├── LICENSE
└── README.md
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
178 | APPENDIX: How to apply the Apache License to your work.
179 |
180 | To apply the Apache License to your work, attach the following
181 | boilerplate notice, with the fields enclosed by brackets "[]"
182 | replaced with your own identifying information. (Don't include
183 | the brackets!) The text should be enclosed in the appropriate
184 | comment syntax for the file format. We also recommend that a
185 | file or class name and description of purpose be included on the
186 | same "printed page" as the copyright notice for easier
187 | identification within third-party archives.
188 |
189 | Copyright [yyyy] [name of copyright owner]
190 |
191 | Licensed under the Apache License, Version 2.0 (the "License");
192 | you may not use this file except in compliance with the License.
193 | You may obtain a copy of the License at
194 |
195 | http://www.apache.org/licenses/LICENSE-2.0
196 |
197 | Unless required by applicable law or agreed to in writing, software
198 | distributed under the License is distributed on an "AS IS" BASIS,
199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 | See the License for the specific language governing permissions and
201 | limitations under the License.
202 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | 
2 |
3 | # Awesome API Security Essentials
4 |
5 | ## 🚀 About the Project
6 | As more applications rely on APIs for communication and data exchange, ensuring their security is crucial to prevent unauthorized access, data breaches, and service disruptions. The "Awesome API Security Essentials" project aims to be a one-stop resource for developers, providing them with everything they need to implement comprehensive API security measures.
7 |
8 | It provides:
9 |
10 | - **Comprehensive API security resources** - articles, tutorials, and whitepapers
11 | - **Curated tools, libraries, and frameworks** for implementation and testing
12 | - **Best practices, guidelines, and recommendations** for secure API design
13 | - **Community-driven contributions and updates** for continuous improvement
14 | - **Detailed explanations and use cases** for better understanding and application
15 |
16 | ## 💥 News
17 | > OWASP API Top 10 - 2023 Released.
18 | > Find more about the release and updates here: https://owasp.org/API-Security/editions/2023/en/0x11-t10/
19 |
20 |
21 | ## 🎳 OWASP API Top 10 2023
22 | | **OWASP API Top 10 - 2023** | **Why?** |
23 | |----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|
24 | | [API1:2023 - Broken Object Level Authorization](https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/) | API endpoints often expose object identifiers, which can be manipulated by unauthorized users. It's critical to verify permissions for each request. |
25 | | [API2:2023 - Broken Authentication](https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/) | If authentication is implemented poorly, attackers can hijack user sessions or impersonate users. Always verify the user's identity in a secure way. |
26 | | [API3:2023 - Broken Object Property Level Authorization](https://owasp.org/API-Security/editions/2023/en/0xa3-broken-object-property-level-authorization/) | APIs must also verify permissions for individual object properties. Without this, attackers can access or manipulate data they shouldn't have access to. |
27 | | [API4:2023 - Unrestricted Resource Consumption](https://owasp.org/API-Security/editions/2023/en/0xa4-unrestricted-resource-consumption/) | APIs need to handle resource limitations effectively. If not managed properly, excessive requests can lead to service outages or increased operational costs. |
28 | | [API5:2023 - Broken Function Level Authorization](https://owasp.org/API-Security/editions/2023/en/0xa5-broken-function-level-authorization/) | APIs must manage user roles and permissions correctly. If not, users could gain unauthorized access to certain functionalities. |
29 | | [API6:2023 - Unrestricted Access to Sensitive Business Flows](https://owasp.org/API-Security/editions/2023/en/0xa6-unrestricted-access-to-sensitive-business-flows/) | APIs should protect business operations. Without protection, automated or excessive usage of business functionalities could cause damage. |
30 | | [API7:2023 - Server Side Request Forgery](https://owasp.org/API-Security/editions/2023/en/0xa7-server-side-request-forgery/) | APIs must validate external resource requests to prevent attackers from forcing the server to send requests to unauthorized locations. |
31 | | [API8:2023 - Security Misconfiguration](https://owasp.org/API-Security/editions/2023/en/0xa8-security-misconfiguration/) | API settings should be configured properly. Neglecting to do so can leave vulnerabilities that attackers can exploit. |
32 | | [API9:2023 - Improper Inventory Management](https://owasp.org/API-Security/editions/2023/en/0xa9-improper-inventory-management/) | APIs must maintain accurate and updated documentation of all available endpoints to prevent the exposure of deprecated or debug endpoints. |
33 | | [API10:2023 - Unsafe Consumption of APIs](https://owasp.org/API-Security/editions/2023/en/0xaa-unsafe-consumption-of-apis/) | Developers should be careful when using third-party APIs and not trust them blindly. Attackers could exploit these third-party services to compromise your API. |
34 |
35 |
36 | ## 📚 Books
37 | | **Book Name** | **Description** | **Short Summary** |
38 | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
39 | | [API Security in Action](https://www.manning.com/books/api-security-in-action) | A comprehensive guide to API security principles and techniques by Neil Madden. | This book provides a comprehensive exploration of API security principles and practices, with a focus on securing RESTful and GraphQL APIs. It covers a wide range of topics, including handling authentication, authorization, and audit, as well as protecting data at rest and in transit. Through detailed examples and case studies, readers will gain a deep understanding of how to implement robust security measures for their APIs. |
40 | | [Hacking APIs](https://www.google.co.in/books/edition/Hacking_APIs/gHpPEAAAQBAJ?hl=en&gbpv=0) | A practical guide on Breaking Web Application Programming Interfaces. | Hacking APIs is a crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure. |
41 | | [RESTful API Design: Best Practices in API Design with REST](https://www.amazon.in/dp/B01L6STMVW?ref=KC_GS_GB_IN) | A book focusing on RESTful API design principles, including security considerations, by Matthias Biehl. | Focusing on the principles of designing scalable, maintainable, and high-performing RESTful APIs, this book provides guidance on versioning, pagination, and error handling. It also presents industry-proven patterns and anti-patterns to help readers avoid common pitfalls. With practical examples, readers will be able to apply these principles to their own API design projects. |
42 | | [OAuth 2.0: Getting Started in API Security](https://www.amazon.in/OAuth-2-0-Getting-Security-University/dp/1507800916) | A practical guide to OAuth 2.0 and API security by Matthias Biehl. | An introductory guide to OAuth 2.0 and its role in API security, this book offers an overview of various OAuth 2.0 flows and use cases. It provides step-by-step guidance on implementing OAuth 2.0 and shares tips for maintaining security and performance. With this book, readers can confidently apply OAuth 2.0 to protect their APIs. |
43 | | [GraphQL in Action](https://www.manning.com/books/graphql-in-action) | A book covering GraphQL API design, development, and security best practices by Samer Buna. | This comprehensive guide to GraphQL implementation explores the GraphQL query language and schema design, along with strategies for securing GraphQL APIs. Through real-world case studies and examples, readers will gain a thorough understanding of how to use GraphQL in their projects while ensuring robust security measures are in place. |
44 | | [Practical API Architecture and Development with Azure and AWS](https://www.amazon.in/Practical-Architecture-Development-Azure-Implementation/dp/1484235541) | A book on API architecture and development, including security considerations, for both Azure and AWS by Thurupathan Vijayakumar. | This book offers a hands-on approach to API architecture and development using Azure and AWS platforms. It covers topics such as API design, development, deployment, and management, with a focus on integrating cloud-based services. Readers will learn how to leverage the capabilities of these platforms to create efficient, secure, and scalable APIs. |
45 | | [API Management: An Architect's Guide to Developing and Managing APIs for Your Organization](https://www.amazon.com/API-Management-Architects-Developing-Organization/dp/1484213068) | A book by Brajesh De that includes API security aspects and best practices. | This book offers valuable insights into developing and managing APIs for organizations, with a focus on the architectural aspects of API management. It covers topics such as API design, development, security, and governance, providing practical guidance on creating efficient and secure APIs that align with organizational goals. |
46 | | [Advanced API Security: OAuth 2.0 and Beyon](https://www.amazon.in/Advanced-API-Security-OAuth-Beyond-ebook/dp/B082WRYJJM/ref=sr_1_2?qid=1683721842&s=books&sr=1-2) | A book by Prabath Siriwardena that focuses on OAuth 2.0 and OpenID Connect protocols for API security. | This book provides an in-depth exploration of API security, with a focus on OAuth 2.0 and OpenID Connect protocols. It offers a detailed understanding of these protocols and their implementation, helping readers master the intricacies of API security. By the end of this book, readers will be well-versed in using OAuth |
47 |
48 |
49 | ## 👻 Breaches
50 |
51 | | # | Incident | Year | Impacted Users | Primary Reason | Vulnerability | Remediation | Avoidance | Source |
52 | | -- | --------------------- | ----------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
53 | | 1 | Parler API hack | 2021 | Millions | Lack of authentication for the API | Unauthenticated access to sensitive data | Reimburse affected users and implement proper authentication mechanisms for the API | Use tokens or passwords to secure the API | [The Parler Hack Is a Reminder: The End-to-End Encryption Debate Isn’t Going Away](https://www.wired.com/story/parler-hack-end-to-end-encryption-debate/) |
54 | | 2 | Peloton breach | 2021 | Millions | Misconfigured API that did not enforce proper access control policies for user data | Unauthorized access to user data without authentication | Notify affected users and implement authentication and authorization mechanisms for the API | Use tokens or roles to secure the API | [Peloton’s leaky API let anyone grab riders’ private account data](https://techcrunch.com/2021/05/05/peloton-api-account-data-leak/) |
55 | | 3 | Experian breach | 2020 (reported in 2021) | Millions | Lack of validation for the API requests that enabled unauthorized access to credit scores | Unauthorized access to credit scores by entering a name and an address | Notify affected users and implement validation mechanisms for the API requests | Verify identity or require additional information to access the API | [Experian’s Credit Freeze Security is Still a Joke](https://krebsonsecurity.com/2020/08/experians-credit-freeze-security-is-still-a-joke/) |
56 | | 4 | John Deere breach | 2021 (reported in 2022) | Thousands | Lack of authorization for the API requests that enabled unauthorized access to customer data | Unauthorized access to customer data by entering a serial number of a John Deere product | Notify affected customers and implement authorization mechanisms for the API requests | Verify ownership or require authentication tokens to access the API | [John Deere security flaw lets anyone download sensitive files from its site](https://www.vice.com/en/article/epn5jw/john-deere-security-flaw-lets-anyone-download-sensitive-files-from-its-site) |
57 | | 5 | Microsoft breach | 2022 | Millions | Flaw in the authentication system that enabled unauthorized access to the API. Accessing Microsoft’s API and downloading data from various products using stolen credentials obtained from phishing emails. | Unautheticated access | Implement a more robust authentication system, such as using multi-factor authentication or passwordless authentication. Encrypt data in transit and at rest. | Validate all requests and responses. Limit the number and frequency of requests. Log all API activity and audit regularly. Educate users about phishing and how to protect their accounts. | [Microsoft says it thwarted recent cyberattack from group it calls ‘Lapsus$’](https://www.cnn.com/2022/03/20/tech/microsoft-cyberattack/index.html) |
58 | | 6 | Clubhouse | 2021 | Unknown | Public API access | Exposed user data | Implemented rate limits and added additional security measures | Regularly review and restrict API access | [Cybernews]([https://cybernews.com/security/clubhouse-data-leak-1-3-million-user-records-leaked-for-free/](https://cybernews.com/security/clubhouse-data-leak-1-3-million-user-records-leaked-for-free/)) |
59 | | 7 | Twitter | 2020 | 130 accounts | Social engineering attack | Insufficient internal control | Improved internal security measures and employee training | Implement strong access control and employee training | [Twitter Blog](https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident.html) |
60 | | 8 | Robinhood | 2020 | 2,000 | Unauthorized access | Compromised API tokens | Investigated the issue and implemented additional security measures | Properly secure sensitive data, including API tokens | [Bloomberg](https://www.bloomberg.com/news/articles/2020-10-15/robinhood-says-some-customer-accounts-may-have-become-target) |
61 | | 9 | Garmin | 2020 | Unknown | Ransomware attack | Compromised API access | Garmin reportedly paid the ransom to restore their services and regain access to their data. | Regularly update and patch software, monitor API access, and implement strong authentication and encryption mechanisms. | [ZDNet](https://www.zdnet.com/article/garmin-services-and-production-go-down-after-ransomware-attack/) |
62 | | 10 | MGM Resorts | 2020 | 10.6 million | Unauthorized access | Exposed API keys | MGM Resorts notified affected users, offered credit monitoring services, and improved network security. | Implement network segmentation, regular security audits, and use strong API access controls. | [ZDNet](https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/) |
63 | | 11 | SolarWinds | 2020 | Unknown | Supply chain attack | Compromised API access | SolarWinds released a series of patches and updates to secure their software and network. | Regularly audit and monitor third-party software, implement strong authentication, and use the principle of least privilege. | [SolarWinds](https://www.solarwinds.com/securityadvisory) |
64 | | 12 | EasyJet | 2020 | 9 million | Unauthorized access | Exposed API keys | EasyJet notified affected customers, advised them to change their passwords, and increased security measures. | Monitor API usage, implement multi-factor authentication, and conduct regular security audits. | [BBC](https://www.bbc.com/news/technology-52722626) |
65 | | 13 | Marriott | 2020 | 5.2 million | Unauthorized access | Compromised API access | Marriott disabled the affected API and notified affected customers, offering identity protection services. | Regularly monitor and audit API access, implement strong authentication mechanisms, and encrypt sensitive data.
| [Marriott](https://marriott.gcs-web.com/news-releases/news-release-details/marriott-international-update-on-property-system-security) |
66 | | 14 | Nintendo | 2020 | 300,000 | Unauthorized access | Exposed API keys | Nintendo reset passwords for affected accounts and advised users to enable two-factor authentication. | Implement strong authentication measures, monitor API usage, and educate users about password security. | [Nintendo](https://en-americas-support.nintendo.com/app/answers/detail/a_id/49167/) |
67 | | 15 | Zoom | 2020 | 500,000 | Unauthorized access | Exposed API keys | Zoom disabled the affected API and increased security measures. | Regularly audit API access, encrypt sensitive data, and implement strong authentication mechanisms. | [Bleeping Computer](https://www.bleepingcomputer.com/news/security/500-000-zoom-accounts-sold-on-hacker-forums-the-dark-web/) |
68 | | 16 | First American Corp | 2019 | 885 million | Misconfiguration of API | IDOR | Fixed the misconfiguration and conducted a thorough investigation | Regular security audits and testing for misconfigurations | [KrebsOnSecurity](https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/) |
69 | | 17 | JustDial | 2019 | 100 million | Unsecured API | Lack of authentication | Secured the API and conducted an internal review | Implement proper access controls and authentication measures | [The Economic Times](https://economictimes.indiatimes.com/tech/internet/justdial-affected-by-data-breach-of-100-million-users/articleshow/68883453.cms) |
70 | | 18 | Capital One | 2019 | 106 million | Unauthorized access | Misconfigured firewall | Fixed the misconfiguration and conducted a thorough investigation | Regular security audits and testing for misconfigurations | [Capital One](https://www.capitalone.com/facts2019/) |
71 | | 19 | DoorDash | 2019 | 4.9 million | Unauthorized access | Exposed API keys | DoorDash added protective security layers and improved security protocols. | Regularly audit API access, implement strong authentication mechanisms, and encrypt sensitive data. | [DoorDash Blog](https://blog.doordash.com/important-security-notice-about-your-doordash-account-34b2b7d89a58) |
72 | | 20 | Canva | 2019 | 137 million | Unauthorized access | Exposed API keys | Canva notified affected users and reset their passwords, enhancing security measures. | Implement multi-factor authentication, monitor API access for unusual activity, and encrypt sensitive data. | [ZDNet](https://www.zdnet.com/article/data-for-roughly-139-million-users-has-been-taken-from-canva/) |
73 | | 21 | Zynga | 2019 | 218 million | Unauthorized access | Exposed API keys | Zynga notified affected users, reset their passwords, and enhanced security measures.
