Issue 184: RCE in F5 BIG-IP suite, API security maturity, hardening GCP implementations

This week, we have news of a high severity remote code execution (RCE) vulnerability in the F5 BIG-IP security suite. We also feature an article from Curity on API security maturity, an article on hardening Google Cloud Platform implementations, and finally a threat matrix for GraphQL APIs. Vulnerability: RCE vulnerability in F5’s BIG-IP security suite […]

Issue 183: API vulnerability in VeryFitPro, exposed Docker APIs targeted by botnets, TruffleHog finds stored credentials

This week, we have two API vulnerabilities: the first in the VeryFitPro app allowed attackers access to a backend API, while in the other, the LemonDuck botnet attacked exposed Docker APIs. On a more positive side, we also have a new version of TruffleHog detecting stored API credentials, as well as views on how to securely […]

Issue 182: Drupal patches API vulnerability, Google Cloud on API security challenges, guide to OAuth2

This week, we have details of an API vulnerability in the Drupal platform, allowing an attacker to bypass access controls. We also feature views from Google Cloud on challenges to API security, a comprehensive guide to OAuth2, and finally a write-up on how GitHub deviates from the implementation guidelines for OAuth2. Vulnerability: Drupal patches […]

Webinar – Actively Monitor and Defend Your APIs with 42Crunch and the Azure Sentinel Platform

APIs are increasingly the number one attack vector for adversaries due to their growing abundance and ease of attack via automated scripts and tools. Most public APIs are under constant attack by skilled human adversaries and growing legions of bots. Well-designed, secure APIs are critical to mitigating the risk of attack, but it is essential […]

Issue 181: Vulnerability in Wavlink router, API exposing system passwords, views on internal APIs

This week, we have two API vulnerabilities: a command injection vulnerability in the control API of the Wavlink WL-WN531P3 router, and another one on the website of a security regulator in South Africa. In addition, we have views on the management of internal and external APIs, and how the new Lambda Function URLs on AWS […]

Issue 180: API vulnerability in Easy!Appointments platform, new APIs compromising security

This week, we have news of an API vulnerability in the scheduling platform Easy!Appointments allowing unauthorized access. We also have articles on whether the growth in APIs compromises security, how API traffic visibility is a key for API security, and some basic tips on locking down APIs to improve security. Vulnerability: API access control vulnerability […]

Issue 179: Spring4Shell zero-day, CRI-O container runtime vulnerability, and REST API security reference

This week, we have two new vulnerabilities: firstly, the big news in the Spring4Shell zero-day vulnerability in the Spring Framework coming hot on the heels of the recent Log4Shell vulnerability, and secondly, a vulnerability in the CRI-O container runtime that allowed host access to attackers. We also feature a guide to REST API security and […]

Issue 178: Six areas for Cloud-native security, API governance, DevOps for improved API security, locking down APIs

This week, we have articles covering six critical areas for cloud-native security in 2022, including of course API security. In addition, there’s a beginner’s guide to API governance, thoughts on how to improve API security by embracing DevOps, and views on three ways to lock down APIs. Article: Six critical areas for cloud-native security in […]

Issue 177: Vulnerabilities in Veeam product, RCE in Parse Server module, insecure API threat to mobile apps

This week, we have news of two critical vulnerabilities patched in the Veeam data backup solution, a remote code execution (RCE) vulnerability in the popular Parse Server API server module, views on how insecure APIs threaten mobile application security, and how attackers are increasingly focusing on APIs as the attack vector of choice. Vulnerability: Two […]

Issue 176: Case study of API vulnerabilities, Riverbed vulnerability, API abuse, JWT safety

This week, we have an excellent write-up on a case study of API vulnerabilities, an API vulnerability in Riverbed’s SteelCentral AppInternals software, an article on how even the most “perfect” APIs can be abused, and a guide on the safer handling of JSON web tokens (JWTs). Vulnerability: A case study of API vulnerabilities This week, […]

Issue 175: Vulnerabilities affecting Cisco platforms, GitLab instances, and campus access control

This week, we have three vulnerabilities: the first in the Cisco Expressway Series and TelePresence video communications service, another vulnerability in self-managed GitLab instances, and a bug affecting a campus access control system. On top of this, we also have views on privacy concerns for APIs. Vulnerability: Patches for critical issues in Cisco video communications […]

Webinar: How to Extend Protection of your Data from API to Mobile Application

APIs are mobile app developers’ best friends, as they help reduce development time and save costs. But the rapid deployment of mobile apps and the explosion in the development of new APIs present very real threats for most organizations. To defend your APIs, it is important to have a comprehensive approach to API security from […]

Issue 174: APIs increasingly used for account takeover, API hacking book, OAuth in Postman

This week, we have new research on APIs that reveals how they are increasingly used for account takeover, a look at a great new book on hacking APIs, an article on using Postman for OAuth 2.0 authorization code grants, and a guide on documenting APIs. Article: APIs increasingly used for account takeover New research covered […]

Issue 173: Coinbase vulnerability, AuthN/AuthZ best practices, bad bots, Elgato Key light hack

This week, we have news of the eye-opening vulnerability on the Coinbase platform which netted $250,000 in bug bounty. There’s also an excellent guide on best practices for authentication and authorization for REST APIs, an article on the growth of bad bots and how to mitigate against them, and a fun read from APIHandyman on […]

Issue 172: Argo CD vulnerability, state of API security survey, API testing with Zap and Postman

This week, we have news of a vulnerability in Argo CD that allowed leaking application secrets, a survey of the state of API security across three regions, a quick read on how to use Postman and OWASP Zap for API security testing, and finally views on how to distribute authorization services in a microservice architecture. […]

Issue 171: DPD parcel tracking flaw, Apache Pulsar and Casdoor vulnerabilities, trends in API industry

This week, we have news of multiple API flaws and vulnerabilities: the parcel tracking portal at DPD that may have exposed customer data; an API vulnerability in Apache Pulsar that allowed access to data in different tenants; and an SQL injection vulnerability in the Casdoor API. On the more positive side, we take a look at […]

Issue 170: DevSecOps approach to API security, F5 vulnerabilities, ten API integration trends

This week, we have an article on applying a DevSecOps approach to API security, by utilizing a shift-left and protect-and-monitor-right approach; a pair of vulnerabilities patched by F5; views on the top 10 API integration trends by Brenton House; and finally, a view on the rise of bot attacks against APIs. Article: […]

Issue 169: Insecure API in WordPress plugin, Tesla 3rd party vulnerability, introducing vAPI

This week, we have details of a vulnerability in the popular WordPress plugin, WP HTML Mail, which potentially exposed 20,000 WordPress sites, and a vulnerability in TeslaMate software exposing dozens of Teslas to remote access. In more positive news, we have an introduction to vAPI, an open-source laboratory for learning API security, and an article […]

OWASP API Security Top 10 Challenges – Webinar Series

In this 3-part webinar series, Dr. Philippe De Ryck, Web Security Expert with Pragmatic Web Security, and Colin Domoney of 42Crunch and APISecurity.io take a deep dive into understanding and addressing the OWASP API Security Top 10 issues. Through detailed practical examples and use cases, they guide developers and security professionals through how to fix […]

Issue 168: Safari 15 IndexedDB API vulnerability, a pair of AWS vulnerabilities, and an API security podcast

This week, we have news of a vulnerability in the IndexedDB API in Safari 15 that exposed user information, a pair of vulnerabilities in AWS affecting AWS Glue and AWS CloudFormation, and a podcast featuring Rinki Sethi and Alissa Knight discussing API security. Last week, we featured an “awesome API security” guide from a 3rd-party […]

Issue 167: Uber bug allows spoof emails, partner-facing APIs on the rise, omnichannel APIs increase risk

This week, we have a long-standing vulnerability on a public-facing internal API on Uber, which allowed attackers to spoof emails. In addition, there’s an article by NordicAPIs on the RapidAPI report into the rise of partner-facing APIs, IBM’s views on the API security risk posed by the growth in omnichannel APIs, and finally (another) awesome […]

Issue 166: Securing large API ecosystems, creating OpenAPI from HTTP traffic, Frankenstein APIs, and API proliferation

This week, we have a comprehensive article on approaches to securing large API ecosystems, an interesting read on how to create OpenAPI definitions from HTTP traffic, how “Frankenstein APIs” are exposing businesses to additional risk, and why the continued API proliferation presents security challenges to organizations. Article: Securing large API ecosystems First up this week […]

