API Security Fundamentals [2023]

This video is the recording of my last API Security Fundamentals webinar (March 15, 2023).

This is a quick overview of the most important topics of API security. It includes everything you must take into account when building and designing secure APIs.

In contrast to my previous videos, this one is more theoretical and doesn't have any coding. However, this content is so important that I felt it was worth releasing here. I'm thinking of creating a course with practical coding examples illustrating all the vulnerabilities - let me know in the comments if you'd be interested in that.

If you're new to API security, my recommendation is not to try to take the whole thing in one go. Go little by little, trying to understand and make sense of everything I explain. I've divided the video into small chapters to make it easier to follow along with the content and plan your study.

If there's anything you don't understand, I'm available for any questions in the comments or privately.

More specifically, the video covers:

👉 OWASP's top 10 API security vulnerabilities - I explain what they are, when they tend to show up, and illustrate them with practical examples. I also explain how to avoid them.

👉 API authorization and authentication using OAuth and OIDC: implementation challenges, common mistakes, and best practices.

👉 How API design can expose vulnerabilities and how to prevent them.

👉 APIs sit within a wider system, so API security requires a holistic approach. I talk about elements "around the API" that also need to be protected.

👉 Finally, I talk about API security testing and how to automate it with fencer.

Fencer is an open-source API security testing tool. I created this library because most of the tooling in this space is from proprietary vendors. I believe we can create a better and more robust API security testing tool by offering a public space where we can all contribute our knowledge and experience with API security. That space is fencer. My goal is to turn fencer into a world-class API security testing tool. I welcome contributions to the project!

RESOURCES:
🔷 OWASP's top 10 API security vulnerabilities [2019]: https://owasp.org/www-project-api-sec...
🔷 OWASP's top 10 API security vulnerabilities 2023 RFC: https://github.com/OWASP/API-Security...
🔷 Fencer: https://github.com/abunuwas/fencer

💥 ANNOUNCEMENT 💥
If you want to learn how to build awesome APIs using FastAPI and SQLAlchemy, check out my online course Build APIs with Python: https://microapis.teachable.com/p/bui.... Use the code pre-launch to obtain a 25% discount while the course is on pre-launch!

00:00 Introduction
01:16 Agenda
03:07 OWASP Top 10 API Vulnerabilities
06:02 Broken Object Level Authorization (BOLA)
07:40 Broken Authentication
09:38 Broken Object Property Level Authorization
13:29 Unrestricted Resource Consumption
15:40 Broken Function Level Authorization
17:09 Server-side Request Forgery
19:00 Security Misconfiguration
20:08 Lack of Protection from Automated Threats
22:50 Improper Assets Management
25:30 Unsafe Consumption of APIs
27:28 Injection (2019)
29:23 Authentication vs Authorization
30:22 Open Authorization (OAuth)
31:16 Authorization Code Flow
32:57 PKCE Flow
35:11 Client Credentials Flow
36:04 Refresh Token Flow
36:30 JSON Web Tokens (JWTs)
37:45 Structure of a JWT
41:11 OpenID Connect (OIDC)
42:42 Vulnerable API Designs
46:27 Vulnerabilities around the API
48:33 Automating API security testing with fencer
50:22 Wrapping up