| Regularly audit API access, implement strong authentication mechanisms, and encrypt sensitive data. | [The Hacker News](https://thehackernews.com/2019/09/zynga-game-data-breach.html) |
74 | | 22 | Facebook | 2018 | 87 million | Misuse of API | Inadequate API access control | Facebook tightened API access and implemented regular audits | Regularly review and restrict API access for third-party apps | [Facebook Newsroom](https://about.fb.com/news/2018/04/restricting-data-access/) |
75 | | 23 | Instagram | 2018 | 14 million | API vulnerability | Exposed user data | Patched the vulnerability and notified affected users | Regular security testing and monitoring of API endpoints | [The Information](https://www.theinformation.com/articles/instagram-exposed-data-on-millions-of-users) |
76 | | 24 | T-Mobile | 2018 | 2 million | API vulnerability | Insecure API endpoint | Patched the vulnerability and notified affected customers | Regular security testing and monitoring of API endpoints | [T-Mobile](https://www.t-mobile.com/customers/6305378827) |
77 | | 25 | Panera Bread | 2018 | 37 million | Unsecured API | Exposed customer data | Secured the API and conducted an internal review | Implement proper access controls and authentication measures | [KrebsOnSecurity](https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/) |
78 | | 26 | Venmo | 2018 | 207 million | Public API access | Exposed transaction data | Limited API access and updated privacy settings | Regularly review and restrict API access | [Wired](https://www.wired.com/story/venmo-transaction-public-by-default/) |
79 | | 27 | Exactis | 2018 | 340 million | Unsecured API | Exposed personal data | Secured the API and conducted an internal review | Implement proper access controls and authentication measures | [Wired](https://www.wired.com/story/exactis-database-leak-340-million-records/) |
80 | | 28 | Google+ | 2018 | 500,000 | API vulnerability | Exposed user data | Patched the vulnerability and shut down Google+ | Regular security testing and monitoring of API endpoints | [Google Blog](https://www.blog.google/technology/safety-security/project-strobe/) |
81 | | 29 | HealthEngine | 2018 | 59,600 | API vulnerability | Exposed patient data | Patched the vulnerability and notified affected users | Regular security testing and monitoring of API endpoints | [ABC News](https://www.abc.net.au/news/2018-06-25/healthengine-sharing-patients-information-with-lawyers/9905554) |
82 | | 30 | USPS | 2018 | 60 million | Unsecured API | Exposed user data | Secured the API and conducted an internal review | Implement proper access controls and authentication measures | [KrebsOnSecurity](https://krebsonsecurity.com/2018/11/usps-site-exposed-data-on-60-million-users/) |
83 | | 31 | Strava | 2018 | Unknown | Public API access | Exposed user location data | Updated privacy settings and restricted API access | Regularly review and restrict API access | [The Guardian](https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases) |
84 | | 32 | British Airways | 2018 | 380,000 | Unauthorized access | Compromised API access | British Airways notified affected customers, offered credit monitoring services, and improved security measures. | Implement strong API access controls, use encryption, and conduct regular security audits and assessments. | [ICO](https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/british-airways-update/) |
85 | | 33 | Uber | 2016 | 57 million | Unauthorized access | Exposed API keys | Secured API keys and implemented stronger access controls | Properly secure sensitive data, including API keys | [Uber Newsroom](https://www.uber.com/newsroom/2016-data-incident/) |
86 | | 34 | Microsoft Code Spaces | 2014 | Unknown | Unauthorized access | Exposed API keys | Shut down Code Spaces and encouraged stronger access controls | Properly secure sensitive data, including API keys | [Ars Technica](https://arstechnica.com/information-technology/2014/06/aws-console-breach-leads-to-demise-of-service-with-proven-backup-plan/) |
87 | | 35 | Snapchat | 2014 | 4.6 million | API vulnerability | Exposed user data | Patched the vulnerability and improved security measures | Regular security testing and monitoring of API endpoints | [Gizmodo](https://gizmodo.com/snapchat-leak-4-6-million-usernames-and-phone-numbers-1491407235) |
88 |
89 | ## 🔐 Vulnerable APIs
90 | | # | Name | Link | Short Description | Vulnerabilities | Maintainer | Active |
91 | | -- | ----------- | ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------- | ------ |
92 | | 1 | OWASP crAPI | [GitHub](https://github.com/OWASP/crAPI) | A vulnerable API designed for learning API security practices | SQL Injection, Broken Authentication, Sensitive Data Exposure, XML External Entity (XXE), Broken Access Control, Security Misconfiguration, CORS Misconfigurations | OWASP | Yes |
93 | | 2 | Vampi | [GitHub](https://github.com/erev0s/VAmPI) | VAmPI is a vulnerable API made with Flask and it includes vulnerabilities from the OWASP top 10 vulnerabilities for APIs. | SQL Injection, Broken Authentication, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), Insecure Direct Object Reference (IDOR) | [erev0s](https://github.com/erev0s) | Yes |
94 | | 3 | VAPI | [GitHub](https://github.com/roottusk/vapi) | A vulnerable PHP API for security testing | SQL Injection, Broken Authentication, Sensitive Data Exposure, Insecure Deserialization, Broken Access Control, Security Misconfiguration | [Tushar Kulkarni](https://github.com/roottusk) | Yes |
95 | | 4 | DVNA | [GitHub](https://github.com/appsecco/dvna) | Damn Vulnerable Node.js Application with insecure APIs | SQL Injection, Broken Authentication, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), Insecure Direct Object Reference (IDOR) | Appsecco | Yes |
96 | | 5 | WebGoat | [GitHub](https://github.com/WebGoat/WebGoat) | A deliberately insecure web app for security training | SQL Injection, Broken Authentication, Sensitive Data Exposure, XML External Entity (XXE), Broken Access Control, Security Misconfiguration, CORS Misconfigurations | OWASP | Yes |
