Subscribe to the Salt blog

Privacy Policy

Get the latest API security research and see how you compare

Learn more
Posts Tagged

API Attack Methodology

Subscribe to Salt blog

API10:2023 Unsafe Consumption of APIs

The unsafe consumption of APIs can lead to security breaches, exposing sensitive data, user credentials, or proprietary information, as attackers may exploit vulnerabilities in API usage to gain unauthorized access, execute arbitrary code, or perform unauthorized actions within the system.

Stephanie Best
Stephanie Best
June 6, 2023

API9:2023 Improper Inventory Management

Improper Inventory Management is the ninth security threat listed in the OWASP API Security Top 10. By exploiting this vulnerability, attackers can gain unauthorized access to sensitive data, or even gain full server access through old, unpatched or vulnerable versions of APIs.

Stephanie Best
Stephanie Best
June 6, 2023

API8:2023 Security Misconfiguration

There are certainly cases where security misconfiguration can be the result of something basic like a missing patch, but some misconfigurations are far stealthier and can be obscured by complex architectures.

Stephanie Best
Stephanie Best
June 6, 2023

API7:2023 Server Side Request Forgery

A Server Side Request Forgery (SSRF) API attack occurs when an attacker manipulates an API endpoint to make the targeted server perform unintended requests on behalf of the attacker.

Stephanie Best
Stephanie Best
June 6, 2023

API6:2023 Unrestricted Access to Sensitive Business Flows

This threat has replaced Mass Assignment as number 6 on the OWASP API Security Top 10 list. It occurs when an API exposes a business flow without compensating for how the functionality could cause harm if used excessively through automation.

Stephanie Best
Stephanie Best
June 6, 2023

API5:2023 Broken Function Level Authorization

Broken function level authorization (BFLA) has been identified as the fifth most critical threat to APIs in the OWASP API Security Top 10, and for good reason.

Stephanie Best
Stephanie Best
June 6, 2023

API4:2023 Unrestricted Resource Consumption

API requests consume resources such as network, CPU, memory, and storage. The amount of resources required to satisfy a request greatly depends on the input from the user and the business logic of the endpoint.

Stephanie Best
Stephanie Best
June 6, 2023

API3:2023 Broken Object Property Level Authorization

An API security solution must be able to identify and report on the large variety of sensitive data types that can be sent in API requests and responses, as well as any anomalous activity where attackers send manipulated API requests with unauthorized parameters.

Stephanie Best
Stephanie Best
June 6, 2023

API2:2023 Broken Authentication

Broken authentication is the second most critical API security threat listed in the OWASP API Security Top 10. Common examples of attacks targeting broken authentication include API enumeration and brute-forcing attacks that make high volumes of API requests with minor changes.

Stephanie Best
Stephanie Best
June 6, 2023

API1:2023 Broken Object Level Authorization (BOLA)

Failure to enforce authorization at the object level can lead to data exfiltration as well as unauthorized viewing, modification, or destruction of data.

Stephanie Best
Stephanie Best
June 6, 2023

OWASP API Security Top 10 2023 Explained

In this post and subsequent additions to the series, we dig into each of the Open Web Application Security Project (OWASP) API Security Top 10 in detail.

Stephanie Best
Stephanie Best
June 6, 2023

T-Mobile API Breach – What Went Wrong?

In general, most API data breaches are usually the result of one or a combination of four different attack scenarios.

Nick Rago
Nick Rago
January 24, 2023

Successful SQLi WAF Bypass Shows (Again) how WAFs Cannot Stop API-based Attacks

Over the last several years, attackers have changed their tactics, focused on identifying and exploiting business logic gaps by manipulating and abusing APIs.

Eran Atias
Eran Atias
December 20, 2022

What are API Attacks, Why They’re Different, and How to Stop Them

Why are we seeing such a constant stream of API-based attacks? Quite simply, APIs are lucrative for attackers.

Stephanie Best
Stephanie Best
October 31, 2022

API Threat Research: GraphQL Authorization Flaws in Financial Technology Platform

Salt Labs researchers investigated a large B2B FinTech platform that offers financial services in the form of API-based mobile apps and SaaS to SMB and commercial brands.

Salt Labs
Salt Labs
December 8, 2021

API Threat Research: Elastic Stack Misconfiguration Allows Data Extraction

Salt Labs researchers investigated a large business-to-consumer (B2C) online platform that provides API-based mobile applications and software as a service to millions of users globally. 

Salt Labs
Salt Labs
September 29, 2021

What Can Attackers Do With API Vulnerabilities?

Episode number 4 of API Security With A Pinch Of Salt is here. In this episode Chris and Ran talk about what attackers are going after when they target APIs and what they can do if they find and successfully exploit a vulnerability.

Chris Westphal
Chris Westphal
August 4, 2020

Testing and Hacking APIs + OWASP TLV Sessions

If you didn’t make it to OWASP Global AppSec Tel Aviv last month I wanted to share that the team recently published videos from the event...…you can check out the entire lineup of 44 videos in the playlist here.

Salt
Salt
July 23, 2019

What Moving To the Bay Area Taught Me About Loving My Pentesting Tools

Most app security engineers I’ve met have settled down and found their special one. They stick with that one, stay committed, and never have a second thought about another. I’m talking about Burp and Fiddler.

Salt
Salt
December 6, 2018

Tags

API Attack Analysis
API Attack Methodology
API Attack Prevention
API Security 101
API Security Strategy
API Vulnerability Analysis
Awards
CISO
Company Updates
Compliance
Customers
Events
Financial Services
OWASP API Top 10
Product Updates
Research
Salt Labs
Technology Partners
Video
Webinar
Clear filters

Posts by

Adam Fisher
Ahuvy Mrad
Aviad Carmel
Brett Robinson
Chris Westphal
Elad Koren
Eran Atias
Gilad Barzilay
Gilad Gruber
Hadar Freehling
Jennifer Dignum
Jon Peppler
Mandy Kelley
Michael Isbitski
Michael Nicosia
Michelle McLean
Nick Rago
Ran Barth
Renee Hollinger
Roey Eliyahu
Salt
Salt Labs
Sara Tierno
Shiran Yodev
Stephanie Best
Sunil Dutt
Yaniv Balmas