{"id":29756,"date":"2019-11-06T07:41:20","date_gmt":"2019-11-06T07:41:20","guid":{"rendered":"https:\/\/www.checkmarx.com\/?p=29756"},"modified":"2024-08-15T13:30:49","modified_gmt":"2024-08-15T13:30:49","slug":"breaking-down-owasp-api-security-top10-part1","status":"publish","type":"post","link":"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/","title":{"rendered":"Breaking Down the OWASP API Security Top 10 (Part 1)"},"content":{"rendered":"

As a result of a broadening threat landscape and the ever-increasing usage of APIs<\/span>, the OWASP API Security Top 10 Project <\/a>was launched. From the start, the project was designed to help organizations, developers<\/span>, and application<\/span> security teams become more aware of the risks associated with APIs<\/span>. This past September, the OWASP API Security Top 10 release candidate (RC)<\/a> was finalized and published on OWASP<\/a>.
\nIn my previous blog, I provided a high-level view of the interaction between API<\/span> endpoints, modern apps, and backend servers, in addition to how they\u2019re different from their traditional browser-based counterparts. I also discussed why this project was so important to the contributors and industry overall. In this blog, I aim to clarify the first five (5) risks by highlighting some of the possible attack scenarios to help organizations and end-users understand the dangers associated with deficient API<\/span> implementations. The following discussion follows the same order as found in the OWASP API<\/span> Security Top 10.
\nAPI1:2019 – Broken Object Level Authorization:<\/strong> Attackers can exploit API<\/span> endpoints that are vulnerable to broken object level authorization<\/em> by manipulating the ID of an object<\/em> that is sent within the client request. What this means is that the client can request information from an API<\/span> endpoint that they are not supposed to have access to. This attack normally leads to unauthorized information disclosure, modification, or destruction of data.
\nExample Attack Scenario:
\nSay for instance there is an e-commerce platform that provides financial and hosted services to a group of different online stores (shops). The platform provides an API<\/span> used to gain access to revenue charts for each of their hosted stores, and each store should only have access to their own revenue charts. However, while inspecting the client request from a single store who wants to gain access to their own revenue charts, an attacker can identify (find) the API<\/span> endpoint for those revenue charts and identify the URL in use, for example \/shops\/{shop name}\/revenue_data.json<\/strong>. Using the names of other stores being hosted on the e-commerce platform, an attacker can create a simple script to modify the {shop name}<\/strong> ID object in subsequent requests, and gain access to the revenue charts of every other store.
\nAPI2:2019<\/strong> \u2013 Broken Authentication:<\/strong> Being different than Authorization<\/span> discussed above, Authentication<\/em> on the other hand is a complex and confusing mechanism concerning APIs<\/span>. Since authentication endpoints are exposed to anyone by design, the endpoints that are responsible for user<\/span>-authentication must be treated differently from regular API<\/span> endpoints and implement extra layers of protection for credential stuffing<\/a> attempts, in addition to brute force password and token guessing attacks.
\nExample Attack Scenario:
\nSuppose that an attacker obtained a list of leaked username<\/span>\/password combinations as the result of a data breach from another organizations. If the API<\/span> endpoint handling authentication does not implement brute force or credential stuffing protections like CAPTCHA, rate-limiting, account<\/span> lockout, etc., an attacker can repeatedly attempt to gain access using the list of username<\/span>\/password combinations to determine what combination(s) work.
\nAPI3:2019<\/strong> \u2013 Excessive Data Exposure:<\/strong> By design, <\/span><\/strong>API endpoints often expose sensitive data since they frequently rely on the client app to perform data filtering. Attackers exploit this issue by sniffing the traffic to analyze the responses, looking for sensitive data that should not be exposed. This data is supposed to be filtered on the client app, before being presented to the user<\/span>.
\nExample Attack Scenario:
\nImage that an IoT-based camera surveillance system allows administrators to add a newly-hired security guard as a system user<\/span>, and the administrator wants to ensure the new user<\/span> should only have access to certain cameras. These cameras are accessible via a mobile app that the security guard uses while at work. The newly hired security guard\u2019s mobile app makes an API<\/span> request to an endpoint in order to receive data about the cameras, and relies on the mobile app to filter which cameras the guard has access to. Although the mobile app only shows the cameras the guard can access, the actual API<\/span> response contains a full list of all the cameras. Using the sniffed traffic, an attacker can manipulate the API<\/span> request to show all cameras, bypassing the filtering on the mobile app.
