Christian Wenz

Bullet-Proof APIs: The OWASP API Security Top Ten

An attacker changes an ID in the URL and steals another user's data. Learn how to prevent this common and critical API vulnerability.

Bullet-Proof APIs: The OWASP API Security Top Ten
#1about 2 minutes

Understanding the OWASP API Security Top Ten list

The OWASP API Security Top Ten list was created based on public incidents to raise awareness of common vulnerabilities.

#2about 2 minutes

Preventing broken object level authorization vulnerabilities

Attackers can access unauthorized data by guessing sequential IDs if proper permission checks are not implemented for every object.

#3about 5 minutes

Securing APIs against broken authentication flaws

Common authentication risks include misconfigured JWTs and weak secrets, which can be mitigated using the BFF pattern for single page applications.

#4about 3 minutes

Mitigating mass assignment and overposting attacks

Mass assignment vulnerabilities allow attackers to modify protected object properties by sending extra fields in an API request.

#5about 3 minutes

Preventing unrestricted resource consumption and DoS

APIs must implement rate limiting and validate parameters like page size to prevent denial-of-service attacks from excessive resource requests.

#6about 1 minute

Enforcing broken function level authorization

Authorization checks must be applied consistently across all API functions and HTTP methods to prevent unauthorized actions.

#7about 1 minute

Protecting sensitive business flows from API abuse

APIs can be exploited to manipulate business logic, requiring both technical and process-based countermeasures to protect core operations.

#8about 2 minutes

Understanding server side request forgery (SSRF)

An attacker can exploit an SSRF vulnerability to force a server to make requests to internal network resources that are otherwise inaccessible.

#9about 3 minutes

Avoiding security misconfigurations with HTTP headers

Proper configuration, including setting security-enhancing HTTP headers and removing revealing headers, is crucial for securing APIs.

#10about 1 minute

The importance of proper API inventory management

Failing to track all API versions and environments can lead to unmaintained and vulnerable endpoints that pose a significant security risk.

#11about 1 minute

Defending against unsafe consumption of third-party APIs

Treat data from third-party APIs with zero trust, validating and handling it as carefully as any other user input to build resilient applications.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Focusing on the top three OWASP security threats
04:01 MIN

Focusing on the top three OWASP security threats

It's a (testing) trap! - Common testing pitfalls and how to solve them

Identifying top security risks with the OWASP Top 10
02:56 MIN

Identifying top security risks with the OWASP Top 10

Plants vs. Thieves: Automated Tests in the World of Web Security

Focusing on secure architecture over just code
01:20 MIN

Focusing on secure architecture over just code

Architecting API Security

Understanding risks with the OWASP Top 10
02:07 MIN

Understanding risks with the OWASP Top 10

Plants vs. Thieves: Automated Tests in the World of Web Security

Understanding common web and API vulnerability classes
12:11 MIN

Understanding common web and API vulnerability classes

Software Security 101: Secure Coding Basics

Understanding the OWASP Top 10 for web security
01:46 MIN

Understanding the OWASP Top 10 for web security

Security in modern Web Applications - OWASP to the rescue!

Focusing on key OWASP Top 10 risks for developers
02:39 MIN

Focusing on key OWASP Top 10 risks for developers

Delay the AI Overlords: How OAuth and OpenFGA Can Keep Your AI Agents from Going Rogue

Applying typed security to OWASP vulnerabilities
01:42 MIN

Applying typed security to OWASP vulnerabilities

Typed Security: Preventing Vulnerabilities By Design

Featured Partners

Related Videos

See all videos
Architecting API Security
47:34

Architecting API Security

Philippe De Ryck

Security in modern Web Applications - OWASP to the rescue!
26:59

Security in modern Web Applications - OWASP to the rescue!

Jakub Andrzejewski

Lessons learned from observing a billion API requests
23:47

Lessons learned from observing a billion API requests

Pratim Bhosale

Typed Security: Preventing Vulnerabilities By Design
58:19

Typed Security: Preventing Vulnerabilities By Design

Michael Koppmann

Awful APIs: A History Lesson in Industry Mistakes and Mishaps
28:55

Awful APIs: A History Lesson in Industry Mistakes and Mishaps

James Seconde

Real-World Security for Busy Developers
29:50

Real-World Security for Busy Developers

Kevin Lewis

101 Typical Security Pitfalls
28:41

101 Typical Security Pitfalls

Alexander Pirker

REST in Peace? What does the API protocol of the future look like? Or do we have it already?
20:29

REST in Peace? What does the API protocol of the future look like? Or do we have it already?

Simon Auer

Related Articles

View all articles
Daniel Cranney
The Overflow: 5 Security and Privacy Tools for Developers
We’re back again with another edition of the Overflow, where we share some of the best tools we’ve found from around the web that we just couldn’t cram into the already jam-packed editions of the Dev Digest. So let’s take a look at five security and ...
The Overflow: 5 Security and Privacy Tools for Developers

From learning to earning

Jobs that call for the skills explored in this talk.