Exposure x threat
5/1/2023

By their very nature, APIs enable access to large amounts of data, potentially sensitive customer data, while bypassing browser precautions. No longer is it sufficient to focus on SQL injection and XSS issues. Instead, you should be concerned with bad actors who can paginate through all of your customers’ records and their associated data. Typical prevention mechanisms like Captchas and browser fingerprinting won’t work, since by design, APIs must handle a vast number of API calls for each consumer.

So, where do you start? The first thing is to put yourself in the shoes of a hacker. Then, instrument your APIs to detect and block common attacks along with unknowns for zero-day exploits.

Below, we’ll cover nine of the most common API threats, and discuss how to avoid them altogether. Some of these are on the OWASP Security API list, but not all.

Most APIs provide access to resources that are lists of entities such as /users or /widgets. A client such as a browser would typically filter and paginate through this list to limit the number of items returned to a client like so:

First Call: GET /items?skip=0&take=10

However, if that entity has any PII or other information, then a hacker could scrape that endpoint to get a dump of all entities in your database. This could be most dangerous if those entities accidentally exposed PII or other sensitive information, but could also be hazardous in providing competitors or others with adoption and usage stats for your business or give scammers a way to access large email lists. For example, see how Venmo data was scraped here.

A naive protection mechanism would be to check the take count and throw an error if greater than 100 or 1000.
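The take-count cap described above only bounds a single request; a client can still walk the whole collection by advancing skip one page at a time. As an added example (not code from the original post or from its author), the following Python shows both pieces a defender would want: the per-request cap on take, and detection logic that runs over access-log lines and flags an API key that fetches consecutive pages of /items until it exceeds a threshold within a short window. The log format, the key names and the thresholds are constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (assumed format: ip, api key, unix ts,
# request line). One browser session pages normally; one key enumerates.
SAMPLE_LOG = """\
10.0.0.5 key=app-web 1682900000 GET /items?skip=0&take=10
10.0.0.5 key=app-web 1682900004 GET /items?skip=10&take=10
10.0.0.9 key=k-1234 1682900000 GET /items?skip=0&take=100
10.0.0.9 key=k-1234 1682900001 GET /items?skip=100&take=100
10.0.0.9 key=k-1234 1682900002 GET /items?skip=200&take=100
10.0.0.9 key=k-1234 1682900003 GET /items?skip=300&take=100
10.0.0.9 key=k-1234 1682900004 GET /items?skip=400&take=100
10.0.0.9 key=k-1234 1682900005 GET /items?skip=500&take=100
"""

LINE_RE = re.compile(
    r"^(\S+) key=(\S+) (\d+) GET /items\?skip=(\d+)&take=(\d+)$"
)

MAX_TAKE = 100  # the "naive" per-request page-size cap from the article


def validate_take(take: int) -> bool:
    """Per-request check: reject page sizes that are zero, negative or above MAX_TAKE."""
    return 0 < take <= MAX_TAKE


def parse(log_text: str):
    """Turn log lines into (api_key, timestamp, skip, take) tuples; skip non-matching lines."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _ip, key, ts, skip, take = m.groups()
            rows.append((key, int(ts), int(skip), int(take)))
    return rows


def find_enumerators(rows, window_s: int = 60, max_items: int = 300):
    """Flag API keys that fetch more than max_items entities through a run of
    consecutive pages (each skip equals the previous skip + take) inside window_s.

    Returns {api_key: largest run size seen} for flagged keys.
    """
    by_key = defaultdict(list)
    for key, ts, skip, take in rows:
        by_key[key].append((ts, skip, take))

    flagged = {}
    for key, reqs in by_key.items():
        reqs.sort()  # order by timestamp
        run_start = reqs[0][0]            # timestamp of first request in the run
        run_items = reqs[0][2]            # entities fetched so far in the run
        next_skip = reqs[0][1] + reqs[0][2]
        for ts, skip, take in reqs[1:]:
            if skip == next_skip and ts - run_start <= window_s:
                run_items += take         # still walking the collection in order
            else:
                run_start, run_items = ts, take   # run broken: start a fresh one
            next_skip = skip + take
            if run_items > max_items:
                flagged[key] = max(run_items, flagged.get(key, 0))
    return flagged


if __name__ == "__main__":
    print("take=10 allowed:", validate_take(10))
    print("take=1000 allowed:", validate_take(1000))
    print("enumerating keys:", find_enumerators(parse(SAMPLE_LOG)))
```

The per-request cap stays useful as a floor, but the run detector is what catches a client that respects the cap and simply keeps incrementing skip; in practice the flagged key would feed a rate limiter or an alert rather than just a printout, and the thresholds should be tuned to the collection sizes a legitimate consumer actually needs.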