Issue 165: Vulnerability in All in One WordPress plugin, why to treat all APIs as public, a beginner’s guide to API security

This week, we have news of another high severity vulnerability in a WordPress plugin, this time the popular All in One, allowing compromise via the core REST API. We also have views from @apihandyman on why to treat all APIs as public ones, a comprehensive beginner’s guide to API security, and finally an optimistic view […]

Issue 164: Log4Shell vulnerability, API sprawl an increasing threat, API security design best practices, Zero Trust for APIs

This week, we have news on the Log4Shell vulnerability affecting applications and infrastructure using the ubiquitous Log4j library. In addition, there’s an article on how API sprawl is becoming a threat to the digital economy, a guide on API security design best practices, and views on the benefits of a zero trust approach for API security. […]

Issue 162: Compromised Google Cloud accounts, GraphQL as API gateway, API security guide and training

This week, we have details of compromised Google Cloud accounts being used to mine cryptocurrency (mainly through weak or no passwords on API connections), an article on how GraphQL can be used as an API gateway (including security controls), a very comprehensive guide to all things relating to API security, and a new API […]

Issue 161: Vulnerability in Wipro Holmes Orchestrator, report into vulnerabilities in FinTech and banking apps

This week, we have details of a vulnerability in the AI platform Wipro Holmes Orchestrator, allowing the download of arbitrary files via path manipulation. There’s also a new report from researcher Alissa Knight on vulnerabilities in banking, cryptocurrency exchange, and FinTech APIs; an article on the impact of a shift-left approach for API security; and […]

Issue 160: Vulnerability in AWS API gateway, Kubernetes API access hardening guide

This week, we have a vulnerability in the AWS API gateway that allows a potential cache-poisoning attack, disclosed at the recent BlackHat Europe conference, a guide on how to harden Kubernetes API access, a report from Forbes on the need to take API security more seriously, and predictions on what’s possibly on the next OWASP […]

Issue 159: Vulnerability in GoCD CI/CD platform, views on full lifecycle API security, articles on API security and sprawl

This week, we have news of a high criticality vulnerability on GoCD, a common open-source CI/CD system, allowing attackers to hijack secrets of downstream supply chains. There is also an excellent article on the journey of Raiffeisen Bank International toward full lifecycle API security, another article on how API security is hindering application delivery, and […]

Issue 158: Data of 400 000 students exposed, 1 million sites affected by plugin vulnerabilities, views on GraphQL

This week, we have news on a breach affecting 400 000 users of a popular German school app, and another vulnerability in a popular WordPress plugin. In addition, there’s a thought-provoking opinion piece on the value of GraphQL on public interfaces, and an article featuring nine useful API testing tools. Breach: Sensitive data of 400 […]

Issue 157: Unsafe defaults in Prometheus, mapping API attack surfaces, OpenAPI file trend analysis

This week, we have details of a potential vulnerability in existing Prometheus installations with no endpoint security enabled, details of a new tool to assist organizations in mapping their API attack surface, a report on the analysis of publicly available OpenAPI definition files, and news on upcoming API security awareness and training […]

Issue 156: FHIR APIs vulnerable to abuse, 3D printers facing hijacking risk, API security webinar

This week, we have a vulnerability report from Alissa Knight on Fast Healthcare Interoperability and Resources (FHIR) APIs being potentially vulnerable to abuse, and more details on how the breach at MakerBot’s Thingiverse 3D printing repository website could lead to hijacking users’ 3D printers. In addition, there’s an article summing up the increasing numbers of […]

Issue 155: Vulnerability in BrewDog mobile app, APIClarity at KubeCon, API attacks in Open Banking

This week, we have a vulnerability in the BrewDog mobile app exposing users’ PII courtesy of hard-coded bearer tokens, Cisco’s announcement of APIClarity at KubeCon 2021, a report from F5 on API attacks in Open Banking, and finally, a mega-guide on API security best practices. Vulnerability: Hard-coded API bearer […]

Issue 154: Views on APIs and security, report into API misconfiguration, detecting malicious API activity

This week, we have a viewpoint on what security officers can do to address API security. There’s also a report from IBM revealing that two-thirds of cloud breaches are due to misconfigured APIs, the best practices for detecting malicious activity on API endpoints, and a description of common attack vectors on GraphQL implementations. Correction: In […]

Issue 153: Rapid proliferation of APIs, WordPress API vulnerability, false-negative API scanning

This week, we have an article on how API proliferation is opening up security holes, and another vulnerability in the WordPress REST API, again through a third-party plugin. In addition, we look into the importance of false-negative API vulnerability scanning, and API protection as a key element of a cloud security strategy. Article: Rapid proliferation of […]

Issue 152: Exposed API keys and tokens, SAST/DAST for API security testing, the value of API specifications

This week, we have a breach involving exposed API keys for payment integration, leaked API tokens on Travis CI, the shortcomings of static and dynamic application security testing (SAST/DAST) for API security, and the value that API specification frameworks bring. Breach: Exposed payment integration API keys The big news story this week was the leakage […]

Issue 151: WordPress 5.8.1 security patch, API botnet attacks report, articles on API tokens and API discovery

This week, we have details on the security patch in WordPress 5.8.1 fixing an issue on the REST API, a report on the rise of botnet attacks on APIs, an article on everything you need to know about API tokens, and thoughts on API discovery. Vulnerability: Security patch to REST API in WordPress 5.8.1 Last […]

Issue 150: Vulnerability in Fortress home security system, API fuzzing techniques, hardening GraphQL implementations, and central governance for APIs

This week, we have recent vulnerabilities in the Fortress home security system that allowed an attacker to remotely disable the system, a guide on API fuzzing techniques and tools, best practice for hardening GraphQL implementations, and views on central governance for APIs. Vulnerability: Fortress home security vulnerability allows remote disarming This week, Rapid7 disclosed two […]

Issue 149: Vulnerabilities on Cisco routers and Bumble, adopting Zero Trust for APIs, a hacker’s view on API security challenges

This week, we have vulnerabilities on Cisco routers allowing device takeover, a vulnerability on the Bumble app disclosing users’ location, a view on adopting Zero Trust for APIs, and a hacker’s view on API security challenges. Vulnerability: Cisco releases critical patches Cisco Systems has released a total of six security patches for API vulnerabilities this […]

Issue 148: Microsoft Power Apps breach, BOLA on Topcoder portal, RFC 9101 released, API hacking guide

This week, we have Microsoft Power Apps demonstrating the dangers of lax default settings for data exposure, yet another Broken Object Level Authorization (BOLA/IDOR) vulnerability on the Topcoder portal, the newly released RFC 9101, and a guide to hacking APIs. Breach: Microsoft Power Apps records leaked via OData API The big news this week is […]

Issue 147: Vulnerabilities in SEOPress plugin and Steam portal, results from an application security survey

This week, we have the recent API vulnerabilities in the SEOPress WordPress plugin and the Valve Software Steam portal, the results from a Dark Reading survey into application security, and details of the upcoming OpenAPI Initiative’s (OAI) API Specifications Conference. Vulnerability: XSS and REST API vulnerability in SEOPress On July 29, 2021, the Wordfence Threat […]

Issue 146: Facebook API leaking private group membership, JWT Attacker plugin for Burp

This week, we have the recent API fix involving group membership at Facebook, a case study of a BOLA vulnerability leaking users’ credit coupons, a handy add-on for Burp Suite, plus an interview with a security expert on API security. Vulnerability: Facebook Facebook API was leaking information on users’ memberships in private groups. Muhammad Sholikhin […]

Issue 145: APIs and electric car charging stations, The Nuts and Bolts of OAuth 2.0

This week, we take a look at the recently discovered (and fixed) API vulnerabilities in electric car charging stations, a Udemy course on OAuth 2.0, the recently released Gartner Hype Cycle on APIs, and how APIs in microservices architectures can be exploited if they construct backend calls without properly validating inputs. Vulnerability: Electric vehicle charging […]

Issue 144: JustDial API vulnerability re-emerges, API key checker, the state of OAuth

This week, JustDial has had to re-fix an old API vulnerability that they already fixed in 2019. We also have a set of scripts for automated API key validation, and two videos from recent conferences on the OAuth roadmap and GraphQL security. Vulnerability: JustDial JustDial had a regression as they accidentally reintroduced the API vulnerability […]

Issue 143: GraphQL API leaking credit cards, SQLi in JWT, XML attacks mind map

This week, we have a detailed write-up on finding credit card numbers leaking from a GraphQL API, a lab walkthrough on hacking JSON web tokens (JWT) through SQL injection, and HackerOne’s new Capture The Flag (CTF) API Security challenge. On the resource side, we have another good mind map, this time on XML attack vectors […]