97 | | 6 | Juice Shop | [GitHub](https://github.com/juice-shop/juice-shop) | A modern, intentionally insecure web application | SQL Injection, Broken Authentication, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), Insecure Direct Object Reference (IDOR) | OWASP | Yes |
98 | | 7 | Gruyere | [Google](https://google-gruyere.appspot.com/) | A web application with security holes used for training | SQL Injection, Broken Authentication, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), Insecure Direct Object Reference (IDOR) | Google | Yes |
99 | | 8 | Railsgoat | [GitHub](https://github.com/OWASP/railsgoat) | A vulnerable Ruby on Rails application for learning security | SQL Injection, Broken Authentication, Sensitive Data Exposure, Insecure Deserialization, Broken Access Control, Security Misconfiguration | OWASP | Yes |
100 | | 9 | Mutillidae | [GitHub](https://github.com/webpwnized/mutillidae) | A deliberately vulnerable set of PHP scripts | SQL Injection, Broken Authentication, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), Insecure Direct Object Reference (IDOR) | Webpwnized | Yes |
101 | | 10 | NodeGoat | [GitHub](https://github.com/OWASP/NodeGoat) | A Node.js/Express app with security vulnerabilities | SQL Injection, Broken Authentication, Sensitive Data Exposure, XML External Entity (XXE), Broken Access Control, Security Misconfiguration, CORS Misconfigurations | OWASP | Yes |
102 | | 11 | Hackazon | [GitHub](https://github.com/Rapid7/hackazon) | A modern, vulnerable e-commerce web app | SQL Injection, Broken Authentication, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), Insecure Direct Object Reference (IDOR) | Rapid7 | Yes |
103 | | 12 | BadStore | [SourceForge](http://www.badstore.net/) | A vulnerable e-commerce web app for security training | SQL Injection, Broken Authentication, Sensitive Data Exposure, Insecure Deserialization, Broken Access Control, Security Misconfiguration | [Badstore.net](http://Badstore.net) | Yes |
104 | | 13 | GoatDroid | [GitHub](https://github.com/jackMannino/OWASP-GoatDroid-Project) | A vulnerable Android app with insecure APIs | SQL Injection, Broken Authentication, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), Insecure Direct Object Reference (IDOR) | OWASP | Yes |
105 | | 14 | AltoroJ | [IBM](http://www.altoromutual.com/) | A vulnerable Java web app for learning application security | SQL Injection, Broken Authentication, Sensitive Data Exposure, Insecure Deserialization, Broken Access Control, Security Misconfiguration | IBM | Yes |
106 | | 15 | Hackademic | [GitHub](https://github.com/Hackademic/hackademic) | A vulnerable web app to learn and practice web application security | SQL Injection, Broken Authentication, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), Insecure Direct Object Reference (IDOR) | Hackademic | Yes |
107 |
108 | ## ⚔️ OWASP API Top 10 2019 vs OWASP API Top 10 2023
109 |
110 | | **OWASP API Top 10 2019** | **OWASP API Top 10 2023** | **Changes** |
111 | |-------------------------------------------------|-------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
112 | | API1:2019 - Broken Object Level Authorization | API1:2023 - Broken Object Level Authorization | No significant changes, both versions focus on issues related to object identifiers and object level access control. |
113 | | API2:2019 - Broken User Authentication | API2:2023 - Broken Authentication | Slight changes in the naming, but the core issue remains the same - problems with the implementation of authentication mechanisms. |
114 | | API3:2019 - Excessive Data Exposure | API3:2023 - Broken Object Property Level Authorization | The 2023 issue combines the 2019 Excessive Data Exposure and 2019 Mass Assignment to focus on authorization validation at the object property level. |
115 | | API4:2019 - Lack of Resources & Rate Limiting | API4:2023 - Unrestricted Resource Consumption | Similar focus on resource consumption but the 2023 version adds the aspect of resources made available by third-party API integrations. |
116 | | API5:2019 - Broken Function Level Authorization | API5:2023 - Broken Function Level Authorization | No significant changes, both versions focus on the issues with access control policies and different user roles. |
117 | | API6:2019 - Mass Assignment | API6:2023 - Unrestricted Access to Sensitive Business Flows | The 2023 version expands the focus to include the harm to business from automated excessive use of a function, not necessarily resulting from implementation bugs. |
118 | | API7:2019 - Security Misconfiguration | API7:2023 - Server Side Request Forgery | The 2023 version focuses on a specific type of attack – Server-Side Request Forgery (SSRF), while the 2019 version had a broader focus on various misconfigurations. |
119 | | API8:2019 - Injection | API8:2023 - Security Misconfiguration | The 2023 version shifts the Security Misconfiguration from 2019's API7, highlighting the issues related to configurations and best practices, while 2019's API8 was about various types of injection attacks. |
120 | | API9:2019 - Improper Assets Management | API9:2023 - Improper Inventory Management | Both versions stress the importance of proper documentation and inventory of hosts and deployed API versions. The naming was changed to more accurately reflect the main concern. |
121 | | API10:2019 - Insufficient Logging & Monitoring | API10:2023 - Unsafe Consumption of APIs | The 2023 version brings a new concern about trusting third-party APIs and weaker security standards, while the 2019 version focused on logging, monitoring, and incident response. |
122 |
123 |
124 |
125 | ## 📝 Cheatsheets
126 | | Cheatsheet | Description |
127 | |---------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|
128 | | [OWASP API Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/API_Security_Cheat_Sheet.html) | A concise collection of API security best practices by OWASP. |
