Web Application Security

  1. API Security
    1. API Security Fundamentals
      1. API Types and Architectures
        1. REST APIs
        2. SOAP APIs
        3. GraphQL APIs
        4. gRPC APIs
      2. API Attack Surface
        1. Endpoints
        2. Parameters
        3. Headers
        4. Authentication Mechanisms
    2. OWASP API Security Top 10
      1. Broken Object Level Authorization
        1. IDOR in APIs
        2. Resource Access Control
      2. Broken User Authentication
        1. Authentication Bypass
        2. Token Vulnerabilities
      3. Excessive Data Exposure
        1. Over-Fetching Data
        2. Sensitive Data Leakage
      4. Lack of Resources and Rate Limiting
        1. Resource Exhaustion
        2. DoS Prevention
      5. Broken Function Level Authorization
        1. Administrative Function Access
        2. Privilege Escalation
      6. Mass Assignment
        1. Parameter Pollution
        2. Object Property Manipulation
      7. Security Misconfiguration
        1. Default Configurations
        2. Verbose Error Messages
      8. Injection Vulnerabilities
        1. SQL Injection in APIs
        2. NoSQL Injection in APIs
        3. Command Injection
      9. Improper Assets Management
        1. API Versioning
        2. Deprecated Endpoints
        3. Documentation Management
      10. Insufficient Logging and Monitoring
        1. API Activity Logging
        2. Anomaly Detection
        3. Incident Response
    3. API Authentication and Authorization
      1. API Key Management
        1. Key Generation
        2. Key Distribution
        3. Key Rotation
        4. Key Revocation
      2. OAuth 2.0 for APIs
        1. Bearer Tokens
        2. Scope-Based Authorization
        3. Token Introspection
      3. JWT for APIs
        1. Token Structure
        2. Claims Validation
        3. Token Signing
      4. mTLS Authentication
        1. Client Certificate Authentication
        2. Certificate Management
    4. API-Specific Security Controls
      1. Input Validation for APIs
        1. Schema Validation
        2. Parameter Validation
        3. Content-Type Validation
      2. Output Filtering
        1. Response Filtering
        2. Data Minimization
      3. Rate Limiting for APIs
        1. Per-User Rate Limits
        2. Per-Endpoint Rate Limits
        3. Burst Protection
      4. API Versioning Security
        1. Backward Compatibility
        2. Deprecation Strategies
    5. Securing Different API Types
      1. REST API Security
        1. HTTP Method Security
        2. Resource-Based Security
        3. Stateless Authentication
      2. GraphQL Security
        1. Query Complexity Analysis
        2. Query Depth Limiting
        3. Introspection Disabling
        4. Authorization in GraphQL
      3. SOAP API Security
        1. WS-Security Standards
        2. XML Signature
        3. XML Encryption
        4. SOAP Fault Handling