\nAPI4:2019<\/strong> \u2013 Lack of Resources & Rate Limiting:<\/strong> It is common to find API<\/span> endpoints that do not implement any sort of rate limiting on the number of API<\/span> requests, or they do not limit the type of requests that can consume considerable network, CPU, memory, and storage<\/span> resources. The amount of resources required to satisfy a request greatly depends on the user<\/span> input and endpoint business logic. Attackers exploit these issues causing denial-of-service attacks and associated endpoint outages.
\nExample Attack Scenario:
\nLet\u2019s say that an attacker wants to cause a denial-of-service outage to a certain API<\/span> that contains a very large list of users<\/span>. The users<\/span>\u2019 list can be queried, but the application<\/span> limits the number of users<\/span> that can be displayed to 100 users<\/span>. A normal request to the application<\/span> would look like this: \/api\/users<\/span>?page=1&size=100. In this case, the request would return with the first page and the first 100 users<\/span>. If the attacker changed the size parameter<\/em> from 100 to 200000, it could cause a performance issue on the backend database, since the size parameter in use is so large. As a result, the API<\/span> becomes unresponsive and is unable to handle further requests from this or any other client.
\nAPI5:2019 \u2013 Broken Function Level Authorization<\/span>:<\/strong> Although different than API1 above, exploitation of this issue requires the attacker to send API<\/span> requests to endpoints that they should not have access to, yet are exposed to anonymous users<\/span> or regular, non-privileged users<\/span>. These types of flaws are often easy to find and can allow attackers to access unauthorized functionality. For example, administrative functions are prime targets for this type of attack.
\nExample Attack Scenario:
\nTo illustrate this further, imagine that during the registration process<\/span> to a certain application<\/span> that only allows invited users<\/span> to join<\/em>, the mobile<\/span> app triggers an API<\/span> request to GET<\/span> \/api\/invites\/{invite_guid}<\/strong>. GET<\/a> is a standard HTTP<\/span> method used to request<\/em> information from a particular resource. In this case, the response to the GET<\/span> contains details about the invite, including the user<\/span>\u2019s role and email address.
\nNow, say that an attacker duplicated the request and manipulated the HTTP<\/span> method by changing GET<\/span> to POST<\/a>. POST is an HTTP<\/span> method used to send<\/em> information to create or update a resource. The URL would look like this: POST \/api\/invites\/new\/{\u201cemail\u201d:\u201dhugo@malicious.com\u201d,\u201drole\u201d:\u201dadmin\u201d}. <\/strong>In this case, the attacker easily exploits this issue and sends himself an email invite to create an admin account. <\/strong>
\nIn the context of the five risks above, one could easily image many similar attack scenarios. Those provided were just examples of the nearly unlimited possibilities when attacking vulnerable API implementations. Hopefully you can see, the risks above are primarily caused by errors or oversights. I believe these risks could easily be managed or nearly eliminated when organizations improve their secure coding practices, especially when it comes to the way they\u2019re utilizing APIs.<\/p>","protected":false},"excerpt":{"rendered":"

As a result of a broadening threat landscape and the ever-increasing usage of APIs, the OWASP API Security Top 10 Project was launched. From the start, the project was designed to help organizations, developers, and application security teams become more aware of the risks associated with APIs. This past September, the OWASP API Security Top […]<\/p>\n","protected":false},"author":12,"featured_media":57229,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[84],"tags":[218,216,205,219,228,175],"class_list":["post-29756","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-api-security","tag-application-security-awareness","tag-application-security-vulnerabilities","tag-owasp-api-security-project","tag-owasp-top-10-api","tag-software-exposure"],"acf":[],"yoast_head":"\nBreaking Down the OWASP API Security Top 10 (Part 1)<\/title>\n<meta name=\"description\" content=\"Our blog series delves into the critical OWASP API Security Top 10, empowering developers to build secure APIs.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Breaking Down the OWASP API Security Top 10 (Part 1)\" \/>\n<meta property=\"og:description\" content=\"Our blog series delves into the critical OWASP API Security Top 10, empowering developers to build secure APIs.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:published_time\" content=\"2019-11-06T07:41:20+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-08-15T13:30:49+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2019\/11\/Website-1024x512-3.