Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/JBAhire/awesome-api-security-essentials

Awesome API Security: A Curated Collection of Resources for Bulletproof API Protection!
https://github.com/JBAhire/awesome-api-security-essentials

List: awesome-api-security-essentials

Last synced: about 1 month ago
JSON representation

Awesome API Security: A Curated Collection of Resources for Bulletproof API Protection!

Awesome Lists containing this project

README

        

Logo

# Awesome API Security Essentials

## πŸš€ About the Project
As more applications rely on APIs for communication and data exchange, ensuring their security is crucial to prevent unauthorized access, data breaches, and service disruptions. The "Awesome API Security Essentials" project aims to be a one-stop resource for developers, providing them with everything they need to implement comprehensive API security measures.

It provides:

- **Comprehensive API security resources** - articles, tutorials, and whitepapers
- **Curated tools, libraries, and frameworks** for implementation and testing
- **Best practices, guidelines, and recommendations** for secure API design
- **Community-driven contributions and updates** for continuous improvement
- **Detailed explanations and use cases** for better understanding and application

## πŸ’₯ News
> OWASP API Top 10 - 2023 Released.
> Find more about the release and updates here: https://owasp.org/API-Security/editions/2023/en/0x11-t10/

## 🎳 OWASP API Top 10 2023
| **OWASP API Top 10 - 2023** | **Why?** |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [API1:2023 - Broken Object Level Authorization](https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/) | API endpoints often expose object identifiers, which can be manipulated by unauthorized users. It's critical to verify permissions for each request. |
| [API2:2023 - Broken Authentication](https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/) | If authentication is implemented poorly, attackers can hijack user sessions or impersonate users. Always verify the user's identity in a secure way. |
| [API3:2023 - Broken Object Property Level Authorization](https://owasp.org/API-Security/editions/2023/en/0xa3-broken-object-property-level-authorization/) | APIs must also verify permissions for individual object properties. Without this, attackers can access or manipulate data they shouldn't have access to. |
| [API4:2023 - Unrestricted Resource Consumption](https://owasp.org/API-Security/editions/2023/en/0xa4-unrestricted-resource-consumption/) | APIs need to handle resource limitations effectively. If not managed properly, excessive requests can lead to service outages or increased operational costs. |
| [API5:2023 - Broken Function Level Authorization](https://owasp.org/API-Security/editions/2023/en/0xa5-broken-function-level-authorization/) | APIs must manage user roles and permissions correctly. If not, users could gain unauthorized access to certain functionalities. |
| [API6:2023 - Unrestricted Access to Sensitive Business Flows](https://owasp.org/API-Security/editions/2023/en/0xa6-unrestricted-access-to-sensitive-business-flows/) | APIs should protect business operations. Without protection, automated or excessive usage of business functionalities could cause damage. |
| [API7:2023 - Server Side Request Forgery](https://owasp.org/API-Security/editions/2023/en/0xa7-server-side-request-forgery/) | APIs must validate external resource requests to prevent attackers from forcing the server to send requests to unauthorized locations. |
| [API8:2023 - Security Misconfiguration](https://owasp.org/API-Security/editions/2023/en/0xa8-security-misconfiguration/) | API settings should be configured properly. Neglecting to do so can leave vulnerabilities that attackers can exploit. |
| [API9:2023 - Improper Inventory Management](https://owasp.org/API-Security/editions/2023/en/0xa9-improper-inventory-management/) | APIs must maintain accurate and updated documentation of all available endpoints to prevent the exposure of deprecated or debug endpoints. |
| [API10:2023 - Unsafe Consumption of APIs](https://owasp.org/API-Security/editions/2023/en/0xaa-unsafe-consumption-of-apis/) | Developers should be careful when using third-party APIs and not trust them blindly. Attackers could exploit these third-party services to compromise your API. |

