This week, we review three different cases of API authorization and privilege escalation vulnerabilities, each of which is a wake-up call for API teams. We examine NIST updates on password security guidelines, share findings from an industry survey on API security, and highlight an upcoming OWASP API Top 10 webinar. Also this week we […]
Category: Newsletter Archive
Issue 255: Versa Director API flaw, Feeld BOLA vulnerabilities, logic flaw risks aircraft disaster
This week, we look at API security vulnerabilities discovered in Versa Director and in dating app Feeld. We share insights from ethical API hackers on how they find API vulnerabilities and bugs in mobile apps. We have two separate reports on industry trends and priorities for API security in 2024, and a how-to article on […]
Issue 254: WhatsApp and IBM WebMethods vulnerabilities, 3rd-party API and LLM risks, API access controls
This week, we investigate a recent flaw in WhatsApp’s View Once privacy feature and also critical vulnerabilities reported in the IBM WebMethods integration platform. We highlight a NordicAPIs article on the risks from third-party APIs and LLMs, and an article on solving the challenges of fine-grained access control for APIs. There’s also an interesting webinar […]
Issue 253: Breached companies face litigation, SQL injection in Cisco APIs, API Security for Automotive & Finance
This week, we look at the growing number of penalties that companies can now face in the event of a data breach. We also learn about critical API vulnerabilities discovered in Cisco and Traccar products. VicOne recently published a white paper on automotive API security, and we also want to highlight a LinkedIn post on […]
Issue 252: API Security in APAC, Crowdstrike and canary tests, API vulnerabilities in solar platforms and React apps, Costs of a data breach
This week, we look at a survey of API security priorities in Asia Pacific and why canary testing became a hot topic following the Crowdstrike incident. We examine two cases of API vulnerabilities discovered in the field, and finally, we review the potential cost and implications of a data breach. Survey: API security insights from […]
Issue 251: FCC mandates API security, API vulnerabilities in dating apps and Docker plugins, Life360 API data leak
This week, we review the API security controls outlined by the FCC to prevent data breaches and examine multiple incidents of API data leaks exposing users’ personal data. We also cover a case of unsafe API consumption in the Docker ecosystem. Report: FCC weighs in with API security requirements The U.S. Federal Communications Commission (FCC) […]
Issue 250: Authy API breach, US agencies push secure by design, APIs grill IoT devices, shares by our readers
This week, an Authy API was misused to verify the registered phone numbers of millions of users, and recent injection attacks are prompting US security agencies to promote secure by design for software development. A research team demonstrates IoT hacking via API. As this is a significant milestone for 42Crunch and APIsecurity.io, namely our 250th […]
Issue 249: Major API breach at Optus, CocoaPods exposed, Bad Bots and API DoS attacks, Webinar: 2024 API breaches
This week, we share reports on the latest insights into the API breach at Optus, and on CocoaPods vulnerabilities that reveal severe risks from the software supply chain. We examine the importance of API input validation for blocking DoS and authentication attacks. And finally a mention of our upcoming webinar examining recent API breaches and how to […]
Issue 248: API penetration of apps and modems, GraphQL and its discontents, API security for supply chain and automotive
This week, we share reports on the API exploits of two enterprising students and their takedown of “big laundry”. We take a revealing look at API vulnerabilities exposing millions of modems to remote takeover. We also have two insightful articles on API security in the supply chain and automotive industries, and ask the question what […]
Issue 247: Dropbox and Dell breaches, vulnerability in Next.js, API growth causing concerns
This week, we have news of two high-profile breaches. First up is the Dropbox breach, potentially affecting millions of users, and then the Dell breach, affecting 49 million records. We also have details of a vulnerability in the Next.js component. We also have a free on-demand recording from Microsoft Build on Navigating the Depths of […]
Issue 246: Critical flaw in API portal, securing GraphQL, building bulletproof APIs
This week, we have news of a critical flaw with a popular API portal. We also have guides on securing GraphQL APIs and building bulletproof APIs and news of a new deliberately vulnerable API application. We also have an article on why fraud detection and API security must converge. Dana Epp wraps things up with […]
Issue 245: Delinea patches API vulnerability, API vulnerability in Palo Alto devices
This week, we have two vulnerabilities: an API vulnerability in the Delinea platform and a remote code execution (RCE) vulnerability affecting Palo Alto PAN-OS devices. We also have articles on how to fix API design, seven ways to better manage supply chain risk, and whether OpenBanking will transform the future of finance. Finally, we have Dana […]
Issue 244: Threats to enterprises in the cloud, looming threats to APIs, API SDK generation tools
This week, we have articles on the threats to enterprises in the cloud and another on the looming threats to APIs. We also examine the challenges posed by API threats in the utility and energy sectors. We also have technical articles on using AI to hack the crAPI vulnerable API and how to generate SDKs […]
Issue 243: Economics of API attacks, understanding CORS, blocking compromised API tokens
This week, we have articles on the economics of API attacks and how developers can prevent them, and on how to create an API solution wishlist with developers in mind. We also have technical articles on understanding cross-origin resource sharing (CORS) for APIs and how to secure APIs by blocking compromised tokens. We also have a […]
Issue 242: API governance to avoid tech sprawl, API security in digital transformation, AI for APIs
This week, we have thoughts from Bill Doerrfeld on how API governance is essential to counter technology sprawl. We also have commentary on how API security is essential in the age of digital transformation and another on why APIs are the new battleground for security. We have two articles on AI for APIs: firstly, how […]
Issue 241: Two critical flaws in FortiSIEM product, making public APIs private, API security strategy
This week, we have news of two critical vulnerabilities in the Fortinet FortiSIEM product. We also have articles on making public APIs private and building an API security strategy. Dana Epp offers his thoughts on the difference between endpoints and routes, and we have two developer-focused tutorials, one on securing gRPC and the other on […]
Issue 240: Spoutible API leakage, 15M Trello profiles scraped, API secret tokens leaked
This week, we have news of a record four API-security-related incidents. The first comes from Troy Hunt on a leakage on the new Spoutible social media site, with the second big ticket item being the leakage of 15 million profiles on Atlassian’s Trello. There’s also a report on the leakage of over 18,000 […]
Issue 239: Hugging Face API token breach, SonicWall firewalls exploit, Kubernetes API gateway guide
This week, we have news of a recent API token breach affecting the popular Hugging Face AI portal and a vulnerability in the SonicWall firewall affecting 178,000 instances. We also have a comprehensive API security checklist and a guide on selecting the most suitable API gateway for Kubernetes environments. Finally, we have a practical guide […]
Issue 238: APIs used to target business, cloud-native for APIs, and APIs becoming attractive targets
This week, we have views from Forbes on how APIs are being used to target businesses and articles on the role of cloud-native for APIs and how APIs are becoming attractive targets. We also have a doubleheader from Dana Epp covering his predictions for 2024 and structured format injection attacks. We also have news of […]
Issue 237: Six API trends for 2024, API keys leading to vulnerabilities, the future of API gateways
This week, we have a pair of doubleheaders — firstly, The New Stack on six API trends for 2024 and how API keys are leading to vulnerabilities, and then Kin Lane (aka. APIEvangelist) on the future of API gateways and why API discovery is hard. We also have an article on threat modeling for API […]
Issue 236: Using a developer portal, dark data in APIs, an update on Ray AI framework, predictions for 2024
This week, we have an article on the value of using a developer portal for APIs, a guide from Dana Epp on finding “dark data” in an API, and an update from PortSwigger on their Web Security Academy resources for learning more about API security. We also have an update on the API vulnerabilities reported […]
Issue 235: 25m loss at Kronos due to API key loss and three other API vulnerabilities
This week, we have news of four API-related security vulnerabilities, including Kronos’s $25m loss. The others include malware mounting DDoS attacks through exposed Docker APIs, a report on vulnerabilities in WordPress and Netflix, and an API vulnerability found in the Ray AI framework. We also have an article on why APIs are fertile ground for […]
Issue 234: Sumo Logic breach leads to key reset, risk of RBAC vulnerabilities, automated API contracts
This week, we have news of another API key leak, this time affecting users of Sumo Logic, who have been advised to rotate their keys out of caution. We also have articles on the risk of RBAC vulnerabilities for APIs and why CFOs should prioritize API security as a cost-saver and business enabler. We also […]
Issue 233: Flaws in OAuth social sign-in, securing API gateways, scalable SaaS security
This week, we have important news of a vulnerability in the OAuth social sign-in feature of many popular platforms, potentially impacting billions of users. We have two articles from The NewStack, the first a guide on securing your API gateway and the second how to design scalable SaaS API security. We also have news of […]
Issue 232: API attacks surge, the silent threat of APIs, Jumpcloud incident review
This week, we have articles on the surge in API attacks as cybercriminals increasingly target financial services and new data on the silent threat of APIs. We have a retrospective on the recent Jumpcloud incident from an API perspective and a great guide on seven things about API security from Philippe de Ryck. We conclude […]
Issue 231: API authentication bypass in Ivanti Sentry, Docker images expose API and keys
This week, we have news of an API authentication bypass vulnerability in the Ivanti Sentry cybersecurity product and a report into Docker images that are exposing APIs and private keys. We also have articles on API security’s role in protecting retail apps, how APIs and generative AI interoperate, and how attackers bypass Web Application Firewalls. […]
Issue 230: OpenSea API breach, flaw in Atlas VPN, using API fuzzing
This week, we have news of a breach affecting users of the OpenSea NFT trading platform, requiring a key rotation; and disclosure of an API vulnerability in the Atlas VPN exposing user IP addresses. We also have an article from The New Stack on API fuzzing and its benefits and a guide on using Keycloak […]
Issue 229: Incidents with DuoLingo and JumpCloud, FastAPI for APIs, and five best practices
This week, we have news of two API security incidents: the reported leakage of the data of 2.6 million DuoLingo users and an incident at JumpCloud that resulted in resetting customer API keys. For the technically minded, we have two guides: the first discusses how to use API keys in an ASP.Net Core application, and […]
Issue 228: 3rd party API security, OAuth2 step-up deep-dive, shadow and zombie APIs
This week, we have a timely article on the five best practices for ensuring the security of 3rd party APIs, a deep-dive guide into the OAuth2 step-up authentication protocol, and two separate articles on the danger of hidden APIs, namely shadow and zombie APIs. We conclude with not one but two excellent guides from Dana […]
Issue 227: GhostToken on Google Cloud, Gartner on zero trust, API authentication
This week, we have news of the so-called “GhostToken” vulnerability affecting Google Cloud. We also have articles on a Gartner report on zero trust not being a silver bullet, on how authentication attacks threaten API security, and finally on why API security is everywhere except where you need it. Vulnerability: GhostToken vulnerability in Google Cloud This […]
Issue 226: Jetpack WordPress plugin has API vulnerability, how to address API security in 2023
This week, we have news of an API vulnerability in the popular Jetpack WordPress plugin affecting millions of websites, an article on how to address growing API security vulnerabilities in 2023, and an article on why API security is the need of the hour. Finally, we have a guide from PortSwigger on how to […]
Issue 225: API security needs a reset, vAPI walkthrough, five stages to attain API security
This week, we have views from Matias Madou (CTO of Secure Code Warrior) on why API security needs a reset to focus on people and not tools, another excellent walkthrough of the vAPI vulnerable API, an article covering the five stages necessary to attain API security, and a quick guide on exploiting GraphQL endpoints. Article: […]
Issue 224: API security is critical in 2023, API contract testing, and Fencer security testing tool
This week, we have an article from Forbes on why API security is critical in 2023, views from Kin Lane on being pedantic about API contract testing, and a preview of a new tool for API security testing. We also have details of an upcoming webinar on API security within a GitHub environment. Article: Why […]
Issue 223: Becoming an API security expert, AI for API hackers, building API cross-functional teams
This week, we have an article from The New Stack on mastering the skills necessary to become an API security expert and another fine read from Dana Epp on the applicability of artificial intelligence (AI) in API defense and attack. We also have an article from Forbes on building cross-functional API teams and, finally, a […]
Issue 222: Attackers exploiting APIs faster than ever, DVGA walkthrough, Twitter outage
This week, we have a report on how attackers are exploiting APIs faster than previously based on research into over 650 API-related vulnerabilities and a walkthrough guide into DVGA, a vulnerable GraphQL application. We also have further coverage of the Twitter API (this time an outage) and, finally, views from Dana Epp on the new […]
Issue 221: Credential leakage fueling API breaches, API gateway security, PCI DSS 4 impact on API security
This week, we have an article on the rise in API breaches as a result of credential leakage and how this can be addressed by using “MFA for APIs”. We also have a thought-provoking read on how to select an API gateway based on its security characteristics and a brief review of PCI DSS 4.0’s […]
Issue 220: API flaw in Booking.com, apps leaking sensitive API data, API security testing checklist
This week, we have news of a vulnerability affecting the OAuth2 implementation on the Booking.com website. We have a report from Approov on their research into financial apps in the Google Play store and another great article from Dana Epp on API security checklists. Finally, we cover an interview with Matias Madou on the need […]
Issue 219: Money Lover app exposes user data, most web API flaws missed by standard testing
This week, we have news of a recent vulnerability in the Money Lover finance app, and a report into a recent vulnerability in Toyota vehicles, which, according to Toyota, did not result in malicious access. We have an article featuring the views of popular contributor Corey Ball on how conventional testing misses API flaws […]
Issue 218: Three Argo CD API exploits, distributed identity for modern API security
This week, we have news of three separate API vulnerabilities within Argo CD, the popular cloud-native continuous deployment platform. We also have a report covering the views of Gartner on the current state of API security and an article on distributed identity as a key element of modern API security. Finally, we have a guide on how […]
Issue 217: Wordle API exposes answers, Twitter API breach updates, AWS exposed dangerous API
This week, we have news of three vulnerabilities. The first is a vulnerability affecting the Wordle online puzzle allowing curious users to check solutions and even publish their own puzzles. The second is further coverage of the mass information leak from Twitter, and finally, we have coverage of an AWS IDAM API bypassing central CloudTrail […]
Issue 216: Hacking a .Net application, state of API security report, myths of API security
This week, we have another excellent guide from Dana Epp, this time focusing on hacking .Net applications in the real world. We have coverage on the recent Radware 2022 state of API security report and views from Matthew Reinbold on using ChatGPT for API design. Article: Real-world guide to hacking a .Net application Dana Epp […]
Issue 215: API flaws in Lego marketplace, API style guides, 42Crunch joins MISA
This week, we have news of API and web security flaws in the Lego marketplace, potentially allowing for a full account takeover. From NordicAPIs, we have a guide to seven examples of quality API style guides, and we have coverage of the recent news of 42Crunch being admitted to the Microsoft Intelligent Security Association (MISA). Finally, we […]
Issue 214: Google Cloud’s four pillars of API security, Cerbos for API permissions, attacking predictable GUIDs
This week, we have views from the Google Cloud team on their four pillars of API security and a great article from the NewStack on using Cerbos to add permissions to your APIs. Dana Epp shares his thoughts on attacking predictable GUIDs when hacking APIs and, finally, a quick read on the developer’s need for […]
Issue 213: Supply chain vulnerability in IBM Cloud, hardcoded API keys in Algolia portal, JSON-based SQL attacks
This week, we have news of three vulnerabilities. First up is a supply chain vulnerability in the IBM Cloud platform, which is reported to be the first of its kind to affect a cloud provider. The second is another case of hardcoded API keys, this time in the Algolia AI search portal, and the third […]
Issue 212: Remote control of vehicles, API hacking for QA teams, API Top 10 walkthrough
This week, we have news of a critical API vulnerability that allowed a researcher to demonstrate a proof of concept attack allowing remote vehicle takeover. We have articles on three reasons why QA teams should learn API hacking and the new changes GitHub has made to API versioning to future-proof client code. Finally, we have […]
Issue 211: SQLi vulnerability in Zendesk Explore, Twitter API vulnerability, API threats to data-driven enterprises
This week, we have news of a vulnerability in the API of the Zendesk Explore platform allowing an attacker to inject malicious SQL payloads. We also have coverage of the recent breach affecting up to 5.4 million users of the Twitter platform. We also have two articles — the first is an article on the […]
Issue 210: CSRF vulnerability in F5, supply chain attacks, hacking APIs, GCP API security report
This week, we have news of another CSRF vulnerability affecting an API, this time in the F5 BIG-IP device. We also have an article from Dark Reading on the next generation of supply chain attacks, a quick guide on how to hack APIs, and finally, a very illuminating report from Google Cloud on API security […]
Issue 209: CSRF in Plesk API-enabled server, top five API security myths, Ory Hydra authentication server
This week, we have new research from FORTBRIDGE that reveals a cross-site request forgery (CSRF) vulnerability in API-enabled instances of Plesk, the popular server administration portal. We also have an article on the top five API security myths according to Hacker News, a quick look at the Ory Hydra OAuth2/OIDC server, and a guide to […]
Issue 208: Urlscan.io leaks sensitive data, Dropbox phishing attack, contract test for microservices
This week, we have news of two API-related data breaches: the first in Urlscan.io API, which was found to be leaking sensitive URLs and data, and the second a phishing attack on Dropbox, where private GitHub repositories were copied. We also have an article on the importance of contract testing for microservices, and finally, another […]
Issue 207: Tinder API gateway, runtime secrets protection for mobile APIs, and Open Banking APIs
This week, we take a deep dive into the Tinder API gateway and how it solves security challenges. We also have an article from Approov on how to protect runtime secrets for mobile APIs, and an article on Open Banking API security best practices. Finally, we look at how software bill of materials (SBOMs) can […]
Issue 205: Manufacturing industry seeing more API incidents than other industries, two guides on developing secure APIs
This week, we have a report revealing that the manufacturing industry experiences more API-related incidents than other industries. To follow, we have two guides for developers: the first describes REST and common API vulnerabilities, and the second prescribes best practices for secure API design. Finally, we have a fun read on cracking API […]
Issue 204: API attacks on shadow APIs, PII leaks from e-commerce APIs, API runtime security
This week, we have articles on the rise of API attacks that target shadow APIs, how API attacks on e-commerce sites leak PII, views from Trendmicro on the importance of API runtime security, and a guide on API penetration testing. Article: API attacks target shadow APIs First up this week is a report from […]
Issue 203: Optus data breach, API security guide, AuthN/AuthZ vulnerabilities
This week, the main news is coverage of the huge data breach affecting the Australian telecommunications company Optus, with APIs as a likely root cause. We also have articles on API security, authentication and authorization vulnerabilities, and how Docker REST API exposure can present risks. Breach: APIs at the root of Optus data breach? The […]
Issue 202: Six top API security risks, why APIs have no clothes, and a guide on API security testing
This week, we have an article on the six top API security risks being favored by attackers, an article on why your APIs have no clothes, a guide on API security testing to improve security and data confidentiality, and finally, news of API security testing training courses being offered by @theXSSRat. Due to annual vacation, […]
Issue 201: API security in Kubernetes, Corey Ball podcast, broken access controls for APIs, 200th issue prize giveaway
This week, we have an article from the NewStack on API security best practices in Kubernetes, a podcast with Corey Ball discussing API security best practices, an article on broken access control concerns in APIs, and 42Crunch’s eBook on API security. Most importantly, we have news of last week’s winner in the 200th-issue giveaway and […]
Issue 200: Injection vulnerability in BitBucket, OAuth2 exploitation, and 200th issue prize giveaways
Celebrating the 200th issue This week is a special one: it’s the 200th edition of this newsletter, and also my first anniversary as the curator. To celebrate, I have pulled out our three most popular articles and our three most popular guides, in case you missed them the first time around. We’ve also got views […]
Issue 199: Vulnerability in Zulip server, broken access controls threat to APIs, introduction to BOLA
This week, we have news of an API vulnerability allowing privilege escalation in the team chat tool Zulip. We also have articles from PortSwigger on the threat of broken access controls and injection attacks to APIs, as well as a quick read on Broken Object Level Authorization vulnerabilities. Finally, we feature a guide from the […]
Issue 198: API security certification, API authentication webinar, optimizing API security
This week, we have news of the recently released API security training course from Corey Ball and an excellent webinar from Redmonk and FusionAuth. Also, we have an article from TheNewStack on optimizing API security for cloud-native and coverage of a REST API fuzzing tool. Training: API security training with Corey Ball This week’s biggest […]
Issue 197: Apps leaking Twitter tokens, parameter smuggling attack in Golang, API catalogs for security
This week, we have two vulnerabilities — the first is the revelation that thousands of applications are leaking Twitter access tokens, and the second is a parameter smuggling attack in Golang affecting some well-known Golang-based projects. We also have an article on the benefits of API catalogs in delivering security benefits and, finally, a fascinating […]
Issue 196: Software supply chains, APIs in healthcare, Azure API management baselines
This week, we have articles on the importance of API security for the software supply chain, and how API adoption is increasing in the healthcare industry whilst addressing cyber security concerns. We also have new guidance from Microsoft Azure on security baselines for API management, and a free software security course from the Linux Foundation. […]
Issue 195: How DevOps teams defend against API attacks, empathy for the API developer
This week, we have articles on how DevOps teams can defend against API attacks, my views on how empathy for API developers can be a driver toward greater security, and eight measures to improve API security. We also have views on why API gateways might not be sufficient for API security, and finally, a report […]
Issue 194: API testing checklist, API security testing resources, CVSS for API security
This week, we have a very popular API testing checklist aimed at pen-testers, a comprehensive guide to tips & tricks, and resources related to API security and API pen-testing. We also have an article from Cisco on using CVSS to tackle API security, and finally, a 10-year journey in API security vulnerabilities with Ivan Novikov. […]
Issue 193: Five API security best practices, AppSec tools for APIs
This week, we have five best practices from SoftwareAGGov for API security, and views from Jeff Williams at Contrast Security on the suitability (or not) of application security (AppSec) testing tools for API security. We also feature guides on how to secure partner API integrations with OAuth mTLS and on what to look for in […]
Issue 192: Vulnerable APIs costing $75 billion, new Google API security platform
This week, we have a report from Imperva indicating that vulnerable APIs may be costing as much as $75 billion annually with the largest organizations being at the highest risk. We also have coverage of the new API security platform from Google, views from Curity on API-driven backends for frontends for increased API security, and […]
Issue 191: API insecurity causing rising incidents, policy-as-code for API security
This week, we have a report from Imperva on the increasing security incidents caused by unsecured APIs. We also have articles on using policy-as-code to improve API security, views on how common assumptions may prevent effective API protection, and how open APIs are improving cloud-based security. Report: One in thirteen incidents blamed on API insecurity […]
Issue 190: Akamai’s report on APIs, API security checklist, dangers of API security overconfidence
This week, we have a report from Akamai focusing on APIs which they describe as “the attack surface that connects us all”. We also feature an API security checklist that covers seven of the most important requirements, and an article on the dangers of API security overconfidence. Finally, we round off with a video from […]
Issue 189: Vulnerability in Travis CI log API, Microsoft guide to API security, and why API security needs special attention
This week, we have news of an API vulnerability in the Travis CI platform that allowed access to the logs of public instances, leading to leaked keys and tokens. Also this week, we have an excellent guide from Microsoft on their recommendations on how to mitigate API threats, some views from the Economic Times on why […]
Issue 188: API security for smart cars, ownership of the API lifecycle, APIs a top CISO concern
This week, we have articles on API security considerations for smart cars, and an exploration of API ownership and its impacts on security. We also have a report surveying CISOs on their top security concerns (no surprise that API security tops the list), and finally, a beginner’s guide to API security focusing on testing. Article: […]
Issue 187: RCE and API vulnerability in OAS platform, account takeover in Yunmai smart scale
This week, we have two API vulnerabilities: the first is a critical remote code execution (RCE) and API access flaw in the Open Automation Software (OAS) platform, the second a mass account takeover vulnerability in the Yunmai smart scale API. We also have an article on preventing API abuse, and a write-up on how to […]
Issue 186: Kubernetes API servers exposed, vulnerability in Swagger-UI library, Google views on API economy
This week, we have news of a report revealing that over 380 000 Kubernetes API servers are exposed on the internet due to possible misconfiguration, as well as details of a vulnerability allowing DOM XSS attacks in the popular Swagger-UI library. We also feature views from Google on the future of the API economy and […]
Issue 185: Three trends in API security, GraphQL security risks, the importance of API discovery
This week, we have a podcast from Stoplight on three trends in API security; an article on whether GraphQL introduces new security risks; views on the importance of API discovery and inventories; and a report from Cloudflare on the rise of API attacks. We also have news of an upcoming panel discussion at the RSA […]
Issue 184: RCE in F5 BIG-IP suite, API security maturity, hardening GCP implementations
This week, we have news of a high severity remote code execution (RCE) vulnerability in the F5 BIG-IP security suite. We also feature an article from Curity on API security maturity, an article on hardening Google Cloud Platform implementations, and finally a threat matrix for GraphQL APIs. Vulnerability: RCE vulnerability in F5’s BIG-IP security suite […]
Issue 183: API vulnerability in VeryFitPro, exposed Docker APIs targeted by botnets, TruffleHog finds stored credentials
This week, we have two API vulnerabilities: the first, in the VeryFitPro app, allowed attackers access to a backend API, while in the other the LemonDuck botnet attacked exposed Docker APIs. On a more positive note, we also have a new version of TruffleHog that detects stored API credentials, as well as views on how to securely […]
Issue 182: Drupal patches API vulnerability, Google Cloud on API security challenges, guide to OAuth2
This week, we have details of an API vulnerability in the Drupal platform, allowing an attacker to bypass access controls. We also feature views from Google Cloud on challenges to API security, a comprehensive guide to OAuth2, and finally a write-up on how GitHub deviates from the implementation guidelines for OAuth2. Vulnerability: Drupal patches […]
Webinar – Actively Monitor and Defend Your APIs with 42Crunch and the Azure Sentinel Platform
APIs are increasingly the number one attack vector for adversaries due to their growing abundance and ease of attack via automated scripts and tools. Most public APIs are under constant attack by skilled human adversaries and growing legions of bots. Well-designed, secure APIs are critical to mitigating the risk of attack, but it is essential […]
Issue 181: Vulnerability in Wavlink router, API exposing system passwords, views on internal APIs
This week, we have two API vulnerabilities: a command injection vulnerability in the control API of the Wavlink WL-WN531P3 router, and another one on the website of a security regulator in South Africa. In addition, we have views on the management of internal and external APIs, and how the new Lambda Function URLs on AWS […]
Issue 180: API vulnerability in Easy!Appointments platform, new APIs compromising security
This week, we have news of an API vulnerability in the scheduling platform Easy!Appointments allowing unauthorized access. We also have articles on whether the growth in APIs compromises security, how API traffic visibility is a key for API security, and some basic tips on locking down APIs to improve security. Vulnerability: API access control vulnerability […]
Issue 179: Spring4Shell zero-day, CRI-O container runtime vulnerability, and REST API security reference
This week, we have two new vulnerabilities: firstly, the big news of the Spring4Shell zero-day vulnerability in the Spring Framework, coming hot on the heels of the recent Log4Shell vulnerability, and secondly, a vulnerability in the CRI-O container runtime that allowed host access to attackers. We also feature a guide to REST API security and […]
Issue 178: Six areas for Cloud-native security, API governance, DevOps for improved API security, locking down APIs
This week, we have articles covering six critical areas for cloud-native security in 2022, including, of course, API security. In addition, there’s a beginner’s guide to API governance, thoughts on how to improve API security by embracing DevOps, and views on three ways to lock down APIs. Article: Six critical areas for cloud-native security in […]
Issue 177: Vulnerabilities in Veeam product, RCE in Parse Server module, insecure API threat to mobile apps
This week, we have news of two critical vulnerabilities patched in the Veeam data backup solution, a remote code execution (RCE) vulnerability in the popular Parse Server API server module, views on how insecure APIs threaten mobile application security, and how attackers are increasingly focusing on APIs as the attack vector of choice. Vulnerability: Two […]
Webinar – OWASP API Security Top 10 Challenges – Third and Final Episode
March 24, 2022 – 11am EST / 4pm GMT In this third and final episode in the webinar series, Dr Philippe De Ryck, Web Security Expert with Pragmatic Web Security, and Colin Domoney of 42Crunch and APISecurity.io address, one by one, the remaining 5 OWASP API Challenges: Issue 4: Lack of resources & rate […]
Issue 176: Case study of API vulnerabilities, Riverbed vulnerability, API abuse, JWT safety
This week, we have an excellent write-up on a case study of API vulnerabilities, an API vulnerability in Riverbed’s SteelCentral AppInternals software, an article on how even the most “perfect” APIs can be abused, and a guide on the safer handling of JSON web tokens (JWTs). Vulnerability: A case study of API vulnerabilities This week, […]
Issue 175: Vulnerabilities affecting Cisco platforms, GitLab instances, and campus access control
This week, we have three vulnerabilities: the first in the Cisco Expressway Series and TelePresence video communications service, another vulnerability in self-managed GitLab instances, and a bug affecting a campus access control system. On top of this, we also have views on privacy concerns for APIs. Vulnerability: Patches for critical issues in Cisco video communications […]
Webinar: How to Extend Protection of your Data from API to Mobile Application
APIs are mobile app developers’ best friends as they help reduce development time and save costs. But the rapid deployment of mobile apps and the explosion in the development of new APIs present very real threats for most organizations. To defend your APIs, it is important to have a comprehensive approach to API security from […]
Issue 174: APIs increasingly used for account takeover, API hacking book, OAuth in Postman
This week, we have new research on APIs that reveals how they are increasingly used for account takeover, a look at a great new book on hacking APIs, an article on using Postman for OAuth 2.0 authorization code grants, and a guide on documenting APIs. Article: APIs increasingly used for account takeover New research covered […]
Issue 173: Coinbase vulnerability, AuthN/AuthZ best practices, bad bots, Elgato Key light hack
This week, we have news of the eye-opening vulnerability on the Coinbase platform which netted $250,000 in bug bounty. There’s also an excellent guide on best practices for authentication and authorization for REST APIs, an article on the growth of bad bots and how to mitigate against them, and a fun read from APIHandyman on […]
Issue 172: Argo CD vulnerability, state of API security survey, API testing with Zap and Postman
This week, we have news of a vulnerability in Argo CD that allowed leaking application secrets, a survey of the state of API security across three regions, a quick read on how to use Postman and OWASP Zap for API security testing, and finally views on how to distribute authorization services in a microservice architecture. […]
Issue 171: DPD parcel tracking flaw, Apache Pulsar and Casdoor vulnerabilities, trends in API industry
This week, we have news of multiple API flaws and vulnerabilities: the parcel tracking portal at DPD that may have exposed customer data; an API vulnerability in Apache Pulsar that allowed access to data in different tenants; and an SQL injection vulnerability in the Casdoor API. On the more positive side, we take a look at […]
Issue 170: DevSecOps approach to API security, F5 vulnerabilities, ten API integration trends
This week, we have an article on applying a DevSecOps approach to API security, by utilizing a shift-left and protect-and-monitor-right approach; a pair of vulnerabilities patched by F5; views on the top 10 API integration trends by Brenton House; and finally, a view on the rise of bot attacks against APIs. Article: […]
Issue 169: Insecure API in WordPress plugin, Tesla 3rd party vulnerability, introducing vAPI
This week, we have details of a vulnerability in the popular WordPress plugin WP HTML Mail, which potentially exposed 20,000 WordPress sites, and a vulnerability in TeslaMate software exposing dozens of Teslas to remote access. On a more positive note, we have an introduction to vAPI, an open-source laboratory for learning API security, and an article […]
OWASP API Security Top 10 Challenges – Webinar Series
In this 3-part webinar series Dr. Philippe De Ryck, Web Security Expert with Pragmatic Web Security and Colin Domoney of 42Crunch and APISecurity.io, take a deep dive into understanding and addressing the OWASP API Security Top 10 issues. Through detailed practical examples and use cases, they guide developers and security professionals through how to fix […]
Issue 168: Safari 15 IndexedDB API vulnerability, a pair of AWS vulnerabilities, and an API security podcast
This week, we have news of a vulnerability in the IndexedDB API in Safari 15 that exposed user information, a pair of vulnerabilities in AWS affecting AWS Glue and AWS CloudFormation, and a podcast featuring Rinki Sethi and Alissa Knight discussing API security. Last week, we featured an “awesome API security” guide from a 3rd-party […]
Issue 167: Uber bug allows spoof emails, partner-facing APIs on the rise, omnichannel APIs increase risk
This week, we have a long-standing vulnerability in a public-facing internal API at Uber, which allowed attackers to spoof emails. In addition, there’s an article by NordicAPIs on the RapidAPI report into the rise of partner-facing APIs, IBM’s views on the API security risk posed by the growth in omnichannel APIs, and finally (another) awesome […]
Issue 166: Securing large API ecosystems, creating OpenAPI from HTTP traffic, Frankenstein APIs, and API proliferation
This week, we have a comprehensive article on approaches to securing large API ecosystems, an interesting read on how to create OpenAPI definitions from HTTP traffic, how “Frankenstein APIs” are exposing businesses to additional risk, and why the continued API proliferation presents security challenges to organizations. Article: Securing large API ecosystems First up this week […]
Issue 165: Vulnerability in All in One WordPress plugin, why to treat all APIs as public, a beginner’s guide to API security
This week, we have news of another high-severity vulnerability in a WordPress plugin, this time in the popular All in One plugin, allowing compromise via the core REST API. We also have views from @apihandyman on why to treat all APIs as public ones, a comprehensive beginner’s guide to API security, and finally an optimistic view […]
Issue 164: Log4Shell vulnerability, API sprawl an increasing threat, API security design best practices, Zero Trust for APIs
This week, we have news on the Log4Shell vulnerability affecting applications and infrastructure using the ubiquitous Log4j library. In addition, there’s an article on how API sprawl is becoming a threat to the digital economy, a guide on API security design best practices, and views on the benefits of a zero trust approach for API security. […]
Issue 163: Why API security strategies fail, AWS keynote on good API design, biggest breaches in 2021
This week, we have an article on seven reasons why API security strategies are failing, details on the recent keynote by Werner Vogels at AWS re:Invent on six rules for good API design, an article by Cisco on API discovery, and a review of some of the biggest API security attacks in 2021. Article: Seven […]
Issue 162: Compromised Google Cloud accounts, GraphQL as API gateway, API security guide and training
This week, we have details of compromised Google Cloud accounts being used to mine cryptocurrency (mainly with weak or no passwords on API connections), there’s an article on how GraphQL can be used as an API gateway (including security controls), a very comprehensive guide to all things relating to API security, and a new API […]
Webinar: Automate API Protection with “Security as Code”
Thursday December 9th, 2021 | 8am PDT / 11am EST / 4pm GMT Join Colin Domoney as he demonstrates how DevSecOps teams now automate and scale the protection of your APIs by generating “security as code” into a CI/CD pipeline. More information […]
Issue 161: Vulnerability in Wipro Holmes Orchestrator, report into vulnerabilities in FinTech and banking apps
This week, we have details of a vulnerability in the AI platform Wipro Holmes Orchestrator, allowing the download of arbitrary files via path manipulation. There’s also a new report from researcher Alissa Knight on vulnerabilities in banking, cryptocurrency exchange, and FinTech APIs; an article on the impact of a shift-left approach for API security; and […]
Issue 160: Vulnerability in AWS API gateway, Kubernetes API access hardening guide
This week, we have a vulnerability in the AWS API gateway that allows a potential cache-poisoning attack, disclosed at the recent BlackHat Europe conference, a guide on how to harden Kubernetes API access, a report from Forbes on the need to take API security more seriously, and predictions on what’s possibly on the next OWASP […]
Issue 159: Vulnerability in GoCD CI/CD platform, views on full lifecycle API security, articles on API security and sprawl
This week, we have news of a high-criticality vulnerability in GoCD, a common open-source CI/CD system, allowing attackers to hijack secrets of downstream supply chains. There is also an excellent article on the journey of Raiffeisen Bank International toward full lifecycle API security, another article on how API security is hindering application delivery, and […]
Issue 158: Data of 400 000 students exposed, 1 million sites affected by plugin vulnerabilities, views on GraphQL
This week, we have news on a breach affecting 400 000 users of a popular German school app, and another vulnerability in a popular WordPress plugin. In addition, there’s a thought-provoking opinion piece on the value of GraphQL on public interfaces, and an article featuring nine useful API testing tools. Breach: Sensitive data of 400 […]
Issue 157: Unsafe defaults in Prometheus, mapping API attack surfaces, OpenAPI file trend analysis
This week, we have details of a potential vulnerability in existing Prometheus installations with no endpoint security enabled, details of a new tool to assist organizations in mapping their API attack surface, a report on the analysis of publicly available OpenAPI definition files, and news on upcoming API security awareness and training […]
Issue 156: FHIR APIs vulnerable to abuse, 3D printers facing hijacking risk, API security webinar
This week, we have a vulnerability report from Alissa Knight on Fast Healthcare Interoperability Resources (FHIR) APIs being potentially vulnerable to abuse, and more details on how the breach at MakerBot’s Thingiverse 3D printing repository website could lead to hijacking users’ 3D printers. In addition, there’s an article summing up the increasing numbers of […]
Issue 155: Vulnerability in BrewDog mobile app, APIClarity at KubeCon, API attacks in Open Banking
This week, we have a vulnerability in the BrewDog mobile app exposing users’ PII courtesy of hard-coded bearer tokens, Cisco has announced the arrival of their APIClarity at KubeCon 2021, F5 has published a report on API attacks in Open Banking, and finally, there’s a mega-guide on API security best practices. Vulnerability: Hard-coded API bearer […]
Issue 154: Views on APIs and security, report into API misconfiguration, detecting malicious API activity
This week, we have a viewpoint on what security officers can do to address API security. There’s also a report from IBM revealing that two-thirds of cloud breaches are due to misconfigured APIs, the best practices for detecting malicious activity on API endpoints, and a description of common attack vectors on GraphQL implementations. Correction: In […]
Issue 153: Rapid proliferation of APIs, WordPress API vulnerability, false-negative API scanning
This week, we have an article on how API proliferation is opening up security holes, and another vulnerability in the WordPress REST API, again through a third-party plugin. In addition, we look into the importance of false-negative API vulnerability scanning, and API protection as a key element of a cloud security strategy. Article: Rapid proliferation of […]
Issue 152: Exposed API keys and tokens, SAST/DAST for API security testing, the value of API specifications
This week, we have a breach involving exposed API keys for payment integration, leaked API tokens on Travis CI, the shortcomings of static and dynamic application security testing (SAST/DAST) for API security, and the value that API specification frameworks bring. Breach: Exposed payment integration API keys The big news story this week was the leakage […]
Issue 151: WordPress 5.8.1 security patch, API botnet attacks report, articles on API tokens and API discovery
This week, we have details on the security patch in WordPress 5.8.1 fixing an issue on the REST API, a report on the rise of botnet attacks on APIs, an article on everything you need to know about API tokens, and thoughts on API discovery. Vulnerability: Security patch to REST API in WordPress 5.8.1 Last […]
Issue 150: Vulnerability in Fortress home security system, API fuzzing techniques, hardening GraphQL implementations, and central governance for APIs
This week, we have recent vulnerabilities in the Fortress home security system that allowed an attacker to remotely disable the system, a guide on API fuzzing techniques and tools, best practice for hardening GraphQL implementations, and views on central governance for APIs. Vulnerability: Fortress home security vulnerability allows remote disarming This week, Rapid7 disclosed two […]
Issue 149: Vulnerabilities on Cisco routers and Bumble, adopting Zero Trust for APIs, a hacker’s view on API security challenges
This week, we have vulnerabilities on Cisco routers allowing device takeover, a vulnerability in the Bumble app disclosing users’ location, a view on adopting Zero Trust for APIs, and a hacker’s view on API security challenges. Vulnerability: Cisco releases critical patches Cisco Systems has released a total of six security patches for API vulnerabilities this […]
Issue 148: Microsoft Power Apps breach, BOLA on Topcoder portal, RFC 9101 released, API hacking guide
This week, we have Microsoft Power Apps demonstrating the dangers of lax default settings for data exposure, yet another Broken Object Level Authorization (BOLA/IDOR) vulnerability on the Topcoder portal, the newly released RFC 9101, and a guide to hacking APIs. Breach: Microsoft Power Apps records leaked via OData API The big news this week is […]
Issue 147: Vulnerabilities in SEOPress plugin and Steam portal, results from an application security survey
This week, we have the recent API vulnerabilities in the SEOPress WordPress plugin and the Valve Software Steam portal, the results from a Dark Reading survey into application security, and details of the upcoming OpenAPI Initiative’s (OAI) API Specifications Conference. Vulnerability: XSS and REST API vulnerability in SEOPress On July 29, 2021, the Wordfence Threat […]
Issue 146: Facebook API leaking private group membership, JWT Attacker plugin for Burp
This week, we have the recent API fix involving group membership at Facebook, a case study of a BOLA vulnerability leaking users’ credit coupons, a handy add-on for Burp Suite, plus an interview with a security expert on API security. Vulnerability: Facebook Facebook API was leaking information on users’ memberships in private groups. Muhammad Sholikhin […]
Issue 145: APIs and electric car charging stations, The Nuts and Bolts of OAuth 2.0
This week, we take a look at the recently discovered (and fixed) API vulnerabilities in electric car charging stations, a Udemy course on OAuth 2.0, the recently released Gartner Hype Cycle on APIs, and how APIs in microservices architectures can be exploited if they construct backend calls without properly validating inputs. Vulnerability: Electric vehicle charging […]
Issue 144: JustDial API vulnerability re-emerges, API key checker, the state of OAuth
This week, JustDial has had to re-fix an old API vulnerability that they already fixed in 2019. We also have a set of scripts for automated API key validation, and two videos from recent conferences on the OAuth roadmap and GraphQL security. Vulnerability: JustDial JustDial had a regression as they accidentally reintroduced the API vulnerability […]
Issue 143: GraphQL API leaking credit cards, SQLi in JWT, XML attacks mind map
This week, we have a detailed write-up on finding credit card numbers leaking from a GraphQL API, a lab walkthrough on hacking JSON web tokens (JWT) through SQL injection, and HackerOne’s new Capture The Flag (CTF) API Security challenge. On the resource side, we have another good mind map, this time on XML attack vectors […]
Issue 142: API vulnerabilities in Coursera and Huawei, GraphQL rate limiting and discovery
This week, we take a look at the recently reported API vulnerabilities at Coursera and in one of the Huawei home gateways. We also learn about rate-limiting for GraphQL APIs and GraphQL discovery using its autocorrect feature. Vulnerability: Coursera Coursera has fixed a number of API vulnerabilities reported by David Sopas, Paulo Silva, Ricardo Gonçalves, […]
Issue 141: API vulnerabilities in VeryFitPro and Gettr, AWS Lambda authorizers, AsyncAPI 2.1
This week, we take a look at insecure API traffic in the VeryFitPro Android app, how APIs were used to scrape user profile data from Gettr, and some potential API vulnerabilities affecting users of AWS API Gateway and Lambda authorizers. In addition, there is also the latest update to the AsyncAPI standard. Vulnerability: VeryFitPro Researchers from […]
Issue 140: API vulnerabilities at LazyPay, Western Digital, and LinkedIn; IDOR mindmap
This week, we take a look at the recent API vulnerabilities reported at LazyPay, API attacks on Western Digital My Book Live NAS systems, and LinkedIn profiles getting scraped. We also have a new detailed mind map for broken object-level authorization (BOLA/IDOR) vulnerabilities. Vulnerability: LazyPay LazyPay is a pay-later platform that has over 2 million […]
Issue 139: API vulnerabilities at Apple, Amazon, and 1Sambayan, upcoming Gartner webinar
This week, we take a look at the recent API vulnerabilities at Apple, Amazon, and the volunteer coordination app of the Philippine opposition coalition, and there is an upcoming API security webinar by Gartner. Vulnerability: Apple iCloud account takeover Laxman Muthiyah was able to demonstrate how he could brute-force his way into taking over someone […]
Issue 138: Vulnerabilities in Microsoft Teams and Instagram
This week, we check out the recent vulnerabilities in Microsoft Teams and Instagram, the awesome-apisecurity repo in GitHub, and the upcoming DevSecCon24 conference. Vulnerability: Microsoft Teams Evan Grant found a way to break into Microsoft Teams accounts by leveraging Microsoft Power Apps. Microsoft Power Apps and Power Automate services are meant to provide easy tools […]
Issue 137: Vulnerabilities in VMware vCenter and Apache Pulsar, GraphQL and CSRF attacks
This week, we take a look at the recent API vulnerabilities in VMware vCenter and Apache Pulsar, how GraphQL implementations may be vulnerable to cross-site request forgery (CSRF) attacks, an upcoming webinar on API Security and Postman, a DZone webinar with this newsletter’s author next week, and a video on how the API security vendor […]
Issue 136: OAuth 2.0 security checklist and pentesting
This week, we check out how API attacks can be used to squash political dissent, a handy OAuth 2.0 security checklist as well as some common OAuth vulnerabilities and the ways to detect and mitigate them, and a case study of API penetration testing. Vulnerability: Russian opposition email list breach Companies typically avoid providing details […]
Issue 135: Millions stolen from cryptoexchanges through APIs
This week, we take a look at how cybercriminals exploit leaked API keys to steal millions of dollars from cryptoexchanges. In addition, we also have the recent API vulnerabilities in Rocket.Chat, the upcoming change in Let’s Encrypt root certificate and its impact on APIs, and another video on common GraphQL API vulnerabilities. Vulnerability: API keys […]
Issue 134: API vulnerabilities at Echelon, Instagram, Facebook Workspace
This week, we have three API vulnerabilities: in Echelon sports equipment, Instagram, and Facebook Workspace, as well as an interview with Forrester’s key API security expert, Sandy Carielli. Vulnerability: Echelon In our previous newsletter, we discussed API vulnerabilities at Peloton. This week, the same researcher, Jan Masters from Pen Test Partners, has published his research […]
Issue 133: Vulnerable Peloton APIs, API contract generation for .NET
This week, we take a look at the API vulnerabilities discovered at Peloton, how India is locking down the APIs for their COVID vaccination portal, how API contracts can be generated from .NET code, and what API security sessions the upcoming RSA Conference (RSAC) offers. Vulnerability: Peloton Peloton is a producer of popular treadmills and […]
Issue 132: Experian API leak, breaches at DigitalOcean and Geico, Burp plugins, vAPI lab
This week, we take a look at the recent API vulnerabilities at Experian, Facebook, and possibly DigitalOcean and Geico. There is also a review of Burp plugins for API vulnerability discovery, and a new API security penetration testing lab. Vulnerability: Experian Bill Demirkapi found an unprotected Experian API that returned a credit score based simply […]
Issue 131: API vulnerabilities at John Deere, Springfox, JWT lab, AutoGraphQL
This week, we check out the recent API vulnerability in John Deere farming machinery, the best practices in using Springfox annotations for API security, a new JWT penetration testing lab, and AutoGraphQL – a tool for GraphQL authorization testing. Vulnerability: John Deere John Deere is one of the leading manufacturers of expensive farming equipment, such […]
Issue 130: GitHub’s new token format, MindAPI, Kiterunner
It’s a rare week with no high-profile API breaches in the news, so we can actually take our time to focus on the positives, like the best practices around API tokens and new tools for API reconnaissance and penetration testing. Best practices: API token format API keys can be or look like pretty much anything. […]
Issue 129: Facebook and Clubhouse profiles scraped through APIs, Forrester’s “State of Application Security, 2021”
This week, we obviously have to discuss the hundreds of millions of Facebook and Clubhouse user profiles that were scraped using APIs. In other news, Forrester has published their fresh and insightful report “The State of Application Security”, and there’s a new online training “Building an Identity Architecture for APIs”. Data leak: Facebook The biggest […]
Issue 128: API flaws at VMware and GitLab, URL parameters and SSRF, webinar on recent breaches
This week, we check out the recent API vulnerabilities at VMware and GitLab, how URL parameters can lead to server-side request forgery (SSRF) vulnerabilities, and the upcoming webinar on some of the recent real-life API security flaws. Vulnerability: VMware vRealize Operations API VMware has just patched two critical security issues in their vRealize Operations API. […]
Issue 127: Hidden OAuth attack vectors, Methodology for BOLA/IDOR
This week, we look at an API vulnerability in Micro Focus Operation Bridge Reporter, new research on 3 hidden attack vectors in OAuth and OpenID Connect, a methodology for finding BOLA/IDOR, and research on OpenAPI adoption in the banking sector. Vulnerability: Micro Focus Operation Bridge Reporter Even authentication APIs may lead to direct remote code […]
Issue 126: F5 iControl REST API under attack, Regexploit, Ford’s API security talk recording
This week, we check out the recent API vulnerabilities at F5 and Facebook, there’s a new tool to locate regular expressions vulnerable to Denial-of-Service (DoS) attacks, and we have the recording of Ford’s recent talk on their API security policies and lessons learned. Vulnerability: F5 iControl REST API This one appears to be the most […]
Issue 125: iPhone call recorder API flaw, Burp and OpenAPI, GraphQL pentesting, FAPI
This week, we look at an API vulnerability in a popular call recorder app, newly added OpenAPI support in Burp, a GraphQL pentesting lab, and the just-released Financial-grade API (FAPI) standard. Vulnerability: iPhone Automatic call recorder Anand Prakash found an API vulnerability in one of the most popular call recording apps for iPhone – Automatic […]
Issue 124: API vulnerabilities at Microsoft and Truecaller Guardians, Pentester labs, API security at Ford Motors
This week, we take a look at the recent API vulnerabilities reported at Microsoft and Truecaller Guardians, the new penetration testing labs for API security, and an upcoming webinar on the API security process at Ford Motors. Vulnerability: Microsoft online accounts API endpoints for resetting account passwords are a frequent attack vector. Attackers brute-force these […]
Issue 123: API vulnerabilities VMWare vCenter and Facebook, mismatch between JSON parsers, API security fixes in VS Code
This week, we learn about the recent serious API vulnerability in VMware vCenter (if you have one, update ASAP!), why query and path parameters cannot be trusted for confidential data, how potential attacks can emerge from inconsistencies in JSON parser behavior, and how a VS Code extension can help fix API vulnerabilities. Vulnerability: VMware vCenter […]
Issue 122: API issues at Clubhouse and healthcare apps, scope-based recon, OAS v3.1.0
This week, we take a look at the recent data spill incident at Clubhouse, the (poor) state of API security in major healthcare mobile applications, how scope-based reconnaissance methodology works, and the latest update (v3.1.0) to the OpenAPI Specification. Vulnerability: Clubhouse Clubhouse is an audio-only social network app for iPhone. Last Sunday, it had a […]
Issue 121: Vulnerability at chess.com, GraphQL security playground and checklist
This week, we take a look at the recent API vulnerability at chess.com, resources for GraphQL API security, and some API security advice from Michael Cobb at TechTarget. Vulnerability: chess.com Sam Curry found an API vulnerability that allowed arbitrary account takeover in chess.com, a popular online chess community and app. Community members can exchange messages, […]
Issue 120: Video doorbells security flaws, intro to JWT attacks, security zines
This week, we take a look at the security issues in cheap video doorbells and security cameras, as well as tutorials and webinars on protecting APIs running in Kubernetes, JSON web tokens (JWT), and web and API authentication and authorization. Oh, and we also have a link to DZone community awards where you can vote […]
Issue 119: NoxPlayer supply-chain attack through a hacked API
This week, we take a look at the recently discovered API attack in NoxPlayer, the latest annual “State of Web Application Security” report by Radware, a detailed step-by-step pentesting tutorial, and a recording of a session on API security and Azure API management from AppSec Israel. Vulnerability: NoxPlayer [UPDATE] We have been contacted by a […]
Issue 118: Spring Framework ALPS, OAuth 2.0 attack mindmap, securing JWTs
This week, we check out a potential exposure of APIs developed with Spring Framework and OAuth 2.0 attack classification. There’s also a recording of a recent JSON web token (JWT) security webinar and an upcoming API security fireside chat at the Postman Galaxy event next week. Vulnerability: Spring Framework Application-Level Profile Semantics Frameworks make developer […]
Issue 117: Vulnerabilities in YouTube and Ring Neighbors app, OAuth Mix-Up attacks, Tamper Dev
This week, we look into some recent API vulnerability reports on YouTube and Amazon’s Ring Neighbors app, there is a new proposed addition to the OAuth standard, and Google has developed an API proxy extension for Chrome. Vulnerability: YouTube David Schütz found a clever way to get (limited) access to private YouTube videos via a […]
Issue 116: Facebook and Parler API vulnerabilities, clairvoyance
This week, we check out the recent API vulnerabilities at Facebook and Parler, there is a new GraphQL discovery tool called clairvoyance, and we have API security advice from Corey Ball. Vulnerability: Facebook Pouya Darabi found an API vulnerability in Facebook that allowed him to create posts on other users’ pages. The posts were not […]
Issue 115: Vulnerabilities in SolarWinds, Ledger, Outlook. New plugin for JetBrains IDEs
Happy New Year 2021! This week, we revisit the API aspects of the SolarWinds breach and check out how APIs featured in the recent Ledger breach. There is also an API vulnerability found in Microsoft’s Office 365 Outlook and a new API development and security plugin for JetBrains IDEs. Vulnerability: SolarWinds The now-infamous SolarWinds breach […]
Issue 114: SolarWinds and PickPoint breaches, GitHub Code Scanning review, GraphQL security
This week, we check out the API aspects of the recent SolarWinds and PickPoint breaches. Also, we have a review on how to shift API security left with GitHub and 42Crunch and an introduction video on GraphQL security. Breach: SolarWinds The SolarWinds hacking reported this weekend was not API-related as such. It was a supply […]
Issue 113: API vulnerabilities at YouTube and 1Password, OIDC security, Assetnote Wordlists
This week, we take a look at the recent API vulnerabilities reported at YouTube and 1Password, a detailed OpenID Connect (OIDC) security research, and how Assetnote Wordlists can be used in API discovery. Vulnerability: YouTube Ryan Kovatch was testing YouTube Video Builder beta when he discovered API flaws in YouTube APIs that it uses. When […]
Issue 112: Vulnerability in Paginator, Microsoft RESTLer, talks on API authentication and JWT security
This week, we have the recently reported API vulnerability in Duffel’s Paginator, a new API fuzzer from Microsoft Research, an upcoming JWT security webinar, and a recorded talk on approaches to API authentication. Vulnerability: Paginator Peter Stöckli from Alphabot Security has posted a write-up on the API vulnerability he found in Duffel’s Paginator (CVE-2020-15150). Duffel […]
Issue 111: API vulnerabilities in AWS, Tesla Backup Gateway, Twitter
Happy Thanksgiving to all of our readers in the US! This week, we take a look at the recent API security issues with Resource-Based Policy APIs at Amazon Web Services (AWS), Backup Gateway APIs at Tesla, and in Twitter Fleets. In addition, we have some free passes to the upcoming DeveloperWeek New York that includes […]
Issue 110: API flaws in Bumble and COVID-KAYA, Forrester on API security, ASC 2020 talks
This week, we check out API vulnerabilities in the dating app Bumble and COVID-KAYA, an app for front-line healthcare workers in the Philippines. There’s also a new Forrester report and an upcoming webinar on API security, as well as a couple of recordings of API security talks from the recent API Specification Conference (ASC). Vulnerability: […]
Issue 109: API token best practices, Dredd, IDOR hunting tips
This week, another API has been leaking voter data in the US, we take a look at Dynatrace’s API token best practices as well as Dredd, an open-source OpenAPI verification tool, and there is a video with tips on locating broken object-level authorization vulnerabilities in APIs. Vulnerability: Trump campaign’s post-election site Although the campaigns are […]
Issue 108: API vulnerabilities in Thrillophilia and GitLab
This week, we have the recent API vulnerabilities in Thrillophilia and GitLab, there is a new free online course on OpenID Connect, and OpenAPI support has been recently added in Cloudflare. Vulnerability: Thrillophilia Thrillophilia is an Indian online platform for discovering and booking travel experiences and tours. Ehraz Ahmed found that Thrillophilia exposed about 2 […]
Issue 107: Vulnerabilities in Waze, AWS, and NHS COVID-19 app, Forrester App Sec Tech Tide
This week, we check out three API vulnerability reports for Waze, Amazon Web Services (AWS), and the UK NHS COVID-19 app. In addition, the new Forrester study of the technologies constituting application security as of Q4 2020 has been published. Vulnerability: Waze Remember the fun “other cars” icons that Waze, Google’s social GPS navigation app […]
Issue 106: API flaws at GitLab and Grindr, APICheck, API World and apidays conferences next week
This week, we have the recent API vulnerabilities at GitLab and Grindr, the APICheck tool gets donated to OWASP, there’s a summary on the basics of API authentication options, and complimentary registration links for the online conferences API World and apidays London next week. Vulnerability: GitLab Riccardo Padovani found an API vulnerability in GitLab related […]
Issue 105: API vulnerabilities in HashiCorp, Azure App Services, and Qiui adult devices
This week, we take a look at API vulnerabilities in HashiCorp Vault, Azure App Services, and “smart” adult toys. There is also an introductory video on finding information disclosure in JSON and XML API responses, and another cheat sheet and a webinar on OWASP API Security Top 10. Vulnerability: HashiCorp Vault Felix Wilhelm from Google’s […]
Issue 104: API vulnerabilities at Twitter and Grandstream, mTLS in AWS API Gateway, Application Security Podcast
This week, we check out the recent API-related vulnerabilities at Twitter and Grandstream Networks, the newly added support for mutual TLS (mTLS) in AWS API Gateway, and the API security episode in the Application Security Podcast. Vulnerability: Twitter A misconfiguration in the Twitter developer portal caused browsers to cache API keys, account access tokens, and […]
Issue 103: API vulnerabilities at Cisco, Shopify, BrandBQ, a security guide to CORS
This week, we check out three recent API vulnerabilities or breaches and what we know about them, and take a deep dive into cross-origin resource sharing (CORS). Vulnerability: Cisco Cisco has released critical security updates to IOS XE Software run by many of its devices. Two of the issues they have fixed are critical API […]
Issue 102: Vulnerabilities in Facebook and campaign apps, creating defensible APIs
This week, we look into the recent API vulnerabilities at Facebook and the campaign apps for the US presidential election, a new book on the OpenAPI Specification (OAS), and a guest post by API security trainer Mohammed Aldoub on how to build APIs that are easy to defend against attackers. Vulnerability: Facebook Marcos Ferreira found a […]
Issue 101: Vulnerabilities in Giggle, Google Cloud Platform, SonicWall, New Relic, Tesla
After the special 100th edition last week, which was all about API security advice from the industry’s thought leaders, this week we are back to our regular API security news, and we have twice the number of them, from the past two weeks. Vulnerability: Giggle Giggle is a women-only social network and mobile app. It […]
Issue 100: API Security advice from top industry experts
Today is a special day for our newsletter – our centennial issue and the number of email subscribers crossing the 5,000 mark (and in addition to that we have about 1300 followers on Twitter and a similar number of members of the API Security LinkedIn group). This has definitely grown significantly bigger than the original […]
Issue 99: API flaws in the Mercedes-Benz app and Russian inter-bank money transfer
This week, we check out the API vulnerabilities in the Mercedes-Benz connected cars and the Russian inter-bank money transfer system. We also have the upcoming ASC 2020 conference next week, as well as a recording of IIoT Cybersecurity panel discussion from the recent IIoT World event. Vulnerability: Mercedes-Benz car control The conference Black Hat USA […]
Issue 98: APIs as the next frontier in cybercrime
This week, we take a look at the recently reported API vulnerabilities in the COVID-19 tracing app Aura and in Kubernetes, some API security best practices, and a talk on OWASP API Top 10 from DEF CON 2020. Vulnerability: Aura COVID-19 tracing app Another mandatory COVID-19 tracing app was found to leak personal information and […]
Issue 97: Gym apps & home automation vulnerabilities, how to not leak API keys
This week, we check out the recent API vulnerabilities in the gym management platform Fizikal and the HDL smart home automation. We also have a great detailed write-up on the recent HacktivityCon 2020 Capture the Flag challenge, and a DEF CON talk on leaking API keys. Vulnerability: Fizikal Apps use platforms to get to the […]
Issue 96: Vulnerabilities at Cisco and MGM Grand Resort, tutorial on Chrome DevTools and pentesting with GraphQL
This week, we take a look at the recent vulnerability in Cisco Data Center Network Manager, as well as the API aspect of the data breach at MGM Grand Resort. Plus, we have a couple of tutorials: one on using Chrome Developer Tools to discover API paths, and an introductory one on GraphQL APIs and […]
Issue 95: Vulnerabilities at Zoom and OkCupid, progress on OAuth 2.1, API Information Disclosure tutorial
This week, we have recent vulnerabilities in Zoom and OkCupid, progress on the draft for OAuth 2.1, and a video tutorial on discovering leaky APIs. Vulnerability: Zoom Zoom has become the household name of the times, with plenty of face-to-face activities moving online. While this helps to keep the bugs of the living kind […]
Issue 94: Two-day API security training at Black Hat USA
This week, we have a potential username exposure in WordPress APIs, an upcoming API security training at the Black Hat USA 2020 conference, and some industry statistics on the poor security performance of web application firewalls (WAFs) and the importance of API security. Vulnerability: WordPress If you use WordPress, check if the REST API endpoint […]
Issue 93: API authentication flaw in Chingari, a guide to OAuth Authorization Code grant
This week, we have a report of a vulnerability in Google Sign In in a popular Indian video-sharing app, a new guide on typical OAuth implementation flaws, a tool for importing OpenAPI definitions into Burp, and a virtual training on API security. Vulnerability: Chingari Chingari is a popular Indian video-sharing app. With the latest steps […]
Issue 92: APIs putting dementia patients at risk, OAuth simulators
This week, Pen Test Partners take a deep dive into why API vulnerabilities are so common in the cheaper smart tracker devices, and we also have a vulnerability in TP-LINK’s Kasa Cameras. On the sunny side of the street, we have helpful simulators to figure out the different OAuth2 and OpenID Connect (OIDC) flows, and […]
Issue 91: Homograph OAuth bypass, common JWT mistakes, ReDos attacks
This week, we check out the recent OAuth bypass at SEMrush, common JWT implementation mistakes and the Semgrep tool, regular expression denial of service (DoS) attacks, and a new online course on OAuth2 and OpenID Connect. Vulnerability: SEMrush OAuth2 implementations can be tricky. SEMrush has fixed an OAuth redirect_uri bypass reported by Yassine Aboukir. The problem […]
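The defence against this whole class of redirect_uri bypasses (homograph hosts included) is the one RFC 6749 section 3.1.2.3 prescribes: compare the supplied redirect_uri with the registered one by simple string comparison. The snippet below puts that exact-match check beside three looser comparisons that are common in the wild and shows which constructed candidate each one lets through. It is an added example, not code from the SEMrush report, from Yassine Aboukir or from 42Crunch, and it does not reproduce the specific SEMrush flaw; the registered URI and the candidate values (one of them a host spelled with a fullwidth letter) are constructed for illustration.

```python
"""Exact-match redirect_uri validation beside the loose checks it replaces.

Added example; not code from the SEMrush report or from 42Crunch.
The registered URI and the candidate values are constructed for illustration.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed: the full redirect URI a hypothetical client registered.
REGISTERED = frozenset({"https://app.example.com/oauth/callback"})


def strict_match(candidate: str) -> bool:
    """RFC 6749 section 3.1.2.3: simple string comparison against the
    registered value. No parsing, no prefixes, no normalisation, so the
    set of accepted URIs is exactly the set of registered URIs."""
    return candidate in REGISTERED


def prefix_match(candidate: str) -> bool:
    """Loose: accepts anything that starts with a registered URI, so extra
    path or query segments (and any open redirect reachable through them) pass."""
    return any(candidate.startswith(reg) for reg in REGISTERED)


def host_suffix_match(candidate: str) -> bool:
    """Loose: looks only at the host, and only at its suffix, so a lookalike
    host that merely ends with the registered name passes."""
    host = urlsplit(candidate).hostname or ""
    return any(host.endswith(urlsplit(reg).hostname or "") for reg in REGISTERED)


def normalised_match(candidate: str) -> bool:
    """Loose: NFKC-normalises and case-folds before comparing, so a host spelled
    with compatibility (lookalike) characters compares equal to the registered
    one even though the raw string the browser is redirected to differs."""
    def fold(uri: str) -> str:
        return unicodedata.normalize("NFKC", uri).casefold()
    return any(fold(candidate) == fold(reg) for reg in REGISTERED)


def accepted_by(candidate: str) -> set:
    """Names of the checks that would accept this redirect_uri."""
    checks = {
        "strict": strict_match,
        "prefix": prefix_match,
        "host_suffix": host_suffix_match,
        "normalised": normalised_match,
    }
    return {name for name, check in checks.items() if check(candidate)}


# Constructed candidates an attacker might submit in the authorization request.
CANDIDATES = {
    "legitimate": "https://app.example.com/oauth/callback",
    "extra_query": "https://app.example.com/oauth/callback?next=https://evil.test/",
    "lookalike_host": "https://evilapp.example.com/oauth/callback",
    # The 'a' in "example" replaced by FULLWIDTH LATIN SMALL LETTER A (U+FF41).
    "homograph_host": "https://app.ex\uff41mple.com/oauth/callback",
}

if __name__ == "__main__":
    for label, uri in CANDIDATES.items():
        print(f"{label:15} accepted by {sorted(accepted_by(uri)) or 'nothing'}")
```

Only the legitimate URI survives the strict check; every transformation applied before the comparison (prefix, host suffix, Unicode normalisation) widens the accepted set in a way the client never registered, which is exactly the room an attacker needs.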
Issue 90: Twitter API data security incident, Google Analytics APIs used with skimmers
This week, we take a look at how Twitter API erroneously allowed browsers to cache sensitive data, and how skimmers have found a way to use Google Analytics APIs to get their hands on credit card data. Plus, there is a live demo of API hacking, as well as a new book on API security. […]
Issue 89: Starbucks API flaw exposes almost 100 million customer accounts
This week, we have the recent API vulnerabilities at Starbucks and in Drupal, a set of open-source tools by the Spanish bank Banco Bilbao Vizcaya Argentaria (BBVA), and extensions to the Microsoft platform for integrating API security throughout it all. Vulnerability: Starbucks Sam Curry found an API vulnerability at Starbucks that exposed almost 100 million customer […]
Issue 88: JWT pentesting, API discovery, the present and future of OpenAPI
This week, we take a break from vulnerabilities and direct our gaze to the wider landscape of API security. On the practical side, we have a toolkit for JSON Web Token (JWT) security. The more high-level items include a video on API discovery, an eBook on API security, and a discussion on the role of […]
Issue 87: Vulnerabilities in Digilocker, Facebook, VMware Cloud Director
This week, we take a look at the recent API vulnerabilities in Digilocker, Facebook, and VMware Cloud Director. On top of that trio, there is also a new instructive video on REST API pentesting. Vulnerability: Digilocker A critical API vulnerability in India’s digital wallet system, Digilocker, exposed personal documents of more than 38 million citizens. […]
Issue 86: Vulnerabilities in Sign in with Apple, Qatar’s COVID19 app, GitLab
This week, we have three API vulnerabilities in: Apple’s Sign in with Apple authentication endpoint Qatar’s COVID-19 tracking app GitLab’s Repository Files API In addition, there’s also a new Burp plugin that automatically handles authentication tokens in API calls. Vulnerability: Sign in with Apple Sign in with Apple is an OAuth-like social logon system from […]
Issue 85: Vulnerability in Google Cloud Deployment Manager, a pentester’s guide to OAuth
This week, we check out the recently fixed vulnerability in Google Cloud Deployment Manager, and how to penetration test OAuth 2.0. On a higher level, we have Gartner’s classification of API security technology, and a recording of a panel discussion on API security. Vulnerability: Google Cloud Deployment Manager Google Cloud Deployment Manager is an infrastructure […]
Issue 84: Unprotected APIs at Google Firebase, leaky Arkansas PUA portal
This week, we take a look at how thousands of Android apps inadvertently exposed Google Firebase APIs, and how the Arkansas Pandemic Unemployment Assistance (PUA) portal was leaking sensitive personal data. We also have a new pentesting tool for identifying data transformations used in APIs and apps, and a case study of four recent high-profile API […]
Issue 83: India’s COVID-19 tracing app, OAuth2 API attacks
This week, we check out an API vulnerability in India’s coronavirus tracing app, a couple of write-ups on OAuth2 API attacks, and a recording of a talk on REST API penetration testing. Vulnerability: India’s coronavirus tracing app Elliot Alderson discovered API flaws in India’s COVID-19 tracking app, Aarogya Setu. In certain regions, the app is […]
Issue 82: Most common GraphQL vulnerabilities, pentesting with Insomnia
This week, we check out GraphQL security, penetration testing with Insomnia and Burp, cheat sheets for OAuth2 and JWT, and what consequences the growth of API economy is posing for cyber security. Opinion: The 5 most common vulnerabilities in GraphQL Although the adoption of GraphQL is still fairly limited, it is undeniably on the rise. […]
Issue 81: Vulnerabilities in Microsoft Teams, Auth0, smart home hubs
This week, we check out how Microsoft Teams could be breached with a single GIF image sent in a chat, and Auth0 by changing the case of a single character. In other news, a report on security issues in smart home hubs has been published, and a new online training on OAuth2.0 and OpenID Connect […]
Issue 80: API vulnerabilities in IBM Data Risk Manager and Cisco Unified Computing System
This week, API vulnerabilities have been reported in IBM and Cisco products, and some conferences and webinars related to API security are coming up soon. Vulnerability: IBM Data Risk Manager Pedro Ribeiro found a bunch of security vulnerabilities in IBM Data Risk Manager (IDRM). This is a control center that helps to locate, analyze, and […]
Issue 79: 1.4 million doctor records scraped using API
This week, unprotected APIs have allowed hackers to compile and put on sale a list of 1.4 million US doctors, and GitLab has published details on the API vulnerability they recently fixed. We also have a recording of a recent API security conference talk, and an announcement of an upcoming training on OAuth and […]
Issue 78: Vulnerabilities in WordPress Rank Math, Tapplock, and TicTocTrack
This week, we check out the API vulnerabilities in the WordPress Rank Math plugin, Tapplock smartlock, and TicTocTrack, another kids’ smartwatch. In addition, an update to VS Code OpenAPI extension that adds static application security testing (SAST) for composite API contracts has been released. Vulnerability: WordPress Rank Math plugin A popular WordPress plugin, Rank Math, […]
Issue 77: Vulnerabilities in GitLab, OAuth 2.1 draft is out
This week, GitLab has fixed several vulnerabilities, including API vulnerabilities, and the draft for OAuth 2.1 has been released. If you find yourself stuck at home with extra time on your hands, why not check out the free course on web security that Stanford University is offering? Vulnerability: GitLab GitLab has released a new security […]
Issue 76: 3rd-party API leaks 8 million shopping records
This week, new security issues have been reported in the US election app Voatz, and an API vendor has leaked 8 million shopping records in the UK. In addition, ESG have shared some of their findings on API security and DevSecOps, and there is a new API security extension for Azure Pipelines. Vulnerability: Voatz We have already […]
Issue 75: 98% of IoT traffic unencrypted, API DevSecOps in Azure Pipelines
This week, the state of security in Zyxel’s management console as well as in the field of IoT leaves room for improvement. Meanwhile, on the presentation front, we have an upcoming webinar on API DevSecOps in Azure Pipelines, and recordings from BSides SF 2020 are out. Vulnerability: Zyxel Cloud CNM SecuManager Pierre Kim and Alexandre […]
Issue 74: Vulnerability in Login with Facebook, API security talks
This week, we check out how Facebook’s OAuth implementation in their social login feature left the access tokens vulnerable. We also have some statistics and predictions on the rise of API security, and recordings of a couple more API security talks have been published. Vulnerability: OAuth in Login with Facebook Doing a bullet-proof OAuth […]
Issue 73: Up to 75% credential abuse attacks target APIs
This week, we check how Tinder’s API vulnerability has developed a life of its own, the latest statistics from Akamai on API security, the best current practices for JWT, and why API security needs both API firewalls and API management, not just one or the other. Vulnerability: Tinder Back in July 2019, we covered the OWASP API3:2019 — […]
Issue 72: Vulnerabilities in WordPress ThemeREX Addons and Voatz, Facebook postmortem, JWT talks, OpenAPI Specification 3.0.3
This week, we take a look at how WordPress got exploited by a 3rd-party plugin, and how API security research can sometimes be a very ungrateful endeavor. In addition, we also have the cost of ignoring API security as showcased by Facebook, as well as several good JSON Web Token (JWT) talks. And as a […]
Issue 71: Vulnerabilities in SoundCloud and Lime e-scooters, NIST Microservices security strategies
This week, we take a look at the recent API vulnerabilities found in SoundCloud and the electric scooter service Lime. In addition, we have a set of tips for API penetration testing, and a NIST whitepaper on microservices security. Vulnerability: SoundCloud Paulo Silva has published a very systematic and thorough report on API vulnerabilities that […]
Issue 70: Vulnerabilities in Twitter, Likud, Iowa caucus apps, two API security talks
This week, we check out a recent API vulnerability in Twitter. In addition, it looks like API vulnerabilities are a bit of a theme in apps by political parties: vulnerabilities were discovered in apps by Israel’s Likud and the Democratic Party in the USA. We also have two API security talks: one recorded and one upcoming webinar. […]
Issue 69: Vulnerabilities in Azure Stack and Cisco TelePresence, API fuzzing
This week, we look at the recently patched API vulnerabilities in Microsoft Azure Stack and Azure Cloud infrastructure, and in Cisco TelePresence and RoomOS. In addition, there is a recorded conference talk on API pentesting, and Yelp has released an open-source tool for API fuzzing. Vulnerability: Azure Cloud infrastructure Ronen Shustin from Checkpoint Research has […]
Issue 68: API security in Gartner Hype Cycle, McAfee threat predictions for 2020
This week, we take a look at where API security is on the Gartner Hype Cycle, what the 2020 threat landscape looks like according to McAfee, and a SANS Institute whitepaper on DevSecOps. Analysts: API security in Gartner Hype Cycle Gartner published their Hype Cycle for Application Security, 2019 a few months ago. The […]
Issue 67: RFC for OAuth 2.0 Token Exchange, JWT Webinar
This week, the OAuth 2.0 Token Exchange got its RFC, and there is an upcoming webinar on JWT. In addition, we take a look at where to start with securing your APIs, and how 2020 seems to be shaping up, according to analysts. Standard: OAuth 2.0 Token Exchange IETF has published the RFC 8693 […]
Issue 66: Vulnerabilities in TikTok and InfiniteWP Client, AppSecCali 2020
This week, we check how several API vulnerabilities in TikTok can lead to attackers taking over the social media account, and how an admin plugin for WordPress had an API allowing for an authentication bypass. In other news, the OWASP security conference kicks off next week in California, and we take a look at API […]
Issue 65: Vulnerabilities at Siemens, Cisco, D-Link, OWASP API Security Top 10 2019 out
This week, we look into the recent API vulnerabilities in Siemens plant operation control system, D-Link routers, and Cisco network management. In addition, OWASP has formally released their first-ever Top 10 list for API security. Vulnerability: Siemens SPPA-T3000 The application server of the Siemens plant operation control system SPPA-T3000 had API vulnerabilities. The AdminService API […]
Issue 64: API Vulnerabilities in Plenty of Fish, SonyLIV, SharePoint, Facebook
It is all about vulnerable APIs this week. We are looking at the ones in Plenty of Fish dating app, Sony’s SonyLIV services, and Microsoft SharePoint. Also, there is a big leak of Facebook users’ phone numbers presumably harvested via APIs. Vulnerability: Plenty of Fish Dating apps contain highly personal information and thus are a […]
Issue 63: Microsoft and Google dropping Basic Auth, Thinkrace exposing 47mln+ devices
This week, we are looking into a huge API vulnerability exposing more than 47 million devices. Also, Microsoft and Google are dropping Basic Authentication support, and there is an opinion piece on the top risks of API security. Vulnerability: Thinkrace The platforms you are using to power your systems can add vulnerabilities. PenTestPartners looked at […]
Issue 62: Vulnerabilities in Amazon Ring Neighbors and Droom, WebSocket API security
This week we look at the recent API vulnerabilities in Amazon Ring’s Neighbors app and the Droom vehicle marketplace, articles on API security and WebSockets, an opinion piece on the most exploited API vulnerabilities, and a couple of recorded webinars. Vulnerability: Amazon Ring Gizmodo reports that Amazon Ring’s crime-alert app, Neighbors, exposes too much data […]
Issue 61: Exposed patient records, vulnerabilities at Airtel and Kaspersky
This week we check out recent API vulnerabilities in India’s statewide patient portal, at the mobile operator Airtel, and in Kaspersky Internet Security products. In addition, the results of Radware Web App Security survey are out. Vulnerability: India’s ORS patient portal A broken object level authorization (aka IDOR) vulnerability in India’s nationwide patient portal, Online Registration […]
Issue 60: Microsoft Azure OAuth2 Vulnerability, 5G Threat Landscape, Webinars
This week, we look into a vulnerability in Microsoft Azure OAuth implementation that could have led to the takeover of Azure accounts. In addition, we take a look at the security in the shopping apps on mobile phones and 5G networks. In other news, the recording of our OWASP API Security Top 10 webinar is now […]
Issue 59: Vulnerabilities in Fortinet, Truecaller, Nykaa Fashion, SMA M2 smartwatch
This week is all about API vulnerabilities. We found them everywhere: from client to cloud communications of Fortinet products to avatar hacks in the Truecaller app, an authentication flaw in Nykaa Fashion, and yet another kids smartwatch system with almost total lack of security. Vulnerability: Fortinet Researchers from SEC Consult found flawed implementations in various […]
Issue 58: Broken Object Level Authorization explained, plus practical tips on API security
This week, we continue to look at the upcoming OWASP API Security Top 10, discuss organizational changes that can make organizations more cybersecure, check out another security checklist, and upcoming API security conferences. API vulnerability explained: Broken Object Level Authorization Broken Object Level Authorization (BOLA, aka IDOR) holds the #1 spot in the OWASP API […]
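To make the #1 item concrete (and to show the two-account check that the IDOR-hunting tips elsewhere in this archive boil down to), here is a BOLA-prone record endpoint beside its fixed version, plus the probe a tester runs against both. This is an added example, not code from OWASP, from 42Crunch or from any of the reported vulnerabilities; the records, users and bearer tokens are constructed in memory to stand in for a database and a session store.

```python
"""Broken Object Level Authorization (BOLA / IDOR): the vulnerable lookup,
the fixed one, and the two-account probe a tester uses to tell them apart.

Added example; not code from OWASP or 42Crunch. Records, users and tokens
are constructed in memory to stand in for a database and a session store.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    body: str


# Constructed data: two users, each owning one record.
RECORDS = {
    101: Record(101, "alice", "alice's lab results"),
    102: Record(102, "bob", "bob's lab results"),
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # bearer token -> user


class ApiError(Exception):
    def __init__(self, status: int):
        super().__init__(status)
        self.status = status


def authenticate(token: str) -> str:
    """Resolve the bearer token. Authentication alone is not authorization."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise ApiError(401) from None


def get_record_vulnerable(token: str, record_id: int) -> Record:
    """GET /records/{id} as commonly written: the caller is authenticated,
    but the object is fetched by the client-supplied id with no ownership check."""
    authenticate(token)
    try:
        return RECORDS[record_id]
    except KeyError:
        raise ApiError(404) from None


def get_record_fixed(token: str, record_id: int) -> Record:
    """Same endpoint with object-level authorization: the lookup is scoped to
    the caller, so someone else's id looks exactly like a missing one."""
    user = authenticate(token)
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner != user:
        raise ApiError(404)  # 404 rather than 403 avoids confirming the id exists
    return rec


def status_of(handler, token: str, record_id: int) -> int:
    """HTTP-style status the handler would answer with (200 on success)."""
    try:
        handler(token, record_id)
        return 200
    except ApiError as err:
        return err.status


def bola_probe(handler, victim_token: str, attacker_token: str) -> dict:
    """Tester's check: take the object ids visible from the victim's own
    session (here read straight from the store), replay each one with the
    attacker's session, and report every id the attacker can read."""
    victim = SESSIONS[victim_token]
    victim_ids = sorted(rid for rid, rec in RECORDS.items() if rec.owner == victim)
    leaked = [rid for rid in victim_ids if status_of(handler, attacker_token, rid) == 200]
    return {"tested": victim_ids, "leaked": leaked, "vulnerable": bool(leaked)}


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_record_vulnerable), ("fixed", get_record_fixed)):
        print(name, bola_probe(handler, "tok-bob", "tok-alice"))
```

The probe only needs two ordinary accounts and the ids one of them legitimately sees; no guessing of ids is required, which is why this class of flaw is so cheap to find and so expensive to leak.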
Issue 57: Vulnerabilities at Facebook, Amazon Ring, and GitHub, OWASP API Security Top 10 Webinar
This week we look at the recent API vulnerabilities at Facebook, Amazon Ring, and GitHub. There is also an upcoming webinar on OWASP API Security Top 10 that you can attend. Vulnerability: Facebook Facebook has reported and fixed a vulnerability in their Groups API. This API and the information it exposes had been potentially abused […]
Issue 56: Common JWT Attacks, OWASP API Security Top 10 cheat sheet
This week, API vulnerabilities were reported in Rittal cooling systems. In other news, there is an API vulnerability cheat sheet that you can print and put on your wall, an overview of common JWT attacks, and a GlobalData report on the trends in API management and API security. Vulnerability: Rittal industrial cooling Applied Risk has […]
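The JWT attack that tops most of these overviews is the verifier letting the token choose its own algorithm, with "alg": "none" as the degenerate case. The snippet below implements a minimal HS256 signer with the standard library and puts a header-trusting verifier beside one that pins the algorithm and key, then feeds both a forged alg=none token and a token whose payload was swapped under a valid signature. It is an added example, not code from any JWT library or from the sources this issue links to; the signing key and the claims are constructed for the demonstration.

```python
"""Two JWT verifiers side by side: one that lets the token's own "alg" header
decide how it is checked (the classic mistake) and one that pins the algorithm
and key, exercised with an "alg": "none" forgery and a tampered payload.

Added example, not code from any JWT library or from the newsletter's sources.
The signing key and the claims are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-key-do-not-reuse"  # constructed, not a real key


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    """Compact JSON, base64url-encoded, as a JWT header or payload segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token (what the server hands out)."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_alg_none(claims: dict) -> str:
    """What an attacker submits: header says "none", signature part left empty."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def tamper_payload(token: str, claims: dict) -> str:
    """Keep the original header and signature, swap in new claims."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_segment(claims)}.{sig_b64}"


def verify_trusting_header(token: str, key: bytes) -> Optional[dict]:
    """Mistake: the token chooses its own verification method, so "none"
    means no signature check at all and forged claims are accepted."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256") -> Optional[dict]:
    """Fix: the verifier, not the token, fixes the algorithm and the key.
    A header that disagrees is rejected before the signature is looked at."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    forged = forge_alg_none({"sub": "alice", "role": "admin"})
    tampered = tamper_payload(good, {"sub": "alice", "role": "admin"})
    for name, tok in (("good", good), ("alg=none", forged), ("tampered", tampered)):
        print(f"{name:9} trusting-header: {verify_trusting_header(tok, SECRET)}"
              f"  pinned: {verify_pinned(tok, SECRET)}")
```

The same pinning principle covers the related key-confusion attack (a token re-signed with HS256 using a public RSA key as the HMAC secret): a verifier that is told up front which algorithm and which key to use has no header to be talked out of.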
Issue 55: Vulnerabilities in eIDAS and Cisco routers, Instagram API program locked down
This week, we check out the vulnerabilities fixed in EU’s eIDAS (electronic IDentification, Authentication, and trust Services) system and Cisco routers, how Instagram is seeking to avoid the privacy controversies that Facebook itself has had, and interesting predictions from Gartner’s latest API report. Vulnerability: EU eIDAS EU has patched the reference implementation of the eIDAS […]
Issue 54: API vulnerabilities in eRosary, Kubernetes, Harbor
This week, we take a look at the recent API vulnerabilities in smart prayer beads, Kubernetes, and Harbor, as well as analogies between API security and airport security. Vulnerability: ClickToPray eRosary Vatican has released ClickToPray eRosary, the smart rosary beads that — naturally — come with the accompanying mobile app. Unfortunately, the app had a […]
Issue 53: Vulnerabilities in TwitterKit, JustDial, Voi e-scooters
This week, we take a look at how an out-of-date library compromised login to Twitter, how a simple parameter switch gave access to over 150 million JustDial user accounts, and how holes in API security can lead a business to give out uncontrolled freebies. In addition, there is an update on Google’s decision to change the access […]
Issue 52: NIST Zero Trust Architecture Guidelines
This week, the Kubernetes API server was found vulnerable to the Billion laughs attack, NIST has opened their Zero Trust Architecture guidelines for commenting, and VS Code OpenAPI extension got an update with API Contract Security Audit built-in. Vulnerabilities: Kubernetes The Kubernetes API server is currently vulnerable to the so-called Billion laughs attack. This is the […]
Issue 51: Gartner releases full report on API security
This week, we ponder when an API vulnerability is a vulnerability, and check out Gartner’s new report and OWASP’s new API security project. Vulnerability: Cisco Webex and Zoom Definitions of API vulnerabilities can vary: what someone considers a vulnerability may be by design to someone else. This is exactly the case with this week’s vulnerability. Cequence […]
Issue 50: Harbor API vulnerability, and the dangers of CRUD APIs
This week, we take a look at Harbor’s API vulnerability, the flawed architecture of CRUD-based apps, PSD2 effect on API security, and API security tooling. Vulnerability: Harbor Harbor is a popular open source container registry. This week, researchers have found about 1,300 Harbor endpoints affected by an API vulnerability. The vulnerability is a classical case […]
Issue 49: Uber account takeover and the leaky Get API
This week, we check out the details of two API vulnerabilities at Uber and Get, the updated 42Crunch API security platform, and Red Hat’s vision of the future of API management. Vulnerability: Uber Anand Prakash found a way to do full account takeover on Uber through a vulnerability in their APIs. The same approach worked […]
Issue 48: Vulnerabilities at Verizon and GPS trackers, S3 bucket names leaking
This week, we look at the recent vulnerabilities at Verizon and Shenzhen i365-Tech GPS trackers, leaking S3 bucket names, and Facebook cutting API access for some of its partners. Vulnerability: Verizon 2 million Verizon Wireless Pay Monthly contracts were found open for anyone to access. The researcher managed to get a valid cookie while browsing […]
Issue 47: Cisco and MuleSoft vulnerabilities, API World passes
This week we look into the recent API vulnerability in Cisco routers, how MuleSoft handled a severe vulnerability in their API gateway, API security aspects of communications PaaS, and passes for the upcoming API World conference in San Jose, CA. Vulnerabilities: Cisco Cisco has implemented their REST API as a virtual service container for IOS XE. This […]
Issue 46: Cisco and Facebook patch APIs, Solr API parameter injection
This week, Cisco and Facebook have patched their APIs, a detailed report on Solr parameter injection is out, and GitHub continues their fight against API keys and tokens in public repositories. Vulnerabilities: Cisco Cisco has released patches for several critical API security flaws in its Cisco Unified Computing System (UCS) software and Small Business 220 […]
Issue 45: Hacked dating apps and smartlocks, “Egregious 11” cloud security issues
This week, we take a look at the recent location API vulnerabilities in dating apps and smartlocks. In addition, we have an API security video from RSA Conference in Singapore, and the survey results and API security recommendations from Cloud Security Alliance. Vulnerability: dating apps BBC has run a story on the common API vulnerability pattern […]
Issue 44: ACS 2019 Agenda
This week, we look at API vulnerabilities in Kubernetes and 3Fun, the upcoming API Specification Conference, and slides from EIC 2019 conference presentation. Vulnerabilities: Kubernetes Kubernetes has fixed the API vulnerability CVE-2019-11247. This flaw allowed attackers to access, modify, or delete computing and storage resources configured across a Kubernetes cluster. The issue was with authorization logic […]
Issue 43: REST API Security Testing
This week, we have a conference talk recording demonstrating API pentesting; see how the w3af web scanner can be used for APIs; look at SAP’s API security best practices; watch Cisco pay $8.6 million for not fixing vulnerabilities quickly. Conference talks The OWASP Global AppSec Tel Aviv conference has published a video recording of the […]
Issue 42: HTTP Security Headers
This week, we look into a validation vulnerability in Cisco APIs, security best practices for HTTP headers and OAuth 2.0, and the effect of microservice architectures on API security. Vulnerabilities: Cisco Cisco has fixed an API vulnerability in their Vision Dynamic Signage Director. The vulnerability stemmed from insufficient validation of incoming HTTP requests. An unauthenticated […]
Issue 41: Tinder and Axway API Vulnerability, Equifax fined
This week, we take a look into API vulnerabilities found in Tinder and Axway SecureTransport. In other news, FTC and Equifax have reached a settlement related to the 2017 breach, and the slides for an API security talk have been posted. Vulnerability: Tinder Sanskar Jethi has found that Tinder enforces their premium features (such as […]
Issue 40: Vulnerabilities in Instagram, 7-Eleven, Zipato
This week, we have a lot of high-profile API vulnerabilities, like Instagram, Zipato, and 7-Eleven. Also, 42Crunch has released a native API firewall for microservices in Kubernetes. Vulnerability: Instagram Laxman Muthiyah got his $30K bug bounty for reporting this vulnerability to Instagram: He managed to use the Instagram API to take over an arbitrary account. The […]
Issue 39: Vulnerable local Zoom webservers on 4+ mln Macs
This week, we take a look at Zoom’s insecure API snafu that affects millions of Mac users, improvements to the OpenAPI support in Visual Studio Code (VS Code), the PolarProxy tool for decrypting TLS traffic, the latest API breach fines, and a new survey on cloud security. Vulnerabilities: Zoom Zoom is a popular video conferencing […]
Issue 38: Cracked smartlocks, X-Frame-Options, standards gaining adoption
This week, we have seen some major adoption milestones for the OpenAPI and the DNS over HTTPS standards, we discuss how to go about TLS pinning and the X-Frame-Options header, some not-so-smart locks, and the updated API security tooling from 42Crunch. Vulnerabilities: Ultraloq smartlocks Ultraloq smartlocks come with a mobile app, and its APIs […]
Issue 37: Vulnerabilities with WebLogic and OnePlus, the Black Hat API workshop, and OAuth in action
This week, we look into the latest API vulnerabilities in Oracle WebLogic and OnePlus, API security workshop at Black Hat, API security tech landscape, and a new tool for OAuth and OpenID Connect debugging. Vulnerabilities: Oracle WebLogic Oracle WebLogic has issued a critical API security patch. Just like with an earlier similar issue, the flaw […]
Issue 36: Vulnerabilities at TP-Link, Venmo, Amcrest, and GateHub
This week, we discuss API vulnerabilities in TP-Link Wi-Fi extenders, Amcrest cameras, Venmo transaction feed, and GateHub cryptocurrency wallet. We also take a look at the API security aspects of microservices architectures. Vulnerabilities: TP-Link Wi-Fi extenders TP-Link Wi-Fi extenders are a popular way to get better Wi-Fi coverage in houses and other spaces. Unfortunately, […]
Issue 35: IDE support for OpenAPI
This week, we take a look at API vulnerabilities at NVIDIA and Supra, an OpenAPI extension for Visual Studio Code, and an upcoming API security webinar from NordicAPIs. Vulnerabilities: NVIDIA GeForce Experience NVIDIA GeForce Experience (GFE) is a supplementary application that users install with other NVIDIA products to “capture and share videos, screenshots, and livestreams […]
Issue 34: OWASP launches API Security Top 10 project
This week, OWASP launched their Top 10 project for API Security. We also look at the changing landscape of OAuth 2.0 security, and the use of Postman and Burp for API penetration testing. OWASP API Top 10 The Open Web Application Security Project (OWASP) has long been popular for their Top 10 of web application […]
Issue 33: First American leaks 885 million mortgage records
Vulnerability: First American First American Financial Corp. was leaking 885 million mortgage deal records until it was notified by KrebsOnSecurity last week. The leaked records included highly sensitive information such as social security numbers (SSN), bank accounts, tax records, and wire details. Presumably, the company left the documents unsecured to simplify access […]
Issue 32: WAFs missing API attacks for 86% of users
This week, we take a look at the latest vulnerabilities in an ASUS update service and Linksys routers. In addition, there is a recent report on WAF customer satisfaction, and a new podcast on API security. Vulnerabilities: ASUS WebStorage We reported Dell’s Support Assist vulnerability a few issues ago — and now the ASUS update service got a similar […]
Issue 31: Samsung SmartThings repo token leaks, and Facebook fined for API vulnerability
This week, Samsung has leaked a token that provides full access to their SmartThings code repository, and Facebook fixed one API flaw but got fined for another. We also have a discussion of API security and DevOps, and look into a survey that Postman runs on the future of OpenAPI support. API keys We have […]
Issue 30: 5G going to REST. Breaches in Dell, Cisco, WebLogic, DockerHub, JustDial, iLnkP2P
This week, there were a lot of API vulnerabilities, including: Dell; Cisco (a whopping three of them!); Oracle WebLogic; DockerHub; JustDial; and millions of IoT devices based on iLnkP2P. We also look into what implications 5G transitioning to REST and HTTPS brings to API security. Vulnerabilities and breaches Dell Probably the highest profile issue of the […]
Issue 29: OAuth2 attacks, car GPS vulnerabilities, and honeypot stats
This week, we look into the latest API vulnerabilities in cars, Nagios, and Portainer, as well as different OAuth 2.0 attack scenarios, and the time it takes for attackers to find new API endpoints. Vulnerabilities and breaches Some car owners install hardware GPS tracking devices in their vehicles. These are accessed and managed through mobile […]
Issue 28: Breaches in Tchap, Shopify, and JustDial
This week, we check out the details of the recent API vulnerabilities in Tchap, Shopify, and JustDial. Elsewhere, Gartner reports a whopping 77% increase in inquiries on API security. And finally, we take a look at how an API’s OpenAPI definition can be the foundation for API security. Vulnerabilities Tchap Tchap is a messaging app […]
Issue 27: MyCar vulnerability, serverless, IoT API security
This week, we had vulnerabilities in remote car control apps and GPS-enabled watches. We also take a look at the API security trends in microservices and serverless architectures, and consumer electronics. Vulnerabilities MyCar is a remote control system that is installed in some cars under its own name or under a variety of brands, such […]
Issue 26: Verizon routers patched for API vulnerability
This week, Verizon has been patching their home routers, another GPS watch got breached, Shodan added an IoT monitoring service, and we take a look at API security best practices webinars and recommendations. Vulnerabilities Verizon is urgently updating their Verizon Fios Quantum Gateway home routers. Researchers from Tenable found multiple security issues in the device’s API. […]
Issue 25: NIST microservices guidelines, Facebook opens up to pentesting
This week, NIST has released their microservice security guidelines, Facebook has removed some of their security for whitehat researchers, and we continue the discussion on how to store API secrets safely. Industry standards and best practices US National Institute of Standards and Technology (NIST) published their draft on “Security Strategies for Microservices-based Application Systems”. The document includes […]
Issue 24: Unprotected APIs in implants, storing API secrets
This week, we dive under the skin with unprotected APIs on implanted cardiac defibrillators, and take a spin with a hacked tornado warning system in Texas. We have a story on how Uber used an API vulnerability to drive competition out of business. And finally, we also look into how to store API keys and prevent […]
Issue 23: Hacking ML, AWS Gateway Security, Gartner advice to CISO
This week, we had another mobile app leaking user data, and the first ever CEO resignation because of an API breach. There’s also: the best practices for AWS API Gateway security; Gartner’s advice to CISOs on cloud security; security implications of the OpenAPI Specification (OAS); and vulnerabilities in machine learning. Vulnerabilities The mobile application 63red Safe had […]
Issue 22: SANS SWAT list, 42Crunch Platform launch
This week, we have seen vulnerabilities in 3 million car alarms, snowboard helmets, and virtual worlds. In other news, there is a new API security platform built around OpenAPI contracts. We also take a look at the SANS checklists and HTTPS/TLS tutorials. Vulnerabilities This was a good week for PenTestPartners. They have uncovered a couple […]
Issue 21: Amazon Ring Doorbell camera hacked, open APIs coming to healthcare
This week, we got vulnerable APIs in Kubernetes, real estate services in Australia, and Amazon Ring cameras. We also take a look at upcoming healthcare API standards in the US, and changes in attack trends between 2017 and 2018. Vulnerabilities Kubernetes continues to have API vulnerabilities (see our earlier issues 9 and 13). This time, it […]
Issue 20: Drupal APIs hacked, EU releases IoT standards
This week we look into vulnerabilities at Uber and Drupal, the best practices from the ICANN DNS security checklist, the upcoming European IoT security standards, and more vulnerability stats from 2018. Vulnerabilities This is the worst API vulnerability of the year so far. Drupal‘s RESTful Web Services (rest), JSON:API, and other web services modules allowed […]
Issue 19: Half of Amazon’s top-selling smart devices found vulnerable
This week, we look into the latest vulnerabilities, patches that TLS libraries require, and best practices for token management security. Vulnerabilities You’d think casinos are at the forefront of security; after all, they handle money. Apparently, this is not always the case. Atrient’s digital rewards kiosks for casinos used public unencrypted APIs to communicate with the backend servers. […]
Issue 18: Tool for API security audit, Google limits Gmail API access
Vulnerabilities We have reported on API vulnerabilities in kids’ smartwatches before. The watches remain vulnerable to API attacks; these stories just keep pouring in: The European Union is recalling Enox Safe-Kid-One smartwatches because of vulnerable APIs. The APIs have no authentication or encryption, so attackers can access them, retrieve any information on them (like location), change […]
Issue 17: 83 percent of web traffic is API, and why query parameters are bad for secrets
This week we are mostly discussing best practices and tools, such as: the best methods to pass API keys and other sensitive data; tools that attackers use to discover APIs; and why API security is never set-&-forget. Risks Never put API keys or other sensitive information in URLs or query parameters. These are visible to browser […]
Issue 16: DHS DNS hijacking directive, plus 5 API security rules
Vulnerabilities Another CPU DoS vulnerability in Go TLS (CVE-2019-6486) got fixed. This vulnerability impacts APIs implemented as Go microservices. The vulnerability enables attackers to exploit: TLS handshakes, X.509 certificates, JWT tokens, ECDH shares, and ECDSA signatures. To fix the vulnerability, upgrade to Go versions 1.11.5 or 1.10.8. Best Practices DNS infrastructure is critical for web and […]
Issue 15: Fortnite hack, TLS MITM attacks, SQL injections for NoSQL
Vulnerabilities A team from Check Point Research reported a serious vulnerability in Fortnite authentication API: An old unused subdomain had a misconfigured web application firewall (WAF) that relied only on blacklisting. Attackers could perform a SQL injection in the subdomain to plant their XSS script. Fortnite allowed log in with Facebook and Google credentials using […]
Issue 14: Hacked hot tubs, airlines, trading sites; JSON encoding best practices
Vulnerabilities Noam Rotem found a dangerous combination of vulnerabilities in the APIs of Amadeus flight booking system and El Al airline: The Amadeus API allowed for brute force enumeration of booking identifiers, also known as passenger name record (PNR). The El Al API provided both personal and booking details for any PNR. Once attackers knew the […]
Issue 13: Microsoft services and Chromecast hacks, the limitations of WAF
Vulnerabilities Another OAuth hack, and another reason why using OAuth for authentication can be dangerous. Researchers from SafetyDetective found that Microsoft had 400 million users exposed. Outlook, Store, and other services allowed wildcard *.office.com as a valid wreply URL for tokens from login.live.com. Attackers noticed that and managed to grab the success.office.com domain in Azure. Now, […]
Issue 12: Car APIs leaking location, breached security cameras, regulation that helps
Happy New Year to everyone! Here are a few stories that we have collected for you during the holidays. Vulnerabilities We have previously covered NUUO security camera vulnerabilities; this time, critical API flaws have been reported in Guardzilla cameras. Bitdefender Labs reported multiple issues including: hardcoded credentials for cloud APIs, sequential IDs used for user-level […]
Issue 11: Mutual TLS authentication in Golang open to DoS, XSS in Google Code-in
As we are wrapping up 2018, you can’t help looking back at the record number of high profile API breaches that happened this year and wondering what can be expected next year. However, it is not all about the holiday mood: this week was also marked by a security hole in mutual TLS authentication in […]
Understanding Golang TLS mutual authentication DoS – CVE-2018-16875
TL;DR: If your source code is written in Go and it uses one-way or mutual TLS authentication, you are vulnerable to CPU denial of service (DoS) attacks. The attacker can formulate inputs in a way that makes the verification algorithm in Go’s crypto/x509 standard library hog all available CPU resources as it tries to verify […]
Issue 10: Unprotected Docker and Ethereum APIs, McAfee 2019 forecast
Vulnerabilities Another API vulnerability has been found in Google+ (we reported on the previous one in our first newsletter back in October). Turns out that an update that Google rolled out in November put user data at risk because permissions were not properly enforced. The API could provide access to user profile data even if the data was […]
Issue 9: Patch your Kubernetes and security cameras, check out the Node.js security guide
Vulnerabilities If you are using Kubernetes, you should install a patch for it as soon as possible. There is a huge privilege escalation vulnerability that got fixed this week. The flaw allows attackers to contact Kubernetes API server using a non-privileged account and then get high-privilege operations forwarded to backend services. Even worse, the calls are not showing […]
Issue 8: USPS API broken, APIdays, ETSI downgrades TLS
Vulnerabilities United States Postal Service (USPS) just fixed an API vulnerability. The vulnerability seems to have been a combination of: developers not expecting outsiders to bypass the web page and use the API directly; Insecure Direct Object Reference (IDOR), authenticating as one user and getting data of another user; and a leaky API where wildcards were not […]
Issue 7: OAuth attacks, vulnerabilities in drones and kids’ watches
Vulnerabilities This is as ugly as it gets: MiSafes kids’ watches allow accessing very specific information on a child, such as photo, gender, age, height, location, and even provide remote microphone access. API calls are not secured by TLS and are open to Insecure Direct Object Reference (IDOR), meaning that as long as you have […]
Issue 6: Steam API leaks keys, and why WAF does not help DevSecOps
Vulnerabilities An API vulnerability was found in the license generation API of Valve’s Steam gaming service and marketplace. Anyone who had registered at their partner portal for developers could call their /partnercdkeys/assignkeys/ with unexpected parameter values (for example, a random string as a partner name and 0 as the request count) and get thousands of keys in the […]
Issue 5: Bad TLS client authentication, how not to use cURL, State of Software Security
Vulnerabilities Do not use TLS client authentication, unless you are already on TLS 1.3. With TLS 1.2 and earlier, when you use client authentication, the client certificate is transmitted in the clear. This contains enough information to uniquely identify the user. Hundreds of thousands of projects use cURL and purposefully disable the verification of TLS host […]
Issue 4: Remini hacked, perils of free APIs, TLS explained, ATMs & SWIFT get APIs
Vulnerabilities Remini, a mobile app that schools use to communicate with parents, had kids’ profiles including pictures, email addresses, phone numbers, and milestones accidentally publicly exposed through an API. No authentication was required, because developers assumed that only their mobile app knows that the API exists, and account IDs used were sequential, so hackers could simply […]
Issue 3: TLS 1.3, securing JWT, US banks release a common API standard
Vulnerabilities The Shopify vulnerability happened (and was fixed) back in May 2018. This week, Arif Khan goes into the details of the vulnerability and the lessons that we can learn from it for microservices and API security in general. In a nutshell, microservices themselves and the underlying cloud platform expand the attack surface. It is […]
Issue 2: California IoT security law, GoDaddy & AWS vulnerabilities
Vulnerabilities GoDaddy’s 2-step authentication API was found to be vulnerable. The API lacks rate limiting and does not impose timeouts after failed second factor attempts. This opens doors for brute force attacks on the second factor. AWS Honeytokens, designed by Amazon to help security specialists attract attackers and detect attacks, turned out to actually be discoverable. […]
Issue 1: APIStrat, CORS, Samsung, Google, Facebook, GitLab, Apple
API Vulnerabilities Samsung smart TV security flaw: the equipment would basically accept commands from any source, so someone knowing the device ID would be able to invoke various functions remotely. API allowed hackers to “change TV channels, turn up the volume, play unwanted YouTube videos, or kick the TV off a WiFi connection”. Firmware update […]