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"512\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Erez Yalon\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Erez Yalon\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/\"},\"author\":{\"name\":\"Erez Yalon\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/cb0710e4bc79b776a473a974986cc123\"},\"headline\":\"Breaking Down the OWASP API Security Top 10 (Part 1)\",\"datePublished\":\"2019-11-06T07:41:20+00:00\",\"dateModified\":\"2024-08-15T13:30:49+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/\"},\"wordCount\":1195,\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2019\/11\/Website-1024x512-3.jpg\",\"keywords\":[\"API Security\",\"Application Security Awareness\",\"Application Security Vulnerabilities\",\"OWASP API Security Project\",\"OWASP Top 10 API\",\"software exposure\"],\"articleSection\":[\"Blog\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/\",\"url\":\"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/\",\"name\":\"Breaking Down the OWASP API Security Top 10 (Part 1)\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2019\/11\/Website-1024x512-3.jpg\",\"datePublished\":\"2019-11-06T07:41:20+00:00\",\"dateModified\":\"2024-08-15T13:30:49+00:00\",\"description\":\"Our blog series delves into the critical OWASP API Security Top 10, empowering developers to build secure APIs.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2019\/11\/Website-1024x512-3.jpg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2019\/11\/Website-1024x512-3.jpg\",\"width\":1024,\"height\":512},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/cb0710e4bc79b776a473a974986cc123\",\"name\":\"Erez Yalon\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/89d2fa04735f99d8297d6cf7abe12b74e420dd8f431dccf12f3155689c53ad43?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/89d2fa04735f99d8297d6cf7abe12b74e420dd8f431dccf12f3155689c53ad43?s=96&d=mm&r=g\",\"caption\":\"Erez Yalon\"},\"url\":\"https:\/\/checkmarx.com\/author\/erezy\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Breaking Down the OWASP API Security Top 10 (Part 1)","description":"Our blog series delves into the critical OWASP API Security Top 10, empowering developers to build secure APIs.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/","og_locale":"en_US","og_type":"article","og_title":"Breaking Down the OWASP API Security Top 10 (Part 1)","og_description":"Our blog series delves into the critical OWASP API Security Top 10, empowering developers to build secure APIs.","og_url":"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_published_time":"2019-11-06T07:41:20+00:00","article_modified_time":"2024-08-15T13:30:49+00:00","og_image":[{"width":1024,"height":512,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2019\/11\/Website-1024x512-3.jpg","type":"image\/jpeg"}],"author":"Erez Yalon","twitter_card":"summary_large_image","twitter_creator":"@checkmarx","twitter_site":"@checkmarx","twitter_misc":{"Written by":"Erez Yalon","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/#article","isPartOf":{"@id":"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/"},"author":{"name":"Erez Yalon","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/cb0710e4bc79b776a473a974986cc123"},"headline":"Breaking Down the OWASP API Security Top 10 (Part 1)","datePublished":"2019-11-06T07:41:20+00:00","dateModified":"2024-08-15T13:30:49+00:00","mainEntityOfPage":{"@id":"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/"},"wordCount":1195,"publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"image":{"@id":"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2019\/11\/Website-1024x512-3.jpg","keywords":["API Security","Application Security Awareness","Application Security Vulnerabilities","OWASP API Security Project","OWASP Top 10 API","software exposure"],"articleSection":["Blog"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/","url":"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/","name":"Breaking Down the OWASP API Security Top 10 (Part 1)","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2019\/11\/Website-1024x512-3.jpg","datePublished":"2019-11-06T07:41:20+00:00","dateModified":"2024-08-15T13:30:49+00:00","description":"Our blog series delves into the critical OWASP API Security Top 10, empowering developers to build secure APIs.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/blog\/breaking-down-owasp-api-security-top10-part1\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2019\/11\/Website-1024x512-3.jpg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2019\/11\/Website-1024x512-3.jpg","width":1024,"height":512},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]},{"@type":"Person","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/cb0710e4bc79b776a473a974986cc123","name":"Erez Yalon","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/89d2fa04735f99d8297d6cf7abe12b74e420dd8f431dccf12f3155689c53ad43?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/89d2fa04735f99d8297d6cf7abe12b74e420dd8f431dccf12f3155689c53ad43?s=96&d=mm&r=g","caption":"Erez Yalon"},"url":"https:\/\/checkmarx.com\/author\/erezy\/"}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts\/29756","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/comments?post=29756"}],"version-history":[{"count":0,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts\/29756\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/57229"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=29756"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/categories?post=29756"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/tags?post=29756"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}