## πŸ“š Books
| **Book Name** | **Description** | **Short Summary** |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [API Security in Action](https://www.manning.com/books/api-security-in-action) | A comprehensive guide to API security principles and techniques by Neil Madden. | This book provides a comprehensive exploration of API security principles and practices, with a focus on securing RESTful and GraphQL APIs. It covers a wide range of topics, including handling authentication, authorization, and audit, as well as protecting data at rest and in transit. Through detailed examples and case studies, readers will gain a deep understanding of how to implement robust security measures for their APIs. |
| [Hacking APIs](https://www.google.co.in/books/edition/Hacking_APIs/gHpPEAAAQBAJ?hl=en&gbpv=0) | A practical guide on Breaking Web Application Programming Interfaces. | Hacking APIs is a crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure. |
| [RESTful API Design: Best Practices in API Design with REST](https://www.amazon.in/dp/B01L6STMVW?ref=KC_GS_GB_IN) | A book focusing on RESTful API design principles, including security considerations, by Matthias Biehl. | Focusing on the principles of designing scalable, maintainable, and high-performing RESTful APIs, this book provides guidance on versioning, pagination, and error handling. It also presents industry-proven patterns and anti-patterns to help readers avoid common pitfalls. With practical examples, readers will be able to apply these principles to their own API design projects. |
| [OAuth 2.0: Getting Started in API Security](https://www.amazon.in/OAuth-2-0-Getting-Security-University/dp/1507800916) | A practical guide to OAuth 2.0 and API security by Matthias Biehl. | An introductory guide to OAuth 2.0 and its role in API security, this book offers an overview of various OAuth 2.0 flows and use cases. It provides step-by-step guidance on implementing OAuth 2.0 and shares tips for maintaining security and performance. With this book, readers can confidently apply OAuth 2.0 to protect their APIs. |
| [GraphQL in Action](https://www.manning.com/books/graphql-in-action) | A book covering GraphQL API design, development, and security best practices by Samer Buna. | This comprehensive guide to GraphQL implementation explores the GraphQL query language and schema design, along with strategies for securing GraphQL APIs. Through real-world case studies and examples, readers will gain a thorough understanding of how to use GraphQL in their projects while ensuring robust security measures are in place. |
| [Practical API Architecture and Development with Azure and AWS](https://www.amazon.in/Practical-Architecture-Development-Azure-Implementation/dp/1484235541) | A book on API architecture and development, including security considerations, for both Azure and AWS by Thurupathan Vijayakumar. | This book offers a hands-on approach to API architecture and development using Azure and AWS platforms. It covers topics such as API design, development, deployment, and management, with a focus on integrating cloud-based services. Readers will learn how to leverage the capabilities of these platforms to create efficient, secure, and scalable APIs. |
| [API Management: An Architect's Guide to Developing and Managing APIs for Your Organization](https://www.amazon.com/API-Management-Architects-Developing-Organization/dp/1484213068) | A book by Brajesh De that includes API security aspects and best practices. | This book offers valuable insights into developing and managing APIs for organizations, with a focus on the architectural aspects of API management. It covers topics such as API design, development, security, and governance, providing practical guidance on creating efficient and secure APIs that align with organizational goals. |
| [Advanced API Security: OAuth 2.0 and Beyon](https://www.amazon.in/Advanced-API-Security-OAuth-Beyond-ebook/dp/B082WRYJJM/ref=sr_1_2?qid=1683721842&s=books&sr=1-2) | A book by Prabath Siriwardena that focuses on OAuth 2.0 and OpenID Connect protocols for API security. | This book provides an in-depth exploration of API security, with a focus on OAuth 2.0 and OpenID Connect protocols. It offers a detailed understanding of these protocols and their implementation, helping readers master the intricacies of API security. By the end of this book, readers will be well-versed in using OAuth |

