Christian Wenz
Bullet-Proof APIs: The OWASP API Security Top Ten
#1 (about 2 minutes)
Understanding the OWASP API Security Top Ten list
The OWASP API Security Top Ten list was created based on public incidents to raise awareness of common vulnerabilities.
#2 (about 2 minutes)
Preventing broken object level authorization vulnerabilities
Attackers can access unauthorized data by guessing sequential IDs if proper permission checks are not implemented for every object.
#3 (about 5 minutes)
Securing APIs against broken authentication flaws
Common authentication risks include misconfigured JWTs and weak secrets, which can be mitigated using the Backend-for-Frontend (BFF) pattern for single page applications.
#4 (about 3 minutes)
Mitigating mass assignment and overposting attacks
Mass assignment vulnerabilities allow attackers to modify protected object properties by sending extra fields in an API request.
#5 (about 3 minutes)
Preventing unrestricted resource consumption and DoS
APIs must implement rate limiting and validate parameters like page size to prevent denial-of-service attacks from excessive resource requests.
#6 (about 1 minute)
Preventing broken function level authorization
Authorization checks must be applied consistently across all API functions and HTTP methods to prevent unauthorized actions.
#7 (about 1 minute)
Protecting sensitive business flows from API abuse
APIs can be exploited to manipulate business logic, requiring both technical and process-based countermeasures to protect core operations.
#8 (about 2 minutes)
Understanding server side request forgery (SSRF)
An attacker can exploit an SSRF vulnerability to force a server to make requests to internal network resources that are otherwise inaccessible.
#9 (about 3 minutes)
Avoiding security misconfigurations with HTTP headers
Proper configuration, including setting security-enhancing HTTP headers and removing revealing headers, is crucial for securing APIs.
#10 (about 1 minute)
The importance of proper API inventory management
Failing to track all API versions and environments can lead to unmaintained and vulnerable endpoints that pose a significant security risk.
#11 (about 1 minute)
Defending against unsafe consumption of third-party APIs
Treat data from third-party APIs with zero trust, validating and handling it as carefully as any other user input to build resilient applications.