The OWASP API Security Top Ten list was created based on public incidents to raise awareness of common vulnerabilities.
Attackers can access unauthorized data by guessing sequential IDs if proper permission checks are not implemented for every object.
Common authentication risks include misconfigured JWTs and weak secrets, which can be mitigated using the BFF pattern for single page applications.
Mass assignment vulnerabilities allow attackers to modify protected object properties by sending extra fields in an API request.
APIs must implement rate limiting and validate parameters like page size to prevent denial-of-service attacks from excessive resource requests.
Authorization checks must be applied consistently across all API functions and HTTP methods to prevent unauthorized actions.
APIs can be exploited to manipulate business logic, requiring both technical and process-based countermeasures to protect core operations.
An attacker can exploit an SSRF vulnerability to force a server to make requests to internal network resources that are otherwise inaccessible.
Proper configuration, including setting security-enhancing HTTP headers and removing revealing headers, is crucial for securing APIs.
Failing to track all API versions and environments can lead to unmaintained and vulnerable endpoints that pose a significant security risk.
Treat data from third-party APIs with zero trust, validating and handling it as carefully as any other user input to build resilient applications.
Bitpanda
Vienna, Austria
47:34Philippe De Ryck
26:59Jakub Andrzejewski
23:47Pratim Bhosale
58:19Michael Koppmann
28:41Alexander Pirker
20:29Simon Auer
28:55James Seconde
29:50Kevin Lewis
Jobs that call for the skills explored in this talk.