## πŸ‘» Breaches

| # | Incident | Year | Impacted Users | Primary Reason | Vulnerability | Remediation | Avoidance | Source |
| -- | --------------------- | ----------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1 | Parler API hack | 2021 | Millions | Lack of authentication for the API | Unauthenticated access to sensitive data | Reimburse affected users and implement proper authentication mechanisms for the API | Use tokens or passwords to secure the API | [The Parler Hack Is a Reminder: The End-to-End Encryption Debate Isn’t Going Away](https://www.wired.com/story/parler-hack-end-to-end-encryption-debate/) |
| 2 | Peloton breach | 2021 | Millions | Misconfigured API that did not enforce proper access control policies for user data | Unauthorized access to user data without authentication | Notify affected users and implement authentication and authorization mechanisms for the API | Use tokens or roles to secure the API | [Peloton’s leaky API let anyone grab riders’ private account data](https://techcrunch.com/2021/05/05/peloton-api-account-data-leak/) |
| 3 | Experian breach | 2020 (reported in 2021) | Millions | Lack of validation for the API requests that enabled unauthorized access to credit scores | Unauthorized access to credit scores by entering a name and an address | Notify affected users and implement validation mechanisms for the API requests | Verify identity or require additional information to access the API | [Experian’s Credit Freeze Security is Still a Joke](https://krebsonsecurity.com/2020/08/experians-credit-freeze-security-is-still-a-joke/) |
| 4 | John Deere breach | 2021 (reported in 2022) | Thousands | Lack of authorization for the API requests that enabled unauthorized access to customer data | Unauthorized access to customer data by entering a serial number of a John Deere product | Notify affected customers and implement authorization mechanisms for the API requests | Verify ownership or require authentication tokens to access the API | [John Deere security flaw lets anyone download sensitive files from its site](https://www.vice.com/en/article/epn5jw/john-deere-security-flaw-lets-anyone-download-sensitive-files-from-its-site) |
| 5 | Microsoft breach | 2022 | Millions | Flaw in the authentication system that enabled unauthorized access to the API. Accessing Microsoft’s API and downloading data from various products using stolen credentials obtained from phishing emails. | Unautheticated access | Implement a more robust authentication system, such as using multi-factor authentication or passwordless authentication. Encrypt data in transit and at rest. | Validate all requests and responses. Limit the number and frequency of requests. Log all API activity and audit regularly. Educate users about phishing and how to protect their accounts. | [Microsoft says it thwarted recent cyberattack from group it calls β€˜Lapsus$’](https://www.cnn.com/2022/03/20/tech/microsoft-cyberattack/index.html) |
| 6 | Clubhouse | 2021 | Unknown | Public API access | Exposed user data | Implemented rate limits and added additional security measures | Regularly review and restrict API access | [Cybernews]([https://cybernews.com/security/clubhouse-data-leak-1-3-million-user-records-leaked-for-free/](https://cybernews.com/security/clubhouse-data-leak-1-3-million-user-records-leaked-for-free/)) |
| 7 | Twitter | 2020 | 130 accounts | Social engineering attack | Insufficient internal control | Improved internal security measures and employee training | Implement strong access control and employee training | [Twitter Blog](https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident.html) |
| 8 | Robinhood | 2020 | 2,000 | Unauthorized access | Compromised API tokens | Investigated the issue and implemented additional security measures | Properly secure sensitive data, including API tokens | [Bloomberg](https://www.bloomberg.com/news/articles/2020-10-15/robinhood-says-some-customer-accounts-may-have-become-target) |
| 9 | Garmin | 2020 | Unknown | Ransomware attack | Compromised API access | Garmin reportedly paid the ransom to restore their services and regain access to their data. | Regularly update and patch software, monitor API access, and implement strong authentication and encryption mechanisms. | [ZDNet](https://www.zdnet.com/article/garmin-services-and-production-go-down-after-ransomware-attack/) |
| 10 | MGM Resorts | 2020 | 10.6 million | Unauthorized access | Exposed API keys | MGM Resorts notified affected users, offered credit monitoring services, and improved network security. | Implement network segmentation, regular security audits, and use strong API access controls. | [ZDNet](https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/) |
| 11 | SolarWinds | 2020 | Unknown | Supply chain attack | Compromised API access | SolarWinds released a series of patches and updates to secure their software and network. | Regularly audit and monitor third-party software, implement strong authentication, and use the principle of least privilege. | [SolarWinds](https://www.solarwinds.com/securityadvisory) |
| 12 | EasyJet | 2020 | 9 million | Unauthorized access | Exposed API keys | EasyJet notified affected customers, advised them to change their passwords, and increased security measures. | Monitor API usage, implement multi-factor authentication, and conduct regular security audits. | [BBC](https://www.bbc.com/news/technology-52722626) |
| 13 | Marriott | 2020 | 5.2 million | Unauthorized access | Compromised API access | Marriott disabled the affected API and notified affected customers, offering identity protection services. | Regularly monitor and audit API access, implement strong authentication mechanisms, and encrypt sensitive data.
| [Marriott](https://marriott.gcs-web.com/news-releases/news-release-details/marriott-international-update-on-property-system-security) |
| 14 | Nintendo | 2020 | 300,000 | Unauthorized access | Exposed API keys | Nintendo reset passwords for affected accounts and advised users to enable two-factor authentication. | Implement strong authentication measures, monitor API usage, and educate users about password security. | [Nintendo](https://en-americas-support.nintendo.com/app/answers/detail/a_id/49167/) |
| 15 | Zoom | 2020 | 500,000 | Unauthorized access | Exposed API keys | Zoom disabled the affected API and increased security measures. | Regularly audit API access, encrypt sensitive data, and implement strong authentication mechanisms. | [Bleeping Computer](https://www.bleepingcomputer.com/news/security/500-000-zoom-accounts-sold-on-hacker-forums-the-dark-web/) |
| 16 | First American Corp | 2019 | 885 million | Misconfiguration of API | IDOR | Fixed the misconfiguration and conducted a thorough investigation | Regular security audits and testing for misconfigurations | [KrebsOnSecurity](https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/) |
| 17 | JustDial | 2019 | 100 million | Unsecured API | Lack of authentication | Secured the API and conducted an internal review | Implement proper access controls and authentication measures | [The Economic Times](https://economictimes.indiatimes.com/tech/internet/justdial-affected-by-data-breach-of-100-million-users/articleshow/68883453.cms) |
| 18 | Capital One | 2019 | 106 million | Unauthorized access | Misconfigured firewall | Fixed the misconfiguration and conducted a thorough investigation | Regular security audits and testing for misconfigurations | [Capital One](https://www.capitalone.com/facts2019/) |
| 19 | DoorDash | 2019 | 4.9 million | Unauthorized access | Exposed API keys | DoorDash added protective security layers and improved security protocols. | Regularly audit API access, implement strong authentication mechanisms, and encrypt sensitive data. | [DoorDash Blog](https://blog.doordash.com/important-security-notice-about-your-doordash-account-34b2b7d89a58) |
| 20 | Canva | 2019 | 137 million | Unauthorized access | Exposed API keys | Canva notified affected users and reset their passwords, enhancing security measures. | Implement multi-factor authentication, monitor API access for unusual activity, and encrypt sensitive data. | [ZDNet](https://www.zdnet.com/article/data-for-roughly-139-million-users-has-been-taken-from-canva/) |
| 21 | Zynga | 2019 | 218 million | Unauthorized access | Exposed API keys | Zynga notified affected users, reset their passwords, and enhanced security measures.
| Regularly audit API access, implement strong authentication mechanisms, and encrypt sensitive data. | [The Hacker News](https://thehackernews.com/2019/09/zynga-game-data-breach.html) |
| 22 | Facebook | 2018 | 87 million | Misuse of API | Inadequate API access control | Facebook tightened API access and implemented regular audits | Regularly review and restrict API access for third-party apps | [Facebook Newsroom](https://about.fb.com/news/2018/04/restricting-data-access/) |
| 23 | Instagram | 2018 | 14 million | API vulnerability | Exposed user data | Patched the vulnerability and notified affected users | Regular security testing and monitoring of API endpoints | [The Information](https://www.theinformation.com/articles/instagram-exposed-data-on-millions-of-users) |
| 24 | T-Mobile | 2018 | 2 million | API vulnerability | Insecure API endpoint | Patched the vulnerability and notified affected customers | Regular security testing and monitoring of API endpoints | [T-Mobile](https://www.t-mobile.com/customers/6305378827) |
| 25 | Panera Bread | 2018 | 37 million | Unsecured API | Exposed customer data | Secured the API and conducted an internal review | Implement proper access controls and authentication measures | [KrebsOnSecurity](https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/) |
| 26 | Venmo | 2018 | 207 million | Public API access | Exposed transaction data | Limited API access and updated privacy settings | Regularly review and restrict API access | [Wired](https://www.wired.com/story/venmo-transaction-public-by-default/) |
| 27 | Exactis | 2018 | 340 million | Unsecured API | Exposed personal data | Secured the API and conducted an internal review | Implement proper access controls and authentication measures | [Wired](https://www.wired.com/story/exactis-database-leak-340-million-records/) |
| 28 | Google+ | 2018 | 500,000 | API vulnerability | Exposed user data | Patched the vulnerability and shut down Google+ | Regular security testing and monitoring of API endpoints | [Google Blog](https://www.blog.google/technology/safety-security/project-strobe/) |
| 29 | HealthEngine | 2018 | 59,600 | API vulnerability | Exposed patient data | Patched the vulnerability and notified affected users | Regular security testing and monitoring of API endpoints | [ABC News](https://www.abc.net.au/news/2018-06-25/healthengine-sharing-patients-information-with-lawyers/9905554) |
| 30 | USPS | 2018 | 60 million | Unsecured API | Exposed user data | Secured the API and conducted an internal review | Implement proper access controls and authentication measures | [KrebsOnSecurity](https://krebsonsecurity.com/2018/11/usps-site-exposed-data-on-60-million-users/) |
| 31 | Strava | 2018 | Unknown | Public API access | Exposed user location data | Updated privacy settings and restricted API access | Regularly review and restrict API access | [The Guardian](https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases) |
| 32 | British Airways | 2018 | 380,000 | Unauthorized access | Compromised API access | British Airways notified affected customers, offered credit monitoring services, and improved security measures. | Implement strong API access controls, use encryption, and conduct regular security audits and assessments. | [ICO](https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/british-airways-update/) |
| 33 | Uber | 2016 | 57 million | Unauthorized access | Exposed API keys | Secured API keys and implemented stronger access controls | Properly secure sensitive data, including API keys | [Uber Newsroom](https://www.uber.com/newsroom/2016-data-incident/) |
| 34 | Microsoft Code Spaces | 2014 | Unknown | Unauthorized access | Exposed API keys | Shut down Code Spaces and encouraged stronger access controls | Properly secure sensitive data, including API keys | [Ars Technica](https://arstechnica.com/information-technology/2014/06/aws-console-breach-leads-to-demise-of-service-with-proven-backup-plan/) |
| 35 | Snapchat | 2014 | 4.6 million | API vulnerability | Exposed user data | Patched the vulnerability and improved security measures | Regular security testing and monitoring of API endpoints | [Gizmodo](https://gizmodo.com/snapchat-leak-4-6-million-usernames-and-phone-numbers-1491407235) |

