A vulnerability in the context of software applications is a violation of the defined security policies. Modern web apps are centered on the idea of keeping the workflow logic in the client side and its interaction with the server using APIs (application programming interface). Developers try to make the APIs as stateless as possible, in accordance with the REST principles. This, however, adds a new attack surface. Poorly designed APIs are often subjected to attacks. Here are top 5 API vulnerabilities that you need to take care of in 2017:
Poorly designed APIs are often a target of DDoS attacks. Often developers do not put rate limits on the APIs, or block malicious requests. Sometimes API endpoints have complex logic behind them which is computationally heavy to run, like authentication logic that requires a hashing algorithm like Bcrpyt. When an attacker finds out such an endpoint, they spam it with requests taking the whole system down. Such endpoints should be served independently from the main APIs so that limited functionality is affected in an attack. Rate limits should also be applied differently to different APIs; authenticated users may raise their rate limits though.
2. Enumerated Resources
APIs that have enumerated resources are a …
Read More on Datafloq