www.group-ib.com
3.72.181.255
Public Scan
URL:
https://www.group-ib.com/blog/api-security-best-practices/
Submission: On May 30 via api from US — Scanned from DE
Form analysis
3 forms found in the DOM
POST https://forms-eu1.hsforms.com/submissions/v3/public/submit/formsnext/multipart/25755956/044e7558-8073-478a-ad3c-5807dd76840f
<form id="hsForm_044e7558-8073-478a-ad3c-5807dd76840f" method="POST" accept-charset="UTF-8" enctype="multipart/form-data" novalidate=""
action="https://forms-eu1.hsforms.com/submissions/v3/public/submit/formsnext/multipart/25755956/044e7558-8073-478a-ad3c-5807dd76840f"
class="hs-form-private hsForm_044e7558-8073-478a-ad3c-5807dd76840f hs-form-044e7558-8073-478a-ad3c-5807dd76840f hs-form-044e7558-8073-478a-ad3c-5807dd76840f_8dda3e56-946b-45f1-855c-d45a6bc741dc hs-form stacked"
target="target_iframe_044e7558-8073-478a-ad3c-5807dd76840f" data-instance-id="8dda3e56-946b-45f1-855c-d45a6bc741dc" data-form-id="044e7558-8073-478a-ad3c-5807dd76840f" data-portal-id="25755956" data-hs-cf-bound="true"
data-nb-form="57ccb31a-e542-4056-9cdd-a258a6a078de">
<div class="hs_firstname hs-firstname hs-fieldtype-text field hs-form-field"><label id="label-firstname-044e7558-8073-478a-ad3c-5807dd76840f" class="" placeholder="Enter your "
for="firstname-044e7558-8073-478a-ad3c-5807dd76840f"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="firstname-044e7558-8073-478a-ad3c-5807dd76840f" name="firstname" required="" placeholder="First name*" type="text" class="hs-input" inputmode="text" autocomplete="given-name" value=""></div>
</div>
<div class="hs_lastname hs-lastname hs-fieldtype-text field hs-form-field"><label id="label-lastname-044e7558-8073-478a-ad3c-5807dd76840f" class="" placeholder="Enter your " for="lastname-044e7558-8073-478a-ad3c-5807dd76840f"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="lastname-044e7558-8073-478a-ad3c-5807dd76840f" name="lastname" required="" placeholder="Last name*" type="text" class="hs-input" inputmode="text" autocomplete="family-name" value=""></div>
</div>
<div class="hs_email hs-email hs-fieldtype-text field hs-form-field"><label id="label-email-044e7558-8073-478a-ad3c-5807dd76840f" class="" placeholder="Enter your " for="email-044e7558-8073-478a-ad3c-5807dd76840f"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="email-044e7558-8073-478a-ad3c-5807dd76840f" name="email" required="" placeholder="Email*" type="email" class="hs-input" inputmode="email" autocomplete="email" value=""
data-nb-id="57ccb31a-e542-4056-9cdd-a258a6a078de"></div>
</div>
<div class="hs_phone hs-phone hs-fieldtype-phonenumber field hs-form-field"><label id="label-phone-044e7558-8073-478a-ad3c-5807dd76840f" class="" placeholder="Enter your " for="phone-044e7558-8073-478a-ad3c-5807dd76840f"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="phone-044e7558-8073-478a-ad3c-5807dd76840f" name="phone" placeholder="Phone number" type="tel" class="hs-input" inputmode="tel" autocomplete="tel" value=""></div>
</div>
<div class="hs_comment hs-comment hs-fieldtype-textarea field hs-form-field"><label id="label-comment-044e7558-8073-478a-ad3c-5807dd76840f" class="" placeholder="Enter your " for="comment-044e7558-8073-478a-ad3c-5807dd76840f"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><textarea id="comment-044e7558-8073-478a-ad3c-5807dd76840f" class="hs-input hs-fieldtype-textarea" name="comment" required="" placeholder="Incident description*"></textarea></div>
</div>
<div class="hs_latest_form_submitted hs-latest_form_submitted hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-latest_form_submitted-044e7558-8073-478a-ad3c-5807dd76840f" class=""
placeholder="Enter your Latest Form Submitted" for="latest_form_submitted-044e7558-8073-478a-ad3c-5807dd76840f"><span>Latest Form Submitted</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="latest_form_submitted" class="hs-input" type="hidden" value="COM-System-Report an incident"></div>
</div>
<div class="hs_utm_campaign hs-utm_campaign hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_campaign-044e7558-8073-478a-ad3c-5807dd76840f" class="" placeholder="Enter your utm_campaign"
for="utm_campaign-044e7558-8073-478a-ad3c-5807dd76840f"><span>utm_campaign</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_campaign" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_content hs-utm_content hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_content-044e7558-8073-478a-ad3c-5807dd76840f" class="" placeholder="Enter your utm_content"
for="utm_content-044e7558-8073-478a-ad3c-5807dd76840f"><span>utm_content</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_content" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_medium hs-utm_medium hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_medium-044e7558-8073-478a-ad3c-5807dd76840f" class="" placeholder="Enter your utm_medium"
for="utm_medium-044e7558-8073-478a-ad3c-5807dd76840f"><span>utm_medium</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_medium" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_source hs-utm_source hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_source-044e7558-8073-478a-ad3c-5807dd76840f" class="" placeholder="Enter your utm_source"
for="utm_source-044e7558-8073-478a-ad3c-5807dd76840f"><span>utm_source</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_source" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_term__c hs-utm_term__c hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_term__c-044e7558-8073-478a-ad3c-5807dd76840f" class="" placeholder="Enter your utm_term"
for="utm_term__c-044e7558-8073-478a-ad3c-5807dd76840f"><span>utm_term</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_term__c" class="hs-input" type="hidden" value=""></div>
</div>
<div class="legal-consent-container">
<div>
<div class="hs-dependent-field">
<div class="hs_LEGAL_CONSENT.subscription_type_136902391 hs-LEGAL_CONSENT.subscription_type_136902391 hs-fieldtype-booleancheckbox field hs-form-field">
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input">
<ul class="inputs-list" required="">
<li class="hs-form-booleancheckbox"><label for="LEGAL_CONSENT.subscription_type_136902391-044e7558-8073-478a-ad3c-5807dd76840f" class="hs-form-booleancheckbox-display"><input
id="LEGAL_CONSENT.subscription_type_136902391-044e7558-8073-478a-ad3c-5807dd76840f" class="hs-input" type="checkbox" name="LEGAL_CONSENT.subscription_type_136902391" value="true"><span>
<p>I understand and agree that my personal data will be collected and processed according to the <a href="https://www.group-ib.com/policy.html" target="_blank" rel="noopener">Privacy and Cookies Policy</a> and
unconditionally agree and accept the <a href="https://www.group-ib.com/term-of-use.html" target="_blank" rel="noopener">Terms of Use</a></p><span class="hs-form-required">*</span>
</span></label></li>
</ul>
</div>
</div>
</div>
<legend class="hs-field-desc checkbox-desc" style="display: none;"></legend>
</div>
</div>
<div class="hs_submit hs-submit">
<div class="hs-field-desc" style="display: none;"></div>
<div class="actions"><input type="submit" class="hs-button primary large" value="Send report"></div>
</div><input name="hs_context" type="hidden"
value="{"embedAtTimestamp":"1685440684119","formDefinitionUpdatedAt":"1663062813967","lang":"en","legalConsentOptions":"{\"communicationConsentCheckboxes\":[{\"communicationTypeId\":136902391,\"label\":\"<p>I understand and &nbsp;agree that my personal data will be collected and processed according to the <a href=\\\"https://www.group-ib.com/policy.html\\\" target=\\\"_blank\\\" rel=\\\"noopener\\\">Privacy and Cookies Policy</a> and unconditionally agree and accept the <a href=\\\"https://www.group-ib.com/term-of-use.html\\\" target=\\\"_blank\\\" rel=\\\"noopener\\\">Terms of Use</a></p>\",\"required\":true}],\"legitimateInterestLegalBasis\":\"LEGITIMATE_INTEREST_PQL\",\"processingConsentType\":\"IMPLICIT\",\"processingConsentCheckboxLabel\":\"<p>I agree to allow Group-IB to store and process my personal data.</p>\",\"isLegitimateInterest\":false}","embedType":"REGULAR","clonedFromForm":"fec8ebd7-2fbb-428e-adb1-2ed1cfb1849c","renderRawHtml":"true","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.126 Safari/537.36","pageTitle":"Bridging the gap: How to leverage API security best practices to combat top 3 vulnerability types | Group-IB 
Blog","pageUrl":"https://www.group-ib.com/blog/api-security-best-practices/","referrer":"https://www.group-ib.com/blog/api-security-best-practices/","isHubSpotCmsGeneratedPage":false,"hutk":"80f4e8e38c75ff3450789a2356a539b8","__hsfp":1944070336,"__hssc":"84897990.1.1685440686111","__hstc":"84897990.80f4e8e38c75ff3450789a2356a539b8.1685440686111.1685440686111.1685440686111.1","formTarget":"#hbspt-form-8dda3e56-946b-45f1-855c-d45a6bc741dc","boolCheckBoxFields":"LEGAL_CONSENT.subscription_type_136902391","locale":"en","timestamp":1685440686145,"originalEmbedContext":{"portalId":"25755956","formId":"044e7558-8073-478a-ad3c-5807dd76840f","region":"eu1","target":"#hbspt-form-8dda3e56-946b-45f1-855c-d45a6bc741dc","isBuilder":false,"isTestPage":false,"isPreview":false,"isMobileResponsive":true},"correlationId":"8dda3e56-946b-45f1-855c-d45a6bc741dc","renderedFieldsIds":["firstname","lastname","email","phone","comment","latest_form_submitted","utm_campaign","utm_content","utm_medium","utm_source","utm_term__c","LEGAL_CONSENT.subscription_type_136902391"],"captchaStatus":"NOT_APPLICABLE","emailResubscribeStatus":"NOT_APPLICABLE","isInsideCrossOriginFrame":false,"source":"forms-embed-1.3243","sourceName":"forms-embed","sourceVersion":"1.3243","sourceVersionMajor":"1","sourceVersionMinor":"3243","_debug_allPageIds":{},"_debug_embedLogLines":[{"clientTimestamp":1685440684424,"level":"INFO","message":"Retrieved pageContext values which may be overriden by the embed context: {\"pageTitle\":\"Bridging the gap: How to leverage API security best practices to combat top 3 vulnerability types | Group-IB Blog\",\"pageUrl\":\"https://www.group-ib.com/blog/api-security-best-practices/\",\"referrer\":\"https://www.group-ib.com/blog/api-security-best-practices/\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.126 
Safari/537.36\",\"isHubSpotCmsGeneratedPage\":false}"},{"clientTimestamp":1685440684428,"level":"INFO","message":"Retrieved countryCode property from normalized embed definition response: \"DE\""},{"clientTimestamp":1685440686136,"level":"INFO","message":"Retrieved analytics values from API response which may be overriden by the embed context: {\"hutk\":\"80f4e8e38c75ff3450789a2356a539b8\"}"}]}"><iframe
name="target_iframe_044e7558-8073-478a-ad3c-5807dd76840f" style="display: none;"></iframe>
</form>
POST https://forms-eu1.hsforms.com/submissions/v3/public/submit/formsnext/multipart/25755956/4dbceae1-75ae-423a-9c12-dee8f1ca3345
<form id="hsForm_4dbceae1-75ae-423a-9c12-dee8f1ca3345" method="POST" accept-charset="UTF-8" enctype="multipart/form-data" novalidate=""
action="https://forms-eu1.hsforms.com/submissions/v3/public/submit/formsnext/multipart/25755956/4dbceae1-75ae-423a-9c12-dee8f1ca3345"
class="hs-form-private hsForm_4dbceae1-75ae-423a-9c12-dee8f1ca3345 hs-form-4dbceae1-75ae-423a-9c12-dee8f1ca3345 hs-form-4dbceae1-75ae-423a-9c12-dee8f1ca3345_b6390e52-58ea-49e4-a18c-832119abcb57 hs-form stacked"
target="target_iframe_4dbceae1-75ae-423a-9c12-dee8f1ca3345" data-instance-id="b6390e52-58ea-49e4-a18c-832119abcb57" data-form-id="4dbceae1-75ae-423a-9c12-dee8f1ca3345" data-portal-id="25755956" data-hs-cf-bound="true"
data-nb-form="88e95596-f162-414a-8d22-5943d760b5c4">
<div class="hs_product_service hs-product_service hs-fieldtype-select field hs-form-field"><label id="label-product_service-4dbceae1-75ae-423a-9c12-dee8f1ca3345" class="" placeholder="Enter your "
for="product_service-4dbceae1-75ae-423a-9c12-dee8f1ca3345"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><select id="product_service-4dbceae1-75ae-423a-9c12-dee8f1ca3345" required="" class="hs-input is-placeholder" name="product_service">
<option disabled="" value="">Please choose a product/service you are interested in*</option>
<option value="Attack Surface Management">Attack Surface Management</option>
<option value="Business Email Protection">Business Email Protection</option>
<option value="Digital Risk Protection">Digital Risk Protection</option>
<option value="Education">Education</option>
<option value="Fraud Protection">Fraud Protection</option>
<option value="Incident Response">Incident Response</option>
<option value="Investigations">Investigations</option>
<option value="Managed XDR">Managed XDR</option>
<option value="Security Audit">Security Audit</option>
<option value="Threat Intelligence">Threat Intelligence</option>
</select></div>
</div>
<div class="hs_email hs-email hs-fieldtype-text field hs-form-field"><label id="label-email-4dbceae1-75ae-423a-9c12-dee8f1ca3345" class="" placeholder="Enter your " for="email-4dbceae1-75ae-423a-9c12-dee8f1ca3345"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="email-4dbceae1-75ae-423a-9c12-dee8f1ca3345" name="email" required="" placeholder="Business Email*" type="email" class="hs-input" inputmode="email" autocomplete="email" value=""
data-nb-id="88e95596-f162-414a-8d22-5943d760b5c4"></div>
</div>
<div class="hs_firstname hs-firstname hs-fieldtype-text field hs-form-field"><label id="label-firstname-4dbceae1-75ae-423a-9c12-dee8f1ca3345" class="" placeholder="Enter your "
for="firstname-4dbceae1-75ae-423a-9c12-dee8f1ca3345"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="firstname-4dbceae1-75ae-423a-9c12-dee8f1ca3345" name="firstname" required="" placeholder="First name*" type="text" class="hs-input" inputmode="text" autocomplete="given-name" value=""></div>
</div>
<div class="hs_lastname hs-lastname hs-fieldtype-text field hs-form-field"><label id="label-lastname-4dbceae1-75ae-423a-9c12-dee8f1ca3345" class="" placeholder="Enter your " for="lastname-4dbceae1-75ae-423a-9c12-dee8f1ca3345"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="lastname-4dbceae1-75ae-423a-9c12-dee8f1ca3345" name="lastname" required="" placeholder="Last name*" type="text" class="hs-input" inputmode="text" autocomplete="family-name" value=""></div>
</div>
<div class="hs_company hs-company hs-fieldtype-text field hs-form-field"><label id="label-company-4dbceae1-75ae-423a-9c12-dee8f1ca3345" class="" placeholder="Enter your " for="company-4dbceae1-75ae-423a-9c12-dee8f1ca3345"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="company-4dbceae1-75ae-423a-9c12-dee8f1ca3345" name="company" required="" placeholder="Company*" type="text" class="hs-input" inputmode="text" autocomplete="organization" value=""></div>
</div>
<div class="hs_position hs-position hs-fieldtype-select field hs-form-field"><label id="label-position-4dbceae1-75ae-423a-9c12-dee8f1ca3345" class="" placeholder="Enter your "
for="position-4dbceae1-75ae-423a-9c12-dee8f1ca3345"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><select id="position-4dbceae1-75ae-423a-9c12-dee8f1ca3345" required="" class="hs-input is-placeholder" name="position">
<option disabled="" value="">Job Title*</option>
<option value="CEO">CEO</option>
<option value="Fraud - Director/Analyst">Anti-Fraud Team</option>
<option value="Information Security - CISO/VP">Information Security - CISO/VP</option>
<option value="Information Security - Director/Head">Information Security - Director/Head</option>
<option value="Information Security - Team Lead/Manager">Information Security - Team Lead/Manager</option>
<option value="Information Security - Analyst/Engineer/Specialist/Consultant">Information Security - Analyst/Engineer/Specialist/Consultant</option>
<option value="Information Security - Other">Information Security - Other</option>
<option value="Threat Intelligence - Devision lead/Director/Head">Threat Intelligence - Devision lead/Director/Head</option>
<option value="Threat Intelligence - Analyst/Specialist/Researcher/Manager/Engineer">Threat Intelligence - Analyst/Specialist/Researcher/Manager/Engineer</option>
<option value="IT - CTO/CIO/VP">IT - CTO/CIO/VP</option>
<option value="IT - Director/Head">IT - Director/Head</option>
<option value="IT - Team Lead/Manager">IT - Team Lead/Manager</option>
<option value="IT - Analyst/Engineer/Specialist/Consultant">IT - Analyst/Engineer/Specialist/Consultant</option>
<option value="IT - Other">IT - Other</option>
<option value="Marketing/Media - CMO/Editor-in-Chief">Marketing/Media - CMO/Editor-in-Chief</option>
<option value="Marketing/Media - Director/Head/Senior Editor">Marketing/Media - Director/Head/Senior Editor</option>
<option value="Marketing/Media - Manager/Specialist/Reporter">Marketing/Media - Manager/Specialist/Reporter</option>
<option value="Marketing/Media - Other">Marketing/Media - Other</option>
<option value="Sales/Business Development - VP">Sales/Business Development - VP</option>
<option value="Sales/Business Development - Director/Head">Sales/Business Development - Director/Head</option>
<option value="Sales/Business Development - Manager">Sales/Business Development - Manager</option>
<option value="Sales/Business Development - Other">Sales/Business Development - Other</option>
<option value="HR">HR Team</option>
<option value="Legal">Legal Team</option>
<option value="Operations">Operations Team</option>
<option value="Finance">Finance Team</option>
<option value="Education">Education Team</option>
</select></div>
</div>
<div class="hs_phone hs-phone hs-fieldtype-phonenumber field hs-form-field"><label id="label-phone-4dbceae1-75ae-423a-9c12-dee8f1ca3345" class="" placeholder="Enter your " for="phone-4dbceae1-75ae-423a-9c12-dee8f1ca3345"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="phone-4dbceae1-75ae-423a-9c12-dee8f1ca3345" name="phone" required="" placeholder="Phone number*" type="tel" class="hs-input" inputmode="tel" autocomplete="tel" value=""></div>
</div>
<div class="hs-dependent-field">
<div class="hs_country_list hs-country_list hs-fieldtype-select field hs-form-field"><label id="label-country_list-4dbceae1-75ae-423a-9c12-dee8f1ca3345" class="" placeholder="Enter your "
for="country_list-4dbceae1-75ae-423a-9c12-dee8f1ca3345"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><select id="country_list-4dbceae1-75ae-423a-9c12-dee8f1ca3345" required="" class="hs-input is-placeholder" name="country_list">
<option disabled="" value="">Country*</option>
<option value="Afghanistan">Afghanistan</option>
<option value="Albania">Albania</option>
<option value="Algeria">Algeria</option>
<option value="American Samoa">American Samoa</option>
<option value="Andorra">Andorra</option>
<option value="Angola">Angola</option>
<option value="Anguilla">Anguilla</option>
<option value="Antigua and Barbuda">Antigua and Barbuda</option>
<option value="Argentina">Argentina</option>
<option value="Armenia">Armenia</option>
<option value="Aruba">Aruba</option>
<option value="Australia">Australia</option>
<option value="Austria">Austria</option>
<option value="Azerbaijan">Azerbaijan</option>
<option value="Bahamas">Bahamas</option>
<option value="Bahrain">Bahrain</option>
<option value="Bangladesh">Bangladesh</option>
<option value="Barbados">Barbados</option>
<option value="Belarus">Belarus</option>
<option value="Belgium">Belgium</option>
<option value="Belize">Belize</option>
<option value="Benin">Benin</option>
<option value="Bermudas">Bermudas</option>
<option value="Bhutan">Bhutan</option>
<option value="Bolivia">Bolivia</option>
<option value="Bonaire">Bonaire</option>
<option value="Bosnia and Herzegovina">Bosnia and Herzegovina</option>
<option value="Botswana">Botswana</option>
<option value="Bouvet Island">Bouvet Island</option>
<option value="Brazil">Brazil</option>
<option value="British Virgin Islands">British Virgin Islands</option>
<option value="Brunei">Brunei</option>
<option value="Bulgaria">Bulgaria</option>
<option value="Burkina Faso">Burkina Faso</option>
<option value="Burundi">Burundi</option>
<option value="Cambodia">Cambodia</option>
<option value="Cameroon">Cameroon</option>
<option value="Canada">Canada</option>
<option value="Cape Verde">Cape Verde</option>
<option value="Cayman Islands">Cayman Islands</option>
<option value="Central African Republic">Central African Republic</option>
<option value="Chad">Chad</option>
<option value="Chile">Chile</option>
<option value="China">China</option>
<option value="Christmas Island">Christmas Island</option>
<option value="Cocos (Keeling) Islands">Cocos (Keeling) Islands</option>
<option value="Colombia">Colombia</option>
<option value="Comoros">Comoros</option>
<option value="Congo (Brazzaville)">Congo (Brazzaville)</option>
<option value="Congo, Democratic Republic of the">Congo, Democratic Republic of the</option>
<option value="Cook Islands">Cook Islands</option>
<option value="Costa Rica">Costa Rica</option>
<option value="Cote d'Ivoire (Ivory Coast)">Cote d'Ivoire (Ivory Coast)</option>
<option value="Croatia">Croatia</option>
<option value="Cuba">Cuba</option>
<option value="Curacao">Curacao</option>
<option value="Cyprus">Cyprus</option>
<option value="Czech Republic">Czech Republic</option>
<option value="Denmark">Denmark</option>
<option value="Djibouti">Djibouti</option>
<option value="Dominica">Dominica</option>
<option value="Dominican Republic">Dominican Republic</option>
<option value="East Timor">East Timor</option>
<option value="Ecuador">Ecuador</option>
<option value="Egypt">Egypt</option>
<option value="El Salvador">El Salvador</option>
<option value="Equatorial Guinea">Equatorial Guinea</option>
<option value="Eritrea">Eritrea</option>
<option value="Estonia">Estonia</option>
<option value="Ethiopia">Ethiopia</option>
<option value="Faroe Islands">Faroe Islands</option>
<option value="Federated States of Micronesia">Federated States of Micronesia</option>
<option value="Fiji">Fiji</option>
<option value="Finland">Finland</option>
<option value="France">France</option>
<option value="French Guiana">French Guiana</option>
<option value="French Polynesia">French Polynesia</option>
<option value="Gabon">Gabon</option>
<option value="Gambia">Gambia</option>
<option value="Georgia">Georgia</option>
<option value="Germany">Germany</option>
<option value="Ghana">Ghana</option>
<option value="Gibraltar">Gibraltar</option>
<option value="Greece">Greece</option>
<option value="Greenland">Greenland</option>
<option value="Grenada">Grenada</option>
<option value="Guadeloupe">Guadeloupe</option>
<option value="Guam">Guam</option>
<option value="Guatemala">Guatemala</option>
<option value="Guernsey and Alderney">Guernsey and Alderney</option>
<option value="Guinea">Guinea</option>
<option value="Guinea-Bissau">Guinea-Bissau</option>
<option value="Guyana">Guyana</option>
<option value="Haiti">Haiti</option>
<option value="Holy See (Vatican City)">Holy See (Vatican City)</option>
<option value="Honduras">Honduras</option>
<option value="Hong Kong">Hong Kong</option>
<option value="Hungary">Hungary</option>
<option value="Iceland">Iceland</option>
<option value="India">India</option>
<option value="Indonesia">Indonesia</option>
<option value="Iran">Iran</option>
<option value="Iraq">Iraq</option>
<option value="Ireland">Ireland</option>
<option value="Israel">Israel</option>
<option value="Italy">Italy</option>
<option value="Jamaica">Jamaica</option>
<option value="Japan">Japan</option>
<option value="Jersey">Jersey</option>
<option value="Jordan">Jordan</option>
<option value="Kazakhstan">Kazakhstan</option>
<option value="Kenya">Kenya</option>
<option value="Kiribati">Kiribati</option>
<option value="Kosovo">Kosovo</option>
<option value="Kuwait">Kuwait</option>
<option value="Kyrgyzstan">Kyrgyzstan</option>
<option value="Laos">Laos</option>
<option value="Latvia">Latvia</option>
<option value="Lebanon">Lebanon</option>
<option value="Lesotho">Lesotho</option>
<option value="Liberia">Liberia</option>
<option value="Libyan Arab Jamahiriya">Libyan Arab Jamahiriya</option>
<option value="Liechtenstein">Liechtenstein</option>
<option value="Lithuania">Lithuania</option>
<option value="Luxembourg">Luxembourg</option>
<option value="Macau">Macau</option>
<option value="Macedonia">Macedonia</option>
<option value="Madagascar">Madagascar</option>
<option value="Malawi">Malawi</option>
<option value="Malaysia">Malaysia</option>
<option value="Maldives">Maldives</option>
<option value="Mali">Mali</option>
<option value="Malta">Malta</option>
<option value="Man, Isle of">Man, Isle of</option>
<option value="Marshall Islands">Marshall Islands</option>
<option value="Martinique">Martinique</option>
<option value="Mauritania">Mauritania</option>
<option value="Mauritius">Mauritius</option>
<option value="Mayotte">Mayotte</option>
<option value="Mexico">Mexico</option>
<option value="Moldova, Rep.">Moldova, Rep.</option>
<option value="Monaco">Monaco</option>
<option value="Mongolia">Mongolia</option>
<option value="Montenegro">Montenegro</option>
<option value="Montserrat">Montserrat</option>
<option value="Morocco">Morocco</option>
<option value="Mozambique">Mozambique</option>
<option value="Myanmar">Myanmar</option>
<option value="Namibia">Namibia</option>
<option value="Nauru">Nauru</option>
<option value="Nepal">Nepal</option>
<option value="Netherlands">Netherlands</option>
<option value="New Caledonia">New Caledonia</option>
<option value="New Zealand">New Zealand</option>
<option value="Nicaragua">Nicaragua</option>
<option value="Niger">Niger</option>
<option value="Nigeria">Nigeria</option>
<option value="Niue">Niue</option>
<option value="Norfolk Island">Norfolk Island</option>
<option value="North Korea">North Korea</option>
<option value="Northern Mariana Islands">Northern Mariana Islands</option>
<option value="Norway">Norway</option>
<option value="Oman">Oman</option>
<option value="Pakistan">Pakistan</option>
<option value="Palau">Palau</option>
<option value="Palestine">Palestine</option>
<option value="Papua New Guinea">Papua New Guinea</option>
<option value="Paraguay">Paraguay</option>
<option value="Peru">Peru</option>
<option value="Philippines">Philippines</option>
<option value="Pitcairn Islands">Pitcairn Islands</option>
<option value="Poland">Poland</option>
<option value="Portugal">Portugal</option>
<option value="Puerto Rico">Puerto Rico</option>
<option value="Qatar">Qatar</option>
<option value="Republic of Panama">Republic of Panama</option>
<option value="Reunion">Reunion</option>
<option value="Romania">Romania</option>
<option value="Russian Federation">Russian Federation</option>
<option value="Rwanda">Rwanda</option>
<option value="Saba">Saba</option>
<option value="Saint Kitts and Nevis">Saint Kitts and Nevis</option>
<option value="Saint Lucia">Saint Lucia</option>
<option value="Saint Maarten">Saint Maarten</option>
<option value="Saint Pierre and Miquelon">Saint Pierre and Miquelon</option>
<option value="Saint Vincent & Grenadines">Saint Vincent & Grenadines</option>
<option value="Samoa">Samoa</option>
<option value="San Marino">San Marino</option>
<option value="Sao Tome and Principe">Sao Tome and Principe</option>
<option value="Saudi Arabia">Saudi Arabia</option>
<option value="Senegal">Senegal</option>
<option value="Serbia">Serbia</option>
<option value="Seychelles">Seychelles</option>
<option value="Sierra Leone">Sierra Leone</option>
<option value="Singapore">Singapore</option>
<option value="Sint Eustatius">Sint Eustatius</option>
<option value="Slovakia">Slovakia</option>
<option value="Slovenia">Slovenia</option>
<option value="Solomon Islands">Solomon Islands</option>
<option value="Somalia">Somalia</option>
<option value="South Africa">South Africa</option>
<option value="South Korea">South Korea</option>
<option value="South Sudan">South Sudan</option>
<option value="Spain">Spain</option>
<option value="Sri Lanka">Sri Lanka</option>
<option value="Sudan">Sudan</option>
<option value="Suriname">Suriname</option>
<option value="Svalbard And Jan Mayen Islands">Svalbard And Jan Mayen Islands</option>
<option value="Swaziland">Swaziland</option>
<option value="Sweden">Sweden</option>
<option value="Switzerland">Switzerland</option>
<option value="Syria">Syria</option>
<option value="Taiwan">Taiwan</option>
<option value="Tajikistan">Tajikistan</option>
<option value="Tanzania, United Republic of">Tanzania, United Republic of</option>
<option value="Thailand">Thailand</option>
<option value="Togo">Togo</option>
<option value="Tokelau">Tokelau</option>
<option value="Tonga">Tonga</option>
<option value="Trinidad & Tobago">Trinidad & Tobago</option>
<option value="Tunisia">Tunisia</option>
<option value="Turkey">Turkey</option>
<option value="Turkmenistan">Turkmenistan</option>
<option value="Turks & Caicos Islands">Turks & Caicos Islands</option>
<option value="Tuvalu">Tuvalu</option>
<option value="Uganda">Uganda</option>
<option value="Ukraine">Ukraine</option>
<option value="United Arab Emirates">United Arab Emirates</option>
<option value="United Kingdom">United Kingdom</option>
<option value="United States of America">United States of America</option>
<option value="Uruguay">Uruguay</option>
<option value="Uzbekistan">Uzbekistan</option>
<option value="Vanuatu">Vanuatu</option>
<option value="Venezuela">Venezuela</option>
<option value="Vietnam">Vietnam</option>
<option value="Virgin Islands, U.S.">Virgin Islands, U.S.</option>
<option value="Wake Island">Wake Island</option>
<option value="Wallis and Futuna">Wallis and Futuna</option>
<option value="Western Sahara">Western Sahara</option>
<option value="Yemen">Yemen</option>
<option value="Zambia">Zambia</option>
<option value="Zimbabwe">Zimbabwe</option>
</select></div>
</div>
</div>
</form>
Konstantin Damotsev, Penetration Tester

BRIDGING THE GAP: HOW TO LEVERAGE API SECURITY BEST PRACTICES TO COMBAT TOP 3 VULNERABILITY TYPES

Security misconfiguration, excessive data exposure, and injections are the top three API vulnerability types for financial and tech firms

May 30, 2023 · 14 min to read · Threat Landscape Overview · API security · Penetration testing · Vulnerabilities

Application programming interface (API) usage has exploded in recent years. An increased desire for connectivity between applications, the greater need for data, and the rise of the internet of things have combined to create massive growth in API traffic. According to Cloudflare, APIs accounted for more than 50% of the traffic generated by end users and connected devices in 2021.

Despite their increasing popularity, APIs are particularly vulnerable if they are not properly implemented or secured. The research and consulting firm Gartner predicted that, by 2022, API abuse would become the most frequent attack vector leveraged by threat actors, and a recent joint study by Marsh McLennan and Imperva concluded that API insecurity causes anywhere from $41 billion to $75 billion in losses annually.

Group-IB's Audit and Consulting department has extensive experience in assessing where API risks lie in a company's digital infrastructure. Throughout the 2022 financial year, Group-IB researchers conducted a significant number of security assessments for companies in the financial and technology sectors. They found that the top 3 API vulnerability types within organizations in these two core industries were security misconfiguration, excessive data exposure, and injections.

This blog provides a concise overview of API security, including key domains and nuances from the perspectives of API developers and end users.
It outlines the importance of secure coding practices, authentication, authorization and other key domains, and provides recommendations for securing your environment. By following these recommendations, organizations can better protect their APIs against potential threats and vulnerabilities.

As modern software development increasingly relies on APIs, securing these interfaces has become essential to protecting sensitive data and systems. It is now almost impossible to find a company without a public API. Even government agencies have begun offering APIs as part of their digital transformation initiatives, for fellow ministries, companies and residents.

API usage introduces certain unique challenges that require specific security considerations, but many security guidelines apply to all types of technology. A robust security strategy should therefore encompass a comprehensive set of security measures and best practices tailored to the specific needs of the organization and the APIs in use.

TOP 3 TYPES OF API VULNERABILITIES

1. Security Misconfiguration

Security misconfiguration issues, such as those related to Cross-Origin Resource Sharing (CORS), Content Security Policy (CSP), security headers, and parameters, are among the most common API vulnerabilities: Group-IB specialists found them in 47% of the security assessments they carried out in the 2022 financial year. These mechanisms are easy to introduce but hard to configure correctly, which makes them the most prevalent API security concern. Most of the time these weaknesses go unnoticed, but even minor errors in configuring these mechanisms can have significant and devastating consequences.

2. Excessive Data Exposure

In its categorization of API security risks, the Open Web Application Security Project (OWASP) recently merged Excessive Data Exposure with Mass Assignment under the umbrella of Broken Object Property Level Authorization. Despite this, excessive data exposure remains a top priority because of the inherent risk of sensitive data being exposed to unauthorized parties. Group-IB specialists found excessive data exposure vulnerabilities in roughly a third of their security assessments over the past financial year. Excessive data exposure is usually the result of an API that is implemented or configured so that it returns more information than a specific request requires, for example a full database record where the caller needs only a few fields.

3. Injections

It may come as a surprise to see injection vulnerabilities, such as SQL, SMTP, HTML/XSS, and host header injection, among the top 3 API vulnerability types, but they continue to pose significant security risks. These weaknesses let attackers manipulate the application's behavior, execute malicious queries or commands, or insert harmful content. In recent years developers have made significant progress in addressing and mitigating this class of vulnerability, but they must remain vigilant and adhere to best practices.

API SECURITY CHECKLIST FOR DEVELOPERS

To secure their APIs effectively, developers must address a large number of concerns. Here is a rundown of some of the most pressing issues that can arise during development:

INPUT VALIDATION

Validate all input data, including path and query parameters and JSON or XML payloads, to ensure that it is in the expected format and free of malicious content.
While some developers may feel safe using API frameworks that rely on structured data formats like JSON, it is crucial to check where the input ultimately lands: the format does not make the data safe, the component that finally consumes it determines which validation or encoding is required. For instance, a valid XSS payload sent in a JSON field could end up rendered on an HTML page, producing an XSS vulnerability. The same applies to other vulnerabilities, such as LDAP, SQL and NoSQL injection, remote code execution, and more.

For frameworks that use XML as a data format, it is vital to assess the potential for XML External Entity (XXE) vulnerabilities. Developers should also be mindful of which XML processing engines they use and whether those engines are fed user input.

In addition, developers should evaluate whether their APIs are susceptible to denial of service. One way to do this is to adopt a "use case" approach.

Use case example: What would happen if an attacker sent an invalid JSON object? Could it disrupt the processing engine, causing the application to slow down significantly or even crash?

Practical example: To illustrate the types of API vulnerabilities that can arise, we will walk through a series of practical case studies. In the example below, the API endpoint retrieves data from the database based on the user ID supplied in the request.

```python
from flask import Flask, jsonify

app = Flask(__name__)
# cursor: a DB-API cursor (psycopg2, MySQLdb, ...) opened at startup; omitted here

@app.route('/api/user/<user_id>', methods=['GET'])
def get_user_data(user_id):
    # user_id is an unvalidated string taken from the URL and interpolated
    # straight into the SQL text, so the caller controls the query
    query = f"SELECT * FROM users WHERE id = '{user_id}'"
    cursor.execute(query)
    user_data = cursor.fetchone()
    return jsonify(user_data)
```

By tracing the flow of the user_id parameter, we can see that it originates from unvalidated user input and is incorporated into the SQL query by string formatting, without escaping or parameterization. The result is a SQL injection vulnerability. One simple way to resolve it is to apply a validation check at the very beginning of the process by restricting the parameter to an integer type. Additionally, we switch to a parameterized query instead of string formatting, so the database driver keeps the value separate from the query text.
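To make the injection concrete, here is an added example that is not part of the article: the handler above reduced to plain Python against an in-memory SQLite database, so that the attack and both fixes (type validation at the boundary and a parameterized query) can be run side by side. The table, rows and payload are constructed for the example; sqlite3 uses `?` as its placeholder where the `%s` in the article's corrected handler belongs to drivers such as psycopg2, but the principle is identical.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with a secret column an attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "key-alice"), (2, "bob", "key-bob")])
    return conn


def get_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Mirrors the vulnerable handler: the raw path parameter is formatted into the SQL text."""
    query = f"SELECT id, name, api_key FROM users WHERE id = '{user_id}'"
    return conn.execute(query).fetchall()


def get_user_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterization alone: the driver binds the value; it never becomes part of the SQL text."""
    return conn.execute("SELECT id, name, api_key FROM users WHERE id = ?", (user_id,)).fetchall()


def get_user_fixed(conn: sqlite3.Connection, user_id: str) -> list:
    """Both fixes: type validation at the boundary (what <int:user_id> does in Flask)
    plus a parameterized query, so garbage is rejected before it reaches the database."""
    try:
        uid = int(user_id)
    except ValueError:
        return []            # a real handler would answer 400 or 404 here
    return conn.execute("SELECT id, name, api_key FROM users WHERE id = ?", (uid,)).fetchall()


PAYLOAD = "1' OR '1'='1"     # tautology: closes the quote the query opened, then matches every row


def demo() -> dict:
    """Run a legitimate ID and the payload through all three variants."""
    conn = make_db()
    return {
        "legit_vuln":   get_user_vulnerable(conn, "1"),
        "attack_vuln":  get_user_vulnerable(conn, PAYLOAD),     # dumps every row, api_key included
        "attack_param": get_user_parameterized(conn, PAYLOAD),  # no row has that literal id
        "legit_fixed":  get_user_fixed(conn, "1"),
        "attack_fixed": get_user_fixed(conn, PAYLOAD),          # rejected by int() before any query
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:13s} -> {rows}")
```

The two defenses are independent: parameterization on its own already stops the injection, and the type check on its own would stop this payload, but keeping both means a future change to the query (say, a text column in the WHERE clause) does not silently reopen the hole.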
    @app.route('/api/user/<int:user_id>', methods=['GET'])
    def get_user_data(user_id):
        # the <int:...> converter rejects anything that is not an integer before the view runs
        query = "SELECT * FROM users WHERE id = %s"
        cursor.execute(query, (user_id,))   # the value is passed separately from the statement
        user_data = cursor.fetchone()
        return jsonify(user_data)

AUTHENTICATION

Authentication is the process of verifying the identity of the user or system making the API request. Authentication-related vulnerabilities come in different forms. Some stem from applications that fail to check authentication tokens properly or completely (for example, accepting a token without verifying its signature or expiry). Others are attacks such as brute forcing, password spraying, and credential stuffing, which allow a malicious actor to access someone else's account by exploiting weaknesses in the authentication system. Overall, establishing secure authentication for an API differs little from doing so for any other type of infrastructure, so OWASP's authentication cheat sheet is applicable to most implementations.

Practical example: Having addressed the input validation vulnerability, let's now evaluate and tackle other potential vulnerabilities.

    @app.route('/api/user/<int:user_id>', methods=['GET'])
    def get_user_data(user_id):
        query = "SELECT * FROM users WHERE id = %s"
        cursor.execute(query, (user_id,))
        user_data = cursor.fetchone()
        return jsonify(user_data)

As you may have noticed, this method lacks an authentication check, which means that anyone can invoke it, regardless of whether they have an account within the application or not.
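An authentication check is only as good as the token verification behind it. The following added example (not from the original post) shows what a check like current_user.is_authenticated should rest on for a bearer token: an HMAC-signed token with a subject and expiry, verified in a fixed order (structure, signature in constant time, then claims), plus an attacker helper that rewrites the subject claim to show the signature check catching it. The signing key, claim names and time values are constructed for the example; a real deployment would load the key from a secret store and would usually use a standard format such as JWT with the same checks.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing key for the example only; a real deployment loads it from a secret store.
SIGNING_KEY = b"example-signing-key-do-not-use"


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> bytes:
    return hmac.new(SIGNING_KEY, payload.encode("utf-8"), hashlib.sha256).digest()


def issue_token(user_id: int, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Mint '<payload>.<signature>' carrying a subject (sub) and an expiry (exp) claim."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "exp": now + ttl_seconds}
    payload = _b64encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return f"{payload}.{_b64encode(_sign(payload))}"


def verify_token(token: str, now: Optional[int] = None):
    """Return the subject of a valid token, or None. Order matters: structure, signature,
    then claims, so untrusted bytes are never parsed before their signature is confirmed."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, signature = parts
    # compare_digest runs in constant time, so timing does not reveal how many bytes matched
    if not hmac.compare_digest(signature.encode("utf-8"), _b64encode(_sign(payload)).encode("ascii")):
        return None
    try:
        claims = json.loads(_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims.get("sub")


def authenticate(authorization_header: str, now: Optional[int] = None):
    """Parse 'Bearer <token>' as a before_request hook would and return the user id or None."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return verify_token(token, now)


def tamper_subject(token: str, new_subject: int) -> str:
    """Attacker helper: rewrite the sub claim but keep the original signature."""
    payload, signature = token.split(".")
    claims = json.loads(_b64decode(payload))
    claims["sub"] = new_subject
    forged = _b64encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return f"{forged}.{signature}"


if __name__ == "__main__":
    token = issue_token(42, ttl_seconds=60, now=1_000_000)
    print(authenticate("Bearer " + token, now=1_000_010))                    # 42
    print(authenticate("Bearer " + token, now=1_000_061))                    # None (expired)
    print(authenticate("Bearer " + tamper_subject(token, 1), now=1_000_010))  # None (bad signature)
```

Brute forcing, password spraying and credential stuffing target the step that issues the token rather than this verification step; rate limiting and lockout on the login endpoint have to be added separately.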
To fix this issue, we can simply add an authentication check before everything else:

    from flask import abort
    from flask_login import current_user   # current_user is the session's user object (flask_login)

    @app.route('/api/user/<int:user_id>', methods=['GET'])
    def get_user_data(user_id):
        # Check if the user is authenticated
        if current_user.is_authenticated:
            query = "SELECT * FROM users WHERE id = %s"
            cursor.execute(query, (user_id,))
            user_data = cursor.fetchone()
            return jsonify(user_data)
        else:
            abort(401, "Unauthorized: You need to be authenticated to access this resource.")

AUTHORIZATION

Authorization means controlling access to API resources and ensuring that users or systems have the appropriate permissions to access specific resources. OWASP differentiates between object level and function level authorization issues. Function level authorization entails checking the privileges of the user before allowing them to perform an API operation at all. Object level authorization requires checking whether the logged-in user is entitled to perform the requested action on a specific object, even when they have the privilege to call that API method.

Many developers rely on unguessable GUID identifiers as a substitute for object level authorization. Unguessability only helps as long as the GUID is not exposed elsewhere in the application and has a limited lifetime so that a leaked value cannot be reused, and even then it is a probabilistic defence; authorization requires certainty. As a best practice, developers must implement a server-side check that verifies the relationship between the GUID and the user requesting access to the object.

Practical example: Returning to our prior example, some may notice that while we addressed the authentication vulnerability, the code still lacks any authorization check. Let's address this by adding an explicit authorization check, which in this case means comparing the requested user ID with the current user's ID.
    @app.route('/api/user/<int:user_id>', methods=['GET'])
    def get_user_data(user_id):
        # Check if the user is authenticated
        if current_user.is_authenticated:
            # Check if the authenticated user is the owner of the requested data
            if user_id == current_user.id:
                query = "SELECT * FROM users WHERE id = %s"
                cursor.execute(query, (user_id,))
                user_data = cursor.fetchone()
                return jsonify(user_data)
            else:
                abort(403, "Forbidden: You don't have permission to access this resource.")
        else:
            abort(401, "Unauthorized: You need to be authenticated to access this resource.")

LOGICAL VULNERABILITIES

Logical vulnerabilities are weaknesses in an application's logic and design, as opposed to technical implementation issues. These flaws compromise the intended behavior of the application even when each individual component functions as expected. They take many forms, including combinations of technical vulnerabilities (authorization flaws, for example) and manipulation of legitimate functions. Some of them are technical in nature; others rest entirely in the logic of the application. As there is no definitive guide or cheat sheet for safeguarding against logical vulnerabilities, it is crucial to involve experienced application security specialists and to conduct regular third-party security assessments to identify and mitigate them. Automated tools typically cannot detect such vulnerabilities, since the code does exactly what it was written to do. For readers interested in learning more, the OWASP Testing Guide's Business Logic overview is an excellent resource.

Example: With our API method now secured, it is reasonable to assume that we can apply the same constructs to other API methods, isn't it? Let's find out. Suppose we need to create two additional API methods: one for a user to modify their own data, and another for an admin to alter other users' data. By employing the same constructs, we aim to ensure that the vulnerabilities related to authentication, authorization, and input validation are addressed.
modify_user_data

    from flask import request
    from flask_bcrypt import Bcrypt   # bcrypt = Bcrypt(app) is initialised elsewhere in the application

    @app.route('/api/user/<int:user_id>', methods=['POST'])
    def modify_user_data(user_id):
        if current_user.is_authenticated:
            if user_id == current_user.id:
                data = request.get_json()
                hashed_password = bcrypt.generate_password_hash(data['password'])
                query = "UPDATE users SET name = %s, surname = %s, password = %s WHERE id = %s"
                cursor.execute(query, (data['name'], data['surname'], hashed_password, user_id))
                return jsonify({"message": "User data updated successfully."})
            else:
                abort(403, "Forbidden: You don't have permission to modify this user's data.")
        else:
            abort(401, "Unauthorized: You need to be authenticated to access this resource.")

admin_modify_user_data

    @app.route('/api/admin/user/<int:user_id>', methods=['POST'])
    def admin_modify_user_data(user_id):
        if current_user.is_authenticated:
            if user_id == current_user.id or current_user.admin:
                data = request.get_json()
                hashed_password = bcrypt.generate_password_hash(data['password'])
                query = "UPDATE users SET username = %s, password = %s, role = %s WHERE id = %s"
                cursor.execute(query, (data['username'], hashed_password, data['role'], user_id))
                return jsonify({"message": "User data updated successfully."})
            else:
                abort(403, "Forbidden: You don't have permission to modify this user's data.")
        else:
            abort(401, "Unauthorized: You need to be authenticated to access this resource.")

Take a moment to analyze the code and try to uncover the issues with it. Then let's identify the purpose of each handler:

* modify_user_data is designed for a user to update their own data.
* admin_modify_user_data is intended for an admin to modify other users' data.

The user object differs between the two scenarios, as the code shows: modify_user_data works with the parameters name, surname, and password, while admin_modify_user_data accepts username, password, and role.
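To see exactly what the copied condition permits, the following added example (not from the original post) reproduces both the original admin check, "target is me or I am an admin", and a permission-based replacement against a constructed in-memory user store, and also carries the object level check from get_user_data for comparison. The role-to-privilege table, the User class and the user records are assumptions made for the example; the point they demonstrate, that an ordinary user can set their own role through the admin endpoint under the first check and cannot under the second, does not depend on them.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: int
    role: str
    admin: bool = False


# Function-level privileges per role. Constructed for the example; a table like this
# needs regular review, exactly as the post recommends.
ROLE_PERMISSIONS = {
    "user":  {"get_user_data", "modify_user_data"},
    "admin": {"get_user_data", "modify_user_data", "admin_modify_user_data", "read_any_user"},
}


class Forbidden(Exception):
    """Stands in for abort(403)."""


def has_permission(user: User, permission: str) -> bool:
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def flawed_admin_check(current_user: User, target_id: int) -> bool:
    # The condition copied from modify_user_data: "the target is me, or I am an admin".
    # The first half lets any authenticated user through on their own record.
    return target_id == current_user.id or current_user.admin


def fixed_admin_check(current_user: User, target_id: int) -> bool:
    # Function-level check: the privilege to call this method at all, whoever the target is.
    return has_permission(current_user, "admin_modify_user_data")


def admin_modify_user(store, current_user, target_id, data, check) -> User:
    """Simulates admin_modify_user_data: the admin endpoint may set username and role."""
    if not check(current_user, target_id):
        raise Forbidden
    target = store[target_id]
    target.role = data["role"]
    target.admin = data["role"] == "admin"
    return target


def get_user_data(store, current_user, target_id) -> User:
    """Object-level check: your own record, or an explicit privilege to read others."""
    if target_id != current_user.id and not has_permission(current_user, "read_any_user"):
        raise Forbidden
    return store[target_id]


def fresh_store():
    # Constructed users: alice is an admin, bob is an ordinary user.
    return {1: User(1, "admin", admin=True), 2: User(2, "user")}


def escalation_possible(check) -> bool:
    """Does an ordinary user become admin by calling the admin endpoint on their own record?"""
    store = fresh_store()
    try:
        admin_modify_user(store, store[2], 2, {"username": "bob", "role": "admin"}, check)
    except Forbidden:
        return False
    return store[2].role == "admin"


def admin_can_manage_others(check) -> bool:
    """The legitimate use of the endpoint must keep working under the fixed check."""
    store = fresh_store()
    try:
        return admin_modify_user(store, store[1], 2, {"username": "bob", "role": "user"}, check).id == 2
    except Forbidden:
        return False


def can_read(who_id: int, target_id: int) -> bool:
    store = fresh_store()
    try:
        get_user_data(store, store[who_id], target_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print(escalation_possible(flawed_admin_check))   # True: bob promotes himself
    print(escalation_possible(fixed_admin_check))    # False
    print(admin_can_manage_others(fixed_admin_check))  # True: alice can still edit bob
    print(can_read(2, 1))                            # False: bob cannot read alice's record
```

Note that the flawed and fixed checks behave identically for the admin, which is why the bug survives a test run that only exercises the intended caller; the test has to be written from the attacker's position as the ordinary user.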
The vulnerability arises because any authenticated user is allowed to execute admin_modify_user_data against their own record, and that method accepts a role parameter, so they can change their own role and escalate their privileges. This is a textbook logical vulnerability, and it is typical of flaws that result from replicating patterns in code. The developer assumed that the checks that were sufficient for modify_user_data would also suffice here, but failed to account for the difference between the two user object models.

Now, let's address the issue. There are several approaches we can take. One option is to simply verify that the current user is an administrator. Alternatively, we can adopt a more universal approach by maintaining a list of privileges and checking whether the required privilege is present. Each approach has its own implications and limitations; in either case, the list of privileges or permissions must be reviewed regularly to ensure it remains accurate. Below is one example of fixing this issue, where has_permission is a method on the application's own user model.

admin_modify_user_data

    @app.route('/api/admin/user/<int:user_id>', methods=['POST'])
    def admin_modify_user_data(user_id):
        # function level check: the privilege to call this method, regardless of whose record it is
        if current_user.is_authenticated and current_user.has_permission('admin_modify_user_data'):
            data = request.get_json()
            hashed_password = bcrypt.generate_password_hash(data['password'])
            query = "UPDATE users SET username = %s, password = %s, role = %s WHERE id = %s"
            cursor.execute(query, (data['username'], hashed_password, data['role'], user_id))
            return jsonify({"message": "User data updated successfully by admin."})
        else:
            abort(403, "Forbidden: You don't have permission to modify this user's data as an admin.")

KNOWLEDGE OF THE API

It is essential that developers know and understand the API framework they are required to use. Some API types have built-in functionality that attackers can turn to their advantage. For example, GraphQL offers introspection queries, and many REST APIs publish a Swagger (OpenAPI) file listing all methods and their usage.
Enumerating the API is the first step in an attacker's vulnerability discovery process, so such introspection and specification endpoints should either be deliberately public or restricted in production. It is therefore crucial to understand the functionality of a specific type of API and to secure it accordingly.

WHAT THIRD-PARTY API USERS CAN DO TO PROTECT THEMSELVES

Earlier in this blog, we looked at API security from a developer's point of view. However, APIs are often designed for use by other organizations or by a company's clients. Let's now explore some recommendations for securely consuming APIs in such contexts.

SECURING SECRETS

API keys and tokens are frequently leaked through the negligence of an organization's technical staff. Many developers store credentials in source code or configuration files, either in plaintext or protected by weak encryption. This often results in leaks and unauthorized usage, and a key that has ever been committed to a repository should be treated as leaked and rotated, since version history preserves it even after it is removed.

While less common, token leakage can also occur through JavaScript files, where API keys are inadvertently included in client-side code. As these files are available to anyone who loads the page, it is crucial to keep sensitive data out of them entirely.

Mobile applications can also contribute to API key leaks. Developers should be mindful that attackers can decompile mobile apps in search of sensitive information.

To mitigate these risks, organizations should adhere to best practices for storing secrets and use secret vaults or secrets management solutions to keep keys out of code and configuration.

MULTI-FACTOR AUTHENTICATION (MFA)

Cybersecurity is directly correlated with risks and probabilities, which is why defense mechanisms should be layered. MFA on the accounts that can create, view or rotate API keys provides an extra layer that can either prevent a key from being leaked or, through its logs, assist in a subsequent investigation. Companies must also have a process for detecting and responding to security incidents.
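The leaks described under Securing Secrets are the kind that a simple pre-commit or bundle scan catches. The following added example (not from the original post, and much smaller than a tool such as gitleaks) runs two detection rules over constructed sample files: a pattern for the AWS access key ID format, a pattern for PEM private key headers, and a generic "key/secret/token/password = value" rule that is only reported when the value has enough Shannon entropy to look like real key material rather than a placeholder. The JavaScript bundle and the config file are constructed for the example, and the AWS key in them is the documented example key, not a real one.

```python
import math
import re
from collections import Counter

# Detection rules: well-known key formats first, then a generic assignment catch-all.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic_assignment",
     re.compile(r"(?i)(api[_-]?key|secret|token|password)\w*\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-=.]{16,})")),
]
# Below this many bits per character the generic rule assumes a placeholder such as "changeme".
ENTROPY_THRESHOLD = 3.0

# Constructed sample of a client-side bundle shipped to browsers.
SAMPLE_JS = """// constructed sample of a bundle shipped to browsers
const config = {
  apiKey: "9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c",
  endpoint: "https://api.example.com/v1",
};
"""

# Constructed sample of a config file committed to a repository.
SAMPLE_CONFIG = """# constructed sample of a config file committed to a repository
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = "changeme_changeme"
"""


def shannon_entropy(value: str) -> float:
    """Bits per character; random key material scores high, dictionary words score low."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text: str, source: str):
    """Return one finding per (line, rule) hit, with the secret redacted to its first 4 chars."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            secret = match.group(match.lastindex or 0)
            if rule == "generic_assignment" and shannon_entropy(secret) < ENTROPY_THRESHOLD:
                continue  # low-entropy value: almost certainly a placeholder, not a key
            findings.append({
                "source": source,
                "line": lineno,
                "rule": rule,
                "preview": secret[:4] + "..." + f" ({len(secret)} chars)",
            })
    return findings


def scan_samples():
    return scan(SAMPLE_JS, "bundle.js") + scan(SAMPLE_CONFIG, "config.ini")


if __name__ == "__main__":
    for finding in scan_samples():
        print(f"{finding['source']}:{finding['line']} {finding['rule']} {finding['preview']}")
```

The entropy gate is what keeps such a scanner usable: without it every "password = changeme" in a test fixture becomes a finding and the real hits get ignored along with the noise. Findings should never print the full value, since scanner output tends to end up in CI logs that are themselves widely readable.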
When it comes to API keys and the circumstances in which they are leaked, a company must know where, how and by whom each key is supposed to be used: which systems, which source addresses and which operations. Only then can abuse be recognized as such and acted upon.

GENERAL RECOMMENDATIONS TO SECURE YOUR ENVIRONMENT

ADHERE TO THE SECURE SOFTWARE DEVELOPMENT LIFE CYCLE (SSDLC)

The Secure Software Development Life Cycle (SSDLC) is a variant of the traditional Software Development Life Cycle (SDLC) that incorporates security measures into every stage of the development process, from the initial architecture design phase to the final release of the product.

One of the key components of SSDLC is comprehensive security testing at every stage of the development process. This includes both static and dynamic testing of every build and release, which helps to identify and remediate security vulnerabilities before they can be exploited by attackers. Static testing analyzes the source code for security issues such as coding errors or weaknesses that could be exploited. Dynamic testing exercises the running software to identify vulnerabilities that static analysis cannot see, such as those that depend on configuration or on how components interact.

In addition to testing, SSDLC emphasizes incorporating security into every aspect of the development process: secure coding practices, regular security audits and assessments, and incident response plans in case of a breach.

CONDUCT REGULAR 3RD PARTY ASSESSMENTS

Even though SSDLC provides a solid foundation, it may not be sufficient on its own to safeguard against all potential threats. To ensure the highest level of security for the company and its key assets, organizations should regularly engage third-party security vendors to perform comprehensive security assessments.
This can help identify vulnerabilities that were missed during the internal team's SSDLC processes and ensure that all areas of the organization's security posture are thoroughly evaluated. Security vendors bring knowledge and expertise to the table, including current threat intelligence and advanced techniques for identifying and exploiting vulnerabilities. They also offer an impartial and independent assessment, free from the biases and blind spots that an internal team may have.

CONCLUSION

Securing APIs should be a critical aspect of any company's security strategy. API security requires a comprehensive approach that covers key domains such as authentication, authorization, input validation, and logical vulnerabilities. In this blog, we outlined some of the best practices that both developers and third-party consumers should implement to address the weaknesses that appear when APIs are misconfigured or carelessly built.

APIs will continue to be a prime target for cybercriminals, and successful attacks can have devastating consequences, whether that is service disruption or the theft of sensitive data. It is crucial to stress that API security is a round-the-clock process that requires constant attention and effort. Organizations should ensure that their in-house or outsourced developers are aware of the importance of API security and have the resources they need to create secure APIs.

Konstantin Damotsev, Penetration Tester