## πŸ” Vulnerable APIs
| # | Name | Link | Short Description | Vulnerabilities | Maintainer | Active |
| -- | ----------- | ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------- | ------ |
| 1 | OWASP crAPI | [GitHub](https://github.com/OWASP/crAPI) | A vulnerable API designed for learning API security practices | SQL Injection, Broken Authentication, Sensitive Data Exposure, XML External Entity (XXE), Broken Access Control, Security Misconfiguration, CORS Misconfigurations | OWASP | Yes |
| 2 | Vampi | [GitHub](https://github.com/erev0s/VAmPI) | VAmPI is a vulnerable API made with Flask and it includes vulnerabilities from the OWASP top 10 vulnerabilities for APIs. | SQL Injection, Broken Authentication, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), Insecure Direct Object Reference (IDOR) | [erev0s](https://github.com/erev0s) | Yes |
| 3 | VAPI | [GitHub](https://github.com/roottusk/vapi) | A vulnerable PHP API for security testing | SQL Injection, Broken Authentication, Sensitive Data Exposure, Insecure Deserialization, Broken Access Control, Security Misconfiguration | [Tushar Kulkarni](https://github.com/roottusk) | Yes |
| 4 | DVNA | [GitHub](https://github.com/appsecco/dvna) | Damn Vulnerable Node.js Application with insecure APIs | SQL Injection, Broken Authentication, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), Insecure Direct Object Reference (IDOR) | Appsecco | Yes |
| 5 | WebGoat | [GitHub](https://github.com/WebGoat/WebGoat) | A deliberately insecure web app for security training | SQL Injection, Broken Authentication, Sensitive Data Exposure, XML External Entity (XXE), Broken Access Control, Security Misconfiguration, CORS Misconfigurations | OWASP | Yes |
| 6 | Juice Shop | [GitHub](https://github.com/juice-shop/juice-shop) | A modern, intentionally insecure web application | SQL Injection, Broken Authentication, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), Insecure Direct Object Reference (IDOR) | OWASP | Yes |
| 7 | Gruyere | [Google](https://google-gruyere.appspot.com/) | A web application with security holes used for training | SQL Injection, Broken Authentication, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), Insecure Direct Object Reference (IDOR) | Google | Yes |
| 8 | Railsgoat | [GitHub](https://github.com/OWASP/railsgoat) | A vulnerable Ruby on Rails application for learning security | SQL Injection, Broken Authentication, Sensitive Data Exposure, Insecure Deserialization, Broken Access Control, Security Misconfiguration | OWASP | Yes |
| 9 | Mutillidae | [GitHub](https://github.com/webpwnized/mutillidae) | A deliberately vulnerable set of PHP scripts | SQL Injection, Broken Authentication, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), Insecure Direct Object Reference (IDOR) | Webpwnized | Yes |
| 10 | NodeGoat | [GitHub](https://github.com/OWASP/NodeGoat) | A Node.js/Express app with security vulnerabilities | SQL Injection, Broken Authentication, Sensitive Data Exposure, XML External Entity (XXE), Broken Access Control, Security Misconfiguration, CORS Misconfigurations | OWASP | Yes |
| 11 | Hackazon | [GitHub](https://github.com/Rapid7/hackazon) | A modern, vulnerable e-commerce web app | SQL Injection, Broken Authentication, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), Insecure Direct Object Reference (IDOR) | Rapid7 | Yes |
| 12 | BadStore | [SourceForge](http://www.badstore.net/) | A vulnerable e-commerce web app for security training | SQL Injection, Broken Authentication, Sensitive Data Exposure, Insecure Deserialization, Broken Access Control, Security Misconfiguration | [Badstore.net](http://Badstore.net) | Yes |
| 13 | GoatDroid | [GitHub](https://github.com/jackMannino/OWASP-GoatDroid-Project) | A vulnerable Android app with insecure APIs | SQL Injection, Broken Authentication, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), Insecure Direct Object Reference (IDOR) | OWASP | Yes |
| 14 | AltoroJ | [IBM](http://www.altoromutual.com/) | A vulnerable Java web app for learning application security | SQL Injection, Broken Authentication, Sensitive Data Exposure, Insecure Deserialization, Broken Access Control, Security Misconfiguration | IBM | Yes |
| 15 | Hackademic | [GitHub](https://github.com/Hackademic/hackademic) | A vulnerable web app to learn and practice web application security | SQL Injection, Broken Authentication, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), Insecure Direct Object Reference (IDOR) | Hackademic | Yes |

