Christian Wenz

Bullet-Proof APIs: The OWASP API Security Top Ten

An attacker changes an ID in the URL and steals another user's data. Learn how to prevent this common and critical API vulnerability.

Bullet-Proof APIs: The OWASP API Security Top Ten
#1about 2 minutes

Understanding the OWASP API Security Top Ten list

The OWASP API Security Top Ten list was created based on public incidents to raise awareness of common vulnerabilities.

#2about 2 minutes

Preventing broken object level authorization vulnerabilities

Attackers can access unauthorized data by guessing sequential IDs if proper permission checks are not implemented for every object.

#3about 5 minutes

Securing APIs against broken authentication flaws

Common authentication risks include misconfigured JWTs and weak secrets, which can be mitigated using the BFF pattern for single page applications.

#4about 3 minutes

Mitigating mass assignment and overposting attacks

Mass assignment vulnerabilities allow attackers to modify protected object properties by sending extra fields in an API request.

#5about 3 minutes

Preventing unrestricted resource consumption and DoS

APIs must implement rate limiting and validate parameters like page size to prevent denial-of-service attacks from excessive resource requests.

#6about 1 minute

Enforcing broken function level authorization

Authorization checks must be applied consistently across all API functions and HTTP methods to prevent unauthorized actions.

#7about 1 minute

Protecting sensitive business flows from API abuse

APIs can be exploited to manipulate business logic, requiring both technical and process-based countermeasures to protect core operations.

#8about 2 minutes

Understanding server side request forgery (SSRF)

An attacker can exploit an SSRF vulnerability to force a server to make requests to internal network resources that are otherwise inaccessible.

#9about 3 minutes

Avoiding security misconfigurations with HTTP headers

Proper configuration, including setting security-enhancing HTTP headers and removing revealing headers, is crucial for securing APIs.

#10about 1 minute

The importance of proper API inventory management

Failing to track all API versions and environments can lead to unmaintained and vulnerable endpoints that pose a significant security risk.

#11about 1 minute

Defending against unsafe consumption of third-party APIs

Treat data from third-party APIs with zero trust, validating and handling it as carefully as any other user input to build resilient applications.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Identifying top security risks with the OWASP Top 10
05:12 MIN

Identifying top security risks with the OWASP Top 10

Plants vs. Thieves: Automated Tests in the World of Web Security

Understanding risks with the OWASP Top 10
06:01 MIN

Understanding risks with the OWASP Top 10

Plants vs. Thieves: Automated Tests in the World of Web Security

Understanding common web and API vulnerability classes
1:15:27 MIN

Understanding common web and API vulnerability classes

Software Security 101: Secure Coding Basics

Focusing on the top three OWASP security threats
05:11 MIN

Focusing on the top three OWASP security threats

It's a (testing) trap! - Common testing pitfalls and how to solve them

Understanding the OWASP Top 10 for web security
05:47 MIN

Understanding the OWASP Top 10 for web security

Security in modern Web Applications - OWASP to the rescue!

Focusing on secure architecture over just code
02:06 MIN

Focusing on secure architecture over just code

Architecting API Security

Focusing on key OWASP Top 10 risks for developers
04:13 MIN

Focusing on key OWASP Top 10 risks for developers

Delay the AI Overlords: How OAuth and OpenFGA Can Keep Your AI Agents from Going Rogue

Applying typed security to OWASP vulnerabilities
21:01 MIN

Applying typed security to OWASP vulnerabilities

Typed Security: Preventing Vulnerabilities By Design

Featured Partners

Related Videos

See all videos
Security in modern Web Applications - OWASP to the rescue!26:59

Security in modern Web Applications - OWASP to the rescue!

Jakub Andrzejewski

Architecting API Security47:34

Architecting API Security

Philippe De Ryck

Lessons learned from observing a billion API requests23:47

Lessons learned from observing a billion API requests

Pratim Bhosale

Typed Security: Preventing Vulnerabilities By Design58:19

Typed Security: Preventing Vulnerabilities By Design

Michael Koppmann

REST in Peace? What does the API protocol of the future look like? Or do we have it already?20:29

REST in Peace? What does the API protocol of the future look like? Or do we have it already?

Simon Auer

101 Typical Security Pitfalls28:41

101 Typical Security Pitfalls

Alexander Pirker

Real-World Security for Busy Developers29:50

Real-World Security for Busy Developers

Kevin Lewis

How to Cause (or Prevent) a Massive Data Breach- Secure Coding and IDOR40:38

How to Cause (or Prevent) a Massive Data Breach- Secure Coding and IDOR

Anna Bacher

Related Articles

View all articles
DC
Daniel Cranney
Understanding and Mitigating Common Web Vulnerabilities
Vulnerabilities exist in many forms on the web, and attackers continue to find creative ways to exploit them. Technological advances like the proliferation of AI are of course exciting nd filled with opportunities, they equally present opportunities ...
Understanding and Mitigating Common Web Vulnerabilities
CH
Chris Heilmann
Dev Digest 116 - WWWAI?
This time, learn how to un-AI Google's search results, what's new on the web, avoid a new security hole and go back to BASICS with us. News and ArticlesWhat a week. Google, Microsoft, OpenAI and many others had their big flagship events announcing th...
Dev Digest 116 - WWWAI?
CH
Chris Heilmann
With AIs wide open - WeAreDevelopers at All Things Open 2025
Last week our VP of Developer Relations, Chris Heilmann, flew to Raleigh, North Carolina to present at All Things Open . An excellent event he had spoken at a few times in the past and this being the “Lucky 13” edition, he didn’t hesitate to come and...
With AIs wide open - WeAreDevelopers at All Things Open 2025

From learning to earning

Jobs that call for the skills explored in this talk.