OData provides a whole new dimension to SQL Injection attacks. Although it’s not SQL itself, the premise that OData is “like ODBC for the Web” sends a shiver down the spine of any security person. JavaScript injection also could be a fruitful attack method, given that many API clients simply run eval() on the JavaScript they receive, which again is shocking to security folks. I guess I’m biased as a vendor here (Axway/Vordel) but there is a need for more awareness and shielding of these types of attacks. This article is great to throw some light on the problem. At the moment, the API is the “soft underbelly” for many organizations, in terms of security vulnerability.

Definitely a great point. I debated the inclusion of SQL attacks…it’s trickier as lots of APIs are on non-SQL backends these days. However variations of XSS attacks are far more universal. That said SQL injections are still high on the OWASP list, and clearly a concern.