Christian Wenz
Bullet-Proof APIs: The OWASP API Security Top Ten
#1 (about 2 minutes)
Understanding the OWASP API Security Top Ten list
The OWASP API Security Top Ten is a ranked list of the most common API security risks, compiled from publicly reported incidents, to raise awareness of the vulnerabilities APIs most often ship with.
#2 (about 2 minutes)
Preventing broken object level authorization vulnerabilities
Broken object level authorization (BOLA, also known as IDOR) lets an attacker read or modify other users' records by guessing sequential IDs. Every request that touches an object must check that the caller is permitted to access that specific object, not merely that the caller is logged in.
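The pattern above, as an added example that is not from the talk: a vulnerable invoice lookup next to a hardened one, plus a helper that walks sequential IDs the way an attacker would. The invoice store, the two principals and the handler signatures are constructed for illustration.

```python
# Added example, not from the talk: broken object level authorization on a
# sequential-ID endpoint. The invoice store, the principals and the handler
# signatures are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, FrozenSet, List


@dataclass(frozen=True)
class Principal:
    user_id: int
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount: str


# Constructed data. IDs are sequential, so an attacker who legitimately owns
# invoice 1001 simply tries 1002, 1003, ... in the same authenticated session.
INVOICES = {
    1001: Invoice(1001, owner_id=1, amount="19.99"),
    1002: Invoice(1002, owner_id=2, amount="4200.00"),
    1003: Invoice(1003, owner_id=2, amount="13.37"),
}


class NotFound(Exception):
    pass


def get_invoice_vulnerable(caller: Principal, invoice_id: int) -> Invoice:
    """Authenticated but not authorized: the caller's identity is never
    compared with the object, so any logged-in user reads any invoice."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def get_invoice_hardened(caller: Principal, invoice_id: int) -> Invoice:
    """Authorize against the specific object on every access: the caller must
    own it, or hold a role that legitimately spans owners ('support' here).
    In SQL the same idea is 'WHERE id = ? AND owner_id = ?' instead of a
    lookup by id alone."""
    inv = INVOICES.get(invoice_id)
    permitted = inv is not None and (
        inv.owner_id == caller.user_id or "support" in caller.roles
    )
    if not permitted:
        # Same response for 'does not exist' and 'not yours', so the attacker
        # cannot even learn which IDs are in use.
        raise NotFound(invoice_id)
    return inv


def leaked_ids(
    caller: Principal,
    handler: Callable[[Principal, int], Invoice],
    start: int,
    stop: int,
) -> List[int]:
    """Walk a range of IDs as an attacker would and return the ones the
    handler served to this caller."""
    found = []
    for invoice_id in range(start, stop):
        try:
            handler(caller, invoice_id)
            found.append(invoice_id)
        except NotFound:
            pass
    return found
```

Against the constructed store, user 1 walking IDs 1000 to 1004 gets three invoices from the vulnerable handler and only their own from the hardened one; the hardened handler also answers 404 rather than 403 for foreign objects, so the walk does not reveal which IDs exist.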
#3 (about 5 minutes)
Securing APIs against broken authentication flaws
Common authentication flaws include misconfigured JWT handling (for example accepting whichever algorithm the token names, or skipping expiry and audience checks) and weak signing secrets. For single-page applications, the backend-for-frontend (BFF) pattern mitigates much of this by keeping tokens on the server and giving the browser only a session cookie.
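The JWT side of this, as an added example that is not from the talk: a minimal HS256 verifier that pins the algorithm server-side, compares the signature in constant time, rejects secrets shorter than the hash output and enforces exp and aud, next to a minting helper used only to build sample tokens (including a forged alg=none token). The secret, audience and claims are constructed for illustration.

```python
# Added example, not from the talk: a minimal HS256 verifier next to a minting
# helper used only to build sample tokens. Secret, audience and claims are
# constructed for illustration.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# RFC 7518 section 3.2: an HS256 key must be at least as long as the hash output.
MIN_HS256_SECRET_BYTES = 32


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a token. `alg` is a parameter only so a caller can forge the
    classic alg=none token for testing; a real issuer hard-codes HS256."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes, expected_aud: str,
                 now: Optional[float] = None) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError."""
    now = time.time() if now is None else now
    if len(secret) < MIN_HS256_SECRET_BYTES:
        # A short, guessable secret makes every other check pointless.
        raise ValueError("HS256 secret shorter than 256 bits")
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
    except ValueError as exc:  # bad segment count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("malformed token")
    # The verifier decides the algorithm; the token does not get a vote.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    exp = payload.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("missing or past exp")
    if payload.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    return payload


def is_acceptable(token: str, secret: bytes, expected_aud: str, now: float) -> bool:
    """Boolean wrapper around verify_token for quick checks."""
    try:
        verify_token(token, secret, expected_aud, now)
        return True
    except ValueError:
        return False
```

The order of the checks matters: the algorithm is fixed before any signature work, so a token announcing alg=none or a different algorithm is rejected without the server ever consulting the header for how to verify it.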
#4 (about 3 minutes)
Mitigating mass assignment and overposting attacks
Mass assignment (overposting) happens when an API binds every field of the request body onto its model, so an attacker can set protected properties such as a role or a verification flag simply by adding extra fields to the request. Bind only an explicit allowlist of fields.
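The two bindings side by side, as an added example that is not from the talk: a profile-update handler that writes the whole request body onto the model, next to one that binds an explicit allowlist and type-checks each value. The User model, the writable field set and the request bodies are constructed for illustration.

```python
# Added example, not from the talk: overposting versus allowlisted binding.
# The User model, field set and request bodies are constructed for illustration.
from dataclasses import dataclass, replace
from typing import Any, Dict


@dataclass
class User:
    id: int
    email: str
    display_name: str
    role: str = "user"            # server-controlled
    email_verified: bool = False  # server-controlled


def update_profile_vulnerable(user: User, body: Dict[str, Any]) -> User:
    """Classic overposting: every key that happens to match an attribute is
    written, including the ones this endpoint was never meant to touch."""
    for key, value in body.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


# What PATCH /me may change, with the type each value must have.
PROFILE_WRITABLE: Dict[str, type] = {"display_name": str, "email": str}


def update_profile_hardened(user: User, body: Dict[str, Any]) -> User:
    """Bind only allowlisted fields. Unexpected keys are rejected rather than
    silently dropped so that probing shows up in logs; values are type-checked
    before assignment. Returns a new User and leaves the input untouched."""
    unexpected = sorted(set(body) - set(PROFILE_WRITABLE))
    if unexpected:
        raise ValueError(f"fields not writable via this endpoint: {unexpected}")
    for key, value in body.items():
        if not isinstance(value, PROFILE_WRITABLE[key]):
            raise ValueError(f"{key} must be {PROFILE_WRITABLE[key].__name__}")
    return replace(user, **body)


def try_update(user: User, body: Dict[str, Any]) -> str:
    """Outcome of the hardened handler as a short string, for quick checks."""
    try:
        update_profile_hardened(user, body)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"
```

Rejecting unknown keys with a 400 rather than ignoring them is a deliberate choice: a body carrying `role` or `email_verified` on a profile endpoint is either a client bug or an attack, and both are worth seeing in the logs.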
#5 (about 3 minutes)
Preventing unrestricted resource consumption and DoS
An API that accepts any request rate or any value for parameters such as page size lets a single client exhaust CPU, memory, bandwidth or paid third-party quota. APIs must rate-limit clients and validate and cap such parameters to prevent denial of service through excessive resource requests.
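Both controls, as an added example that is not from the talk: strict parsing and clamping of a page_size parameter, and a per-client token bucket with an injectable clock so its behaviour is deterministic. The limits, the client keys and the clock are constructed for illustration.

```python
# Added example, not from the talk: page_size validation and a per-client
# token bucket. Limits, client keys and the clock are constructed.
from typing import Callable, Dict, Optional

DEFAULT_PAGE_SIZE = 20
MAX_PAGE_SIZE = 100


def parse_page_size(raw: Optional[str]) -> int:
    """Accept only a positive integer and cap it. '1e9', '-1', '' and
    '100000' are all things real clients send; none of them may reach
    the database as written."""
    if raw is None:
        return DEFAULT_PAGE_SIZE
    try:
        n = int(raw)
    except (TypeError, ValueError) as exc:
        raise ValueError("page_size must be an integer") from exc
    if n < 1:
        raise ValueError("page_size must be at least 1")
    return min(n, MAX_PAGE_SIZE)


class Bucket:
    __slots__ = ("tokens", "updated")

    def __init__(self, tokens: float, updated: float) -> None:
        self.tokens = tokens
        self.updated = updated


class RateLimiter:
    """Token bucket per client key: a burst of `capacity` requests, refilled
    continuously at `refill_per_sec`. The clock is injected for testability."""

    def __init__(self, capacity: int, refill_per_sec: float,
                 clock: Callable[[], float]) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self.buckets: Dict[str, Bucket] = {}

    def allow(self, client_key: str) -> bool:
        now = self.clock()
        bucket = self.buckets.get(client_key)
        if bucket is None:
            bucket = self.buckets[client_key] = Bucket(self.capacity, now)
        elapsed = max(0.0, now - bucket.updated)
        bucket.tokens = min(self.capacity, bucket.tokens + elapsed * self.refill_per_sec)
        bucket.updated = now
        if bucket.tokens >= 1:
            bucket.tokens -= 1
            return True
        return False  # the caller answers 429 with a Retry-After header


class FakeClock:
    """Constructed clock so the example runs without sleeping."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def count_allowed(limiter: RateLimiter, client_key: str, attempts: int) -> int:
    """Fire `attempts` requests back to back and count the ones admitted."""
    return sum(1 for _ in range(attempts) if limiter.allow(client_key))
```

The client key is whatever identifies the caller at your trust boundary (an API key or authenticated subject is better than a source IP behind shared NAT); in production the buckets live in a shared store so that every instance enforces the same limit.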
#6 (about 1 minute)
Preventing broken function level authorization
Authorization must be enforced for every function and every HTTP method on an endpoint; a check that exists on GET but is missing on DELETE, or that guards the regular routes but not the administrative ones, is all an attacker needs to perform unauthorized actions.
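Function level authorization as a deny-by-default policy keyed on method and route, as an added example that is not from the talk, next to the common mistake of guarding only an /admin prefix. Routes, roles and principals are constructed for illustration; which user owns /users/{id} is a separate object level check that belongs inside the handler.

```python
# Added example, not from the talk: deny-by-default function level
# authorization versus a prefix-only check. Routes, roles and principals
# are constructed for illustration.
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Pattern, Tuple


@dataclass(frozen=True)
class Principal:
    user_id: int
    roles: FrozenSet[str]


# One explicit rule per (method, route). Anything not listed is denied.
POLICY: List[Tuple[str, Pattern[str], FrozenSet[str]]] = [
    ("GET",    re.compile(r"^/users/\d+$"),          frozenset({"user", "admin"})),
    ("PATCH",  re.compile(r"^/users/\d+$"),          frozenset({"user", "admin"})),
    ("DELETE", re.compile(r"^/users/\d+$"),          frozenset({"admin"})),
    ("GET",    re.compile(r"^/admin/users$"),        frozenset({"admin"})),
    ("POST",   re.compile(r"^/admin/users/export$"), frozenset({"admin"})),
]


def authorize_vulnerable(caller: Principal, method: str, path: str) -> bool:
    """Only the URL prefix is inspected: DELETE /users/7 is open to any user
    because the method is never looked at, and a case variant such as
    /Admin/users slips past the prefix comparison."""
    if path.startswith("/admin/"):
        return "admin" in caller.roles
    return True


def authorize_hardened(caller: Principal, method: str, path: str) -> bool:
    """Allow only when a rule matches both the normalised method and the
    exact path, and the caller holds one of that rule's roles."""
    method = method.upper()
    for rule_method, pattern, allowed_roles in POLICY:
        if rule_method == method and pattern.match(path):
            return bool(caller.roles & allowed_roles)
    return False  # unknown route or method: deny, never fall through to allow
```

Keeping the policy in one table, rather than sprinkling role checks through handlers, is what makes "every function and every method" auditable: a new route that nobody added to the table is unreachable until someone decides who may call it.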
#7 (about 1 minute)
Protecting sensitive business flows from API abuse
APIs can be exploited to manipulate business logic, requiring both technical and process-based countermeasures to protect core operations.
#8 (about 2 minutes)
Understanding server side request forgery (SSRF)
If an API fetches a URL supplied by the client without validating it, an attacker can make the server request internal network resources that are not reachable from the outside, using the server's own position on the network.
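The validation a fetch-by-URL endpoint needs, as an added example that is not from the talk: the scheme and port are allowlisted, userinfo is rejected, and every address the host resolves to must be globally routable. FAKE_DNS stands in for the resolver so the example runs offline; its names and addresses are constructed.

```python
# Added example, not from the talk: validating a client-supplied URL before
# the server fetches it. FAKE_DNS replaces real DNS; its entries are constructed.
import ipaddress
from typing import Callable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}

FAKE_DNS = {
    "api.partner.example": ["8.8.8.8"],              # stand-in public address
    "metadata.internal":   ["169.254.169.254"],      # link-local, e.g. a cloud metadata endpoint
    "dual.example":        ["8.8.8.8", "10.0.0.5"],  # mixed answer: one record is private
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def validate_outbound_url(url: str,
                          resolve: Callable[[str], List[str]] = fake_resolve) -> str:
    """Return a normalised URL that is safe to fetch, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # 'https://trusted.example@10.0.0.5/' puts the real host after the '@'.
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port if parts.port is not None else 443  # .port raises ValueError if not numeric
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal, v4 or bracketed v6
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        raise ValueError("host does not resolve")
    for addr in addrs:
        # is_global is False for loopback, RFC 1918, link-local (169.254/16),
        # IPv4-mapped IPv6, multicast and reserved ranges.
        if not addr.is_global:
            raise ValueError(f"host resolves to non-public address {addr}")
    netloc = f"[{host}]" if ":" in host else host
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme}://{netloc}:{port}{parts.path or '/'}{query}"


def is_safe_url(url: str) -> bool:
    """Boolean wrapper around validate_outbound_url for quick checks."""
    try:
        validate_outbound_url(url)
        return True
    except ValueError:
        return False
```

Two caveats a practitioner would add: connect to the address you validated rather than letting the HTTP client resolve the name a second time (the second answer may differ), and run the same validation on every redirect target, or disable redirects. Where the set of partners is known, a hostname allowlist in front of these checks is simpler still.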
#9 (about 3 minutes)
Avoiding security misconfigurations with HTTP headers
Proper configuration is crucial for securing APIs: send the security-enhancing HTTP headers, and strip headers such as Server and X-Powered-By that reveal which stack the API runs on.
#10 (about 1 minute)
The importance of proper API inventory management
Failing to track every API version and every environment (old versions left running, staging and test deployments) leaves unmaintained, unpatched endpoints reachable, and those forgotten endpoints pose a significant security risk.
#11 (about 1 minute)
Defending against unsafe consumption of third-party APIs
Treat data returned by third-party APIs with zero trust: validate its shape, size and content as carefully as any other user input, and assume the upstream can fail or be compromised, so that the application stays resilient when it does.
Related Videos
Security in modern Web Applications - OWASP to the rescue!
Jakub Andrzejewski
Architecting API Security
Philippe De Ryck
Lessons learned from observing a billion API requests
Pratim Bhosale
Typed Security: Preventing Vulnerabilities By Design
Michael Koppmann
REST in Peace? What does the API protocol of the future look like? Or do we have it already?
Simon Auer
101 Typical Security Pitfalls
Alexander Pirker
How to Cause (or Prevent) a Massive Data Breach- Secure Coding and IDOR
Anna Bacher
Real-World Security for Busy Developers
Kevin Lewis