## βš”οΈ OWASP API Top 10 2019 vs OWASP API Top 10 2023

| **OWASP API Top 10 2019** | **OWASP API Top 10 2023** | **Changes** |
|-------------------------------------------------|-------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| API1:2019 - Broken Object Level Authorization | API1:2023 - Broken Object Level Authorization | No significant changes, both versions focus on issues related to object identifiers and object level access control. |
| API2:2019 - Broken User Authentication | API2:2023 - Broken Authentication | Slight changes in the naming, but the core issue remains the same - problems with the implementation of authentication mechanisms. |
| API3:2019 - Excessive Data Exposure | API3:2023 - Broken Object Property Level Authorization | The 2023 issue combines the 2019 Excessive Data Exposure and 2019 Mass Assignment to focus on authorization validation at the object property level. |
| API4:2019 - Lack of Resources & Rate Limiting | API4:2023 - Unrestricted Resource Consumption | Similar focus on resource consumption but the 2023 version adds the aspect of resources made available by third-party API integrations. |
| API5:2019 - Broken Function Level Authorization | API5:2023 - Broken Function Level Authorization | No significant changes, both versions focus on the issues with access control policies and different user roles. |
| API6:2019 - Mass Assignment | API6:2023 - Unrestricted Access to Sensitive Business Flows | The 2023 version expands the focus to include the harm to business from automated excessive use of a function, not necessarily resulting from implementation bugs. |
| API7:2019 - Security Misconfiguration | API7:2023 - Server Side Request Forgery | The 2023 version focuses on a specific type of attack – Server-Side Request Forgery (SSRF), while the 2019 version had a broader focus on various misconfigurations. |
| API8:2019 - Injection | API8:2023 - Security Misconfiguration | The 2023 version shifts the Security Misconfiguration from 2019's API7, highlighting the issues related to configurations and best practices, while 2019's API8 was about various types of injection attacks. |
| API9:2019 - Improper Assets Management | API9:2023 - Improper Inventory Management | Both versions stress the importance of proper documentation and inventory of hosts and deployed API versions. The naming was changed to more accurately reflect the main concern. |
| API10:2019 - Insufficient Logging & Monitoring | API10:2023 - Unsafe Consumption of APIs | The 2023 version brings a new concern about trusting third-party APIs and weaker security standards, while the 2019 version focused on logging, monitoring, and incident response. |

## πŸ“ Cheatsheets
| Cheatsheet | Description |
|---------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|
| [OWASP API Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/API_Security_Cheat_Sheet.html) | A concise collection of API security best practices by OWASP. |
| [REST Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html) | A cheat sheet focused on security best practices for RESTful APIs. |
| [OAuth 2.0 Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OAuth2_Security_Cheat_Sheet.html) | A summary of the OAuth 2.0 security best practices by OWASP. |
| [JWT Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html) | A cheat sheet covering JSON Web Token (JWT) security best practices. |
| [GraphQL Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Security_Cheat_Sheet.html) | A cheat sheet outlining key security aspects and best practices for GraphQL APIs. |
| [HTTP Security Headers Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Security_Headers_Cheat_Sheet.html) | A summary of HTTP security headers and their usage for securing APIs. |
| [Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html) | A cheat sheet focused on input validation for APIs and web applications. |
| [Cross-Origin Resource Sharing (CORS) Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Origin_Resource_Sharing_Cheat_Sheet.html) | A guide to implementing and securing CORS for APIs and web applications. |
| [Content Security Policy (CSP) Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html) | A cheat sheet for implementing and securing Content Security Policy in APIs and web applications. |
| [API Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/API_Authentication_Cheat_Sheet.html) | A cheat sheet covering API authentication best practices. |

