Issue 241: Two critical flaws in FortiSIEM product, making public APIs private, API security strategy

This week, we have news of two critical vulnerabilities in the Fortinet FortiSIEM product. We also have articles on making public APIs private and building an API security strategy. Dana Epp offers his thoughts on the difference between endpoints and routes, and we have two developer-focused tutorials, one on securing gRPC and the other on […]

Issue 240: Spoutible API leakage, 15M Trello profiles scraped, API secret tokens leaked

This week, we have news of a record four API-security-related incidents. The first comes from Troy Hunt on a leakage on the new Spoutible social media site, with the second big-ticket item being the leakage of 15 million profiles on Atlassian’s Trello. There’s also a report on the leakage of over 18,000 […]

Issue 239: Hugging Face API token breach, SonicWall firewalls exploit, Kubernetes API gateway guide

This week, we have news of a recent API token breach affecting the popular Hugging Face AI portal and a vulnerability in the SonicWall firewall affecting 178,000 instances. We also have a comprehensive API security checklist and a guide on selecting the most suitable API gateway for Kubernetes environments. Finally, we have a practical guide […]

Issue 238: APIs used to target business, cloud-native for APIs, and APIs becoming attractive targets

This week, we have views from Forbes on how APIs are being used to target businesses and articles on the role of cloud-native for APIs and how APIs are becoming attractive targets. We also have a doubleheader from Dana Epp covering his predictions for 2024 and structured format injection attacks. We also have news of […]

Issue 236: Using a developer portal, dark data in APIs, an update on Ray AI framework, predictions for 2024

This week, we have an article on the value of using a developer portal for APIs, a guide from Dana Epp on finding “dark data” in an API, and an update from PortSwigger on their Web Security Academy resources for learning more about API security. We also have an update on the API vulnerabilities reported […]

Issue 235: $25M loss at Kronos due to API key loss and three other API vulnerabilities

This week, we have news of four API-related security vulnerabilities, including the $25M loss at Kronos. Other vulnerabilities include DDoS malware targeting Docker APIs, a report on vulnerabilities in WordPress and Netflix, and an API vulnerability found in the Ray AI framework. We also have an article on why APIs are fertile ground for […]

Issue 234: Sumo Logic breach leads to key reset, risk of RBAC vulnerabilities, automated API contracts

This week, we have news of another API key leak, this time affecting users of Sumo Logic, who have been advised to rotate their keys out of caution. We also have articles on the risk of RBAC vulnerabilities for APIs and why CFOs should prioritize API security as a cost-saver and business enabler. We also […]

Issue 233: Flaws in OAuth social sign-in, securing API gateways, scalable SaaS security

This week, we have important news of a vulnerability in the OAuth social sign-in feature of many popular platforms, potentially impacting billions of users. We have two articles from The NewStack, the first a guide on securing your API gateway and the second how to design scalable SaaS API security. We also have news of […]

Issue 231: API authentication bypass in Ivanti Sentry, Docker images expose API and keys

This week, we have news of an API authentication bypass vulnerability in the Ivanti Sentry cybersecurity product and a report into Docker images that are exposing APIs and private keys. We also have articles on API security’s role in protecting retail apps, how APIs and generative AI interoperate, and how attackers bypass Web Application Firewalls. […]

Issue 229: Incidents with DuoLingo and JumpCloud, FastAPI for APIs, and five best practices

This week, we have news of two API security incidents: the reported leakage of the data of 2.6 million DuoLingo users and an incident at JumpCloud that resulted in resetting customer API keys. For the technically minded, we have two guides: the first discusses how to use API keys in an ASP.Net Core application, and […]

Issue 228: 3rd party API security, OAuth2 step-up deep-dive, shadow and zombie APIs

This week, we have a timely article on the five best practices for ensuring the security of third-party APIs, a deep-dive guide into the OAuth2 step-up authentication protocol, and two separate articles on the danger of hidden APIs, namely shadow and zombie APIs. We conclude with not one but two excellent guides from Dana […]

Issue 227: GhostToken on Google Cloud, Gartner on zero trust, API authentication

This week, we have news of the so-called “GhostToken” vulnerability affecting Google Cloud. We also have articles covering a Gartner report on why zero trust is not a silver bullet, how authentication attacks threaten API security, and finally, why API security is everywhere except where you need it. Vulnerability: GhostToken vulnerability in Google Cloud This […]

Issue 225: API security needs a reset, vAPI walkthrough, five stages to attain API security

This week, we have views from Matias Madou (CTO of Secure Code Warrior) on why API security needs a reset to focus on people and not tools, another excellent walkthrough of the vAPI vulnerable API, an article covering the five stages necessary to attain API security, and a quick guide on exploiting GraphQL endpoints. Article: […]

Issue 224: API security is critical in 2023, API contract testing, and Fencer security testing tool

This week, we have an article from Forbes on why API security is critical in 2023, views from Kin Lane on being pedantic about API contract testing, and a preview of a new tool for API security testing. We also have details of an upcoming webinar on API security within a GitHub environment. Article: Why […]

Issue 223: Becoming an API security expert, AI for API hackers, building API cross-functional teams

This week, we have an article from The New Stack on mastering the skills necessary to become an API security expert and another fine read from Dana Epp on the applicability of artificial intelligence (AI) in API defense and attack. We also have an article from Forbes on building cross-functional API teams and, finally, a […]

Issue 222: Attackers exploiting APIs faster than ever, DVGA walkthrough, Twitter outage

This week, we have a report on how attackers are exploiting APIs faster than ever, based on research into over 650 API-related vulnerabilities, and a walkthrough guide to DVGA, a vulnerable GraphQL application. We also have further coverage of the Twitter API (this time an outage) and, finally, views from Dana Epp on the new […]

Issue 221: Credential leakage fueling API breaches, API gateway security, PCI DSS 4 impact on API security

This week, we have an article on the rise in API breaches as a result of credential leakage and how this can be addressed by using “MFA for APIs”. We also have a thought-provoking read on how to select an API gateway based on its security characteristics and a brief review of PCI DSS 4.0’s […]

Issue 220: API flaw in Booking.com, apps leaking sensitive API data, API security testing checklist

This week, we have news of a vulnerability affecting the OAuth2 implementation on the Booking.com website. We have a report from Approov on their research into financial apps in the Google Play store and another great article from Dana Epp on API security checklists. Finally, we cover an interview with Matias Madou on the need […]

Issue 219: Money Lover app exposes user data, most web API flaws missed by standard testing

This week, we have news of a recent vulnerability in the Money Lover finance app, and a report into a recent vulnerability in Toyota vehicles, which, according to Toyota, did not result in malicious access. We have an article featuring the views of popular contributor Corey Ball on why conventional testing misses API flaws […]

Issue 218: Three Argo CD API exploits, distributed identity for modern API security

This week, we have news of three separate API vulnerabilities within Argo CD, the popular cloud-native continuous deployment platform. We also have a report covering the views of Gartner on the current state of API security and an article on distributed identity as a key element of modern API security. Finally, we have a guide on how […]

Issue 217: Wordle API exposes answers, Twitter API breach updates, AWS exposed dangerous API

This week, we have news of three vulnerabilities. The first is a vulnerability affecting the Wordle online puzzle allowing curious users to check solutions and even publish their own puzzles. The second is further coverage of the mass information leak from Twitter, and finally, we have coverage of an AWS IAM API bypassing central CloudTrail […]

Issue 216: Hacking a .Net application, state of API security report, myths of API security

This week, we have another excellent guide from Dana Epp, this time focusing on hacking .Net applications in the real world. We have coverage of the recent Radware 2022 state of API security report and views from Matthew Reinbold on using ChatGPT for API design. Article: Real-world guide to hacking a .Net application Dana Epp […]

Issue 215: API flaws in Lego marketplace, API style guides, 42Crunch joins MISA

This week, we have news of API and web security flaws in the Lego marketplace, potentially allowing for a full account takeover. From NordicAPIs, we have a guide to seven examples of quality API style guides and coverage of the recent news of 42Crunch being admitted to the Microsoft Intelligent Security Association (MISA). Finally, we […]

Issue 214: Google Cloud’s four pillars of API security, Cerbos for API permissions, attacking predictable GUIDs

This week, we have views from the Google Cloud team on their four pillars of API security and a great article from the NewStack on using Cerbos to add permissions to your APIs. Dana Epp shares his thoughts on attacking predictable GUIDs when hacking APIs and, finally, a quick read on the developer’s need for […]

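As an added illustration of why predictable GUIDs matter (this is example code written for this page, not code from the newsletter or from Dana Epp’s article), the Python below decodes the timestamp, clock sequence and node that a version-1 UUID carries and enumerates neighbouring identifiers. The node value, clock sequence and window size are constructed for the demo; a random version-4 UUID decodes to nothing.

```python
"""Why version-1 GUIDs are predictable.

Added example, not code from the newsletter or from the article it links.
A v1 UUID is a 60-bit timestamp, a 14-bit clock sequence and a 48-bit node ID
(normally the host MAC address), so one observed identifier reveals the
generator's node and the moment of issue, and neighbouring identifiers can
be enumerated. The node value, clock sequence and window below are
constructed for the demo.
"""
import uuid
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# v1 timestamps count 100 ns intervals since the start of the Gregorian calendar.
_GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def decode_v1(candidate: str) -> Optional[dict]:
    """Return the fields that make a v1 UUID guessable; None for other versions (e.g. random v4)."""
    u = uuid.UUID(candidate)
    if u.version != 1:
        return None
    return {
        "issued_at": _GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10),
        "clock_seq": u.clock_seq,
        "node": u.node,
    }


def neighbours(candidate: str, window: int = 5, step: int = 1) -> List[str]:
    """Enumerate v1 UUIDs that share the observed node and clock sequence and whose
    timestamp lies within +/- window*step ticks (100 ns each) of the observed one.
    Against a real API the step is tuned to the rate at which IDs are issued."""
    u = uuid.UUID(candidate)
    if u.version != 1:
        return []
    out = []
    for i in range(-window, window + 1):
        t = u.time + i * step
        if t < 0 or t >= 1 << 60:
            continue
        fields = (
            t & 0xFFFFFFFF,                      # time_low
            (t >> 32) & 0xFFFF,                  # time_mid
            ((t >> 48) & 0x0FFF) | (1 << 12),    # time_hi with version nibble = 1
            u.clock_seq_hi_variant,
            u.clock_seq_low,
            u.node,
        )
        out.append(str(uuid.UUID(fields=fields)))
    return out


def sample_v1(node: int, clock_seq: int) -> str:
    """Constructed 'observed' identifier, as an API using v1 GUIDs would hand out."""
    return str(uuid.uuid1(node=node, clock_seq=clock_seq))


def sample_v4() -> str:
    """Constructed random identifier for comparison."""
    return str(uuid.uuid4())


if __name__ == "__main__":
    seen = sample_v1(node=0x001122334455, clock_seq=0x1234)
    print(seen, decode_v1(seen))
    print(neighbours(seen, window=2))
    print(sample_v4(), decode_v1(sample_v4()))
```

The useful check for an API test suite is the first function: any object identifier that decodes as v1 (or is a plain integer) should be treated as enumerable and protected with object-level authorization, not with the obscurity of the identifier.
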
Issue 213: Supply chain vulnerability in IBM Cloud, hardcoded API keys in Algolia portal, JSON-based SQL attacks

This week, we have news of three vulnerabilities. First up is a supply chain vulnerability in the IBM Cloud platform, which is reported to be the first of its kind to affect a cloud provider. The second is another case of hardcoded API keys, this time in the Algolia AI search portal, and the third […]

Issue 212: Remote control of vehicles, API hacking for QA teams, API Top 10 walkthrough

This week, we have news of a critical API vulnerability that allowed a researcher to demonstrate a proof of concept attack allowing remote vehicle takeover. We have articles on three reasons why QA teams should learn API hacking and the new changes GitHub has made to API versioning to future-proof client code. Finally, we have […]

Issue 211: SQLi vulnerability in Zendesk Explore, Twitter API vulnerability, API threats to data-driven enterprises

This week, we have news of a vulnerability in the API of the Zendesk Explore platform allowing an attacker to inject malicious SQL payloads. We also have coverage of the recent breach affecting up to 5.4 million users of the Twitter platform. There are also two articles: the first is an article on the […]

Issue 210: CSRF vulnerability in F5, supply chain attacks, hacking APIs, GCP API security report

This week, we have news of another CSRF vulnerability affecting an API, this time in the F5 BIG-IP device. We also have an article from Dark Reading on the next generation of supply chain attacks, a quick guide on how to hack APIs, and finally, a very illuminating report from Google Cloud on API security […]

Issue 209: CSRF in Plesk API-enabled server, top five API security myths, Ory Hydra authentication server

This week, we have new research from FORTBRIDGE that reveals a cross-site request forgery (CSRF) vulnerability in API-enabled instances of Plesk, the popular server administration portal. We also have an article on the top five API security myths according to Hacker News, a quick look at the Ory Hydra OAuth2/OIDC server, and a guide to […]

Issue 208: Urlscan.io leaks sensitive data, Dropbox phishing attack, contract test for microservices

This week, we have news of two API-related data breaches: the first in Urlscan.io API, which was found to be leaking sensitive URLs and data, and the second a phishing attack on Dropbox, where private GitHub repositories were copied. We also have an article on the importance of contract testing for microservices, and finally, another […]

Issue 205: Manufacturing industry seeing more API incidents than other industries, two guides on developing secure APIs

This week, we have a report revealing that the manufacturing industry experiences more API-related incidents than other industries. To follow, we have two guides for developers: the first describes the REST architectural style and common API vulnerabilities, and the second prescribes best practices for secure API design. Finally, we have a fun read on cracking API […]

Issue 203: Optus data breach, API security guide, AuthN/AuthZ vulnerabilities

This week, the main news is coverage of the huge data breach affecting the Australian telecommunications company Optus, with APIs as a likely root cause. We also have articles on API security, authentication and authorization vulnerabilities, and how Docker REST API exposure can present risks. Breach: APIs at the root of Optus data breach? The […]

Issue 202: Six top API security risks, why APIs have no clothes, and a guide on API security testing

This week, we have an article on the six top API security risks being favored by attackers, an article on why your APIs have no clothes, a guide on API security testing to improve security and data confidentiality, and finally, news of API security testing training courses being offered by @theXSSRat. Due to annual vacation, […]

Issue 201: API security in Kubernetes, Corey Ball podcast, broken access controls for APIs, 200th issue prize giveaway

This week, we have an article from the NewStack on API security best practices in Kubernetes, a podcast with Corey Ball discussing API security best practices, an article on broken access control concerns in APIs, and 42Crunch’s eBook on API security. Most importantly, we have news of last week’s winner in the 200th-issue giveaway and […]

Issue 200: Injection vulnerability in BitBucket, OAuth2 exploitation, and 200th issue prize giveaways

Celebrating the 200th issue This week is a special one: it’s the 200th edition of this newsletter, and also my first anniversary as the curator. To celebrate, I have pulled out our three most popular articles and our three most popular guides, in case you missed them the first time around. We’ve also got views […]

Issue 199: Vulnerability in Zulip server, broken access controls threat to APIs, introduction to BOLA

This week, we have news of an API vulnerability allowing privilege escalation in the team chat tool Zulip. We also have articles from PortSwigger on the threat of broken access controls and injection attacks to APIs, as well as a quick read on Broken Object Level Authorization vulnerabilities. Finally, we feature a guide from the […]

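To make the Broken Object Level Authorization (BOLA) pattern concrete, here is an added Python sketch (not code from the newsletter or from the linked article) of a miniature order API with the vulnerable lookup beside the fixed one, plus the enumeration loop an attacker, or a test, runs against each. The customers, orders and sequential IDs are constructed for the demo.

```python
"""Broken Object Level Authorization (BOLA) in a miniature order API.

Added example, not code from the newsletter or the article it links:
the vulnerable handler beside the fixed one, plus the enumeration loop
an attacker (or a test) runs against each. Customers, orders and IDs
are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total: float


# Constructed data: two authenticated customers, three orders with sequential IDs.
ORDERS = {
    1001: Order(1001, "alice", 42.00),
    1002: Order(1002, "bob", 17.50),
    1003: Order(1003, "alice", 9.99),
}


class NotFound(Exception):
    pass


def get_order_vulnerable(caller: str, order_id: int) -> Order:
    """GET /orders/{id} as it is often shipped: the caller is authenticated,
    but the object is fetched by ID alone, so every customer can read every
    order by walking the ID space."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def get_order_fixed(caller: str, order_id: int) -> Order:
    """Same route with object-level authorization. The ownership check is part
    of the lookup, and a foreign ID is answered exactly like a missing one so
    the endpoint does not leak which IDs exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != caller:
        raise NotFound(order_id)
    return order


def enumerate_orders(handler: Callable[[str, int], Order], caller: str, ids: Iterable[int]) -> List[int]:
    """Walk candidate IDs as an attacker would and return those the handler served."""
    served = []
    for order_id in ids:
        try:
            served.append(handler(caller, order_id).order_id)
        except NotFound:
            continue
    return served


if __name__ == "__main__":
    print("bob, vulnerable:", enumerate_orders(get_order_vulnerable, "bob", range(1000, 1010)))
    print("bob, fixed:     ", enumerate_orders(get_order_fixed, "bob", range(1000, 1010)))
```

In a real service the ownership predicate belongs in the data-access query itself (`WHERE id = ? AND owner = ?`) rather than bolted on after the fetch, and the enumeration loop above is exactly the test an API security suite should run with a second tenant’s credentials.
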
Issue 198: API security certification, API authentication webinar, optimizing API security

This week, we have news of the recently released API security training course from Corey Ball and an excellent webinar from Redmonk and FusionAuth. Also, we have an article from TheNewStack on optimizing API security for cloud-native and coverage of a REST API fuzzing tool. Training: API security training with Corey Ball This week’s biggest […]

Issue 197: Apps leaking Twitter tokens, parameter smuggling attack in Golang, API catalogs for security

This week, we have two vulnerabilities — the first is the revelation that thousands of applications are leaking Twitter access tokens, and the second is a parameter smuggling attack in Golang affecting some well-known Golang-based projects. We also have an article on the security benefits of API catalogs and, finally, a fascinating […]

Issue 196: Software supply chains, APIs in healthcare, Azure API management baselines

This week, we have articles on the importance of API security for the software supply chain, and how API adoption is increasing in the healthcare industry whilst addressing cyber security concerns. We also have new guidance from Microsoft Azure on security baselines for API management, and a free software security course from the Linux Foundation. […]

Issue 194: API testing checklist, API security testing resources, CVSS for API security

This week, we have a very popular API testing checklist aimed at pen-testers, a comprehensive guide to tips & tricks, and resources related to API security and API pen-testing. We also have an article from Cisco on using CVSS to tackle API security, and finally, a 10-year journey in API security vulnerabilities with Ivan Novikov. […]

Issue 192: Vulnerable APIs costing $75 billion, new Google API security platform

This week, we have a report from Imperva indicating that vulnerable APIs may be costing as much as $75 billion annually with the largest organizations being at the highest risk. We also have coverage of the new API security platform from Google, views from Curity on API-driven backends for frontends for increased API security, and […]

Issue 191: API insecurity causing rising incidents, policy-as-code for API security

This week, we have a report from Imperva on the increasing security incidents caused by unsecured APIs. We also have articles on using policy-as-code to improve API security, views on how common assumptions may prevent effective API protection, and how open APIs are improving cloud-based security. Report: One in thirteen incidents blamed on API insecurity […]

Issue 190: Akamai’s report on APIs, API security checklist, dangers of API security overconfidence

This week, we have a report from Akamai focusing on APIs which they describe as “the attack surface that connects us all”. We also feature an API security checklist that covers seven of the most important requirements, and an article on the dangers of API security overconfidence. Finally, we round off with a video from […]

Issue 189: Vulnerability in Travis CI log API, Microsoft guide to API security, and why API security needs special attention

This week, we have news of an API vulnerability in the Travis CI platform that allowed access to logs on public instances, leaking keys and tokens. Also this week, we have an excellent guide from Microsoft with their recommendations on how to mitigate API threats, some views from the Economic Times on why […]

Issue 188: API security for smart cars, ownership of the API lifecycle, APIs a top CISO concern

This week, we have articles on API security considerations for smart cars, and an exploration of API ownership and its impacts on security. We also have a report surveying CISOs on their top security concerns (no surprise that API security tops the list), and finally, a beginner’s guide to API security focusing on testing. Article: […]

Issue 186: Kubernetes API servers exposed, vulnerability in Swagger-UI library, Google views on API economy

This week, we have news of a report revealing that over 380 000 Kubernetes API servers are exposed on the internet due to possible misconfiguration, as well as details of a vulnerability allowing DOM XSS attacks in the popular Swagger-UI library. We also feature views from Google on the future of the API economy and […]

Issue 184: RCE in F5 BIG-IP suite, API security maturity, hardening GCP implementations

This week, we have news of a high severity remote code execution (RCE) vulnerability in the F5 BIG-IP security suite. We also feature an article from Curity on API security maturity, an article on hardening Google Cloud Platform implementations, and finally a threat matrix for GraphQL APIs. Vulnerability: RCE vulnerability in F5’s BIG-IP security suite […]

Issue 183: API vulnerability in VeryFitPro, exposed Docker APIs targeted by botnets, TruffleHog finds stored credentials

This week, we have two API vulnerabilities: the first, in the VeryFitPro app, allowed attackers access to a backend API, while in the other the LemonDuck botnet attacked exposed Docker APIs. On a more positive note, we also have a new version of TruffleHog that detects stored API credentials, as well as views on how to securely […]

Issue 182: Drupal patches API vulnerability, Google Cloud on API security challenges, guide to OAuth2

This week, we have details of an API vulnerability in the Drupal platform, allowing an attacker to bypass access controls. We also feature views from Google Cloud on challenges to API security, a comprehensive guide to OAuth2, and finally a write up on how GitHub deviates from the implementation guidelines for OAuth2. Vulnerability: Drupal patches […]

Webinar – Actively Monitor and Defend Your APIs with 42Crunch and the Azure Sentinel Platform

APIs are increasingly the number one attack vector for adversaries due to their growing abundance and ease of attack via automated scripts and tools. Most public APIs are under constant attack by skilled human adversaries and growing legions of bots. Well-designed, secure APIs are critical to mitigating the risk of attack, but it is essential […]

Issue 181: Vulnerability in Wavlink router, API exposing system passwords, views on internal APIs

This week, we have two API vulnerabilities: a command injection vulnerability in the control API of the Wavlink WL-WN531P3 router, and another one on the website of a security regulator in South Africa. In addition, we have views on the management of internal and external APIs, and how the new Lambda Function URLs on AWS […]

Issue 180: API vulnerability in Easy!Appointments platform, new APIs compromising security

This week, we have news of an API vulnerability in the scheduling platform Easy!Appointments allowing unauthorized access. We also have articles on whether the growth in APIs compromises security, how API traffic visibility is a key for API security, and some basic tips on locking down APIs to improve security. Vulnerability: API access control vulnerability […]

Issue 179: Spring4Shell zero-day, CRI-O container runtime vulnerability, and REST API security reference

This week, we have two new vulnerabilities: firstly, the big news in the Spring4Shell zero-day vulnerability in the Spring Framework coming hot on the heels of the recent Log4Shell vulnerability, and secondly, a vulnerability in the CRI-O container runtime that allowed host access to attackers. We also feature a guide to REST API security and […]

Issue 178: Six areas for Cloud-native security, API governance, DevOps for improved API security, locking down APIs

This week, we have articles covering six critical areas for cloud-native security in 2022, including, of course, API security. In addition, there’s a beginner’s guide to API governance, thoughts on how to improve API security by embracing DevOps, and views on three ways to lock down APIs. Article: Six critical areas for cloud-native security in […]

Issue 177: Vulnerabilities in Veeam product, RCE in Parse Server module, insecure API threat to mobile apps

This week, we have news of two critical vulnerabilities patched in the Veeam data backup solution, a remote code execution (RCE) vulnerability in the popular Parse Server API server module, views on how insecure APIs threaten mobile application security, and how attackers are increasingly focusing on APIs as the attack vector of choice. Vulnerability: Two […]

Issue 176: Case study of API vulnerabilities, Riverbed vulnerability, API abuse, JWT safety

This week, we have an excellent write-up on a case study of API vulnerabilities, an API vulnerability in Riverbed’s SteelCentral AppInternals software, an article on how even the most “perfect” APIs can be abused, and a guide on the safer handling of JSON web tokens (JWTs). Vulnerability: A case study of API vulnerabilities This week, […]

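As an added example of the kind of JWT handling the guide argues for (this is code written for this page, not the newsletter’s or the guide’s), the Python below verifies an HS256 token with the algorithm pinned by server policy rather than read from the token header, which is what defeats the classic alg=none forgery and RS256/HS256 key-confusion attacks. It uses only the standard library; the secret and claims are constructed for the demo.

```python
"""Pinned-algorithm JWT verification in plain Python (stdlib only).

Added example, not code from the newsletter or the guide it links. The
algorithm comes from server policy, never from the token header, which is
what defeats alg=none forgeries and RS256/HS256 key-confusion attacks.
The secret and claims used below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token the way the server does."""
    header = _segment({"alg": "HS256", "typ": "JWT"})
    signing_input = header + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def forge_alg_none(claims: dict) -> str:
    """What an attacker sends to a verifier that trusts the header's alg:
    an unsigned token with alg=none and an empty signature segment."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def verify_hs256(token: str, secret: bytes, audience: str, now: Optional[float] = None) -> dict:
    """Return the claims if the token is valid for this server, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Exact match against policy: "none", "NONE", "RS256" or anything else is
    # refused before any signature work happens.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    now = time.time() if now is None else now
    # Claims are only trusted after the signature check; exp and aud are mandatory.
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims


def accepts(token: str, secret: bytes, audience: str, now: Optional[float] = None) -> bool:
    """True if verify_hs256 returns claims, False on any rejection (handy for tests)."""
    try:
        verify_hs256(token, secret, audience, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    claims = {"sub": "user-1", "aud": "orders-api", "exp": 1_800_000_000}
    good = sign_hs256(claims, secret)
    print("genuine token accepted:", accepts(good, secret, "orders-api", now=1_700_000_000))
    print("alg=none forgery accepted:", accepts(forge_alg_none(claims), secret, "orders-api", now=1_700_000_000))
```

Swapping in a library such as PyJWT does not change the shape of the check: pass the permitted algorithm list, the expected audience and the key from server configuration, and never let the token choose its own verification algorithm.
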
Issue 175: Vulnerabilities affecting Cisco platforms, GitLab instances, and campus access control

This week, we have three vulnerabilities: the first in the Cisco Expressway Series and TelePresence video communications service, another vulnerability in self-managed GitLab instances, and a bug affecting a campus access control system. On top of this, we also have views on privacy concerns for APIs. Vulnerability: Patches for critical issues in Cisco video communications […]

Webinar: How to Extend Protection of your Data from API to Mobile Application

APIs are mobile app developers’ best friends as they help reduce development time and save costs. But the rapid deployment of mobile apps and the explosion in the development of new APIs present very real threats for most organizations. To defend your APIs, it is important to have a comprehensive approach to API security from […]

Issue 174: APIs increasingly used for account takeover, API hacking book, OAuth in Postman

This week, we have new research revealing how APIs are increasingly used for account takeover, a look at a great new book on hacking APIs, an article on using Postman for OAuth 2.0 authorization code grants, and a guide on documenting APIs. Article: APIs increasingly used for account takeover New research covered […]

Issue 173: Coinbase vulnerability, AuthN/AuthZ best practices, bad bots, Elgato Key light hack

This week, we have news of the eye-opening vulnerability on the Coinbase platform which netted a $250,000 bug bounty. There’s also an excellent guide on best practices for authentication and authorization for REST APIs, an article on the growth of bad bots and how to mitigate against them, and a fun read from APIHandyman on […]

Issue 172: Argo CD vulnerability, state of API security survey, API testing with Zap and Postman

This week, we have news of a vulnerability in Argo CD that allowed leaking application secrets, a survey of the state of API security across three regions, a quick read on how to use Postman and OWASP Zap for API security testing, and finally views on how to distribute authorization services in a microservice architecture. […]

Issue 171: DPD parcel tracking flaw, Apache Pulsar and Casdoor vulnerabilities, trends in API industry

This week, we have news of multiple API flaws and vulnerabilities: the parcel tracking portal at DPD that may have exposed customer data; an API vulnerability in Apache Pulsar that allowed access to data in other tenants; and an SQL injection vulnerability in the Casdoor API. On the more positive side, we take a look at […]

Issue 170: DevSecOps approach to API security, F5 vulnerabilities, ten API integration trends

This week, we have an article on applying a DevSecOps approach to API security by combining shift-left with a protect-and-monitor-right approach; a pair of vulnerabilities patched by F5; views on the top 10 API integration trends by Brenton House; and finally, a view on the rise of bot attacks against APIs. Article: […]

Issue 169: Insecure API in WordPress plugin, Tesla 3rd party vulnerability, introducing vAPI

This week, we have details of a vulnerability in the popular WordPress plugin, WP HTML Mail, which potentially exposed 20,000 WordPress sites, and a vulnerability in TeslaMate software exposing dozens of Teslas to remote access. On a more positive note, we have an introduction to vAPI, an open-source laboratory for learning API security, and an article […]

OWASP API Security Top 10 Challenges – Webinar Series

In this 3-part webinar series Dr. Philippe De Ryck, Web Security Expert with Pragmatic Web Security and Colin Domoney of 42Crunch and APISecurity.io, take a deep dive into understanding and addressing the OWASP API Security Top 10 issues. Through detailed practical examples and use cases, they guide developers and security professionals through how to fix […]

Issue 168: Safari 15 IndexedDB API vulnerability, a pair of AWS vulnerabilities, and an API security podcast

This week, we have news of a vulnerability in the IndexedDB API in Safari 15 that exposed user information, a pair of vulnerabilities in AWS affecting AWS Glue and AWS CloudFormation, and a podcast featuring Rinki Sethi and Alissa Knight discussing API security. Last week, we featured an “awesome API security” guide from a 3rd-party […]

Issue 167: Uber bug allows spoof emails, partner-facing APIs on the rise, omnichannel APIs increase risk

This week, we have a long-standing vulnerability in a public-facing internal API at Uber, which allowed attackers to spoof emails. In addition, there’s an article by NordicAPIs on the RapidAPI report into the rise of partner-facing APIs, IBM’s views on the API security risk posed by the growth in omnichannel APIs, and finally (another) awesome […]

Issue 166: Securing large API ecosystems, creating OpenAPI from HTTP traffic, Frankenstein APIs, and API proliferation

This week, we have a comprehensive article on approaches to securing large API ecosystems, an interesting read on how to create OpenAPI definitions from HTTP traffic, how “Frankenstein APIs” are exposing businesses to additional risk, and why the continued API proliferation presents security challenges to organizations. Article: Securing large API ecosystems First up this week […]

Issue 165: Vulnerability in All in One WordPress plugin, why to treat all APIs as public, a beginner’s guide to API security

This week, we have news of another high severity vulnerability in a WordPress plugin, this time in the popular All in One plugin, allowing compromise via the core REST API. We also have views from @apihandyman on why to treat all APIs as public ones, a comprehensive beginner’s guide to API security, and finally an optimistic view […]

Issue 164: Log4Shell vulnerability, API sprawl an increasing threat, API security design best practices, Zero Trust for APIs

This week, we have news on the Log4Shell vulnerability affecting applications and infrastructure using the ubiquitous Log4j library. In addition, there’s an article on how API sprawl is becoming a threat to the digital economy, a guide on API security design best practices, and views on the benefits of a zero-trust approach for API security. […]

Issue 162: Compromised Google Cloud accounts, GraphQL as API gateway, API security guide and training

This week, we have details of compromised Google Cloud accounts being used to mine cryptocurrency (mainly with weak or no passwords on API connections), there’s an article on how GraphQL can be used as an API gateway (including security controls), a very comprehensive guide to all things relating to API security, and a new API […]

Issue 161: Vulnerability in Wipro Holmes Orchestrator, report into vulnerabilities in FinTech and banking apps

This week, we have details of a vulnerability in the AI platform Wipro Holmes Orchestrator, allowing the download of arbitrary files via path manipulation. There’s also a new report from researcher Alissa Knight on vulnerabilities in banking, cryptocurrency exchange, and FinTech APIs; an article on the impact of a shift-left approach for API security; and […]

Issue 160: Vulnerability in AWS API gateway, Kubernetes API access hardening guide

This week, we have a vulnerability in the AWS API gateway that allows a potential cache-poisoning attack, disclosed at the recent BlackHat Europe conference, a guide on how to harden Kubernetes API access, a report from Forbes on the need to take API security more seriously, and predictions on what’s possibly on the next OWASP […]

Issue 159: Vulnerability in GoCD CI/CD platform, views on full lifecycle API security, articles on API security and sprawl

This week, we have news of a high criticality vulnerability on GoCD, a common open-source CI/CD system, allowing attackers to hijack secrets of downstream supply chains. There is also an excellent article on the journey of Raiffeisen Bank International toward full lifecycle API security, another article on how API security is hindering application delivery, and […]

Issue 158: Data of 400 000 students exposed, 1 million sites affected by plugin vulnerabilities, views on GraphQL

This week, we have news on a breach affecting 400 000 users of a popular German school app, and another vulnerability in a popular WordPress plugin. In addition, there’s a thought-provoking opinion piece on the value of GraphQL on public interfaces, and an article featuring nine useful API testing tools. Breach: Sensitive data of 400 […]

Issue 157: Unsafe defaults in Prometheus, mapping API attack surfaces, OpenAPI file trend analysis

This week, we have details of a potential vulnerability in existing Prometheus installations with no endpoint security enabled, details of a new tool to assist organizations in mapping their API attack surface, a report on the analysis of publicly available OpenAPI definition files, and news on upcoming API security awareness and training […]

Issue 156: FHIR APIs vulnerable to abuse, 3D printers facing hijacking risk, API security webinar

This week, we have a vulnerability report from Alissa Knight on Fast Healthcare Interoperability Resources (FHIR) APIs being potentially vulnerable to abuse, and more details on how the breach at MakerBot’s Thingiverse 3D printing repository website could lead to hijacking users’ 3D printers. In addition, there’s an article summing up the increasing numbers of […]

Issue 155: Vulnerability in BrewDog mobile app, APIClarity at KubeCon, API attacks in Open Banking

This week, we have a vulnerability in the BrewDog mobile app exposing users’ PII courtesy of hard-coded bearer tokens, Cisco has announced the arrival of their APIClarity at KubeCon 2021, F5 has published a report on API attacks in Open Banking, and finally, there’s a mega-guide on API security best practices. Vulnerability: Hard-coded API bearer […]

Issue 154: Views on APIs and security, report into API misconfiguration, detecting malicious API activity

This week, we have a viewpoint on what security officers can do to address API security. There’s also a report from IBM revealing that two-thirds of cloud breaches are due to misconfigured APIs, the best practices for detecting malicious activity on API endpoints, and a description of common attack vectors on GraphQL implementations. Correction: In […]

Issue 153: Rapid proliferation of APIs, WordPress API vulnerability, false-negative API scanning

This week, we have an article on how API proliferation is opening up security holes, another vulnerability in the WordPress REST API, again through a third-party plugin. In addition, we look into the importance of false-negative API vulnerability scanning, and API protection as a key element of a cloud security strategy. Article: Rapid proliferation of […]

Issue 152: Exposed API keys and tokens, SAST/DAST for API security testing, the value of API specifications

This week, we have a breach involving exposed API keys for payment integration, leaked API tokens on Travis CI, the shortcomings of static and dynamic application security testing (SAST/DAST) for API security, and the value that API specification frameworks bring. Breach: Exposed payment integration API keys The big news story this week was the leakage […]

Issue 151: WordPress 5.8.1 security patch, API botnet attacks report, articles on API tokens and API discovery

This week, we have details on the security patch in WordPress 5.8.1 fixing an issue on the REST API, a report on the rise of botnet attacks on APIs, an article on everything you need to know about API tokens, and thoughts on API discovery. Vulnerability: Security patch to REST API in WordPress 5.8.1 Last […]

Issue 150: Vulnerability in Fortress home security system, API fuzzing techniques, hardening GraphQL implementations, and central governance for APIs

This week, we have recent vulnerabilities in the Fortress home security system that allowed an attacker to remotely disable the system, a guide on API fuzzing techniques and tools, best practice for hardening GraphQL implementations, and views on central governance for APIs. Vulnerability: Fortress home security vulnerability allows remote disarming This week, Rapid7 disclosed two […]

Issue 149: Vulnerabilities on Cisco routers and Bumble, adopting Zero Trust for APIs, a hacker’s view on API security challenges

This week, we have vulnerabilities on Cisco routers allowing device takeover, a vulnerability on the Bumble app disclosing users’ location, a view on adopting Zero Trust for APIs, and a hacker’s view on API security challenges. Vulnerability: Cisco releases critical patches Cisco Systems has released a total of six security patches for API vulnerabilities this […]

Issue 148: Microsoft Power Apps breach, BOLA on Topcoder portal, RFC 9101 released, API hacking guide

This week, we have Microsoft Power Apps demonstrating the dangers of lax default settings for data exposure, yet another Broken Object Level Authorization (BOLA/IDOR) vulnerability on the Topcoder portal, the newly released RFC 9101, and a guide to hacking APIs. Breach: Microsoft Power Apps records leaked via OData API The big news this week is […]

Issue 147: Vulnerabilities in SEOPress plugin and Steam portal, results from an application security survey

This week, we have the recent API vulnerabilities in the SEOPress WordPress plugin and the Valve Software Steam portal, the results from a Dark Reading survey into application security, and details of the upcoming OpenAPI Initiative’s (OAI) API Specifications Conference. Vulnerability: XSS and REST API vulnerability in SEOPress On July 29, 2021, the Wordfence Threat […]

Issue 146: Facebook API leaking private group membership, JWT Attacker plugin for Burp

This week, we have the recent API fix involving group membership at Facebook, a case study of a BOLA vulnerability leaking users’ credit coupons, a handy add-on for Burp Suite, plus an interview with a security expert on API security. Vulnerability: Facebook Facebook API was leaking information on users’ memberships in private groups. Muhammad Sholikhin […]

Issue 145: APIs and electric car charging stations, The Nuts and Bolts of OAuth 2.0

This week, we take a look at the recently discovered (and fixed) API vulnerabilities in electric car charging stations, a Udemy course on OAuth 2.0, the recently released Gartner Hype Cycle on APIs, and how APIs in microservices architectures can be exploited if they construct backend calls without properly validating inputs. Vulnerability: Electric vehicle charging […]

Issue 144: JustDial API vulnerability re-emerges, API key checker, the state of OAuth

This week, JustDial has had to re-fix an old API vulnerability that they already fixed in 2019. We also have a set of scripts for automated API key validation, and two videos from recent conferences on the OAuth roadmap and GraphQL security. Vulnerability: JustDial JustDial had a regression as they accidentally reintroduced the API vulnerability […]

Issue 143: GraphQL API leaking credit cards, SQLi in JWT, XML attacks mind map

This week, we have a detailed write-up on finding credit card numbers leaking from a GraphQL API, a lab walkthrough on hacking JSON web tokens (JWT) through SQL injection, and HackerOne’s new Capture The Flag (CTF) API Security challenge. On the resource side, we have another good mind map, this time on XML attack vectors […]

Issue 142: API vulnerabilities in Coursera and Huawei, GraphQL rate limiting and discovery

This week, we take a look at the recently reported API vulnerabilities at Coursera and in one of the Huawei home gateways. We also learn about rate-limiting for GraphQL APIs and GraphQL discovery using its autocorrect feature. Vulnerability: Coursera Coursera has fixed a number of API vulnerabilities reported by David Sopas, Paulo Silva, Ricardo Gonçalves, […]

Issue 141: API vulnerabilities in VeryFitPro and Gettr, AWS Lambda authorizers, AsyncAPI 2.1

This week, we take a look at insecure API traffic in the VeryFitPro Android app, how APIs were used to scrape user profile data from Gettr, and some potential API vulnerabilities affecting users of AWS API Gateway and Lambda authorizers. In addition, there is also the latest update to the AsyncAPI standard. Vulnerability: VeryFitPro Researchers from […]

Issue 140: API vulnerabilities at LazyPay, Western Digital, and LinkedIn; IDOR mindmap

This week, we take a look at the recent API vulnerabilities reported at LazyPay, API attacks on Western Digital My Book Live NAS systems, and LinkedIn profiles getting scraped. We also have a new detailed mind map for broken object-level authorization (BOLA/IDOR) vulnerabilities. Vulnerability: LazyPay LazyPay is a pay-later platform that has over 2 million […]

Issue 139: API vulnerabilities at Apple, Amazon, and 1Sambayan, upcoming Gartner webinar

This week, we take a look at the recent API vulnerabilities at Apple, Amazon, and the volunteer coordination app of the Philippine opposition coalition, and there is an upcoming API security webinar by Gartner. Vulnerability: Apple iCloud account takeover Laxman Muthiyah was able to demonstrate how he could brute-force his way into taking over someone […]

Issue 138: Vulnerabilities in Microsoft Teams and Instagram

This week, we check out the recent vulnerabilities in Microsoft Teams and Instagram, the awesome-apisecurity repo in GitHub, and the upcoming DevSecCon24 conference. Vulnerability: Microsoft Teams Evan Grant found a way to break into Microsoft Teams accounts by leveraging Microsoft Power Apps. Microsoft Power Apps and Power Automate services are meant to provide easy tools […]

Issue 137: Vulnerabilities in VMware vCenter and Apache Pulsar, GraphQL and CSRF attacks

This week, we take a look at the recent API vulnerabilities in VMware vCenter and Apache Pulsar, how GraphQL implementations may be vulnerable to cross-site request forgery (CSRF) attacks, an upcoming webinar on API Security and Postman, a DZone webinar with this newsletter’s author next week, and a video on how the API security vendor […]

Issue 136: OAuth 2.0 security checklist and pentesting

This week, we check out how API attacks can be used to squash political dissent, a handy OAuth 2.0 security checklist as well as some common OAuth vulnerabilities and the ways to detect and mitigate them, and a case study of API penetration testing. Vulnerability: Russian opposition email list breach Companies typically avoid providing details […]

Issue 135: Millions stolen from cryptoexchanges through APIs

This week, we take a look at how cybercriminals exploit leaked API keys to steal millions of dollars from cryptoexchanges. In addition, we also have the recent API vulnerabilities in Rocket.Chat, the upcoming change in Let’s Encrypt root certificate and its impact on APIs, and another video on common GraphQL API vulnerabilities. Vulnerability: API keys […]

Issue 134: API vulnerabilities at Echelon, Instagram, Facebook Workspace

This week, we have three API vulnerabilities: in Echelon sports equipment, Instagram, and Facebook Workspace, as well as an interview with Forrester’s key API security expert, Sandy Carielli. Vulnerability: Echelon In our previous newsletter, we discussed API vulnerabilities at Peloton. This week, the same researcher, Jan Masters from Pen Test Partners, has published his research […]

Issue 133: Vulnerable Peloton APIs, API contract generation for .NET

This week, we take a look at the API vulnerabilities discovered at Peloton, how India is locking down the APIs for their COVID vaccination portal, how API contracts can be generated from .NET code, and what API security sessions the upcoming RSA Conference (RSAC) offers. Vulnerability: Peloton Peloton is a producer of popular treadmills and […]

Issue 132: Experian API leak, breaches at DigitalOcean and Geico, Burp plugins, vAPI lab

This week, we take a look at the recent API vulnerabilities at Experian, Facebook, and possibly DigitalOcean and Geico. There is also a review of Burp plugins for API vulnerability discovery, and a new API security penetration testing lab. Vulnerability: Experian Bill Demirkapi found an unprotected Experian API that returned a credit score based simply […]

Issue 131: API vulnerabilities at John Deere, Springfox, JWT lab, AutoGraphQL

This week, we check out the recent API vulnerability in John Deere farming machinery, the best practices in using Springfox annotations for API security, a new JWT penetration testing lab, and AutoGraphQL – a tool for GraphQL authorization testing. Vulnerability: John Deere John Deere is one of the leading manufacturers of expensive farming equipment, such […]

Issue 129: Facebook and Clubhouse profiles scraped through APIs, Forrester’s “State of Application Security, 2021”

This week, we obviously have to discuss the hundreds of millions of Facebook and Clubhouse user profiles that were scraped using APIs. In other news, Forrester has published their fresh and insightful report “The State of Application Security”, and there’s a new online training “Building an Identity Architecture for APIs”. Data leak: Facebook The biggest […]

Issue 128: API flaws at VMware and GitLab, URL parameters and SSRF, webinar on recent breaches

This week, we check out the recent API vulnerabilities at VMware and GitLab, how URL parameters can lead to server-side request forgery (SSRF) vulnerabilities, and the upcoming webinar on some of the recent real-life API security flaws. Vulnerability: VMware vRealize Operations API VMware has just patched two critical security issues in their vRealize Operations API. […]

Issue 127: Hidden OAuth attack vectors, Methodology for BOLA/IDOR

This week, we look at an API vulnerability in Micro Focus Operation Bridge Reporter, new research on 3 hidden attack vectors in OAuth and OpenID Connect, a methodology for finding BOLA/IDOR, and research on OpenAPI adoption in the banking sector. Vulnerability: Micro Focus Operation Bridge Reporter Even authentication APIs may lead to direct remote code […]

Issue 126: F5 iControl REST API under attack, Regexploit, Ford’s API security talk recording

This week, we check out the recent API vulnerabilities at F5 and Facebook, there’s a new tool to locate regular expressions vulnerable to Denial-of-Service (DoS) attacks, and we have the recording of Ford’s recent talk on their API security policies and lessons learned. Vulnerability: F5 iControl REST API This one appears to be the most […]

Issue 125: iPhone call recorder API flaw, Burp and OpenAPI, GraphQL pentesting, FAPI

This week, we look at an API vulnerability in a popular call recorder app, newly added OpenAPI support in Burp, a GraphQL pentesting lab, and the just-released Financial-grade API (FAPI) standard. Vulnerability: iPhone Automatic call recorder Anand Prakash found an API vulnerability in one of the most popular call recording apps for iPhone – Automatic […]

Issue 124: API vulnerabilities at Microsoft and Truecaller Guardians, Pentester labs, API security at Ford Motors

This week, we take a look at the recent API vulnerabilities reported at Microsoft and Truecaller Guardians, the new penetration testing labs for API security, and an upcoming webinar on the API security process at Ford Motors. Vulnerability: Microsoft online accounts API endpoints for resetting account passwords are a frequent attack vector. Attackers brute-force these […]

Issue 123: API vulnerabilities in VMware vCenter and Facebook, mismatch between JSON parsers, API security fixes in VS Code

This week, we learn about the recent serious API vulnerability in VMware vCenter (if you have one, update ASAP!), why query and path parameters cannot be trusted for confidential data, how potential attacks can emerge from inconsistencies in JSON parser behavior, and how a VS Code extension can help fix API vulnerabilities. Vulnerability: VMware vCenter […]

Issue 122: API issues at Clubhouse and healthcare apps, scope-based recon, OAS v3.1.0

This week, we take a look at the recent data spill incident at Clubhouse, the (poor) state of API security in major healthcare mobile applications, how scope-based reconnaissance methodology works, and the latest update (v3.1.0) to the OpenAPI Specification. Vulnerability: Clubhouse Clubhouse is an audio-only social network app for iPhone. Last Sunday, it had a […]

Issue 121: Vulnerability at chess.com, GraphQL security playground and checklist

This week, we take a look at the recent API vulnerability at chess.com, resources for GraphQL API security, and some API security advice from Michael Cobb at TechTarget. Vulnerability: chess.com Sam Curry found an API vulnerability that allowed arbitrary account takeover in chess.com, a popular online chess community and app. Community members can exchange messages, […]

Issue 120: Video doorbells security flaws, intro to JWT attacks, security zines

This week, we take a look at the security issues in cheap video doorbells and security cameras, as well as tutorials and webinars on protecting APIs running in Kubernetes, JSON web tokens (JWT), and web and API authentication and authorization. Oh, and we also have a link to DZone community awards where you can vote […]

Issue 119: NoxPlayer supply-chain attack through a hacked API

This week, we take a look at the recently discovered API attack in NoxPlayer, the latest annual “State of Web Application Security” report by Radware, a detailed step-by-step pentesting tutorial, and a recording of a session on API security and Azure API management from AppSec Israel. Vulnerability: NoxPlayer [UPDATE] We have been contacted by a […]

Issue 118: Spring Framework ALPS, OAuth 2.0 attack mindmap, securing JWTs

This week, we check out a potential exposure of APIs developed with Spring Framework and OAuth 2.0 attack classification. There’s also a recording of a recent JSON web token (JWT) security webinar and an upcoming API security fireside chat at the Postman Galaxy event next week. Vulnerability: Spring Framework Application-Level Profile Semantics Frameworks make developer […]

Issue 117: Vulnerabilities in YouTube and Ring Neighbors app, OAuth Mix-Up attacks, Tamper Dev

This week, we look into some recent API vulnerability reports on YouTube and Amazon’s Ring Neighbors app, there is a new proposed addition to the OAuth standard, and Google has developed an API proxy extension for Chrome. Vulnerability: YouTube David Schütz found a clever way to get (limited) access to private YouTube videos via a […]

Issue 116: Facebook and Parler API vulnerabilities, clairvoyance

This week, we check out the recent API vulnerabilities at Facebook and Parler, there is a new GraphQL discovery tool called clairvoyance, and we have API security advice from Corey Ball. Vulnerability: Facebook Pouya Darabi found an API vulnerability in Facebook that allowed him to create posts on other users’ pages. The posts were not […]

Issue 115: Vulnerabilities in SolarWinds, Ledger, Outlook. New plugin for JetBrains IDEs

Happy New Year 2021! This week, we revisit the API aspects of the SolarWinds breach and check out how APIs featured in the recent Ledger breach. There is also an API vulnerability found in Microsoft’s Office 365 Outlook and a new API development and security plugin for JetBrains IDEs. Vulnerability: SolarWinds The now-infamous SolarWinds breach […]

Issue 114: SolarWinds and PickPoint breaches, GitHub Code Scanning review, GraphQL security

This week, we check out the API aspects of the recent SolarWinds and PickPoint breaches. Also, we have a review on how to shift API security left with GitHub and 42Crunch and an introduction video on GraphQL security. Breach: SolarWinds The SolarWinds hacking reported this weekend was not API-related as such. It was a supply […]

Issue 113: API vulnerabilities at YouTube and 1Password, OIDC security, Assetnote Wordlists

This week, we take a look at the recent API vulnerabilities reported at YouTube and 1Password, a detailed OpenID Connect (OIDC) security research, and how Assetnote Wordlists can be used in API discovery. Vulnerability: YouTube Ryan Kovatch was testing YouTube Video Builder beta when he discovered API flaws in YouTube APIs that it uses. When […]

Issue 112: Vulnerability in Paginator, Microsoft RESTLer, talks on API authentication and JWT security

This week, we have the recently reported API vulnerability in Duffel’s Paginator, a new API fuzzer from Microsoft Research, an upcoming JWT security webinar, and a recorded talk on approaches to API authentication. Vulnerability: Paginator Peter Stöckli from Alphabot Security has posted a write-up on the API vulnerability he found in Duffel’s Paginator (CVE-2020-15150). Duffel […]

Issue 111: API vulnerabilities in AWS, Tesla Backup Gateway, Twitter

Happy Thanksgiving to all of our readers in the US! This week, we take a look at the recent API security issues with Resource-Based Policy APIs at Amazon Web Services (AWS), Backup Gateway APIs at Tesla, and in Twitter Fleets. In addition, we have some free passes to the upcoming DeveloperWeek New York that includes […]

Issue 110: API flaws in Bumble and COVID-KAYA, Forrester on API security, ASC 2020 talks

This week, we check out API vulnerabilities in the dating app Bumble and COVID-KAYA, an app for front-line healthcare workers in the Philippines. There’s also a new Forrester report and an upcoming webinar on API security, as well as a couple of recordings of API security talks from the recent API Specification Conference (ASC). Vulnerability: […]

Issue 109: API token best practices, Dredd, IDOR hunting tips

This week, another API has been leaking voter data in the US, we take a look at Dynatrace’s API token best practices as well as Dredd, an open-source OpenAPI verification tool, and there is a video with tips on locating broken object-level authorization vulnerabilities in APIs. Vulnerability: Trump campaign’s post-election site Although the campaigns are […]

Issue 108: API vulnerabilities in Thrillophilia and GitLab

This week, we have the recent API vulnerabilities in Thrillophilia and GitLab, there is a new free online course on OpenID Connect, and OpenAPI support has been recently added in Cloudflare. Vulnerability: Thrillophilia Thrillophilia is an Indian online platform for discovering and booking travel experiences and tours. Ehraz Ahmed found that Thrillophilia exposed about 2 […]

Issue 107: Vulnerabilities in Waze, AWS, and NHS COVID-19 app, Forrester App Sec Tech Tide

This week, we check out three API vulnerability reports for Waze, Amazon Web Services (AWS), and the UK NHS COVID-19 app. In addition, the new Forrester study of the technologies constituting application security as of Q4 2020 has been published. Vulnerability: Waze Remember the fun “other cars” icons that Waze, Google’s social GPS navigation app […]

Issue 106: API flaws at GitLab and Grindr, APICheck, API World and apidays conferences next week

This week, we have the recent API vulnerabilities at GitLab and Grindr, the APICheck tool gets donated to OWASP, there’s a summary on the basics of API authentication options, and complimentary registration links for the online conferences API World and apidays London next week. Vulnerability: GitLab Riccardo Padovani found an API vulnerability in GitLab related […]

Issue 105: API vulnerabilities in HashiCorp, Azure App Services, and Qiui adult devices

This week, we take a look at API vulnerabilities in HashiCorp Vault, Azure App Services, and “smart” adult toys. There is also an introductory video on finding information disclosure in JSON and XML API responses, and another cheat sheet and a webinar on OWASP API Security Top 10. Vulnerability: HashiCorp Vault Felix Wilhelm from Google’s […]

Issue 104: API vulnerabilities at Twitter and Grandstream, mTLS in AWS API Gateway, Application Security Podcast

This week, we check out the recent API-related vulnerabilities at Twitter and Grandstream Networks, the newly added support for mutual TLS (mTLS) in AWS API Gateway, and the API security episode in the Application Security Podcast. Vulnerability: Twitter A misconfiguration in the Twitter developer portal caused browsers to cache API keys, account access tokens, and […]

Issue 103: API vulnerabilities at Cisco, Shopify, BrandBQ, a security guide to CORS

This week, we check out three recent API vulnerabilities or breaches and what we know about them, and take a deep dive into cross-origin resource sharing (CORS). Vulnerability: Cisco Cisco has released critical security updates to IOS XE Software run by many of its devices. Two of the issues they have fixed are critical API […]

Issue 102: Vulnerabilities in Facebook and campaign apps, creating defensible APIs

This week, we look into the recent API vulnerabilities at Facebook and the campaign apps for the US presidential election, a new book on the OpenAPI Specification (OAS), and a guest post by API security trainer Mohammed Aldoub on how to build APIs that are easy to defend against attackers. Vulnerability: Facebook Marcos Ferreira found a […]

Issue 101: Vulnerabilities in Giggle, Google Cloud Platform, SonicWall, New Relic, Tesla

After the special 100th edition last week, which was all about API security advice from the industry’s thought leaders, this week we are back to our regular API security news, and we have twice the number of them, from the past two weeks. Vulnerability: Giggle Giggle is a women-only social network and mobile app. It […]

Issue 100: API Security advice from top industry experts

Today is a special day for our newsletter – our centennial issue and the number of email subscribers crossing the 5,000 mark (and in addition to that we have about 1300 followers on Twitter and a similar number of members of the API Security LinkedIn group). This has definitely grown significantly bigger than the original […]

Issue 99: API flaws in the Mercedes-Benz app and Russian inter-bank money transfer

This week, we check out the API vulnerabilities in the Mercedes-Benz connected cars and the Russian inter-bank money transfer system. We also have the upcoming ASC 2020 conference next week, as well as a recording of the IIoT Cybersecurity panel discussion from the recent IIoT World event. Vulnerability: Mercedes-Benz car control The conference Black Hat USA […]

Issue 97: Gym apps & home automation vulnerabilities, how to not leak API keys

This week, we check out the recent API vulnerabilities in the gym management platform Fizikal and the HDL smart home automation. We also have a great detailed write-up on the recent HacktivityCon 2020 Capture the Flag challenge, and a DEF CON talk on leaking API keys. Vulnerability: Fizikal Apps use platforms to get to the […]

Issue 96: Vulnerabilities at Cisco and MGM Grand Resort, tutorial on Chrome DevTools and pentesting with GraphQL

This week, we take a look at the recent vulnerability in Cisco Data Center Network Manager, as well as the API aspect of the data breach at MGM Grand Resort. Plus, we have a couple of tutorials: one on using Chrome Developer Tools to discover API paths, and an introductory one on GraphQL APIs and […]

Issue 95: Vulnerabilities at Zoom and OkCupid, progress on OAuth 2.1, API Information Disclosure tutorial

This week, we have recent vulnerabilities in Zoom and OkCupid, progress on the draft for OAuth 2.1, and a video tutorial on discovering leaky APIs. Vulnerability: Zoom Zoom has become the household name of the times, with plenty of face-to-face activities moving online. While this helps to keep the bugs of the living kind […]

Issue 94: Two-day API security training at Black Hat USA

This week, we have a potential username exposure in WordPress APIs, an upcoming API security training at the Black Hat USA 2020 conference, and some industry statistics on the poor security performance of web application firewalls (WAFs) and the importance of API security. Vulnerability: WordPress If you use WordPress, check if the REST API endpoint […]

Issue 93: API authentication flaw in Chingari, a guide to OAuth Authorization Code grant

This week, we have a report of a vulnerability in Google Sign In in a popular Indian video-sharing app, a new guide on typical OAuth implementation flaws, a tool for importing OpenAPI definitions into Burp, and a virtual training on API security. Vulnerability: Chingari Chingari is a popular Indian video-sharing app. With the latest steps […]

Issue 91: Homograph OAuth bypass, common JWT mistakes, ReDos attacks

This week, we check out the recent OAuth bypass at SEMrush, common JWT implementation mistakes and the Semgrep tool, regular expression denial of service (DoS) attacks, and a new online course on OAuth2 and OpenID Connect. Vulnerability: SEMrush OAuth2 implementation can be tricky. SEMrush has fixed an OAuth redirect_uri bypass reported by Yassine Aboukir. The problem […]

Issue 89: Starbucks API flaw exposes almost 100 million customer accounts

This week, we have the recent API vulnerabilities at Starbucks and in Drupal, a set of open-source tools by the Spanish bank Banco Bilbao Vizcaya Argentaria (BBVA), and extensions to the Microsoft platform for integrating API security throughout it all. Vulnerability: Starbucks Sam Curry found an API vulnerability at Starbucks that exposed almost 100 million customer […]

Issue 87: Vulnerabilities in Digilocker, Facebook, VMware Cloud Director

This week, we take a look at the recent API vulnerabilities in Digilocker, Facebook, and VMware Cloud Director. On top of that trio, there is also a new instructive video on REST API pentesting. Vulnerability: Digilocker A critical API vulnerability in India’s digital wallet system, Digilocker, exposed personal documents of more than 38 million citizens. […]

Issue 86: Vulnerabilities in Sign in with Apple, Qatar’s COVID19 app, GitLab

This week, we have three API vulnerabilities, in Apple’s Sign in with Apple authentication endpoint, Qatar’s COVID-19 tracking app, and GitLab’s Repository Files API. In addition, there’s also a new Burp plugin that automatically handles authentication tokens in API calls. Vulnerability: Sign in with Apple Sign in with Apple is an OAuth-like social logon system from […]

Issue 85: Vulnerability in Google Cloud Deployment Manager, a pentester’s guide to OAuth

This week, we check out the recently fixed vulnerability in Google Cloud Deployment Manager, and how to penetration test OAuth 2.0. On a higher level, we have Gartner’s classification of API security technology, and a recording of a panel discussion on API security. Vulnerability: Google Cloud Deployment Manager. Google Cloud Deployment Manager is an infrastructure […]

Issue 84: Unprotected APIs at Google Firebase, leaky Arkansas PUA portal

This week, we take a look at how thousands of Android apps inadvertently exposed Google Firebase APIs, and how the Arkansas Pandemic Unemployment Assistance (PUA) portal was leaking sensitive personal data. We also have a new pentesting tool for identifying data transformations used in APIs and apps, and a case study of four recent high-profile API […]

Issue 83: India’s COVID-19 tracing app, OAuth2 API attacks

This week, we check out an API vulnerability in India’s coronavirus tracing app, a couple of write-ups on OAuth2 API attacks, and a recording of a talk on REST API penetration testing. Vulnerability: India’s coronavirus tracing app. Elliot Alderson discovered API flaws in India’s COVID-19 tracking app, Aarogya Setu. In certain regions, the app is […]

Issue 82: Most common GraphQL vulnerabilities, pentesting with Insomnia

This week, we check out GraphQL security, penetration testing with Insomnia and Burp, cheat sheets for OAuth2 and JWT, and what consequences the growth of the API economy poses for cybersecurity. Opinion: The 5 most common vulnerabilities in GraphQL. Although the adoption of GraphQL is still fairly limited, it is undeniably on the rise. […]

Issue 80: API vulnerabilities IBM Data Risk Manager and Cisco Unified Computing System

This week, API vulnerabilities have been reported in IBM and Cisco products, and some conferences and webinars related to API security are coming up soon. Vulnerability: IBM Data Risk Manager. Pedro Ribeiro found a bunch of security vulnerabilities in IBM Data Risk Manager (IDRM). This is a control center that helps to locate, analyze, and […]

Issue 78: Vulnerabilities in WordPress Rank Math, Tapplock, and TicTocTrack

This week, we check out the API vulnerabilities in the WordPress Rank Math plugin, Tapplock smartlock, and TicTocTrack, another kids’ smartwatch. In addition, an update to the VS Code OpenAPI extension that adds static application security testing (SAST) for composite API contracts has been released. Vulnerability: WordPress Rank Math plugin. A popular WordPress plugin, Rank Math, […]

Issue 77: Vulnerabilities in GitLab, OAuth 2.1 draft is out

This week, GitLab has fixed several vulnerabilities, including API vulnerabilities, and the draft for OAuth 2.1 has been released. If you find yourself stuck at home with extra time on your hands, why not check out the free course on web security that Stanford University is offering? Vulnerability: GitLab. GitLab has released a new security […]

Issue 75: 98% of IoT traffic unencrypted, API DevSecOps in Azure Pipelines

This week, the state of security in Zyxel’s management console, as well as in the field of IoT, leaves room for improvement. Meanwhile, on the presentation front, we have an upcoming webinar on API DevSecOps in Azure Pipelines, and recordings from BSides SF 2020 are out. Vulnerability: Zyxel Cloud CNM SecuManager. Pierre Kim and Alexandre […]

Issue 74: Vulnerability in Login with Facebook, API security talks

This week, we check out how Facebook’s OAuth implementation in their social login feature left access tokens vulnerable. We also have some statistics and predictions on the rise of API security, and recordings of a couple more API security talks have been published. Vulnerability: OAuth in Login with Facebook. Doing a bullet-proof OAuth […]

Issue 73: Up to 75% credential abuse attacks target APIs

This week, we check out how Tinder’s API vulnerability has developed a life of its own, the latest statistics from Akamai on API security, the best current practices for JWT, and why API security needs both API firewalls and API management, not just one or the other. Vulnerability: Tinder. Back in July 2019, we covered the OWASP API3:2019 — […]

Issue 72: Vulnerabilities in WordPress ThemeREX Addons and Voatz, Facebook postmortem, JWT talks, OpenAPI Specification 3.0.3

This week, we take a look at how WordPress got exploited through a third-party plugin, and how API security research can sometimes be a very thankless endeavor. In addition, we also have the cost of ignoring API security as showcased by Facebook, as well as several good JSON Web Token (JWT) talks. And as a […]

Issue 71: Vulnerabilities in SoundCloud and Lime e-scooters, NIST Microservices security strategies

This week, we take a look at the recent API vulnerabilities found in SoundCloud and the electric scooter service Lime. In addition, we have a set of tips for API penetration testing, and a NIST whitepaper on microservices security. Vulnerability: SoundCloud. Paulo Silva has published a very systematic and thorough report on API vulnerabilities that […]

Issue 70: Vulnerabilities in Twitter, Likud, Iowa caucus apps, two API security talks

This week, we check out a recent API vulnerability in Twitter. In addition, it looks like API vulnerabilities are a bit of a theme in apps by political parties: vulnerabilities were discovered in apps by Israel’s Likud and the Democratic Party in the USA. We also have two API security talks: one recorded and one upcoming webinar. […]

Issue 69: Vulnerabilities in Azure Stack and Cisco TelePresence, API fuzzing

This week, we look at the recently patched API vulnerabilities in Microsoft Azure Stack and Azure Cloud infrastructure, and in Cisco TelePresence and RoomOS. In addition, there is a recorded conference talk on API pentesting, and Yelp has released an open-source tool for API fuzzing. Vulnerability: Azure Cloud infrastructure. Ronen Shustin from Check Point Research has […]

Issue 68: API security in Gartner Hype Cycle, McAfee threat predictions for 2020

This week, we take a look at where API security sits on the Gartner Hype Cycle, what the 2020 threat landscape looks like according to McAfee, and a SANS Institute whitepaper on DevSecOps. Analysts: API security in Gartner Hype Cycle. Gartner published their Hype Cycle for Application Security, 2019 a few months ago. The […]

Issue 66: Vulnerabilities in TikTok and InfiniteWP Client, AppSecCali 2020

This week, we check out how several API vulnerabilities in TikTok can lead to attackers taking over social media accounts, and how an admin plugin for WordPress had an API allowing for an authentication bypass. In other news, the OWASP security conference kicks off next week in California, and we take a look at API […]

Issue 65: Vulnerabilities at Siemens, Cisco, D-Link, OWASP API Security Top 10 2019 out

This week, we look into the recent API vulnerabilities in the Siemens plant operation control system, D-Link routers, and Cisco network management. In addition, OWASP has formally released their first-ever Top 10 list for API security. Vulnerability: Siemens SPPA-T3000. The application server of the Siemens plant operation control system SPPA-T3000 had API vulnerabilities. The AdminService API […]

Issue 64: API Vulnerabilities in Plenty of Fish, SonyLIV, SharePoint, Facebook

It is all about vulnerable APIs this week. We are looking at the ones in the Plenty of Fish dating app, Sony’s SonyLIV services, and Microsoft SharePoint. Also, there is a big leak of Facebook users’ phone numbers, presumably harvested via APIs. Vulnerability: Plenty of Fish. Dating apps contain highly personal information and thus are a […]

Issue 63: Microsoft and Google dropping Basic Auth, Thinkrace exposing 47mln+ devices

This week, we are looking into a huge API vulnerability exposing more than 47 million devices. Also, Microsoft and Google are dropping Basic Authentication support, and there is an opinion piece on the top risks of API security. Vulnerability: Thinkrace. The platforms you are using to power your systems can add vulnerabilities. PenTestPartners looked at […]

Issue 62: Vulnerabilities in Amazon Ring Neighbors and Droom, WebSocket API security

This week, we look at the recent API vulnerabilities in Amazon Ring’s Neighbors app and the Droom vehicle marketplace, articles on API security and WebSockets, an opinion piece on the most exploited API vulnerabilities, and a couple of recorded webinars. Vulnerability: Amazon Ring. Gizmodo reports that Amazon Ring’s crime-alert app, Neighbors, exposes too much data […]

Issue 61: Exposed patient records, vulnerabilities at Airtel and Kaspersky

This week, we check out recent API vulnerabilities in India’s statewide patient portal, at the mobile operator Airtel, and in Kaspersky Internet Security products. In addition, the results of the Radware Web App Security survey are out. Vulnerability: India’s ORS patient portal. A broken object level authorization (aka IDOR) vulnerability in India’s nationwide patient portal, Online Registration […]

Issue 60: Microsoft Azure OAuth2 Vulnerability, 5G Threat Landscape, Webinars

This week, we look into a vulnerability in Microsoft Azure’s OAuth implementation that could have led to the takeover of Azure accounts. In addition, we take a look at the security of mobile shopping apps and 5G networks. In other news, the recording of our OWASP API Security Top 10 webinar is now […]

Issue 59: Vulnerabilities in Fortinet, Truecaller, Nykaa Fashion, SMA M2 smartwatch

This week is all about API vulnerabilities. We found them everywhere: from client-to-cloud communications of Fortinet products to avatar hacks in the Truecaller app, an authentication flaw in Nykaa Fashion, and yet another kids’ smartwatch system with an almost total lack of security. Vulnerability: Fortinet. Researchers from SEC Consult have found bad implementation in various […]

Issue 58: Broken Object Level Authorization explained, plus practical tips on API security

This week, we continue to look at the upcoming OWASP API Security Top 10, discuss organizational changes that can make organizations more cybersecure, check out another security checklist, and look at upcoming API security conferences. API vulnerability explained: Broken Object Level Authorization. Broken Object Level Authorization (BOLA, aka IDOR) holds the #1 spot in the OWASP API […]

Issue 57: Vulnerabilities at Facebook, Amazon Ring, and GitHub, OWASP API Security Top 10 Webinar

This week, we look at the recent API vulnerabilities at Facebook, Amazon Ring, and GitHub. There is also an upcoming webinar on the OWASP API Security Top 10 that you can attend. Vulnerability: Facebook. Facebook has reported and fixed a vulnerability in their Groups API. This API and the information it exposes had been potentially abused […]

Issue 56: Common JWT Attacks, OWASP API Security Top 10 cheat sheet

This week, API vulnerabilities were reported in Rittal cooling systems. In other news, there is an API vulnerability cheat sheet that you can print and put on your wall, an overview of common JWT attacks, and a GlobalData report on the trends in API management and API security. Vulnerability: Rittal industrial cooling. Applied Risk has […]

Issue 55: Vulnerabilities in eIDAS and Cisco routers, Instagram API program locked down

This week, we check out the vulnerabilities fixed in the EU’s eIDAS (electronic IDentification, Authentication, and trust Services) system and Cisco routers, how Instagram is seeking to avoid the privacy controversies that Facebook itself has had, and interesting predictions from Gartner’s latest API report. Vulnerability: EU eIDAS. The EU has patched the reference implementation of the eIDAS […]

Issue 54: API vulnerabilities in eRosary, Kubernetes, Harbor

This week, we take a look at the recent API vulnerabilities in smart prayer beads, Kubernetes, and Harbor, as well as analogies between API security and airport security. Vulnerability: ClickToPray eRosary. The Vatican has released ClickToPray eRosary, the smart rosary beads that — naturally — come with an accompanying mobile app. Unfortunately, the app had a […]

Issue 53: Vulnerabilities in TwitterKit, JustDial, Voi e-scooters

This week, we take a look at how an out-of-date library compromised login to Twitter, how a simple parameter switch gave access to over 150 million JustDial user accounts, and how holes in API security can lead a business to give out uncontrolled freebies. In addition, there is an update on Google’s decision to change the access […]

Issue 52: NIST Zero Trust Architecture Guidelines

This week, the Kubernetes API server was found vulnerable to the Billion laughs attack, NIST has opened their Zero Trust Architecture guidelines for commenting, and the VS Code OpenAPI extension got an update with API Contract Security Audit built in. Vulnerabilities: Kubernetes. The Kubernetes API server is currently vulnerable to the so-called Billion laughs attack. This is the […]

Issue 51: Gartner releases full report on API security

This week, we ponder when an API vulnerability is a vulnerability, and check out Gartner’s new report and OWASP’s new API security project. Vulnerability: Cisco Webex and Zoom. Definitions of API vulnerabilities can vary: what someone considers a vulnerability may be by design to someone else. This is exactly the case with this week’s vulnerability. Cequence […]

Issue 50: Harbor API vulnerability, and the dangers of CRUD APIs

This week, we take a look at Harbor’s API vulnerability, the flawed architecture of CRUD-based apps, the effect of PSD2 on API security, and API security tooling. Vulnerability: Harbor. Harbor is a popular open source container registry. This week, researchers have found about 1,300 Harbor endpoints affected by an API vulnerability. The vulnerability is a classical case […]

Issue 48: Vulnerabilities at Verizon and GPS trackers, S3 bucket names leaking

This week, we look at the recent vulnerabilities at Verizon and in Shenzhen i365-Tech GPS trackers, leaking S3 bucket names, and Facebook cutting API access for some of its partners. Vulnerability: Verizon. Two million Verizon Wireless Pay Monthly contracts were found open for anyone to access. The researcher managed to get a valid cookie while browsing […]

Issue 47: Cisco and MuleSoft vulnerabilities, API World passes

This week, we look into the recent API vulnerability in Cisco routers, how MuleSoft handled a severe vulnerability in their API gateway, the API security aspects of communication PaaS, and passes for the upcoming API World conference in San Jose, CA. Vulnerabilities: Cisco. Cisco has implemented their REST API as a virtual service container for IOS XE. This […]

Issue 46: Cisco and Facebook patch APIs, Solr API parameter injection

This week, Cisco and Facebook have patched their APIs, a detailed report on Solr parameter injection is out, and GitHub continues their fight against API keys and tokens in public repositories. Vulnerabilities: Cisco. Cisco has released patches for several critical API security flaws in its Cisco Unified Computing System (UCS) software and Small Business 220 […]

Issue 45: Hacked dating apps and smartlocks, “Egregious 11” cloud security issues

This week, we take a look at the recent location API vulnerabilities in dating apps and smartlocks. In addition, we have an API security video from the RSA Conference in Singapore, and the survey results and API security recommendations from the Cloud Security Alliance. Vulnerability: dating apps. The BBC has run a story on the common API vulnerability pattern […]

Issue 44: ACS 2019 Agenda

This week, we look at API vulnerabilities in Kubernetes and 3Fun, the upcoming API Specification Conference, and slides from an EIC 2019 conference presentation. Vulnerabilities: Kubernetes. Kubernetes has fixed the API vulnerability CVE-2019-11247. This flaw allowed attackers to access, modify, or delete computing and storage resources configured across a Kubernetes cluster. The issue was with the authorization logic […]

Issue 42: HTTP Security Headers

This week, we look into a validation vulnerability in Cisco APIs, security best practices for HTTP headers and OAuth 2.0, and the effect of microservice architectures on API security. Vulnerabilities: Cisco. Cisco has fixed an API vulnerability in their Vision Dynamic Signage Director. The vulnerability stemmed from insufficient validation of incoming HTTP requests. An unauthenticated […]

Issue 41: Tinder and Axway API Vulnerability, Equifax fined

This week, we take a look into API vulnerabilities found in Tinder and Axway SecureTransport. In other news, the FTC and Equifax have reached a settlement related to the 2017 breach, and the slides for an API security talk have been posted. Vulnerability: Tinder. Sanskar Jethi has found that Tinder enforces their premium features (such as […]

Issue 40: Vulnerabilities in Instagram, 7-Eleven, Zipato

This week, we have a lot of high-profile API vulnerabilities, like Instagram, Zipato, and 7-Eleven. Also, 42Crunch has released a native API firewall for microservices in Kubernetes. Vulnerability: Instagram. Laxman Muthiyah got his $30K bug bounty for reporting this vulnerability to Instagram: he managed to use the Instagram API to take over an arbitrary account. The […]

Issue 38: Cracked smartlocks, X-Frame-Options, standards gaining adoption

This week, we have seen some major adoption milestones for the OpenAPI and DNS over HTTPS standards, and we discuss how to go about TLS pinning and the X-Frame-Options header, some not-so-smart locks, and the updated API security tooling from 42Crunch. Vulnerabilities: Ultraloq smartlocks. Ultraloq smartlocks come with a mobile app, and its APIs […]

Issue 37: Vulnerabilities with WebLogic and OnePlus, the Black Hat API workshop, and OAuth in action

This week, we look into the latest API vulnerabilities in Oracle WebLogic and OnePlus, the API security workshop at Black Hat, the API security tech landscape, and a new tool for OAuth and OpenID Connect debugging. Vulnerabilities: Oracle WebLogic. Oracle WebLogic has issued a critical API security patch. Just like with an earlier similar issue, the flaw […]

Issue 36: Vulnerabilities at TP-Link, Venmo, Amcrest, and GateHub

This week, we discuss API vulnerabilities in TP-Link Wi-Fi extenders, Amcrest cameras, the Venmo transaction feed, and the GateHub cryptocurrency wallet. We also take a look at the API security aspects of microservices architectures. Vulnerabilities: TP-Link Wi-Fi extenders. TP-Link Wi-Fi extenders are a popular way to get better Wi-Fi coverage in houses and other spaces. Unfortunately, […]

Issue 35: IDE support for OpenAPI

This week, we take a look at API vulnerabilities at NVIDIA and Supra, an OpenAPI extension for Visual Studio Code, and an upcoming API security webinar from NordicAPIs. Vulnerabilities: NVIDIA GeForce Experience. NVIDIA GeForce Experience (GFE) is a supplementary application that users install with other NVIDIA products to “capture and share videos, screenshots, and livestreams […]

Issue 33: First American leaks 885 million mortgage records

Vulnerability: First American. First American Financial Corp. was leaking 885 million mortgage deal records until it was notified by KrebsOnSecurity last week. The leaked records included highly sensitive information such as social security numbers (SSN), bank accounts, tax records, and wire details. Presumably, the company did not want to secure the documents in order to simplify access […]

Issue 32: WAFs missing API attacks for 86% of users

This week, we take a look at the latest vulnerabilities in an ASUS update service and Linksys routers. In addition, there is a recent report on WAF customer satisfaction, and a new podcast on API security. Vulnerabilities: ASUS WebStorage. We reported Dell’s Support Assist vulnerability a few issues ago — and now the ASUS update service got a similar […]

Issue 31: Samsung SmartThings repo token leaks, and Facebook fined for API vulnerability

This week, Samsung has leaked a token that provides full access to their SmartThings code repository, and Facebook fixed one API flaw but got fined for another. We also have a discussion of API security and DevOps, and look into a survey that Postman is running on the future of OpenAPI support. API keys. We have […]

Issue 30: 5G going to REST. Breaches in Dell, Cisco, WebLogic, DockerHub, JustDial, iLnkP2P

This week, there were a lot of API vulnerabilities, including: Dell; Cisco (a whopping three of them!); Oracle WebLogic; DockerHub; JustDial; and millions of IoT devices based on iLnkP2P. We also look into what implications 5G transitioning to REST and HTTPS brings to API security. Vulnerabilities and breaches: Dell. Probably the highest-profile issue of the […]

Issue 29: OAuth2 attacks, car GPS vulnerabilities, and honeypot stats

This week, we look into the latest API vulnerabilities in cars, Nagios, and Portainer, as well as different OAuth 2.0 attack scenarios, and the time it takes for attackers to find new API endpoints. Vulnerabilities and breaches. Some car owners install hardware GPS tracking devices in their vehicles. These are accessed and managed through mobile […]

Issue 27: MyCar vulnerability, serverless, IoT API security

This week, we had vulnerabilities in remote car control apps and GPS-enabled watches. We also take a look at the API security trends in microservices and serverless architectures, and consumer electronics. Vulnerabilities. MyCar is a remote control system that is installed in some cars under its own name or under a variety of brands, such […]

Issue 26: Verizon routers patched for API vulnerability

This week, Verizon has been patching their home routers, another GPS watch got breached, Shodan added an IoT monitoring service, and we take a look at API security best practices webinars and recommendations. Vulnerabilities. Verizon is urgently updating their Verizon Fios Quantum Gateway home routers. Researchers from Tenable found multiple security issues in the device’s API. […]

Issue 25: NIST microservices guidelines, Facebook opens up to pentesting

This week, NIST has released their microservice security guidelines, Facebook has removed some of their security for whitehat researchers, and we continue the discussion on how to store API secrets safely. Industry standards and best practices. The US National Institute of Standards and Technology (NIST) published their draft on “Security Strategies for Microservices-based Application Systems”. The document includes […]

Issue 23: Hacking ML, AWS Gateway Security, Gartner advice to CISO

This week, we had another mobile app leaking user data, and the first ever CEO resignation because of an API breach. There’s also: the best practices for AWS API Gateway security, Gartner’s advice to CISOs on cloud security, security implications of the OpenAPI Specification (OAS), and vulnerabilities in machine learning. Vulnerabilities. The mobile application 63red Safe had […]

Issue 22: SANS SWAT list, 42Crunch Platform launch

This week, we have seen vulnerabilities in 3 million car alarms, snowboard helmets, and virtual worlds. In other news, there is a new API security platform built around OpenAPI contracts. We also take a look at the SANS checklists and HTTPS/TLS tutorials. Vulnerabilities. This was a good week for PenTestPartners. They have uncovered a couple […]

Issue 21: Amazon Ring Doorbell camera hacked, open APIs coming to healthcare

This week, we got vulnerable APIs in Kubernetes, real estate services in Australia, and Amazon Ring cameras. We also take a look at upcoming healthcare API standards in the US and changes in attack trends between 2017 and 2018. Vulnerabilities. Kubernetes continues to have API vulnerabilities (see our earlier issues 9 and 13). This time, it […]

Issue 20: Drupal APIs hacked, EU releases IoT standards

This week, we look into vulnerabilities at Uber and Drupal, the best practices from the ICANN DNS security checklist, the upcoming European IoT security standards, and more vulnerability stats from 2018. Vulnerabilities. This is the worst API vulnerability of the year so far. Drupal’s RESTful Web Services (rest), JSON:API, and other web services modules allowed […]

Issue 19: Half of Amazon’s top-selling smart devices found vulnerable

This week, we look into the latest vulnerabilities, patches that TLS libraries require, and best practices for token management security. Vulnerabilities. You’d think casinos are at the forefront of security; after all, they handle money. Apparently, this is not always the case. Atrient’s digital rewards kiosks for casinos used public unencrypted APIs to communicate with the backend servers. […]

Issue 18: Tool for API security audit, Google limits Gmail API access

Vulnerabilities. We have reported on API vulnerabilities in kids’ smartwatches before. The watches remain vulnerable to API attacks, and the stories just keep pouring in: the European Union is recalling Enox Safe-Kid-One smartwatches because of vulnerable APIs. The APIs have no authentication or encryption, so attackers can access them, retrieve any information on them (like location), change […]

Issue 17: 83 percent of web traffic is API, and why query parameters are bad for secrets

This week, we are mostly discussing best practices and tools, such as the best methods to pass API keys and other sensitive data, the tools that attackers use to discover APIs, and why API security is never set-and-forget. Risks. Never put API keys or other sensitive information in URLs or query parameters. These are visible to browser […]

Issue 16: DHS DNS hijacking directive, plus 5 API security rules

Vulnerabilities. Another CPU DoS vulnerability in Go TLS (CVE-2019-6486) got fixed. This vulnerability impacts APIs implemented as Go microservices. The vulnerability enables attackers to exploit TLS handshakes, X.509 certificates, JWT tokens, ECDH shares, and ECDSA signatures. To fix the vulnerability, upgrade to Go version 1.11.5 or 1.10.8. Best Practices. DNS infrastructure is critical for web and […]

Issue 15: Fortnite hack, TLS MITM attacks, SQL injections for NoSQL

Vulnerabilities. A team from Check Point Research reported a serious vulnerability in the Fortnite authentication API: an old, unused subdomain had a misconfigured web application firewall (WAF) that relied only on blacklisting. Attackers could perform a SQL injection in the subdomain to plant their XSS script. Fortnite allowed login with Facebook and Google credentials using […]

Issue 14: Hacked hot tubs, airlines, trading sites; JSON encoding best practices

Vulnerabilities. Noam Rotem found a dangerous combination of vulnerabilities in the APIs of the Amadeus flight booking system and El Al airline: the Amadeus API allowed for brute force enumeration of booking identifiers, also known as passenger name records (PNR), and the El Al API provided both personal and booking details for any PNR. Once attackers knew the […]

Issue 13: Microsoft services and Chromecast hacks, the limitations of WAF

Vulnerabilities. Another OAuth hack, and another reason why using OAuth for authentication can be dangerous. Researchers at SafetyDetective found that Microsoft had 400 million users exposed. Outlook, Store, and other services allowed the wildcard *.office.com as a valid wreply URL for tokens from login.live.com. Attackers noticed that and managed to grab the success.office.com domain in Azure. Now, […]

Issue 12: Car APIs leaking location, breached security cameras, regulation that helps

Happy New Year to everyone! Here are a few stories that we have collected for you during the holidays. Vulnerabilities. We have previously covered NUUO security camera vulnerabilities; this time, critical API flaws have been reported in Guardzilla cameras. Bitdefender Labs reported multiple issues, including hardcoded credentials for cloud APIs, sequential IDs used for user-level […]

Understanding Golang TLS mutual authentication DoS – CVE-2018-16875

TL;DR: If your source code is written in Go and it uses one-way or mutual TLS authentication, you are vulnerable to CPU denial of service (DoS) attacks. The attacker can formulate inputs in a way that makes the verification algorithm in Go’s crypto/x509 standard library hog all available CPU resources as it tries to verify […]

Issue 10: Unprotected Docker and Ethereum APIs, McAfee 2019 forecast

Vulnerabilities. Another API vulnerability has been found in Google+ (we reported on the previous one in our first newsletter back in October). It turns out that an update that Google rolled out in November put user data at risk because permissions were not properly enforced. The API could provide access to user profile data even if the data was […]

Issue 9: Patch your Kubernetes and security cameras, check out the Node.js security guide

Vulnerabilities. If you are using Kubernetes, you should install a patch for it as soon as possible. There is a huge privilege escalation vulnerability that got fixed this week. The flaw allows attackers to contact the Kubernetes API server using a non-privileged account and then get high-privilege operations forwarded to backend services. Even worse, the calls are not showing […]

Issue 8: USPS API broken, APIdays, ETSI downgrades TLS

Vulnerabilities. The United States Postal Service (USPS) just fixed an API vulnerability. The vulnerability seems to have been a combination of: developers not expecting outsiders to bypass the web page and use the API directly; Insecure Direct Object Reference (IDOR), authenticating as one user and getting data of another user; and a leaky API where wildcards were not […]

Issue 7: OAuth attacks, vulnerabilities in drones and kids’ watches

Vulnerabilities. This is as ugly as it gets: MiSafes kids’ watches allow accessing very specific information on a child, such as photo, gender, age, height, and location, and even provide remote microphone access. API calls are not secured by TLS and are open to Insecure Direct Object Reference (IDOR), meaning that as long as you have […]

Issue 6: Steam API leaks keys, and why WAF does not help DevSecOps

Vulnerabilities. An API vulnerability was found in the license generation API of Valve’s Steam gaming service and marketplace. Anyone who had registered at their partner portal for developers could call their /partnercdkeys/assignkeys/ with unexpected parameter values (for example, a random string as a partner name and 0 as the request count) and get thousands of keys in the […]

Issue 5: Bad TLS client authentication, how not to use cURL, State of Software Security

Vulnerabilities. Do not use TLS client authentication unless you are already on TLS 1.3. With TLS 1.2 and earlier, when you use client authentication, the client certificate is transmitted in the clear, and it contains enough information to uniquely identify the user. Hundreds of thousands of projects use cURL and purposefully disable the verification of TLS host […]

Issue 4: Remini hacked, perils of free APIs, TLS explained, ATMs & SWIFT get APIs

Vulnerabilities. Remini, a mobile app that schools use to communicate with parents, had kids’ profiles, including pictures, email addresses, phone numbers, and milestones, accidentally publicly exposed through an API. No authentication was required, because developers assumed that only their mobile app knows that the API exists, and the account IDs used were sequential, so hackers could simply […]

Issue 3: TLS 1.3, securing JWT, US banks release a common API standard

Vulnerabilities. The Shopify vulnerability happened (and was fixed) back in May 2018. This week, Arif Khan goes into the details of the vulnerability and the lessons that we can learn from it for microservices and API security in general. In a nutshell, microservices themselves and the underlying cloud platform expand the attack surface. It is […]

Issue 2: California IoT security law, GoDaddy & AWS vulnerabilities

Vulnerabilities. GoDaddy’s 2-step authentication API was found to be vulnerable. The API lacks rate limiting and does not impose timeouts after failed second factor attempts. This opens the door for brute force attacks on the second factor. AWS Honeytokens, designed by Amazon to help security specialists attract attackers and detect attacks, turned out to actually be discoverable. […]

Issue 1: APIStrat, CORS, Samsung, Google, Facebook, GitLab, Apple

API Vulnerabilities. Samsung smart TV security flaw: the equipment would basically accept commands from any source, so someone knowing the device ID would be able to invoke various functions remotely. The API allowed hackers to “change TV channels, turn up the volume, play unwanted YouTube videos, or kick the TV off a WiFi connection”. Firmware update […]
