2. APIs without authentication
API1:2019 Broken Object-Level Authorization
This is when an API returns sensitive data to a user who doesn't have permission to access that data.
[Figure: two requests, api/userID/20905 and api/userID/20804, each returning a different user's record (BOB and John)]
3. API2:2019 Broken User Authentication
[Figure: an attacker uses credential stuffing with a stolen password database against the API endpoints]
4. API3:2019 Excessive Data Exposure
This is when an API is designed to expose all sensitive data without proper filtering.
[Figure: Sam sends GET /api/userprofile to the Application Server, which returns the Database Server's full result set, including Name, Card No. and SSN for Sam, John and other users]
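Items 2 and 4 above describe two failures of the same handler: it trusts the object ID in the URL, and it returns the whole database row. The following is an added example (not part of the infographic or Indusface's own code) showing the vulnerable lookup beside a hardened one that checks the caller against the requested object and returns only masked, allow-listed fields; the user table, the Principal type and the sample values are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample records standing in for the database. Field names mirror
# the infographic's response (Name, Card No., SSN); values are placeholders.
USERS = {
    20905: {"name": "BOB", "card_no": "0000000000001234", "ssn": "000-00-0001"},
    20804: {"name": "John", "card_no": "0000000000005467", "ssn": "000-00-0002"},
}


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as established by an auth layer assumed to
    run before this handler (not shown)."""
    user_id: int
    is_admin: bool = False


def vulnerable_get_user(target_id: int) -> Optional[dict]:
    """The BOLA pattern from the infographic: whoever supplies an ID receives
    that user's full record, sensitive fields included."""
    return USERS.get(target_id)


def get_user(caller: Principal, target_id: int) -> Tuple[int, dict]:
    """Hardened handler. Returns (HTTP status, response body).

    1. Object-level authorization: the (caller, object) pair is checked on
       every request, not just the caller's authentication.
    2. Response filtering: only a server-side allow-list of fields is
       returned, and card number / SSN leave the server only in masked form.
    """
    record = USERS.get(target_id)
    if record is None:
        return 404, {"error": "not found"}
    if caller.user_id != target_id and not caller.is_admin:
        # Deny by default, and record who tried to read what so the attempt
        # is visible to monitoring (item 12 on this page).
        print(f"audit: user {caller.user_id} denied read of user {target_id}")
        return 403, {"error": "forbidden"}
    return 200, {
        "name": record["name"],
        "card_last4": record["card_no"][-4:],
        "ssn_last4": record["ssn"][-4:],
    }
```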
5. API4:2019 Lack of Resources & Rate Limiting
When there is no restriction on the number of requests made by users, APIs can be vulnerable to brute force and DDoS attacks.
9. API7:2019 Security Misconfiguration
An API component is susceptible to attack due to a nonsecure configuration option. Examples shown:
Unhardened images
HTTP headers
HTTP
CORS
Open files and folders
Verbose errors
10. API8:2019 Injection
Attackers send malicious data to an API that passes it into the database.
[Figure: a User and an Attacker each submit the login form (User ID, Password) to the Server, which builds its query from the submitted values]
Query built from the user's login:
    Select * from users WHERE userID = '1199' and password = 'secretpw';
Query built from the attacker's login:
    Select * from users WHERE userID = '1199' and password = '' or 1=1;
11. API9:2019 Improper Assets Management
Attackers may break into the current API by exploiting the vulnerability on the staging API if it is left unmanaged.
[Figure: Beta API alongside Production API]
12. API10:2019 Insufficient Logging & Monitoring
This occurs when auditable events inside an API are not recorded.
[Figure: a login form (user name, LOG IN, Forgot Password) under attack; with properly set up logging the system reports "New Threat Detected!", with insufficient logging it reports "All Good!" while the attack is in progress]
13. Scan & Protect Your APIs Today!
API Discovery, API Vulnerability Scanning, DDoS & Bot Mitigation, API Pen Testing, OWASP Top 10 Protection.
Start your free trial at indusface.com/api