## βœ… Checklists
| Checklist | Description |
|---------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|
| [API Security Checklist](https://github.com/shieldfy/API-Security-Checklist) | A comprehensive checklist of API security best practices. |
| [OWASP API Security Top 10 Checklist](https://www.owasp.org/images/7/76/API_Security_Checklist.pdf) | A printable checklist based on the OWASP API Security Top 10. |
| [API Penetration Testing Checklist](https://www.owasp.org/images/3/37/OWASP_Testing_Checklist_for_APIs.pdf) | A checklist for conducting API security penetration testing. |
| [RESTful API Security Checklist](https://github.com/ozgurozturknet/REST-API-Security-Checklist) | A checklist of security best practices for RESTful APIs. |
| [API Security Audit Checklist](https://www.apicasystems.com/blog/api-security-audit-checklist/) | A checklist for auditing API security. |
| [OAuth 2.0 Security Checklist](https://www.oauth.com/playground/server-security) | A checklist of OAuth 2.0 security best practices. |
| [JSON Web Token (JWT) Security Checklist](https://auth0.com/docs/security/tokens/json-web-tokens/json-web-token-security) | A JWT security checklist provided by Auth0. |
| [GraphQL Security Checklist](https://github.com/graphql-community/graphql-security-checklist) | A collection of security best practices for GraphQL APIs. |
| [API Documentation Security Checklist](https://www.stoplight.io/api-security-checklist) | A checklist for ensuring the security of API documentation. |
| [API Security Self-Assessment Checklist](https://www.axway.com/en/checklist/api-security) | A self-assessment checklist for evaluating your organization's API security. |

## πŸ›€ API Security Learning Path

| **Month** | **Week** | **Topic** | **Resources** |
|-----------|----------|--------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Month 1 | 1 | Understanding APIs and their importance | [What is an API?](https://www.freecodecamp.org/news/what-is-an-api-in-english-please-b880a3214a82/) |
| | | | [RESTful API Design](https://restfulapi.net/) |
| | 2 | API Security Basics | [Why is API Security Important?](https://www.indusface.com/blog/what-is-api-security-and-why-is-it-important/) |
| | | | [API Security: Challenges and Solutions](https://www.cloudflare.com/learning/security/api/what-is-api-security/) |
| | 3 | Authentication and Authorization | [Introduction to OAuth 2.0](https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2) |
| | | | [Understanding JSON Web Tokens (JWT)](https://jwt.io/introduction/) |
| | 4 | API Security Best Practices | [API Security Best Practices](https://blogs.mulesoft.com/api-integration/api-security-threats-best-practices-solutions/) |
| | | | [OWASP API Security Top 10](https://owasp.org/www-project-api-security/) |
| Month 2 | 5 | Rate Limiting and Throttling | [Rate Limiting in APIs](https://www.cloudflare.com/learning/bots/what-is-rate-limiting/) |
| | | | [Throttling in APIs](https://www.tibco.com/reference-center/what-is-api-throttling#:~:text=API%20throttling%20is%20the%20process,click%20triggers%20an%20API%20call.) |
| | 6 | Input Validation and Sanitization | [Input Validation for APIs](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html) |
| | | | [Input Sanitization for APIs](https://cheatsheetseries.owasp.org/cheatsheets/Data_Validation_Cheat_Sheet.html) |
| | 7 | Transport Security | [Transport Security in APIs](https://developer.okta.com/books/api-security/tls/) |
| | | | [Using HTTPS for API Security](https://www.cloudflare.com/learning/ssl/why-use-https/) |
| | 8 | API Security Testing | [API Security Testing](https://www.soapui.org/learn/security/) |
| | | | [Top 10 API Security Testing Tools](https://www.techtarget.com/searchsecurity/tip/10-API-security-testing-tools-to-mitigate-risk) |
| Month 3 | 9 | Project 1 - Building a Secure RESTful API | [Tutorial: Build a Secure RESTful API](https://www.toptal.com/nodejs/secure-rest-api-in-nodejs) |
| | 10 | Project 2 - Implementing OAuth 2.0 and JWT | [Tutorial: Implement OAuth 2.0 and JWT](https://auth0.com/docs/quickstart/backend/nodejs) |
| | 11 | Project 3 - API Security Audit | [API Security Audit Checklist](https://github.com/shieldfy/API-Security-Checklist) |

## πŸŽ₯ Playlists

| ****Playlist Name**** | ****Link**** |
|------------------------------------|----------------------------------------------------------------------------------|
| API Security: What & How? | [Link](https://youtube.com/playlist?list=PLKUnjn-fSXRTy8sPPXGrNNBDPVOOi3U49) |
| Everything API Hacking | [Link](https://youtube.com/playlist?list=PLbyncTkpno5HqX1h2MnV6Qt4wvTb8Mpol) |
| OWASP API Security Top 10 | [Link](https://www.youtube.com/playlist?list=PLyqga7AXMtPPuibxp1N0TdyDrKwP9H_jD) |
| API Security deep dive | [Link](https://youtube.com/playlist?list=PLiUwrB-tuUUpJIQxo4qqHWKJBfFCTeqh9) |
| REST API Security | [Link](https://youtube.com/playlist?list=PLSId5Ee-5md9FdqzaLrnB30k7Z4YPjBAk) |
| API security | [Link](https://youtube.com/playlist?list=PL4HR6c9eR2yLnBYYwZqhwiV4rhRN1S8f5) |
| API Security 101: Talks | [Link](https://youtube.com/playlist?list=PLwfL2EOOZ36weMxjo1Wk7bV4TFP08HBj9) |
| API Security in Microservice world | [Link](https://youtube.com/playlist?list=PLV47o9J4XHfmTL99nc2b4k-SPSVBF9MIq) |
| API Security essentials | [Link](https://youtube.com/playlist?list=PL8IDSDRZxCCANEpMNtod31YOI1JpB30Qt) |
| Understanding OAuth & API security | [Link](https://youtube.com/playlist?list=PLxeJU39M7tLG1-3UAa1_90YgN9_1bDag4) |

## πŸ— Specifications
| **Specification** | **Description** |
|------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|
| [OpenAPI Specification (OAS)](https://swagger.io/specification/) | A standard for describing and documenting RESTful APIs. |
| [JSON Web Tokens (JWT)](https://jwt.io/introduction) | A compact, URL-safe means of representing claims to be transferred between parties. |
| [OAuth 2.0](https://oauth.net/2/) | A widely-adopted authorization framework for securing API access. |
| [OpenID Connect](https://openid.net/connect/) | An identity layer built on top of OAuth 2.0 for authentication and single sign-on. |
| [GraphQL](https://graphql.org/) | A query language for APIs and a runtime for executing queries against your data. |
| [JSON:API](https://jsonapi.org/) | A specification for building APIs in JSON. |
| [HAL (Hypertext Application Language)](http://stateless.co/hal_specification.html) | A standard for describing RESTful APIs using hypermedia. |
| [API Blueprint](https://apiblueprint.org/) | A high-level API design language for describing and designing APIs. |
| [RAML (RESTful API Modeling Language)](https://raml.org/) | A language for describing and designing RESTful APIs in a human-readable format. |
| [WS-Security](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss) | A set of specifications for securing SOAP-based web services. |

## πŸŽ™ Podcast
| **Podcast** | **Description** |
|------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
| [The Secure Developer](https://www.heavybit.com/library/podcasts/the-secure-developer/) | A podcast that discusses security best practices for developers, including API security topics. |
| [Application Security Weekly](https://securityweekly.com/shows/appsec-weekly/) | A weekly podcast covering application security news, including API security updates. |
| [The New Stack Podcast](https://thenewstack.io/podcasts/) | A podcast that covers various technology topics, occasionally featuring API security discussions. |
| [The CyberWire Daily Podcast](https://thecyberwire.com/podcasts/daily-podcast) | A daily cybersecurity news podcast that occasionally discusses API security. |
| [Security Now](https://twit.tv/shows/security-now) | A weekly podcast discussing a wide range of security topics, including API security. |
| [Darknet Diaries](https://darknetdiaries.com/) | A podcast that tells true stories from the dark side of the internet, occasionally featuring episodes about API security incidents. |
| [Risky Business](https://risky.biz/netcasts/risky-business/) | A podcast that covers information security news and events, sometimes discussing API security. |
| [Smashing Security](https://www.smashingsecurity.com/) | A cybersecurity podcast that occasionally discusses API security topics. |
| [The Privacy, Security, & OSINT Show](https://inteltechniques.com/podcast.html) | A podcast focusing on privacy, security, and open-source intelligence topics, occasionally featuring API security discussions. |

## πŸ—‚ Wikis & Collections
| **Collection** | **Description** |
|----------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------|
| [OWASP API Security Project](https://owasp.org/www-project-api-security/) | An OWASP project that provides resources and guidelines on API security. |
| [API Security Encyclopedia](https://www.apisecurity.io/encyclopedia/) | A comprehensive encyclopedia of API security terms and concepts. |
| [API Security on Infosec](https://www.infosecinstitute.com/topics/api-security/) | A collection of API security articles and resources by Infosec Institute. |
| [API Security on DZone](https://dzone.com/security) | A collection of API security articles, tutorials, and news on DZone. |
| [API Security on Medium](https://medium.com/tag/api-security) | A collection of API security articles and stories on Medium, contributed by various authors. |
| [API Security on Hacker Noon](https://hackernoon.com/tagged/api-security) | A collection of API security articles on Hacker Noon, contributed by various authors. |
| [API Security on Dev.to](https://dev.to/t/apisecurity) | A collection of API security articles, tutorials, and discussions on Dev.to. |
| [API Security on Reddit](https://www.reddit.com/r/apisecurity/) | A subreddit dedicated to API security, featuring articles, discussions, and resources. |

