Tales of API Woes From a Security Professional Part 1

APIs need securing properly, not just via obscurity.

Photo by Markus Spiske on Unsplash

Some APIs are so large that they are more like complete products of their own, not just an intermediary.

Average users will never see the API directly, but that doesn't mean it doesn't need to be secured just as carefully as the front end.

Not performing user checks

My Password is Your Password

json/user/update_password

json/un000123/update_password
json/un000132/update_password

A valid request to update our own user password: un000123
A valid request to update the target user's password: un000132

This one missing check (the server never verified that the authenticated session belonged to the user ID in the path, so any valid session could act on any user ID) allowed a complete takeover of any other user's account on the entire platform: game over.
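The following is an added example, not code from the original post or from the platform it describes. It models the update_password endpoint above as two plain Python functions: one that trusts the user ID in the path the way the vulnerable API did, and one with an object-level authorization check plus current-password re-authentication. The in-memory user store, the password hashing parameters, the "attacker-pass"/"victim-pass" sample credentials and the choice of 404 for a foreign user ID are all assumptions for illustration; only the two user IDs un000123 and un000132 come from the page.

```python
"""Added example (not the original post's code): a minimal model of the
update_password endpoint, vulnerable and hardened side by side."""
import hashlib
import hmac
import os

# Constructed sample user store: user id -> (salt, PBKDF2 hash). Assumption.
USERS = {}


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count is an illustrative assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def seed_users() -> None:
    """Reset the store to the two users named on the page with made-up passwords."""
    USERS.clear()
    for uid, pw in (("un000123", "attacker-pass"), ("un000132", "victim-pass")):
        salt = os.urandom(16)
        USERS[uid] = (salt, _hash(pw, salt))


def check_password(uid: str, password: str) -> bool:
    salt, digest = USERS[uid]
    return hmac.compare_digest(digest, _hash(password, salt))


def update_password_vulnerable(session_uid: str, path_uid: str, new_password: str):
    """Mirrors the bug on the page: the user id taken from the URL is acted on
    directly; the authenticated session user is never compared against it."""
    if session_uid not in USERS:
        return 401, "not authenticated"
    if path_uid not in USERS:
        return 404, "no such user"
    salt = os.urandom(16)
    USERS[path_uid] = (salt, _hash(new_password, salt))  # any user, any session
    return 200, "password updated"


def update_password_fixed(session_uid: str, path_uid: str,
                          new_password: str, current_password: str):
    """Object-level authorization: a session may only change its own account,
    and the current password is required so a stolen session alone is not
    enough to rotate the credential (hypothetical policy, not the page's)."""
    if session_uid not in USERS:
        return 401, "not authenticated"
    if path_uid != session_uid:
        # 404 rather than 403 so the endpoint does not confirm that other
        # user ids exist. Assumption for illustration.
        return 404, "no such user"
    if not check_password(session_uid, current_password):
        return 403, "current password incorrect"
    salt = os.urandom(16)
    USERS[session_uid] = (salt, _hash(new_password, salt))  # only the caller
    return 200, "password updated"


def demo():
    """Replay the attack from the page against both handlers.

    Returns (vulnerable status, victim taken over?, fixed status, victim taken over?)."""
    seed_users()
    # Attacker un000123 points its own valid session at the victim's path.
    vuln_status, _ = update_password_vulnerable("un000123", "un000132", "pwned")
    vuln_takeover = check_password("un000132", "pwned")

    seed_users()
    fixed_status, _ = update_password_fixed("un000123", "un000132", "pwned", "attacker-pass")
    fixed_takeover = check_password("un000132", "pwned")
    return vuln_status, vuln_takeover, fixed_status, fixed_takeover


if __name__ == "__main__":
    print(demo())
```

The fix is not "hide the user ID": the hardened handler still accepts the ID in the path, it simply refuses to act on any ID other than the one bound to the session. Deriving the target from the session and ignoring the path entirely would be equally valid.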

And…?