Issue 142: API vulnerabilities in Coursera and Huawei, GraphQL rate limiting and discovery

This week, we take a look at the recently reported API vulnerabilities at Coursera and in one of the Huawei home gateways. We also learn about rate-limiting for GraphQL APIs and GraphQL discovery using its autocorrect feature. Vulnerability: Coursera Coursera has fixed a number of API vulnerabilities reported by David Sopas, Paulo Silva, Ricardo Gonçalves, […]

Issue 141: API vulnerabilities in VeryFitPro and Gettr, AWS Lambda authorizers, AsyncAPI 2.1

This week, we take a look at insecure API traffic in the VeryFitPro Android app, how APIs were used to scrape user profile data from Gettr, and some potential API vulnerabilities affecting users of AWS API Gateway and Lambda authorizers. In addition, there is also the latest update to the AsyncAPI standard. Vulnerability: VeryFitPro Researchers from […]

Issue 140: API vulnerabilities at LazyPay, Western Digital, and LinkedIn; IDOR mindmap

This week, we take a look at the recent API vulnerabilities reported at LazyPay, API attacks on Western Digital My Book Live NAS systems, and LinkedIn profiles getting scraped. We also have a new detailed mind map for broken object-level authorization (BOLA/IDOR) vulnerabilities. Vulnerability: LazyPay LazyPay is a pay-later platform that has over 2 million […]

Issue 139: API vulnerabilities at Apple, Amazon, and 1Sambayan, upcoming Gartner webinar

This week, we take a look at the recent API vulnerabilities at Apple, Amazon, and the volunteer coordination app of the Philippine opposition coalition, and there is an upcoming API security webinar by Gartner. Vulnerability: Apple iCloud account takeover Laxman Muthiyah was able to demonstrate how he could brute-force his way into taking over someone […]

Issue 138: Vulnerabilities in Microsoft Teams and Instagram

This week, we check out the recent vulnerabilities in Microsoft Teams and Instagram, the awesome-apisecurity repo in GitHub, and the upcoming DevSecCon24 conference. Vulnerability: Microsoft Teams Evan Grant found a way to break into Microsoft Teams accounts by leveraging Microsoft Power Apps. Microsoft Power Apps and Power Automate services are meant to provide easy tools […]

Issue 137: Vulnerabilities in VMware vCenter and Apache Pulsar, GraphQL and CSRF attacks

This week, we take a look at the recent API vulnerabilities in VMware vCenter and Apache Pulsar, how GraphQL implementations may be vulnerable to cross-site request forgery (CSRF) attacks, an upcoming webinar on API Security and Postman, a DZone webinar with this newsletter’s author next week, and a video on how the API security vendor […]

Issue 136: OAuth 2.0 security checklist and pentesting

This week, we check out how API attacks can be used to squash political dissent, a handy OAuth 2.0 security checklist as well as some common OAuth vulnerabilities and the ways to detect and mitigate them, and a case study of API penetration testing. Vulnerability: Russian opposition email list breach Companies typically avoid providing details […]

Issue 135: Millions stolen from cryptoexchanges through APIs

This week, we take a look at how cybercriminals exploit leaked API keys to steal millions of dollars from cryptoexchanges. In addition, we also have the recent API vulnerabilities in Rocket.Chat, the upcoming change in Let’s Encrypt root certificate and its impact on APIs, and another video on common GraphQL API vulnerabilities. Vulnerability: API keys […]

Issue 134: API vulnerabilities at Echelon, Instagram, Facebook Workspace

This week, we have three API vulnerabilities: in Echelon sports equipment, Instagram, and Facebook Workspace, as well as an interview with Forrester’s key API security expert, Sandy Carielli. Vulnerability: Echelon In our previous newsletter, we discussed API vulnerabilities at Peloton. This week, the same researcher, Jan Masters from Pen Test Partners, has published his research […]

Issue 133: Vulnerable Peloton APIs, API contract generation for .NET

This week, we take a look at the API vulnerabilities discovered at Peloton, how India is locking down the APIs for their COVID vaccination portal, how API contracts can be generated from .NET code, and what API security sessions the upcoming RSA Conference (RSAC) offers. Vulnerability: Peloton Peloton is a producer of popular treadmills and […]

Issue 132: Experian API leak, breaches at DigitalOcean and Geico, Burp plugins, vAPI lab

This week, we take a look at the recent API vulnerabilities at Experian, Facebook, and possibly DigitalOcean and Geico. There is also a review of Burp plugins for API vulnerability discovery, and a new API security penetration testing lab. Vulnerability: Experian Bill Demirkapi found an unprotected Experian API that returned a credit score based simply […]

Issue 131: API vulnerabilities at John Deere, Springfox, JWT lab, AutoGraphQL

This week, we check out the recent API vulnerability in John Deere farming machinery, the best practices in using Springfox annotations for API security, a new JWT penetration testing lab, and AutoGraphQL, a tool for GraphQL authorization testing. Vulnerability: John Deere John Deere is one of the leading manufacturers of expensive farming equipment, such […]

Issue 129: Facebook and Clubhouse profiles scraped through APIs, Forrester’s “State of Application Security, 2021”

This week, we obviously have to discuss the hundreds of millions of Facebook and Clubhouse user profiles that were scraped using APIs. In other news, Forrester has published their fresh and insightful report “The State of Application Security”, and there’s a new online training “Building an Identity Architecture for APIs”. Data leak: Facebook The biggest […]

Issue 128: API flaws at VMware and GitLab, URL parameters and SSRF, webinar on recent breaches

This week, we check out the recent API vulnerabilities at VMware and GitLab, how URL parameters can lead to server-side request forgery (SSRF) vulnerabilities, and the upcoming webinar on some of the recent real-life API security flaws. Vulnerability: VMware vRealize Operations API VMware has just patched two critical security issues in their vRealize Operations API. […]

Issue 127: Hidden OAuth attack vectors, Methodology for BOLA/IDOR

This week, we look at an API vulnerability in Micro Focus Operation Bridge Reporter, new research on 3 hidden attack vectors in OAuth and OpenID Connect, a methodology for finding BOLA/IDOR, and research on OpenAPI adoption in the banking sector. Vulnerability: Micro Focus Operation Bridge Reporter Even authentication APIs may lead to direct remote code […]

Issue 126: F5 iControl REST API under attack, Regexploit, Ford’s API security talk recording

This week, we check out the recent API vulnerabilities at F5 and Facebook, there’s a new tool to locate regular expressions vulnerable to Denial-of-Service (DoS) attacks, and we have the recording of Ford’s recent talk on their API security policies and lessons learned. Vulnerability: F5 iControl REST API This one appears to be the most […]

Issue 125: iPhone call recorder API flaw, Burp and OpenAPI, GraphQL pentesting, FAPI

This week, we look at an API vulnerability in a popular call recorder app, newly added OpenAPI support in Burp, a GraphQL pentesting lab, and the just-released Financial-grade API (FAPI) standard. Vulnerability: iPhone Automatic call recorder Anand Prakash found an API vulnerability in one of the most popular call recording apps for iPhone – Automatic […]

Issue 124: API vulnerabilities at Microsoft and Truecaller Guardians, Pentester labs, API security at Ford Motors

This week, we take a look at the recent API vulnerabilities reported at Microsoft and Truecaller Guardians, the new penetration testing labs for API security, and an upcoming webinar on the API security process at Ford Motors. Vulnerability: Microsoft online accounts API endpoints for resetting account passwords are a frequent attack vector. Attackers brute-force these […]

Issue 123: API vulnerabilities in VMware vCenter and Facebook, mismatch between JSON parsers, API security fixes in VS Code

This week, we learn about the recent serious API vulnerability in VMware vCenter (if you have one, update ASAP!), why query and path parameters cannot be trusted for confidential data, how potential attacks can emerge from inconsistencies in JSON parser behavior, and how a VS Code extension can help fix API vulnerabilities. Vulnerability: VMware vCenter […]

Issue 122: API issues at Clubhouse and healthcare apps, scope-based recon, OAS v3.1.0

This week, we take a look at the recent data spill incident at Clubhouse, the (poor) state of API security in major healthcare mobile applications, how scope-based reconnaissance methodology works, and the latest update (v3.1.0) to the OpenAPI Specification. Vulnerability: Clubhouse Clubhouse is an audio-only social network app for iPhone. Last Sunday, it had a […]