## πŸ—Ί Mind Maps
| **Mind Map** | **Description** |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|
| [API Security Mind Map](https://dsopas.github.io/MindAPI/play/) | A visual representation of various API security concepts and best practices. |
| [REST API Security Mind Map](https://www.mindmeister.com/555874413/rest-api) | A mind map that covers key security aspects of RESTful APIs. |
| [OAuth 2.0 Mind Map](https://luisfsgoncalves.wordpress.com/2016/06/26/oauth-2-0-mind-map/) | A visual representation of OAuth 2.0 concepts and components, which are crucial for API security. |
| [API Security Testing Mind Map](https://media-exp1.licdn.com/dms/document/C561FAQFMUiAa5fYPhg/feedshare-document-pdf-analyzed/0/1649057128703?e=2147483647&v=beta&t=2MXCYdO_Lpeq1vXOFgwr4exZT-gw16kAhaGG9ZapsH4) | A mind map that provides an overview of API security testing concepts and techniques. |
| [API Management Mind Map](https://media-exp1.licdn.com/dms/document/C561FAQFMUiAa5fYPhg/feedshare-document-pdf-analyzed/0/1649057128703?e=2147483647&v=beta&t=2MXCYdO_Lpeq1vXOFgwr4exZT-gw16kAhaGG9ZapsH4) | A mind map covering various aspects of API management, including security considerations. |
| [Web Services Security Mind Map](https://github.com/nmmcon/MindMaps/blob/532ee4a6ecfad1c7df3cc186b0538477d9e838d8/WebApplicationVulnerabilities.png) | A mind map that delves into security aspects of web services, including APIs. |

## πŸ“œ Newseltters
| **Newsletter** | **Description** |
|-------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|
| [The Hacker New](https://thehackernews.com/search/label/API%20Security) | A blog and newsletter that covers various API topics, including security. |
| [API Evangelist](http://apievangelist.com/) | A blog and newsletter by Kin Lane that covers various API topics, including security. |
| [The New Stack](https://thenewstack.io/) | A platform for news and analysis on various technology topics, including API security. Subscribe to their newsletter for regular updates. |
| [Secjuice](https://www.secjuice.com/) | A cybersecurity publication with a dedicated section for API security articles. Subscribe to their newsletter for updates. |
| [Security Weekly](https://securityweekly.com/) | A cybersecurity podcast network and newsletter that occasionally covers API security topics. |
| [StatusCode Weekly](https://webopsweekly.com/) | A weekly newsletter that covers web operations and occasionally includes API security articles. |

## βš™ Projects
| **Project** | **Description** |
|---------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|
| [OWASP API Security Project](https://owasp.org/www-project-api-security/) | An open-source project that aims to provide guidance and resources for API security. |
| [API Security Checklist](https://github.com/shieldfy/API-Security-Checklist) | A GitHub repository containing a checklist of essential security measures for API developers. |
| [API Security in Action](https://www.manning.com/books/api-security-in-action) | A book that contains sample projects and code for implementing API security best practices. |
| [ModSecurity](https://www.github.com/SpiderLabs/ModSecurity) | An open-source web application firewall (WAF) that can help protect APIs. |
| [ZAP API Scan](https://www.zaproxy.org/docs/docker/api-scan/) | A ZAP add-on that automates API security scanning. |
| [RESTler](https://github.com/microsoft/restler-fuzzer) | Microsoft's open-source, stateful REST API fuzzer for automatically testing API security. |
| [GraphQL Shield](https://github.com/maticzav/graphql-shield) | A library for securing GraphQL APIs with fine-grained access control. |

## 🀝 Contributing
We welcome contributions from developers of all skill levels! Check out our [Contribution Guidelines](.github/CONTRIBUTING.md) to learn how you can contribute to *awesome-api-security-essentials*.

## πŸ“– License
Except as otherwise noted **awesome-api-security-essentials** is licensed under the *[Apache License, Version 2.0](/License)* .

## 🌐 Join Our Community
Connect with other **API Security** enthusiasts and contributors by joining our [discord community](https://discord.gg/NvXBX4Jd2v). Share your experiences, ask questions, and collaborate on this exciting project!

## πŸ“£ Stay Informed
Keep up-to-date with the latest news, updates, and announcements by following us on [Twitter](https://twitter.com/jayesh_ahire1) and [Linkedin](https://www.linkedin.com/company/api-security-community/).

[contributors-shield]: https://img.shields.io/github/contributors/jbahire/awesome-api-security.svg?style=for-the-badge
[contributors-url]: https://github.com/jbahire/awesome-api-security/graphs/contributors
[github-actions-shield]: https://img.shields.io/github/workflow/status/jbahire/awesome-api-security/e2e%20test?color=orange&label=e2e-test&logo=github&logoColor=orange&style=for-the-badge
[github-actions-url]: https://github.com/jbahire/awesome-api-security/actions/workflows/docker-tests.yml
[forks-shield]: https://img.shields.io/github/forks/jbahire/awesome-api-security.svg?style=for-the-badge
[forks-url]: https://github.com/jbahire/awesome-api-security/network/members
[stars-shield]: https://img.shields.io/github/stars/jbahire/awesome-api-security.svg?style=for-the-badge
[stars-url]: https://github.com/jbahire/awesome-api-security/stargazers
[issues-shield]: https://img.shields.io/github/issues/jbahire/awesome-api-security.svg?style=for-the-badge
[issues-url]: https://github.com/jbahire/awesome-api-security/issues
[twitter-shield]: https://img.shields.io/badge/-Twitter-black.svg?style=for-the-badge&logo=twitter&colorB=555
[twitter-url]: https://twitter.com/jayesh_ahire1