Like most modern applications, APIs require extensive authorization controls to safeguard data and functionality. When authorization controls break down, sensitive data and critical functions become exposed, leading to potentially disastrous consequences. When precisely diagnosing authorization-related vulnerabilities, the OWASP API Security Top Ten outlines several variants. One such variant, Broken Function Level Authorization (BFLA), is an API vulnerability to which users can perform actions or use functions they shouldn't have access to. Imagine an attacker gaining unauthorized administrat ..read more

Golang is fast becoming the programming language on which developers build the internet. Only JavaScript and Python are ahead in popularity survey results, which is an undeniable confirmation of this trend. Key to this growing popularity is how simple it is to learn and use Go. Add to this the fact that it's perfectly designed for fast execution of applications in microservice architecture models.  Even as you use one of the top languages on the market, your applications are often at the mercy of hackers. They've basically laced the internet with "minefields"—attacks waiting to activate o ..read more

APIs are everywhere and power almost everything. API usage and traffic continue to grow as applications become more distributed, thanks to the massive amount of SaaS and other web-based services that consume the modern software landscape. APIs offer significant advantages to developers, empowering them to leverage existing functionality, accelerate application development, and unlock new possibilities. However, as applications and API portfolios become increasingly complex, maintaining a comprehensive understanding of all existing APIs becomes a significant challenge. APIs can quickly become o ..read more

With every passing year, the complexity of cyber threats intensifies. With each new threat comes the demand for more sophisticated defenses. This guide is designed to teach you the essential cybersecurity tools that stand as the vanguard against these evolving threats. From network security monitors and web vulnerability scanning to encryption tools, this blog uncovers the critical technologies that cyber security professionals depend on to safeguard our digital realm. You'll learn about the tools and how to strategically select and effectively implement them to enhance your digital defenses ..read more

First of all, what is HTTP strict transport security (HSTS) and why do you need it? HSTS is a specific HTTP response header that tells the browser to load a site over HTTPS. The browser will do so whether the user uses the HTTP or the HTTPS protocol. Even if you have a redirect, it's a good idea to set up HSTS since that initial plain text send from the browser to the HTTP endpoint remains vulnerable. That's because the browser will still send any domain cookies to that endpoint—unless, of course, they're set to secure.  In this post, you can read more about HSTS and how it relates to Rea ..read more

For developers striving to build secure APIs, Insecure Direct Object References (IDOR) stand out as a critical vulnerability to look for. As outlined in the OWASP API Security Top 10, this vulnerability can lead to unauthorized access and manipulation of data, leading to disastrous consequences. Broken Object Level Authorization (BOLA) vulnerabilities arise when applications fail to enforce adequate authorization checks for accessing objects or resources. This flaw enables attackers to exploit user-supplied inputs, like URL parameters, to access or manipulate objects they shouldn't, such as fi ..read more

Introduction As the internet is becoming increasingly accessible to people, the number of attacks trying to steal personal information is on the rise. We, as developers, need to protect our users' data, and sometimes, the protection needs to start even before they reach our web application.  This post is about how we can protect our users when they first request our website using HTTP Strict Transport Security (HSTS). To illustrate this, we'll build a sample app with Spring Boot and Java and walk through how to configure HSTS. We'll also be using the Spring Security project.  But fir ..read more

Imagine a scenario where a simple change in a URL grants an attacker access to your most sensitive data or even control over physical systems. That's the potential danger of broken Object-Level Authorization (BOLA), a widespread vulnerability plaguing APIs. BOLA can expose your financial records, medical information, or any data your application handles to malicious actors. Broken Object Level Authorization occurs when an API fails to implement strict controls around who can access what. It's like leaving your house unlocked and hoping nobody with bad intentions walks in. In the world of APIs ..read more

In our increasingly interconnected world, APIs (Application Programming Interfaces) form the backbone of modern digital systems. They power seamless data exchange and enable applications to communicate effortlessly. Because of their rise in usage and popularity, they’ve also become a target for bad actors to exploit. This has led to the OWASP Top 10 API Security Risks, a list developed by OWASP to highlight the top API vulnerabilities that could be and are exploited in the wild. One of the vulnerabilities highlighted in the 2023 edition of the list, in tenth position, is API10: Unsafe Consumpt ..read more

In today’s rapidly evolving digital landscape, the security of web applications and APIs is more crucial than ever. With cyber threats becoming increasingly sophisticated, protecting sensitive data against unauthorized access is a top priority for developers and businesses. Among the numerous security vulnerabilities that frequently plague web applications and APIs, SQL Injection stands out as one of the most dangerous and prevalent. In this blog, we delve into the world of web application security by exploring SQL Injection vulnerabilities. First, we will build a simple API with Flask, then c ..read more