Issue 121: Vulnerability at chess.com, GraphQL security playground and checklist

This week, we take a look at the recent API vulnerability at chess.com, resources for GraphQL API security, and some API security advice from Michael Cobb at TechTarget. Vulnerability: chess.com Sam Curry found an API vulnerability that allowed arbitrary account takeover in chess.com, a popular online chess community and app. Community members can exchange messages, […]

Issue 120: Video doorbells security flaws, intro to JWT attacks, security zines

This week, we take a look at the security issues in cheap video doorbells and security cameras, as well as tutorials and webinars on protecting APIs running in Kubernetes, JSON web tokens (JWT), and web and API authentication and authorization. Oh, and we also have a link to DZone community awards where you can vote […]

Issue 119: NoxPlayer supply-chain attack through a hacked API

This week, we take a look at the recently discovered API attack in NoxPlayer, the latest annual “State of Web Application Security” report by Radware, a detailed step-by-step pentesting tutorial, and a recording of a session on API security and Azure API management from AppSec Israel. Vulnerability: NoxPlayer [UPDATE] We have been contacted by a […]

Issue 118: Spring Framework ALPS, OAuth 2.0 attack mindmap, securing JWTs

This week, we check out a potential exposure of APIs developed with Spring Framework and OAuth 2.0 attack classification. There’s also a recording of a recent JSON web token (JWT) security webinar and an upcoming API security fireside chat at the Postman Galaxy event next week. Vulnerability: Spring Framework Application-Level Profile Semantics Frameworks make developer […]

Issue 117: Vulnerabilities in YouTube and Ring Neighbors app, OAuth Mix-Up attacks, Tamper Dev

This week, we look into some recent API vulnerability reports on YouTube and Amazon’s Ring Neighbors app, there is a new proposed addition to the OAuth standard, and Google has developed an API proxy extension for Chrome. Vulnerability: YouTube David Schütz found a clever way to get (limited) access to private YouTube videos via a […]

Issue 116: Facebook and Parler API vulnerabilities, clairvoyance

This week, we check out the recent API vulnerabilities at Facebook and Parler, there is a new GraphQL discovery tool called clairvoyance, and we have API security advice from Corey Ball. Vulnerability: Facebook Pouya Darabi found an API vulnerability in Facebook that allowed him to create posts on other users’ pages. The posts were not […]

Issue 115: Vulnerabilities in SolarWinds, Ledger, Outlook. New plugin for JetBrains IDEs

Happy New Year 2021! This week, we revisit the API aspects of the SolarWinds breach and check out how APIs featured in the recent Ledger breach. There is also an API vulnerability found in Microsoft’s Office 365 Outlook and a new API development and security plugin for JetBrains IDEs. Vulnerability: SolarWinds The now-infamous SolarWinds breach […]

Issue 114: SolarWinds and PickPoint breaches, GitHub Code Scanning review, GraphQL security

This week, we check out the API aspects of the recent SolarWinds and PickPoint breaches. Also, we have a review on how to shift API security left with GitHub and 42Crunch and an introduction video on GraphQL security. Breach: SolarWinds The SolarWinds hacking reported this weekend was not API-related as such. It was a supply […]

Issue 113: API vulnerabilities at YouTube and 1Password, OIDC security, Assetnote Wordlists

This week, we take a look at the recent API vulnerabilities reported at YouTube and 1Password, a detailed OpenID Connect (OIDC) security research, and how Assetnote Wordlists can be used in API discovery. Vulnerability: YouTube Ryan Kovatch was testing YouTube Video Builder beta when he discovered API flaws in YouTube APIs that it uses. When […]

Issue 112: Vulnerability in Paginator, Microsoft RESTLer, talks on API authentication and JWT security

This week, we have the recently reported API vulnerability in Duffel’s Paginator, a new API fuzzer from Microsoft Research, an upcoming JWT security webinar, and a recorded talk on approaches to API authentication. Vulnerability: Paginator Peter Stöckli from Alphabot Security has posted a write-up on the API vulnerability he found in Duffel’s Paginator (CVE-2020-15150). Duffel […]

Issue 111: API vulnerabilities in AWS, Tesla Backup Gateway, Twitter

Happy Thanksgiving to all of our readers in the US! This week, we take a look at the recent API security issues with Resource-Based Policy APIs at Amazon Web Services (AWS), Backup Gateway APIs at Tesla, and in Twitter Fleets. In addition, we have some free passes to the upcoming DeveloperWeek New York that includes […]

Issue 110: API flaws in Bumble and COVID-KAYA, Forrester on API security, ASC 2020 talks

This week, we check out API vulnerabilities in the dating app Bumble and COVID-KAYA, an app for front-line healthcare workers in the Philippines. There’s also a new Forrester report and an upcoming webinar on API security, as well as a couple of recordings of API security talks from the recent API Specification Conference (ASC). Vulnerability: […]

Issue 109: API token best practices, Dredd, IDOR hunting tips

This week, another API has been leaking voter data in the US, we take a look at Dynatrace’s API token best practices as well as Dredd, an open-source OpenAPI verification tool, and there is a video with tips on locating broken object-level authorization vulnerabilities in APIs. Vulnerability: Trump campaign’s post-election site Although the campaigns are […]

Issue 108: API vulnerabilities in Thrillophilia and GitLab

This week, we have the recent API vulnerabilities in Thrillophilia and GitLab, there is a new free online course on OpenID Connect, and OpenAPI support has been recently added in Cloudflare. Vulnerability: Thrillophilia Thrillophilia is an Indian online platform for discovering and booking travel experiences and tours. Ehraz Ahmed found that Thrillophilia exposed about 2 […]

Issue 107: Vulnerabilities in Waze, AWS, and NHS COVID-19 app, Forrester App Sec Tech Tide

This week, we check out three API vulnerability reports for Waze, Amazon Web Services (AWS), and the UK NHS COVID-19 app. In addition, the new Forrester study of the technologies constituting application security as of Q4 2020 has been published. Vulnerability: Waze Remember the fun “other cars” icons that Waze, Google’s social GPS navigation app […]

Issue 106: API flaws at GitLab and Grindr, APICheck, API World and apidays conferences next week

This week, we have the recent API vulnerabilities at GitLab and Grindr, the APICheck tool gets donated to OWASP, there’s a summary on the basics of API authentication options, and complimentary registration links for the online conferences API World and apidays London next week. Vulnerability: GitLab Riccardo Padovani found an API vulnerability in GitLab related […]

Issue 105: API vulnerabilities in HashiCorp, Azure App Services, and Qiui adult devices

This week, we take a look at API vulnerabilities in HashiCorp Vault, Azure App Services, and “smart” adult toys. There is also an introductory video on finding information disclosure in JSON and XML API responses, and another cheat sheet and a webinar on OWASP API Security Top 10. Vulnerability: HashiCorp Vault Felix Wilhelm from Google’s […]

Issue 104: API vulnerabilities at Twitter and Grandstream, mTLS in AWS API Gateway, Application Security Podcast

This week, we check out the recent API-related vulnerabilities at Twitter and Grandstream Networks, the newly added support for mutual TLS (mTLS) in AWS API Gateway, and the API security episode in the Application Security Podcast. Vulnerability: Twitter A misconfiguration in the Twitter developer portal caused browsers to cache API keys, account access tokens, and […]

Issue 103: API vulnerabilities at Cisco, Shopify, BrandBQ, a security guide to CORS

This week, we check out three recent API vulnerabilities or breaches and what we know about them, and take a deep dive into cross-origin resource sharing (CORS). Vulnerability: Cisco Cisco has released critical security updates to IOS XE Software run by many of its devices. Two of the issues they have fixed are critical API […]

Issue 102: Vulnerabilities in Facebook and campaign apps, creating defensible APIs

This week, we look into the recent API vulnerabilities at Facebook and the campaign apps for the US presidential election, a new book on the OpenAPI Specification (OAS), and a guest post by API security trainer Mohammed Aldoub on how to build APIs that are easy to defend against attackers. Vulnerability: Facebook Marcos Ferreira found a […]

Issue 101: Vulnerabilities in Giggle, Google Cloud Platform, SonicWall, New Relic, Tesla

After the special 100th edition last week, which was all about API security advice from the industry’s thought leaders, this week we are back to our regular API security news, and we have twice the number of them, from the past two weeks. Vulnerability: Giggle Giggle is a women-only social network and mobile app. It […]