129 | | [REST Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html) | A cheat sheet focused on security best practices for RESTful APIs. |
130 | | [OAuth 2.0 Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OAuth2_Security_Cheat_Sheet.html) | A summary of the OAuth 2.0 security best practices by OWASP. |
131 | | [JWT Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html) | A cheat sheet covering JSON Web Token (JWT) security best practices. |
132 | | [GraphQL Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Security_Cheat_Sheet.html) | A cheat sheet outlining key security aspects and best practices for GraphQL APIs. |
133 | | [HTTP Security Headers Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Security_Headers_Cheat_Sheet.html) | A summary of HTTP security headers and their usage for securing APIs. |
134 | | [Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html) | A cheat sheet focused on input validation for APIs and web applications. |
135 | | [Cross-Origin Resource Sharing (CORS) Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Origin_Resource_Sharing_Cheat_Sheet.html) | A guide to implementing and securing CORS for APIs and web applications. |
136 | | [Content Security Policy (CSP) Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html) | A cheat sheet for implementing and securing Content Security Policy in APIs and web applications. |
137 | | [API Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/API_Authentication_Cheat_Sheet.html) | A cheat sheet covering API authentication best practices. |
138 |
139 |
140 | ## ✅ Checklists
141 | | Checklist | Description |
142 | |---------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|
143 | | [API Security Checklist](https://github.com/shieldfy/API-Security-Checklist) | A comprehensive checklist of API security best practices. |
144 | | [OWASP API Security Top 10 Checklist](https://www.owasp.org/images/7/76/API_Security_Checklist.pdf) | A printable checklist based on the OWASP API Security Top 10. |
145 | | [API Penetration Testing Checklist](https://www.owasp.org/images/3/37/OWASP_Testing_Checklist_for_APIs.pdf) | A checklist for conducting API security penetration testing. |
146 | | [RESTful API Security Checklist](https://github.com/ozgurozturknet/REST-API-Security-Checklist) | A checklist of security best practices for RESTful APIs. |
147 | | [API Security Audit Checklist](https://www.apicasystems.com/blog/api-security-audit-checklist/) | A checklist for auditing API security. |
148 | | [OAuth 2.0 Security Checklist](https://www.oauth.com/playground/server-security) | A checklist of OAuth 2.0 security best practices. |
149 | | [JSON Web Token (JWT) Security Checklist](https://auth0.com/docs/security/tokens/json-web-tokens/json-web-token-security) | A JWT security checklist provided by Auth0. |
150 | | [GraphQL Security Checklist](https://github.com/graphql-community/graphql-security-checklist) | A collection of security best practices for GraphQL APIs. |
151 | | [API Documentation Security Checklist](https://www.stoplight.io/api-security-checklist) | A checklist for ensuring the security of API documentation. |
152 | | [API Security Self-Assessment Checklist](https://www.axway.com/en/checklist/api-security) | A self-assessment checklist for evaluating your organization's API security. |
153 |
154 |
155 | ## 🛤 API Security Learning Path
156 |
157 | | **Month** | **Week** | **Topic** | **Resources** |
158 | |-----------|----------|--------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
159 | | Month 1 | 1 | Understanding APIs and their importance | [What is an API?](https://www.freecodecamp.org/news/what-is-an-api-in-english-please-b880a3214a82/) |
160 | | | | | [RESTful API Design](https://restfulapi.net/) |
161 | | | 2 | API Security Basics | [Why is API Security Important?](https://www.indusface.com/blog/what-is-api-security-and-why-is-it-important/) |
162 | | | | | [API Security: Challenges and Solutions](https://www.cloudflare.com/learning/security/api/what-is-api-security/) |
163 | | | 3 | Authentication and Authorization | [Introduction to OAuth 2.0](https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2) |
164 | | | | | [Understanding JSON Web Tokens (JWT)](https://jwt.io/introduction/) |
165 | | | 4 | API Security Best Practices | [API Security Best Practices](https://blogs.mulesoft.com/api-integration/api-security-threats-best-practices-solutions/) |
166 | | | | | [OWASP API Security Top 10](https://owasp.org/www-project-api-security/) |
167 | | Month 2 | 5 | Rate Limiting and Throttling | [Rate Limiting in APIs](https://www.cloudflare.com/learning/bots/what-is-rate-limiting/) |
168 | | | | | [Throttling in APIs](https://www.tibco.com/reference-center/what-is-api-throttling#:~:text=API%20throttling%20is%20the%20process,click%20triggers%20an%20API%20call.) |
169 | | | 6 | Input Validation and Sanitization | [Input Validation for APIs](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html) |
170 | | | | | [Input Sanitization for APIs](https://cheatsheetseries.owasp.org/cheatsheets/Data_Validation_Cheat_Sheet.html) |
171 | | | 7 | Transport Security | [Transport Security in APIs](https://developer.okta.com/books/api-security/tls/) |
172 | | | | | [Using HTTPS for API Security](https://www.cloudflare.com/learning/ssl/why-use-https/) |
173 | | | 8 | API Security Testing | [API Security Testing](https://www.soapui.org/learn/security/) |
174 | | | | | [Top 10 API Security Testing Tools](https://www.techtarget.com/searchsecurity/tip/10-API-security-testing-tools-to-mitigate-risk) |
175 | | Month 3 | 9 | Project 1 - Building a Secure RESTful API | [Tutorial: Build a Secure RESTful API](https://www.toptal.com/nodejs/secure-rest-api-in-nodejs) |
176 | | | 10 | Project 2 - Implementing OAuth 2.0 and JWT | [Tutorial: Implement OAuth 2.0 and JWT](https://auth0.com/docs/quickstart/backend/nodejs) |
177 | | | 11 | Project 3 - API Security Audit | [API Security Audit Checklist](https://github.com/shieldfy/API-Security-Checklist) |
