
OWASP API Security Project

61 open issues in API-Security

> Authorization: Why are there 6 of 10 issues related to authorization? 1, 3, 4, 5, 8, and 10 are all problems with authorization. Can we combine these? It doesn't...

2023RC

The first bullet of How to Prevent is "Use container-based solutions that make it easy to limit memory, CPU, ...". Containers are only one way of achieving limits; you could...

enhancement
2023RC

The initial table (middle row) states that "Detection relies on proper logging and monitoring." Without going into specific vendor solutions and detections (which I do not believe should be encouraged...

2023RC

Under the "Is the API Vulnerable?" section, two examples appear that IMO are out of scope for this category: 1. Interacts with other APIs over an unencrypted channel. This conflicts with API7:2023...

2023RC

The API's underlying configuration should be protected and should not be left open, with Spring Actuator as an example. For example, heapdump and threaddump will result in a dump of credentials and history. This...
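As an added illustration of the point raised in this issue (not part of the issue text or of the OWASP project's own material), the following Spring Boot `application.properties` fragment shows the weak exposure setting beside a hardened one. The property names are standard Spring Boot Actuator keys; the choice of which endpoints to keep (`health`, `info`) is an assumption for the example.

```properties
# --- Weak: every actuator endpoint is reachable over HTTP on the application port.
# With this setting, GET /actuator/heapdump returns a full JVM heap (live secrets,
# session tokens, request history) and /actuator/threaddump reveals internal state.
# management.endpoints.web.exposure.include=*

# --- Hardened: expose only what operators actually need over the web.
management.endpoints.web.exposure.include=health,info

# Disable the endpoints that dump process memory or environment outright, so they
# cannot be re-exposed by a later change to the include list.
management.endpoint.heapdump.enabled=false
management.endpoint.threaddump.enabled=false
management.endpoint.env.enabled=false
management.endpoint.configprops.enabled=false

# Serve whatever remains on a separate management port that is not published
# through the public API ingress (port value is an assumption for the example).
management.server.port=8081
```

The remaining endpoints should still sit behind the application's normal authentication (for example a Spring Security rule on `/actuator/**`); restricting exposure limits what is reachable, it does not by itself authenticate the caller.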

Assuming scores are based on the way previous Top 10s have worked: ((Exploitability + Prevalence + Detectability)/3) * Technical impact. The entries aren't in the correct order.

2023RC

In the “How to Prevent” section there is a bullet around human detection. This prevention I don’t believe to be a viable option in an API, as ultimately it is...

enhancement
2023RC

While the **How to Prevent** section in the documentation calls out the use of allowlists, in practice it is often infeasible to "lock down" network access due to the possibility of...

enhancement
2023RC