Issue 100: API Security advice from top industry experts

Today is a special day for our newsletter – our centennial issue and the number of email subscribers crossing the 5,000 mark (and in addition to that we have about 1300 followers on Twitter and a similar number of members of the API Security LinkedIn group). This has definitely grown significantly bigger than the original […]

Issue 99: API flaws in the Mercedes-Benz app and Russian inter-bank money transfer

This week, we check out the API vulnerabilities in the Mercedes-Benz connected cars and the Russian inter-bank money transfer system. We also have the upcoming ASC 2020 conference next week, as well as a recording of an IIoT Cybersecurity panel discussion from the recent IIoT World event. Vulnerability: Mercedes-Benz car control The conference Black Hat USA […]

Issue 97: Gym apps & home automation vulnerabilities, how to not leak API keys

This week, we check out the recent API vulnerabilities in the gym management platform Fizikal and the HDL smart home automation. We also have a great detailed write-up on the recent HacktivityCon 2020 Capture the Flag challenge, and a DEF CON talk on leaking API keys. Vulnerability: Fizikal Apps use platforms to get to the […]

Issue 96: Vulnerabilities at Cisco and MGM Grand Resort, tutorial on Chrome DevTools and pentesting with GraphQL

This week, we take a look at the recent vulnerability in Cisco Data Center Network Manager, as well as the API aspect of the data breach at MGM Grand Resort. Plus, we have a couple of tutorials: one on using Chrome Developer Tools to discover API paths, and an introductory one on GraphQL APIs and […]

Issue 95: Vulnerabilities at Zoom and OkCupid, progress on OAuth 2.1, API Information Disclosure tutorial

This week, we have recent vulnerabilities in Zoom and OkCupid, progress on the draft for OAuth 2.1, and a video tutorial on discovering leaky APIs. Vulnerability: Zoom Zoom has become the household name of the times, with plenty of face-to-face activities moving online. While this helps to keep the bugs of the living kind […]

Issue 94: Two-day API security training at Black Hat USA

This week, we have a potential username exposure in WordPress APIs, an upcoming API security training at the Black Hat USA 2020 conference, and some industry statistics on the poor security performance of web application firewalls (WAFs) and the importance of API security. Vulnerability: WordPress If you use WordPress, check if the REST API endpoint […]

Issue 93: API authentication flaw in Chingari, a guide to OAuth Authorization Code grant

This week, we have a report of a vulnerability in Google Sign In in a popular Indian video-sharing app, a new guide on typical OAuth implementation flaws, a tool for importing OpenAPI definitions into Burp, and a virtual training on API security. Vulnerability: Chingari Chingari is a popular Indian video-sharing app. With the latest steps […]

Issue 91: Homograph OAuth bypass, common JWT mistakes, ReDos attacks

This week, we check out the recent OAuth bypass at SEMrush, common JWT implementation mistakes and the Semgrep tool, regular expression denial of service (DoS) attacks, and a new online course on OAuth2 and OpenID Connect. Vulnerability: SEMrush OAuth2 implementation can be tricky. SEMrush has fixed an OAuth redirect_uri bypass reported by Yassine Aboukir. The problem […]

Issue 89: Starbucks API flaw exposes almost 100 million customer accounts

This week, we have the recent API vulnerabilities at Starbucks and in Drupal, a set of open-source tools by the Spanish bank Banco Bilbao Vizcaya Argentaria (BBVA), and extensions to Microsoft platform for integrating API security throughout it all. Vulnerability: Starbucks Sam Curry found an API vulnerability at Starbucks that exposed almost 100 million customer […]

Issue 87: Vulnerabilities in Digilocker, Facebook, VMware Cloud Director

This week, we take a look at the recent API vulnerabilities in Digilocker, Facebook, and VMware Cloud Director. On top of that trio, there is also a new instructive video on REST API pentesting. Vulnerability: Digilocker A critical API vulnerability in India’s digital wallet system, Digilocker, exposed personal documents of more than 38 million citizens. […]

Issue 86: Vulnerabilities in Sign in with Apple, Qatar’s COVID19 app, GitLab

This week, we have three API vulnerabilities: in Apple’s Sign in with Apple authentication endpoint, in Qatar’s COVID-19 tracking app, and in GitLab’s Repository Files API. In addition, there’s also a new Burp plugin that automatically handles authentication tokens in API calls. Vulnerability: Sign in with Apple Sign in with Apple is an OAuth-like social logon system from […]

Issue 85: Vulnerability in Google Cloud Deployment Manager, a pentester’s guide to OAuth

This week, we check out the recently fixed vulnerability in Google Cloud Deployment Manager, and how to penetration test OAuth 2.0. On a higher level, we have Gartner’s classification of API security technology, and a recording of a panel discussion on API security. Vulnerability: Google Cloud Deployment Manager Google Cloud Deployment Manager is an infrastructure […]

Issue 84: Unprotected APIs at Google Firebase, leaky Arkansas PUA portal

This week, we take a look at how thousands of Android apps inadvertently exposed Google Firebase APIs, and how the Arkansas Pandemic Unemployment Assistance (PUA) portal was leaking sensitive personal data. We also have a new pentesting tool for identifying data transformations used in APIs and apps, and a case study of four recent high-profile API […]

Issue 83: India’s COVID-19 tracing app, OAuth2 API attacks

This week, we check out an API vulnerability in India’s coronavirus tracing app, a couple of write-ups on OAuth2 API attacks, and a recording of a talk on REST API penetration testing. Vulnerability: India’s coronavirus tracing app Elliot Alderson discovered API flaws in India’s COVID-19 tracking app, Aarogya Setu. In certain regions, the app is […]

Issue 82: Most common GraphQL vulnerabilities, pentesting with Insomnia

This week, we check out GraphQL security, penetration testing with Insomnia and Burp, cheat sheets for OAuth2 and JWT, and what consequences the growth of API economy is posing for cyber security. Opinion: The 5 most common vulnerabilities in GraphQL Although the adoption of GraphQL is still fairly limited, it is undeniably on the rise. […]

Issue 80: API vulnerabilities IBM Data Risk Manager and Cisco Unified Computing System

This week, API vulnerabilities have been reported in IBM and Cisco products, and some conferences and webinars related to API security are coming up soon. Vulnerability: IBM Data Risk Manager Pedro Ribeiro found a bunch of security vulnerabilities in IBM Data Risk Manager (IDRM). This is a control center that helps to locate, analyze, and […]

Issue 78: Vulnerabilities in WordPress Rank Math, Tapplock, and TicTocTrack

This week, we check out the API vulnerabilities in the WordPress Rank Math plugin, Tapplock smartlock, and TicTocTrack, another kids’ smartwatch. In addition, an update to VS Code OpenAPI extension that adds static application security testing (SAST) for composite API contracts has been released. Vulnerability: WordPress Rank Math plugin A popular WordPress plugin, Rank Math, […]

Issue 77: Vulnerabilities in GitLab, OAuth 2.1 draft is out

This week, GitLab has fixed several vulnerabilities, including API vulnerabilities, and the draft for OAuth 2.1 has been released. If you find yourself stuck at home with extra time on your hands, why not check out the free course on web security that Stanford University is offering? Vulnerability: GitLab GitLab has released a new security […]

Issue 75: 98% of IoT traffic unencrypted, API DevSecOps in Azure Pipelines

This week, the state of security in Zyxel’s management console as well as in the field of IoT leaves room for improvement. Meanwhile, on the presentation front, we have an upcoming webinar on API DevSecOps in Azure Pipelines, and recordings from BSides SF 2020 are out. Vulnerability: Zyxel Cloud CNM SecuManager Pierre Kim and Alexandre […]

Issue 74: Vulnerability in Login with Facebook, API security talks

This week, we check out how Facebook’s OAuth implementation in their social login feature left the access tokens vulnerable. We also have some statistics and predictions on the rise of API security, and recordings of a couple more API security talks have been published. Vulnerability: OAuth in Login with Facebook Doing a bullet-proof OAuth […]

Issue 73: Up to 75% credential abuse attacks target APIs

This week, we check how Tinder’s API vulnerability has developed a life of its own, the latest statistics from Akamai on API security, the best current practices for JWT, and why API security needs both API firewalls and API management, not just either or. Vulnerability: Tinder Back in July 2019, we covered the OWASP API3:2019 — […]

Issue 72: Vulnerabilities in WordPress ThemeREX Addons and Voatz, Facebook postmortem, JWT talks, OpenAPI Specification 3.0.3