178 |
179 |
180 | ## 🎥 Playlists
181 |
182 | | ****Playlist Name**** | ****Link**** |
183 | |------------------------------------|----------------------------------------------------------------------------------|
184 | | API Security: What & How? | [Link](https://youtube.com/playlist?list=PLKUnjn-fSXRTy8sPPXGrNNBDPVOOi3U49) |
185 | | Everything API Hacking | [Link](https://youtube.com/playlist?list=PLbyncTkpno5HqX1h2MnV6Qt4wvTb8Mpol) |
186 | | OWASP API Security Top 10 | [Link](https://www.youtube.com/playlist?list=PLyqga7AXMtPPuibxp1N0TdyDrKwP9H_jD) |
187 | | API Security deep dive | [Link](https://youtube.com/playlist?list=PLiUwrB-tuUUpJIQxo4qqHWKJBfFCTeqh9) |
188 | | REST API Security | [Link](https://youtube.com/playlist?list=PLSId5Ee-5md9FdqzaLrnB30k7Z4YPjBAk) |
189 | | API security | [Link](https://youtube.com/playlist?list=PL4HR6c9eR2yLnBYYwZqhwiV4rhRN1S8f5) |
190 | | API Security 101: Talks | [Link](https://youtube.com/playlist?list=PLwfL2EOOZ36weMxjo1Wk7bV4TFP08HBj9) |
191 | | API Security in Microservice world | [Link](https://youtube.com/playlist?list=PLV47o9J4XHfmTL99nc2b4k-SPSVBF9MIq) |
192 | | API Security essentials | [Link](https://youtube.com/playlist?list=PL8IDSDRZxCCANEpMNtod31YOI1JpB30Qt) |
193 | | Understanding OAuth & API security | [Link](https://youtube.com/playlist?list=PLxeJU39M7tLG1-3UAa1_90YgN9_1bDag4) |
194 |
195 | ## 🏗 Specifications
196 | | **Specification** | **Description** |
197 | |------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|
198 | | [OpenAPI Specification (OAS)](https://swagger.io/specification/) | A standard for describing and documenting RESTful APIs. |
199 | | [JSON Web Tokens (JWT)](https://jwt.io/introduction) | A compact, URL-safe means of representing claims to be transferred between parties. |
200 | | [OAuth 2.0](https://oauth.net/2/) | A widely-adopted authorization framework for securing API access. |
201 | | [OpenID Connect](https://openid.net/connect/) | An identity layer built on top of OAuth 2.0 for authentication and single sign-on. |
202 | | [GraphQL](https://graphql.org/) | A query language for APIs and a runtime for executing queries against your data. |
203 | | [JSON:API](https://jsonapi.org/) | A specification for building APIs in JSON. |
204 | | [HAL (Hypertext Application Language)](http://stateless.co/hal_specification.html) | A standard for describing RESTful APIs using hypermedia. |
205 | | [API Blueprint](https://apiblueprint.org/) | A high-level API design language for describing and designing APIs. |
206 | | [RAML (RESTful API Modeling Language)](https://raml.org/) | A language for describing and designing RESTful APIs in a human-readable format. |
207 | | [WS-Security](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss) | A set of specifications for securing SOAP-based web services. |
208 |
209 | ## 🎙 Podcast
210 | | **Podcast** | **Description** |
211 | |------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
212 | | [The Secure Developer](https://www.heavybit.com/library/podcasts/the-secure-developer/) | A podcast that discusses security best practices for developers, including API security topics. |
213 | | [Application Security Weekly](https://securityweekly.com/shows/appsec-weekly/) | A weekly podcast covering application security news, including API security updates. |
214 | | [The New Stack Podcast](https://thenewstack.io/podcasts/) | A podcast that covers various technology topics, occasionally featuring API security discussions. |
215 | | [The CyberWire Daily Podcast](https://thecyberwire.com/podcasts/daily-podcast) | A daily cybersecurity news podcast that occasionally discusses API security. |
216 | | [Security Now](https://twit.tv/shows/security-now) | A weekly podcast discussing a wide range of security topics, including API security. |
217 | | [Darknet Diaries](https://darknetdiaries.com/) | A podcast that tells true stories from the dark side of the internet, occasionally featuring episodes about API security incidents. |
218 | | [Risky Business](https://risky.biz/netcasts/risky-business/) | A podcast that covers information security news and events, sometimes discussing API security. |
219 | | [Smashing Security](https://www.smashingsecurity.com/) | A cybersecurity podcast that occasionally discusses API security topics. |
220 | | [The Privacy, Security, & OSINT Show](https://inteltechniques.com/podcast.html) | A podcast focusing on privacy, security, and open-source intelligence topics, occasionally featuring API security discussions. |
221 |
222 | ## 🗂 Wikis & Collections
223 | | **Collection** | **Description** |
224 | |----------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------|
225 | | [OWASP API Security Project](https://owasp.org/www-project-api-security/) | An OWASP project that provides resources and guidelines on API security. |
226 | | [API Security Encyclopedia](https://www.apisecurity.io/encyclopedia/) | A comprehensive encyclopedia of API security terms and concepts. |
227 | | [API Security on Infosec](https://www.infosecinstitute.com/topics/api-security/) | A collection of API security articles and resources by Infosec Institute. |
228 | | [API Security on DZone](https://dzone.com/security) | A collection of API security articles, tutorials, and news on DZone. |
229 | | [API Security on Medium](https://medium.com/tag/api-security) | A collection of API security articles and stories on Medium, contributed by various authors. |
230 | | [API Security on Hacker Noon](https://hackernoon.com/tagged/api-security) | A collection of API security articles on Hacker Noon, contributed by various authors. |
231 | | [API Security on Dev.to](https://dev.to/t/apisecurity) | A collection of API security articles, tutorials, and discussions on Dev.to. |
232 | | [API Security on Reddit](https://www.reddit.com/r/apisecurity/) | A subreddit dedicated to API security, featuring articles, discussions, and resources. |
233 |
234 | ## 🗺 Mind Maps
235 | | **Mind Map** | **Description** |
