Knowledge

API security, explained plainly.

A growing reference on APIs and their security: from the fundamentals through the most common risks to digital sovereignty and what regulations like DORA and NIS2 actually require.

Fundamentals

How APIs work.

The starting point: what an API is and why its security matters more than anything else.

Attacks & Risks

Where APIs break.

The most common vulnerabilities, above all the authorization flaws that no signature scanner can see.

Risks

OWASP API Security Top 10

The ten most common API risks (2023), with the three authorization flaws front and center.

Read →
Attack

JWT Attacks

JWT attacks exploit the fact that a server accepts manipulated JSON Web Tokens because signature verification is flawed or not performed at all.

Read →
Attack

GraphQL Security

GraphQL gives clients great flexibility when querying data, but that very flexibility creates its own security risks that go beyond the classic OWASP API Top 10.

Read →
Attack

Injection

Injection attacks occur when an API inserts untrusted input (URL parameters, JSON fields, headers) unchecked into a query or command, so the input gets interpreted as executable code instead of plain data.

Read →
Attack

Credential Stuffing & Account Takeover

Credential stuffing is the automated testing of stolen username/password pairs (from other services' data breaches) against the login or

Read →
Attack

CORS Misconfiguration

CORS (Cross-Origin Resource Sharing) is a browser mechanism that relaxes the strict same-origin policy in a controlled way, so a web application is allowed to read resources from another origin.

Read →
Attack

Webhook Security

Incoming webhooks are HTTP POST requests that an external provider (e.g.

Read →
Attack

API Secrets & Key Leakage

API secrets and key leakage refers to the unintentional exposure of API keys, tokens and credentials, for example hardcoded in client or mobile code, checked into public code repositories, written to logs or transmitted as query parameters in URLs.

Read →
API1

Broken Object Level Authorization

Broken Object Level Authorization (BOLA) ranks as API1:2023, first place in the OWASP API Security Top 10 2023.

Read →
API2

Broken Authentication

Broken Authentication (API2:2023) refers to weaknesses in an API's authentication mechanisms, meaning the process of verifying whether a user really is who they claim to be.

Read →
API3

Broken Object Property Level Authorization

Broken Object Property Level Authorization (API3:2023) occurs when an API checks whether a user may access an object, but doesn't check whether they may access or modify the object's individual properties.

Read →
API4

Unrestricted Resource Consumption

Unrestricted Resource Consumption (API4:2023) refers to the risk that an API sets no, or insufficient, limits on resource consumption, for example CPU, memory, bandwidth, storage or paid third-party services (e.

Read →
API5

Broken Function Level Authorization

Broken Function Level Authorization (BFLA) arises when an API doesn't sufficiently check whether the logged-in user is allowed to execute a given function (action/endpoint) at all.

Read →
API6

Unrestricted Access to Sensitive Business Flows

Unrestricted Access to Sensitive Business Flows (API6:2023) occurs when an API endpoint exposes a business-critical flow (e.

Read →
API7

Server Side Request Forgery

Server Side Request Forgery (SSRF) occurs when an API fetches a remote resource using a URL supplied by the user, without adequately validating that URL.

Read →
API8

Security Misconfiguration

Security Misconfiguration (API8:2023) refers to vulnerabilities that arise from missing or incorrect configuration at any layer of the API stack, from the network to the application.

Read →
API9

Improper Inventory Management

Improper Inventory Management (API9:2023) arises when organizations lose track of their own APIs and of data flows to third parties.

Read →
API10

Unsafe Consumption of APIs

Unsafe Consumption of APIs (API10:2023) describes a risk that arises when an API consumes data from external or third-party APIs and trusts them blindly.

Read →
Protection & Implementation

How to secure APIs.

From authentication, validation and rate limiting, through discovery and pentesting, to enforcement at the gateway.

Protection

Implementing API Security

Security comes from three steps: know your inventory, test continuously and enforce at the gateway.

Read →
Protection

API Gateways

The central entry point that routes, authenticates and throttles, but doesn't catch authorization flaws.

Read →
Protection

OAuth 2.0 & OpenID Connect

OAuth 2.0 is a framework for delegated authorization: an application gets limited access to an API on a user's behalf, without knowing their password.

Read →
Protection

Transport Security: TLS and mTLS

TLS encrypts the transport and verifies the server's identity, but doesn't decide who may access which data.

Read →
Protection

Input Validation and Schema Enforcement

Input validation following the positive security model checks every incoming request against an explicitly defined schema (OpenAPI or JSON Schema) and accepts only what is explicitly allowed.

Read →
Protection

Rate Limiting, Quotas and Throttling

Rate limiting, quotas and throttling limit how many requests a client may make to an API within a given time window.

Read →
Protection

Secrets Management for APIs

Secrets management is the defensive counterpart to key leakage: API keys, tokens and certificates are managed centrally, granted under least privilege, rotated automatically and never hardcoded in code, in Git or in logs.

Read →
Protection

Zero Trust for APIs

Zero Trust shifts defense from the network perimeter to every single request: no implicit trust from network location, identity and authorization are re-checked for every request.

Read →
Operations

Logging, Monitoring and Anomaly Detection

Without logging and monitoring, attacks on APIs stay invisible until the damage is done.

Read →
Operations

API Security in the CI/CD Pipeline

Security as a quality gate instead of an annual appointment: how SAST, DAST, SCA, spec diffing, authorization contract tests and secret scanning belong in the CI/CD pipeline, what NIST SP 800-204D requires and why OWASP considers the annual pentest insufficient.

Read →
Testing

How an API Pentest Works

An API pentest examines an interface systematically along a methodology: recon and endpoint discovery, analysis of authentication and authorization, targeted testing of authorization and logic flaws, and fuzzing.

Read →
Testing

API Discovery and Inventory

API discovery and inventory answer the question of which interfaces an organization actually operates, in which version and with which owner.

Read →
Testing

Severity and Risk Assessment with CVSS

CVSS provides a standardized severity score from 0 to 10 for technical vulnerabilities.

Read →
AI

API Security for AI and LLM Applications

Anyone shipping an LLM feature is operating an API with two risk layers: the classic API risks and the model-specific dangers in the OWASP Top 10 for LLM Applications.

Read →
Sovereignty & Compliance

Control, trust, proof.

What digital sovereignty delivers, why it matters especially for security, and how it connects to DORA, NIS2 and GDPR.

Reference

For reference.

Terms that keep coming up, briefly explained.

From theory to a finding on your API.

See how Venedy uncovers these risks on your own interface, provably.

Become a design partner

Note: This content is provided for education and authorised security testing — not as a guide to unauthorised access. Apply any techniques only to systems you own or are explicitly permitted to test. We give no warranty as to accuracy or completeness. See the Disclaimer.