This week, we take a look at how WordPress got exploited by a 3rd-party plugin, and how API security research can sometimes be a very ungrateful endeavor. In addition, we also have the cost of ignoring API security as showcased by Facebook, as well as several good JSON Web Token (JWT) talks. And as a […]

Issue 71: Vulnerabilities in SoundCloud and Lime e-scooters, NIST Microservices security strategies

This week, we take a look at the recent API vulnerabilities found in SoundCloud and the electric scooter service Lime. In addition, we have a set of tips for API penetration testing, and a NIST whitepaper on microservices security. Vulnerability: SoundCloud Paulo Silva has published a very systematic and thorough report on API vulnerabilities that […]

Issue 70: Vulnerabilities in Twitter, Likud, Iowa caucus apps, two API security talks

This week, we check out a recent API vulnerability in Twitter. In addition, it looks like API vulnerabilities are a bit of a theme in apps by political parties: vulnerabilities were discovered in apps by Israel’s Likud and the Democratic Party in the USA. We also have two API security talks: one recorded and one upcoming webinar. […]

Issue 69: Vulnerabilities in Azure Stack and Cisco TelePresence, API fuzzing

This week, we look at the recently patched API vulnerabilities in Microsoft Azure Stack and Azure Cloud infrastructure, and in Cisco TelePresence and RoomOS. In addition, there is a recorded conference talk on API pentesting, and Yelp has released an open-source tool for API fuzzing. Vulnerability: Azure Cloud infrastructure Ronen Shustin from Checkpoint Research has […]

Issue 68: API security in Gartner Hype Cycle, McAfee threat predictions for 2020

This week, we take a look at where API security sits on the Gartner Hype Cycle, what the 2020 threat landscape looks like according to McAfee, and a SANS Institute whitepaper on DevSecOps. Analysts: API security in Gartner Hype Cycle Gartner published their Hype Cycle for Application Security, 2019 a few months ago. The […]

Issue 66: Vulnerabilities in TikTok and InfiniteWP Client, AppSecCali 2020

This week, we check how several API vulnerabilities in TikTok can lead to attackers taking over the social media account, and how an admin plugin for WordPress had an API allowing for an authentication bypass. In other news, the OWASP security conference kicks off next week in California, and we take a look at API […]

Issue 65: Vulnerabilities at Siemens, Cisco, D-Link, OWASP API Security Top 10 2019 out

This week, we look into the recent API vulnerabilities in Siemens plant operation control system, D-Link routers, and Cisco network management. In addition, OWASP has formally released their first-ever Top 10 list for API security. Vulnerability: Siemens SPPA-T3000 The application server of the Siemens plant operation control system SPPA-T3000 had API vulnerabilities. The AdminService API […]

Issue 64: API Vulnerabilities in Plenty of Fish, SonyLIV, SharePoint, Facebook

It is all about vulnerable APIs this week. We are looking at the ones in Plenty of Fish dating app, Sony’s SonyLIV services, and Microsoft SharePoint. Also, there is a big leak of Facebook users’ phone numbers presumably harvested via APIs. Vulnerability: Plenty of Fish Dating apps contain highly personal information and thus are a […]

Issue 63: Microsoft and Google dropping Basic Auth, Thinkrace exposing 47mln+ devices

This week, we are looking into a huge API vulnerability exposing more than 47 million devices. Also, Microsoft and Google are dropping Basic Authentication support, and there is an opinion piece on the top risks of API security. Vulnerability: Thinkrace The platforms you are using to power your systems can add vulnerabilities. PenTestPartners looked at […]

Issue 62: Vulnerabilities in Amazon Ring Neighbors and Droom, WebSocket API security

This week we look at the recent API vulnerabilities in Amazon Ring’s Neighbors app and the Droom vehicle marketplace, articles on API security and WebSockets, an opinion piece on the most exploited API vulnerabilities, and a couple of recorded webinars. Vulnerability: Amazon Ring Gizmodo reports that Amazon Ring’s crime-alert app, Neighbors, exposes too much data […]

Issue 61: Exposed patient records, vulnerabilities at Airtel and Kaspersky

This week we check out recent API vulnerabilities in India’s statewide patient portal, at the mobile operator Airtel, and in Kaspersky Internet Security products. In addition, the results of Radware Web App Security survey are out. Vulnerability: India’s ORS patient portal A broken object level authorization (aka IDOR) vulnerability in India’s nationwide patient portal, Online Registration […]

Issue 60: Microsoft Azure OAuth2 Vulnerability, 5G Threat Landscape, Webinars

This week, we look into a vulnerability in Microsoft Azure OAuth implementation that could have led to takeover of Azure accounts. In addition, we take a look at the security in the shopping apps on mobile phones and 5G networks. In other news, the recording of our OWASP API Security Top 10 webinar is now […]

Issue 59: Vulnerabilities in Fortinet, Truecaller, Nykaa Fashion, SMA M2 smartwatch

This week is all about API vulnerabilities. We found them everywhere: from client to cloud communications of Fortinet products to avatar hacks in Truecaller app, an authentication flaw in Nykaa Fashion, and yet another kids smartwatch system with almost total lack of security. Vulnerability: Fortinet Researchers from SEC Consult have found bad implementation in various […]

Issue 58: Broken Object Level Authorization explained, plus practical tips on API security

This week, we continue to look at the upcoming OWASP API Security Top 10, discuss organizational changes that can make organizations more cybersecure, check out another security checklist, and upcoming API security conferences. API vulnerability explained: Broken Object Level Authorization Broken Object Level Authorization (BOLA, aka IDOR) holds the #1 spot in the OWASP API […]

Issue 57: Vulnerabilities at Facebook, Amazon Ring, and GitHub, OWASP API Security Top 10 Webinar

This week we look at the recent API vulnerabilities at Facebook, Amazon Ring, and GitHub. There is also an upcoming webinar on OWASP API Security Top 10 that you can attend. Vulnerability: Facebook Facebook has reported and fixed a vulnerability in their Groups API. This API and the information it exposes had been potentially abused […]

Issue 56: Common JWT Attacks, OWASP API Security Top 10 cheat sheet

This week, API vulnerabilities were reported in Rittal cooling systems. In other news, there is an API vulnerability cheat sheet that you can print and put on your wall, an overview of common JWT attacks, and a GlobalData report on the trends in API management and API security. Vulnerability: Rittal industrial cooling Applied Risk has […]

Issue 55: Vulnerabilities in eIDAS and Cisco routers, Instagram API program locked down

This week, we check out the vulnerabilities fixed in EU’s eIDAS (electronic IDentification, Authentication, and trust Services) system and Cisco routers, how Instagram is seeking to avoid the privacy controversies that Facebook itself has had, and interesting predictions from Gartner’s latest API report. Vulnerability: EU eIDAS EU has patched the reference implementation of the eIDAS […]

Issue 54: API vulnerabilities in eRosary, Kubernetes, Harbor

This week, we take a look at the recent API vulnerabilities in smart prayer beads, Kubernetes, and Harbor, as well as analogies between API security and airport security. Vulnerability: ClickToPray eRosary Vatican has released ClickToPray eRosary, the smart rosary beads that — naturally — come with the accompanying mobile app. Unfortunately, the app had a […]

Issue 53: Vulnerabilities in TwitterKit, JustDial, Voi e-scooters

This week, we take a look at how an out-of-date library compromised login to Twitter, how a simple parameter switch gave access to over 150 million JustDial user accounts, and how holes in API security can lead a business to give out uncontrolled freebies. In addition, there is an update on Google’s decision to change the access […]

Issue 52: NIST Zero Trust Architecture Guidelines

This week, Kubernetes API server was found vulnerable to the Billion laughs attack, NIST has opened their Zero Trust Architecture guidelines for commenting, and VS Code OpenAPI extension got an update with API Contract Security Audit built-in. Vulnerabilities: Kubernetes The Kubernetes API server is currently vulnerable to the so-called Billion laughs attack. This is the […]

Issue 51: Gartner releases full report on API security

This week, we ponder when an API vulnerability is a vulnerability, and check out Gartner’s new report and OWASP’s new API security project. Vulnerability: Cisco Webex and Zoom Definitions of API vulnerabilities can vary: what someone considers a vulnerability may be by design to someone else. This is exactly the case with this week’s vulnerability. Cequence […]

Issue 50: Harbor API vulnerability, and the dangers of CRUD APIs

This week, we take a look at Harbor’s API vulnerability, the flawed architecture of CRUD-based apps, PSD2 effect on API security, and API security tooling. Vulnerability: Harbor Harbor is a popular open source container registry. This week, researchers have found about 1,300 Harbor endpoints affected by an API vulnerability. The vulnerability is a classical case […]

Issue 48: Vulnerabilities at Verizon and GPS trackers, S3 bucket names leaking

This week, we look at the recent vulnerabilities at Verizon and Shenzhen i365-Tech GPS trackers, leaking S3 bucket names, and Facebook cutting API access for some of its partners. Vulnerability: Verizon 2 million Verizon Wireless Pay Monthly contracts were found open for anyone to access. The researcher managed to get a valid cookie while browsing […]

Issue 47: Cisco and MuleSoft vulnerabilities, API World passes

This week we look into the recent API vulnerability in Cisco routers, how MuleSoft handled a severe vulnerability in their API gateway, API security aspects of communication PaaS, and passes for the upcoming API World conference in San Jose, CA. Vulnerabilities: Cisco Cisco has implemented their REST API as a virtual service container for IOS XE. This […]

Issue 46: Cisco and Facebook patch APIs, Solr API parameter injection

This week, Cisco and Facebook have patched their APIs, a detailed report on Solr parameter injection is out, and GitHub continues their fight against API keys and tokens in public repositories. Vulnerabilities: Cisco Cisco has released patches for several critical API security flaws in its Cisco Unified Computing System (UCS) software and Small Business 220 […]

Issue 45: Hacked dating apps and smartlocks, “Egregious 11” cloud security issues

This week, we take a look at the recent location API vulnerabilities in dating apps and smartlocks. In addition, we have an API security video from RSA Conference in Singapore, and the survey results and API security recommendations from Cloud Security Alliance. Vulnerability: dating apps BBC has run a story on the common API vulnerability pattern […]

Issue 44: ACS 2019 Agenda

This week, we look at API vulnerabilities in Kubernetes and 3Fun, the upcoming API Specification Conference, and slides from an EIC 2019 conference presentation. Vulnerabilities: Kubernetes Kubernetes has fixed the API vulnerability CVE-2019-11247. This flaw allowed attackers to access, modify, or delete computing and storage resources configured across a Kubernetes cluster. The issue was with authorization logic […]

Issue 42: HTTP Security Headers

This week, we look into a validation vulnerability in Cisco APIs, security best practices for HTTP headers and OAuth 2.0, and the effect of microservice architectures on API security. Vulnerabilities: Cisco Cisco has fixed an API vulnerability in their Vision Dynamic Signage Director. The vulnerability stemmed from insufficient validation of incoming HTTP requests. An unauthenticated […]

Issue 41: Tinder and Axway API Vulnerability, Equifax fined

This week, we take a look into API vulnerabilities found in Tinder and Axway SecureTransport. In other news, FTC and Equifax have reached a settlement related to the 2017 breach, and the slides for an API security talk have been posted. Vulnerability: Tinder Sanskar Jethi has found that Tinder enforces their premium features (such as […]

Issue 40: Vulnerabilities in Instagram, 7-Eleven, Zipato

This week, we have a lot of high-profile API vulnerabilities, like Instagram, Zipato, and 7-Eleven. Also, 42Crunch has released a native API firewall for microservices in Kubernetes. Vulnerability: Instagram Laxman Muthiyah got his $30K bug bounty for reporting this vulnerability to Instagram: He managed to use the Instagram API to take over an arbitrary account. The […]

Issue 38: Cracked smartlocks, X-Frame-Options, standards gaining adoption

This week, we have seen some major adoption milestones for the OpenAPI and the DNS over HTTPS standards, we discuss how to go about TLS pinning and the X-Frame-Options header, some not-so-smart locks, and the updated API security tooling from 42Crunch. Vulnerabilities: Ultraloq smartlocks Ultraloq smartlocks come with a mobile app, and its APIs […]

Issue 37: Vulnerabilities with WebLogic and OnePlus, the Black Hat API workshop, and OAuth in action

This week, we look into the latest API vulnerabilities in Oracle WebLogic and OnePlus, an API security workshop at Black Hat, the API security tech landscape, and a new tool for OAuth and OpenID Connect debugging. Vulnerabilities: Oracle WebLogic Oracle WebLogic has issued a critical API security patch. Just like with an earlier similar issue, the flaw […]

Issue 36: Vulnerabilities at TP-Link, Venmo, Amcrest, and GateHub

This week, we discuss API vulnerabilities in TP-Link Wi-Fi extenders, Amcrest cameras, Venmo transaction feed, and GateHub cryptocurrency wallet. We also take a look at the API security aspects of microservices architectures. Vulnerabilities: TP-Link Wi-Fi extenders TP-Link Wi-Fi extenders are a popular way to get a better Wi-Fi coverage in houses and other spaces. Unfortunately, […]

Issue 35: IDE support for OpenAPI

This week, we take a look at API vulnerabilities at NVIDIA and Supra, an OpenAPI extension for Visual Studio Code, and an upcoming API security webinar from NordicAPIs. Vulnerabilities: NVIDIA GeForce Experience NVIDIA GeForce Experience (GFE) is a supplementary application that users install with other NVIDIA products to “capture and share videos, screenshots, and livestreams […]

Issue 33: First American leaks 885 million mortgage records

Vulnerability: First American First American Financial Corp. was leaking 885 million mortgage deals records until it was notified by KrebsOnSecurity last week. The leaked records included highly sensitive information such as social security numbers (SSN), bank accounts, tax records, and wire details. Presumably, the company did not want to secure the documents to simplify the access […]

Issue 32: WAFs missing API attacks for 86% of users

This week, we take a look at the latest vulnerabilities in an ASUS update service and Linksys routers. In addition, there is a recent report on WAF customer satisfaction, and a new podcast on API security. Vulnerabilities: ASUS WebStorage We reported Dell’s Support Assist vulnerability a few issues ago, and now the ASUS update service got a similar […]

Issue 31: Samsung SmartThings repo token leaks, and Facebook fined for API vulnerability

This week, Samsung has leaked a token that provides full access to their SmartThings code repository, and Facebook fixed one API flaw but got fined for another. We also have a discussion of API security and DevOps, and look into a survey that Postman runs on the future of OpenAPI support. API keys We have […]

Issue 30: 5G going to REST. Breaches in Dell, Cisco, WebLogic, DockerHub, JustDial, iLnkP2P

This week, there were a lot of API vulnerabilities, including: Dell, Cisco (a whopping three of them!), Oracle WebLogic, DockerHub, JustDial, and millions of IoT devices based on iLnkP2P. We also look into what implications 5G transitioning to REST and HTTPS brings to API security. Vulnerabilities and breaches Dell Probably the highest profile issue of the […]

Issue 29: OAuth2 attacks, car GPS vulnerabilities, and honeypot stats

This week, we look into the latest API vulnerabilities in cars, Nagios, and Portainer, as well as different OAuth 2.0 attack scenarios, and the time it takes for attackers to find new API endpoints. Vulnerabilities and breaches Some car owners install hardware GPS tracking devices in their vehicles. These are accessed and managed through mobile […]

Issue 27: MyCar vulnerability, serverless, IoT API security

This week, we had vulnerabilities in remote car control apps and GPS-enabled watches. We also take a look at the API security trends in microservices and serverless architectures, and consumer electronics. Vulnerabilities MyCar is a remote control system that is installed in some cars under its own name or under a variety of brands, such […]

Issue 26: Verizon routers patched for API vulnerability

This week, Verizon has been patching their home routers, another GPS watch got breached, Shodan added an IoT monitoring service, and we take a look at API security best practices webinars and recommendations. Vulnerabilities Verizon is urgently updating their Verizon Fios Quantum Gateway home routers. Researchers from Tenable found multiple security issues in the device’s API. […]

Issue 25: NIST microservices guidelines, Facebook opens up to pentesting

This week, NIST has released their microservice security guidelines, Facebook has removed some of their security for whitehat researchers, and we continue the discussion on how to store API secrets safely. Industry standards and best practices US National Institute of Standards and Technology (NIST) published their draft on “Security Strategies for Microservices-based Application Systems”. The document includes […]

Issue 23: Hacking ML, AWS Gateway Security, Gartner advice to CISO

This week, we had another mobile app leaking user data, and the first ever CEO resignation because of an API breach. There’s also: the best practices for AWS API Gateway security, Gartner’s advice to CISOs on cloud security, security implications of the OpenAPI Specification (OAS), and vulnerabilities in machine learning. Vulnerabilities The mobile application 63red Safe had […]

Issue 22: SANS SWAT list, 42Crunch Platform launch

This week, we have seen vulnerabilities in 3 million car alarms, snowboard helmets, and virtual worlds. In other news, there is a new API security platform built around OpenAPI contracts. We also take a look at the SANS checklists and HTTPS/TLS tutorials. Vulnerabilities This was a good week for PenTestPartners. They have uncovered a couple […]

Issue 21: Amazon Ring Doorbell camera hacked, open APIs coming to healthcare

This week, we got vulnerable APIs in Kubernetes, real estate services in Australia, and Amazon Ring cameras. We also take a look at upcoming healthcare API standards in the US, and changes in attack trends between 2017 and 2018. Vulnerabilities Kubernetes continues to have API vulnerabilities (see our earlier issues 9 and 13). This time, it […]

Issue 20: Drupal APIs hacked, EU releases IoT standards

This week we look into vulnerabilities at Uber and Drupal, the best practices from the ICANN DNS security checklist, the upcoming European IoT security standards, and more vulnerability stats from 2018. Vulnerabilities This is the worst API vulnerability of the year so far. Drupal‘s RESTful Web Services (rest), JSON:API, and other web services modules allowed […]

Issue 19: Half of Amazon’s top-selling smart devices found vulnerable

This week, we look into the latest vulnerabilities, patches that TLS libraries require, and best practices for token management security. Vulnerabilities You’d think casinos are at the forefront of security, after all they handle money. Apparently, this is not always the case. Atrient’s digital rewards kiosks for casinos used public unencrypted APIs to communicate with the backend servers. […]

Issue 18: Tool for API security audit, Google limits Gmail API access

Vulnerabilities We have reported on API vulnerabilities in kids’ smartwatches before. The watches remain vulnerable to API attacks, and these stories just keep pouring in: The European Union is recalling Enox Safe-Kid-One smartwatches because of vulnerable APIs. The APIs have no authentication or encryption, so attackers can access them, retrieve any information on them (like location), change […]

Issue 17: 83 percent of web traffic is API, and why query parameters are bad for secrets

This week we are mostly discussing best practices and tools, such as: the best methods to pass API keys and other sensitive data, tools that attackers use to discover APIs, and why API security is never set-&-forget. Risks Never put API keys or other sensitive information in URLs or query parameters. These are visible to browser […]

Issue 16: DHS DNS hijacking directive, plus 5 API security rules

Vulnerabilities Another CPU DoS vulnerability in Go TLS (CVE-2019-6486) got fixed. This vulnerability impacts APIs implemented as Go microservices. The vulnerability enables attackers to exploit: TLS handshakes, X.509 certificates, JWT tokens, ECDH shares, and ECDSA signatures. To fix the vulnerability, upgrade to Go versions 1.11.5 or 1.10.8. Best Practices DNS infrastructure is critical for web and […]

Issue 15: Fortnite hack, TLS MITM attacks, SQL injections for NoSQL

Vulnerabilities A team from Check Point Research reported a serious vulnerability in Fortnite authentication API: An old unused subdomain had a misconfigured web application firewall (WAF) that relied only on blacklisting. Attackers could perform a SQL injection in the subdomain to plant their XSS script. Fortnite allowed log in with Facebook and Google credentials using […]

Issue 14: Hacked hot tubs, airlines, trading sites; JSON encoding best practices

Vulnerabilities Noam Rotem found a dangerous combination of vulnerabilities in the APIs of Amadeus flight booking system and El Al airline: The Amadeus API allowed for brute force enumeration of booking identifiers, also known as passenger name record (PNR). The El Al API provided both personal and booking details for any PNR. Once attackers knew the […]

Issue 13: Microsoft services and Chromecast hacks, the limitations of WAF

Vulnerabilities Another OAuth hack, and another reason why using OAuth for authentication can be dangerous. Researchers at SafetyDetective found that Microsoft had 400 million users exposed. Outlook, Store, and other services allowed the wildcard *.office.com as a valid wreply URL for tokens from login.live.com. Attackers noticed that and managed to grab the success.office.com domain in Azure. Now, […]

Issue 12: Car APIs leaking location, breached security cameras, regulation that helps

Happy New Year to everyone! Here are a few stories that we have collected for you during the holidays. Vulnerabilities We have previously covered vulnerabilities in NUUO security cameras; this time, critical API flaws have been reported in Guardzilla cameras. Bitdefender Labs reported multiple issues including: hardcoded credentials for cloud APIs, sequential IDs used for user-level […]

Understanding Golang TLS mutual authentication DoS – CVE-2018-16875

TL;DR: If your source code is written in Go and it uses one-way or mutual TLS authentication, you are vulnerable to CPU denial of service (DoS) attacks. The attacker can formulate inputs in a way that makes the verification algorithm in Go’s crypto/x509 standard library hog all available CPU resources as it tries to verify […]

Issue 10: Unprotected Docker and Ethereum APIs, McAfee 2019 forecast

Vulnerabilities Another API vulnerability has been found in Google+ (we reported on the previous one in our first newsletter back in October). Turns out that an update that Google rolled out in November put user data at risk because permissions were not properly enforced. The API could provide access to user profile data even if the data was […]

Issue 9: Patch your Kubernetes and security cameras, check out the Node.js security guide

Vulnerabilities If you are using Kubernetes, you should install a patch for it as soon as possible. There is a huge privilege escalation vulnerability that got fixed this week. The flaw allows attackers to contact the Kubernetes API server using a non-privileged account and then get high-privilege operations forwarded to backend services. Even worse, the calls are not showing […]

Issue 8: USPS API broken, APIdays, ETSI downgrades TLS

Vulnerabilities United States Postal Service (USPS) just fixed an API vulnerability. The vulnerability seems to have been a combination of: developers not expecting outsiders to bypass the web page and use the API directly; Insecure Direct Object Reference (IDOR), authenticating as one user and getting data of another user; and a leaky API where wildcards were not […]

Issue 7: OAuth attacks, vulnerabilities in drones and kids’ watches

Vulnerabilities This is as ugly as it gets: MiSafes kids’ watches allow accessing very specific information on a child, such as photo, gender, age, height, location, and even provide remote microphone access. API calls are not secured by TLS and are open to Insecure Direct Object Reference (IDOR), meaning that as long as you have […]

Issue 6: Steam API leaks keys, and why WAF does not help DevSecOps

Vulnerabilities An API vulnerability was found in the license generation API of Valve’s Steam gaming service and marketplace. Anyone who had registered at their partner portal for developers could call their /partnercdkeys/assignkeys/ with unexpected parameter values (for example, a random string as a partner name and 0 as the request count) and get thousands of keys in the […]

Issue 5: Bad TLS client authentication, how not to use cURL, State of Software Security

Vulnerabilities Do not use TLS client authentication, unless you are already on TLS 1.3. With TLS 1.2 and earlier, when you use client authentication, the client certificate is transmitted in the clear. This contains enough information to uniquely identify the user. Hundreds of thousands of projects use cURL and purposefully disable the verification of TLS host […]

Issue 4: Remini hacked, perils of free APIs, TLS explained, ATMs & SWIFT get APIs

Vulnerabilities Remini, a mobile app that schools use to communicate with parents, had kids’ profiles including pictures, email addresses, phone numbers, and milestones accidentally publicly exposed through an API. No authentication was required, because developers assumed that only their mobile app knows that the API exists, and account IDs used were sequential, so hackers could simply […]

Issue 3: TLS 1.3, securing JWT, US banks release a common API standard

Vulnerabilities The Shopify vulnerability happened (and was fixed) back in May 2018. This week, Arif Khan goes into the details of the vulnerability and the lessons that we can learn from it for microservices and API security in general. In a nutshell, microservices themselves and the underlying cloud platform expand the attack surface. It is […]

Issue 2: California IoT security law, GoDaddy & AWS vulnerabilities

Vulnerabilities GoDaddy’s 2-step authentication API was found to be vulnerable. The API lacks rate limiting and does not impose timeouts after failed second factor attempts. This opens doors for brute force attacks on the second factor. AWS Honeytokens designed by Amazon to help security specialists attract attackers and detect attacks turned out to actually be discoverable. […]

Issue 1: APIStrat, CORS, Samsung, Google, Facebook, GitLab, Apple

API Vulnerabilities Samsung smart TV security flaw: the equipment would basically accept commands from any source, so someone knowing the device ID would be able to invoke various functions remotely. The API allowed hackers to “change TV channels, turn up the volume, play unwanted YouTube videos, or kick the TV off a WiFi connection”. Firmware update […]