A super crisp talk by Philippe on the API security pitfalls. And here are some bookmarks from the talk for ready reference.
- OWASP Underprotected APIs vulnerabilities [2:10]
- Brute force attacks & lack of *different* rate limits for different APIs [6:08]
- IDOR vulnerabilities & lack of proper authorization [8:05]
- Scaling: the need to move authorization state, a.k.a. sessions, to clients using JWT [13:04]
  - JWT basics
  - Integrity checks for JWT
- Mishandling client-side auth headers [17:15]
- HMAC-based JWT signatures [17:57]
- Symmetric (shared secrets) vs asymmetric JWT signatures [22:22]
- Key management [23:00]
- Cookies vs custom Authorization headers [25:00]
- CORS policies [30:00]
  - Enforcing strict CORS policies
- Input validation [34:44]
  - Not the primary last line of defense
  - Not for complex data
- Compartmentalizing your APIs [37:30]
All in all a pretty good talk.
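The bookmarks above on JWT integrity checks and HMAC-based signatures cover the points a verifier most often gets wrong. The following is an added example, not code from the talk or from the commenter: a minimal HS256 sign/verify pair in plain Python (stdlib only), with a constructed set of forgeries a correct verifier must reject. The secret, claims and timestamps are all made up for the example; in production the key would come from a key-management system, not from source code.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical shared secret for HS256 (constructed for this example only).
SECRET = b"constructed-example-secret-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def _json_b64(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 token over the given claims."""
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pitfall 1: never let the token pick the algorithm. Pin it server-side,
    # which also kills the "alg": "none" forgery.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Pitfall 2: compare MACs in constant time, not with ==.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Pitfall 3: a valid signature only proves integrity; expiry is a separate check.
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def token_is_valid(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> bool:
    try:
        verify_jwt(token, secret, now)
        return True
    except ValueError:
        return False


def demo_attacks(now: float = 1_700_000_000) -> dict:
    """Constructed scenarios: one good token and three forgeries that must fail."""
    claims = {"sub": "user-42", "role": "user", "exp": 2_000_000_000}
    token = sign_jwt(claims)
    header_b64, _payload_b64, sig_b64 = token.split(".")

    # Attacker swaps the payload for role=admin but cannot recompute the MAC.
    tampered_payload = _json_b64({**claims, "role": "admin"})
    tampered = f"{header_b64}.{tampered_payload}.{sig_b64}"

    # Classic "alg": "none" forgery: header rewritten, signature dropped.
    alg_none = f'{_json_b64({"alg": "none", "typ": "JWT"})}.{tampered_payload}.'

    # Correctly signed, but already expired.
    expired = sign_jwt({**claims, "exp": now - 1})

    return {
        "valid": token_is_valid(token, now=now),
        "tampered": token_is_valid(tampered, now=now),
        "alg_none": token_is_valid(alg_none, now=now),
        "expired": token_is_valid(expired, now=now),
    }


if __name__ == "__main__":
    print(demo_attacks())
```

The three checks are independent: pinning the algorithm does nothing against a tampered payload, and a correct MAC comparison does nothing against a stale token, so a verifier needs all of them. Swapping HS256 for an asymmetric algorithm changes only the signature step; the alg pinning and expiry logic stay the same.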
Great talk. Concise analysis of the topic.
This talk is really good.
Great talk!
Thanks 😊
I will review his presentations a couple of times...
Oh...
Poor cameraman.
After reading this comment, I lost all the focus on the presentation and was just watching the camera move.. hahaha 😂
Such a typical German lecture, extremely boring
I know that Philippe's talks are usually not super-sexy and mind-blowing entertaining, but still really relevant. I am curious why you label it "typical German" though.