API vulnerabilities: current status and dependencies


  • Touhid Bhuiyan
  • Afsana Begum
  • Sharifur Rahman
  • Imran Hadid






API, API Security, Vulnerability, Public API’s, API Vulnerability, Test API vulnerabilities, API IDOR, API CORS, API Problems,


Recently API (Application Programming Interface) is becoming more popular for developers. When software is designed, most of the time, developers need to use APIs to manage a specific task. Developers use various kinds of APIs. Some of them are built by themselves and some are used from public APIs. API is a set of functions and procedures that allows another program or application to get access to features or data. Public APIs are open in public networks; developers collect these APIs depending on their specific needs. Developers need to interact with other software, as a result, a developer can conduct specific task without authorization to access the entirety of the software. It definitely reduces our loads at the same time introduces risks. In the end every developer wants to ensure security to his/her application. Commonly used public APIs are not enough secure to provide security to confidential data. We focused on these public APIs that are commonly used by developers. We tested a set of public APIs in our security lab and we have found many vulnerabilities that are highly alarming for developers who are going to use these API. In this paper we have tried to introduce the current status of vulnerable APIs. Moreover, several relationships exist between API vulnerabilities. In this paper we have also discussed the dependencies and relationships between API vulnerabilities.


[1] Kim S.S., Lee D. E., Hong C. S., “Vulnerability Detection Machanism Based on open API for Multi User’s Convenience†Kyung Hee University.

[2] Myer’s B. A., Stylos J., “Improving API usability†Human-Computer Interaction Institute School of Computer Science, Carnegie Mellon University, Pittsburgh, PA 15213-3891.

[3] Deng Z., Saltaformaggio B. , Zhang X., Xu D., “iRiS: Vetting Private API Abuse in iOS Applicationsâ€, Department of Computer Science and CERIAS Purdue University, West Lafayette, IN 47907.

[4] Alqahtani S. S., Eghan E. E., Rilling J.,†Recovering Semantic Traceability Links between APIs and Security Vulnerabilities: An Ontological Modeling Approachâ€, Concordia University Montreal, Canada.

[5] Thomas D. R., Beresford A. R., Coudray T. , Sutclie T. , and Taylor A., “The Lifetime of Android API vulnerabilities: case study on the JavaScript-to-Java interface,†Bromium, Cambridge, United Kingdom.

[6] Mao Y., Chen H., Zhou†D., Wang X., Zeldovich N., and Kaashoek M. F.,†Software fault isolation with API integrity and multi-principal modulesâ€, MIT CSAIL, †Tsinghua University IIIS.

[7] (5thJune 2017) Top 5 Vulnerabilities In APIs. [Online]. Available: https://datafloq.com/read/top-5-vulnerabilities-in-apis/2876.

[8] (10thAugust 2017) Viber API Documentation. [Online]. Available: https://developers.viber.com/docs/api/rest-bot-api.

[9] ( 12th August 2017) Web API tester [Online]. Available: http://stoplight.io/platform/scenarios/.

[10] Zhang M., Duan Y., Yin H., Zhao Z.,†Semantics-Aware Android Malware Classification Using Weighted Contextual API Dependency Graphsâ€, Syracuse University, Syracuse, NY, USA.

[11] ( 8th july 2017) Documentation and Test Consoles for Over 500 Public APIs [Online]. Available: https://any-api.com.

[12] ( 19th july 2017) Open API [Online]. Available: https://www.getpostman.com/docs/postman_for_publishers/public_api_docs.

[13] ( 20th june 2017) Recent news about security [Online]. Available: https://thehackernews.com.

[14] Sami A., Yadegari B., Rahimi H., Peiravian N., Hashemi S.,†Malware detection based on mining API callsâ€, Ali Hamze Shiraz University, Shiraz, Iran

[15] ( 20th june 2017) REST Security Cheat Sheet. [Online]. Available:https://www.owasp.org/index.php/REST_Security_Cheat_Sheet

[16] ( 1th may 2017) Bug bounty platform [Online]. Available: www.hackerone.com

[17] ( 10th may 2017) List of public API. [Online]. Available: https://github.com/toddmotto/public-apis

[18] Johari R., Sharma P., “A Survey On Web Application Vulnerabilities(SQLIA,XSS)Exploitation and Security Engine for SQL Injectionâ€, 12 International Conference on Communication Systems and Network Technologies

[19] Bhuiya T., Alam D., Farah T., Evaluating the Readiness of Cyber Resilient Bangladesh, January 2016, International Journal of Internet Technology and Secured Transactions 4(1)

[20] Rexha B., Halili A., Rrmoku K. and Imeraj D., "Impact of secure programming on web application vulnerabilities," 2015 IEEE International Conference on Computer Graphics, Vision and Information Security (CGVIS), Bhubaneswar, 2015, pp. 61-66.

[21] Bhuiyan T., Alam D., and Farah T. (2016). Evaluating the Readiness of Cyber Resilient Bangladesh.Journal of Internet Technology and Secured Transactions (JITST), Vol. 4, No. 1, ISSN 2046-3723.

[22] Begum A., Hassan M. M., Sharif M. H., Bhuiyan T., “A study on RFI and SQLi based on Local File Inclusion Vulnerabilities in the Web Applications of Bangladesh†, International Workshop on Computational Intelligence, 12-13 December-2016

[23] Moussaid N.E.E. and Toumanari A., “Web Application Attacks Detection: A Survey and Classificationâ€, “International Journal of Computer Applications (0975 – 8887) Volume 103 – No.12, October 2014â€

[24] Ami P. V. and Malav S.C., â€Top Five Dangerous Security Risks Over Web Applicationâ€, â€International Jurnal Of Emerging Trends & Technology In Computer Science,2013 â€

[25] Chakraborty R., Datta A., Mandal J.K., “Secure Encryption Technique (SET): A Private Key Crypto Systemâ€, “International Journal of Multidisciplinary in Cryptology and Information Securityâ€, Volume 4, No.1, January – February 2015

[26] Kumari M. S., Shrivastava D. M., “A Study on the Security and Routing Protocols for Ad-Hoc networkâ€, “International Journal of Advanced Trends in Computer Science and Engineeringâ€, Volume 1, No.3, July – August 2012

View Full Article: