Bay Area OWASP Meetup - Cequence Security Talk on API Security

Event: October Meet

Existing Approaches Fall Short

Shadow APIs - unknown

Drivers of API as an attack vector

  • insufficient visibility
  • insufficient inventory tracking (OWASP API9)
  • poor quality assurance
  • no formal publication process
  • internal APIs publicly exposed

Abuse Examples

  • sneaker bots
  • third party payment APIs
  • credit/gift card checking
  • content scraping

APIs and Bots: Inextricably Connected

  • API10+: API Abuse that encompasses the different ways a perfectly coded API might be abused

Continuous API Protection Lifecycle - Unified API Protection

  • Discovery - Identify ALL Public Facing APIs
  • Inventory - Provide Unified Inventory of ALL APIs
  • Compliance - Ensure Adherence to Security and Governance Best Practices
  • Detection - Detect attacks as they happen
  • Prevention - Block attacks natively in real time
  • Testing - secure new APIs before go-live
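
The Discovery and Inventory steps above, as an added Python example (not code from the talk or from any vendor product): it normalizes request paths seen in access logs and reports endpoints that answer traffic but are missing from the documented inventory. The inventory set, the log lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed inventory: endpoints the organization believes it publishes
# (in practice this would be loaded from an OpenAPI spec or gateway config).
DOCUMENTED = {
    ("GET", "/v1/products/{id}"),
    ("GET", "/v1/stores/{id}/inventory"),
    ("POST", "/v1/login"),
}

# Constructed access-log lines in common log format.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "GET /v1/products/1842 HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:01:03 +0000] "GET /v1/stores/77/inventory?sku=1842 HTTP/1.1" 200 301
198.51.100.9 - - [01/Jan/2024:10:01:05 +0000] "POST /v1/login HTTP/1.1" 401 64
198.51.100.9 - - [01/Jan/2024:10:01:06 +0000] "GET /v0/stores/77/inventory HTTP/1.1" 200 298
198.51.100.9 - - [01/Jan/2024:10:01:07 +0000] "GET /internal/users/5f1c2a9e-3b7d-4c1a-9e2f-0a1b2c3d4e5f HTTP/1.1" 200 940
198.51.100.9 - - [01/Jan/2024:10:01:08 +0000] "GET /internal/users/12 HTTP/1.1" 200 940
192.0.2.44 - - [01/Jan/2024:10:01:09 +0000] "GET /v1/nope/3 HTTP/1.1" 404 0
"""

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Path segments treated as object identifiers: integers and UUIDs.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I)


def normalize(path):
    """Drop the query string and collapse identifier segments to {id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(p) else p for p in path.split("/"))


def find_shadow_endpoints(log_text, documented):
    """Count requests to routes that exist (non-404) but are not in the inventory."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m or m["status"] == "404":
            continue  # unparsable line, or the route does not exist
        key = (m["method"], normalize(m["path"]))
        if key not in documented:
            hits[key] += 1
    return hits


if __name__ == "__main__":
    for (method, route), count in find_shadow_endpoints(SAMPLE_LOG, DOCUMENTED).items():
        print(f"undocumented: {method} {route} ({count} requests)")
```

Each reported route is a candidate for the Inventory and Compliance steps: either it gets documented and reviewed, or it gets taken off the public edge.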

Real World Stories

SIM Swapping and Broken Object Level AUTH (OWASP API1)

Stealing your phone without touching it, then gaining access to financial info, etc.

If the API says it can't port the phone number over, that means the number already belongs to a customer.

Inventory Validation Attack

Local inventory search API targeted by massive attack

Attackers leveraged:

  • 3rd party API used to help customers find products locally
  • API4 - Lack of resource and rate limiting
  • API5 - Broken function level auth


  • Targeting hot product availability and location for efficient smash and grab shoplifting
  • ULTA - There are apps/companies, like junior DoorDash/Instacart, that offer same-day delivery even though they have no affiliation.

The Unholy Trinity: Becoming a commonly observed tactic

How it works:

  • Validate account via credential stuffing
  • Collect information returned
  • Use knowledge of APIs to find shadow APIs of similar format