API Threat Modeling Cheat Sheet

View the original Working Session content


A Cheat Sheet covering most common threats against APIs.

Synopsis and Takeaways

Cheat sheets are an important learning tool because they force us to distill threat models to their most simple, essential parts.

Identified Questions

  • What are the main Threats against an API?
  • Can we find common Threats that apply to APIs?
  • Are there generic Threats we could check for applicability?
  • Could we organize the Threats in Risk Patterns for APIs?
  • Can they be summarized on a Cheat Sheet form?


A list of threats from “Threat Modeling: Designing for Security” by Adam Shostack:

  • Perform security checks inside the boundary
  • Copy before validation-for-purpose
  • Define the purpose for data, validate near that definition
  • Manage error reporting
  • Document what checks happen where
  • Do crypto in constant time
  • Address the security requirements of your API

A Generic Cheat Sheet for a Generic API




  • Multiparameter API
  • Server logs requests including I.P address
  • GDPR is applicable (see 2)


  • API
  • Server
  • Data Flows 1 and 2

Out of Scope

  • Provision of code
  • Provision of server/hardware (Be explicit about what you are excluding ie server hardware and software)

Model A

graph LR A(CLIENT) -->|1|B(SERVER) B-->|2|A(CLIENT)


  1. The wrong server responds


Client receives tampered data

  1. Compromised Server

  2. Man in Middle

  3. Server receives tampered data


  1. Client repudiates request

  2. Server repudiates sent


Server Logs

  1. Confidential data is disclosed through the connection

  2. Information is disclosed through error messages


DoS through:

  1. API overload

  2. Network overload

  3. Budget overload



  1. Unauthorised access to API

  2. Code Execution

Model B

graph LR A(CLIENT) -->|1|B(PROXY) B -->|2| C(API) C-->|3|B(PROXY) B-->|4|A(CLIENT)
  • No state change
  • Public Data
  • No Authorisation


Additional/External References

Session organiser(s)

Steven Wierckx Steven Wierckx


Chris Allen Chris Allen , Adam Shostack Adam Shostack , Andrew Johnstone Andrew Johnstone , Aurelijus Stanislovaitis Aurelijus Stanislovaitis , Fabien Thalgott Fabien Thalgott , Imran Chaudhari Imran Chaudhari , Luis Saiz Luis Saiz , Ruben Tronçon Ruben Tronçon , Stuart Winter-Tear Stuart Winter-Tear , Tash Norris Tash Norris Ethan Schorer Ethan Schorer , Joset Zamora Joset Zamora , Lubo Vikev Lubo Vikev , Salma jalouqa Salma jalouqa

Attached materials: