
Common REST API Security Pitfalls

OWASP Foundation via YouTube

Overview

Explore common REST API security pitfalls and best practices in this 37-minute conference talk from OWASP BeNeLux Day. Delve into the evolution of application development, focusing on the rise of JavaScript and mobile applications that have led to an explosion of easily accessible REST APIs. Learn how to protect API access, identify outdated security aspects, and implement essential security features. Discover the root causes of common API security issues that often result in compromised user accounts and unauthorized data access. Gain actionable advice to address these security problems and assess the security of your own APIs. Topics covered include HTTP guidelines, HTTP Strict Transport Security, application-layer security, endpoint protection, state-changing operations, authorization, session management, JSON Web Tokens, CSRF prevention, CORS, input validation, and more. Equip yourself with the knowledge to build secure REST APIs and improve existing ones for future-proof security.

Syllabus

Intro
Demo
About me
API
HTTP
Guidelines
HTTP Strict Transport Security
Warming Up
Application Layer
Endpoints
State Changing Operations
Missing Authorization
Session Information
Client-side Session Data
JSON Web Token
Decode Functions
Token Misuse
JSON Web Token Rabbit Hole
Cookies
Authorization Header
Attachment to outgoing requests
Default solutions
Cross-site Request Forgery
Transparent token
Cross-origin Resource Sharing
Custom headers
Cookies for API
Input validation
Input validation best practices
Over- or Underestimating Input Validation
Build secure stuff

Taught by

OWASP Foundation