236 | |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|
237 | | [API Security Mind Map](https://dsopas.github.io/MindAPI/play/) | A visual representation of various API security concepts and best practices. |
238 | | [REST API Security Mind Map](https://www.mindmeister.com/555874413/rest-api) | A mind map that covers key security aspects of RESTful APIs. |
239 | | [OAuth 2.0 Mind Map](https://luisfsgoncalves.wordpress.com/2016/06/26/oauth-2-0-mind-map/) | A visual representation of OAuth 2.0 concepts and components, which are crucial for API security. |
240 | | [API Security Testing Mind Map](https://media-exp1.licdn.com/dms/document/C561FAQFMUiAa5fYPhg/feedshare-document-pdf-analyzed/0/1649057128703?e=2147483647&v=beta&t=2MXCYdO_Lpeq1vXOFgwr4exZT-gw16kAhaGG9ZapsH4) | A mind map that provides an overview of API security testing concepts and techniques. |
241 | | [API Management Mind Map](https://media-exp1.licdn.com/dms/document/C561FAQFMUiAa5fYPhg/feedshare-document-pdf-analyzed/0/1649057128703?e=2147483647&v=beta&t=2MXCYdO_Lpeq1vXOFgwr4exZT-gw16kAhaGG9ZapsH4) | A mind map covering various aspects of API management, including security considerations. |
242 | | [Web Services Security Mind Map](https://github.com/nmmcon/MindMaps/blob/532ee4a6ecfad1c7df3cc186b0538477d9e838d8/WebApplicationVulnerabilities.png) | A mind map that delves into security aspects of web services, including APIs. |
243 |
244 | ## 📜 Newseltters
245 | | **Newsletter** | **Description** |
246 | |-------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|
247 | | [The Hacker New](https://thehackernews.com/search/label/API%20Security) | A blog and newsletter that covers various API topics, including security. |
248 | | [API Evangelist](http://apievangelist.com/) | A blog and newsletter by Kin Lane that covers various API topics, including security. |
249 | | [The New Stack](https://thenewstack.io/) | A platform for news and analysis on various technology topics, including API security. Subscribe to their newsletter for regular updates. |
250 | | [Secjuice](https://www.secjuice.com/) | A cybersecurity publication with a dedicated section for API security articles. Subscribe to their newsletter for updates. |
251 | | [Security Weekly](https://securityweekly.com/) | A cybersecurity podcast network and newsletter that occasionally covers API security topics. |
252 | | [StatusCode Weekly](https://webopsweekly.com/) | A weekly newsletter that covers web operations and occasionally includes API security articles. |
253 |
254 | ## ⚙ Projects
255 | | **Project** | **Description** |
256 | |---------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|
257 | | [OWASP API Security Project](https://owasp.org/www-project-api-security/) | An open-source project that aims to provide guidance and resources for API security. |
258 | | [API Security Checklist](https://github.com/shieldfy/API-Security-Checklist) | A GitHub repository containing a checklist of essential security measures for API developers. |
259 | | [API Security in Action](https://www.manning.com/books/api-security-in-action) | A book that contains sample projects and code for implementing API security best practices. |
260 | | [ModSecurity](https://www.github.com/SpiderLabs/ModSecurity) | An open-source web application firewall (WAF) that can help protect APIs. |
261 | | [ZAP API Scan](https://www.zaproxy.org/docs/docker/api-scan/) | A ZAP add-on that automates API security scanning. |
262 | | [RESTler](https://github.com/microsoft/restler-fuzzer) | Microsoft's open-source, stateful REST API fuzzer for automatically testing API security. |
263 | | [GraphQL Shield](https://github.com/maticzav/graphql-shield) | A library for securing GraphQL APIs with fine-grained access control. |
264 |
265 |
266 | ## 🤝 Contributing
267 | We welcome contributions from developers of all skill levels! Check out our [Contribution Guidelines](.github/CONTRIBUTING.md) to learn how you can contribute to *awesome-api-security-essentials*.
268 |
269 | ## 📖 License
270 | Except as otherwise noted **awesome-api-security-essentials** is licensed under the *[Apache License, Version 2.0](/License)* .
271 |
272 | ## 🌐 Join Our Community
273 | Connect with other **API Security** enthusiasts and contributors by joining our [discord community](https://discord.gg/NvXBX4Jd2v). Share your experiences, ask questions, and collaborate on this exciting project!
274 |
275 | ## 📣 Stay Informed
276 | Keep up-to-date with the latest news, updates, and announcements by following us on [Twitter](https://twitter.com/jayesh_ahire1) and [Linkedin](https://www.linkedin.com/company/api-security-community/).
277 |
278 |
279 |
280 | [contributors-shield]: https://img.shields.io/github/contributors/jbahire/awesome-api-security.svg?style=for-the-badge
281 | [contributors-url]: https://github.com/jbahire/awesome-api-security/graphs/contributors
282 | [github-actions-shield]: https://img.shields.io/github/workflow/status/jbahire/awesome-api-security/e2e%20test?color=orange&label=e2e-test&logo=github&logoColor=orange&style=for-the-badge
283 | [github-actions-url]: https://github.com/jbahire/awesome-api-security/actions/workflows/docker-tests.yml
284 | [forks-shield]: https://img.shields.io/github/forks/jbahire/awesome-api-security.svg?style=for-the-badge
285 | [forks-url]: https://github.com/jbahire/awesome-api-security/network/members
286 | [stars-shield]: https://img.shields.io/github/stars/jbahire/awesome-api-security.svg?style=for-the-badge
287 | [stars-url]: https://github.com/jbahire/awesome-api-security/stargazers
288 | [issues-shield]: https://img.shields.io/github/issues/jbahire/awesome-api-security.svg?style=for-the-badge
289 | [issues-url]: https://github.com/jbahire/awesome-api-security/issues
290 | [twitter-shield]: https://img.shields.io/badge/-Twitter-black.svg?style=for-the-badge&logo=twitter&colorB=555
291 | [twitter-url]: https://twitter.com/jayesh_ahire1
292 |
--------------------------------------------------------------------------------