3 minutes)
Proper configuration, including setting security-enhancing HTTP headers and removing revealing headers, is crucial for securing APIs.
10. The importance of proper API inventory management (about 1 minute)
Failing to track all API versions and environments can lead to unmaintained and vulnerable endpoints that pose a significant security risk.
11. Defending against unsafe consumption of third-party APIs (about 1 minute)
Treat data from third-party APIs with zero trust, validating and handling it as carefully as any other user input to build resilient applications.
Related jobs
Jobs that call for the skills explored in this talk.
Related Videos
Security in modern Web Applications - OWASP to the rescue!
Jakub Andrzejewski
Architecting API Security
Philippe De Ryck
Lessons learned from observing a billion API requests
Pratim Bhosale
Typed Security: Preventing Vulnerabilities By Design
Michael Koppmann
101 Typical Security Pitfalls
Alexander Pirker
REST in Peace? What does the API protocol of the future look like? Or do we have it already?
Simon Auer
Real-World Security for Busy Developers
Kevin Lewis
How to Cause (or Prevent) a Massive Data Breach- Secure Coding and IDOR
Anna Bacher
From learning to earning
Application Security Engineer
BrainRocket
Municipality of Madrid, Spain
Python
Gitlab
Docker
Jenkins
Terraform
Product cyber threats: which activities and strategies should a product security officer adopt to face them?
Wavestone
Canton of Courbevoie-2, France