Issue 118: Spring Framework ALPS, OAuth 2.0 attack mindmap, securing JWTs


This week, we check out a potential exposure of APIs developed with Spring Framework, and a classification of OAuth 2.0 attacks. There’s also a recording of a recent JSON Web Token (JWT) security webinar and an upcoming API security fireside chat at the Postman Galaxy event next week.

Vulnerability: Spring Framework Application-Level Profile Semantics

Frameworks make developer life easier but may also increase your attack surface, as the recent research on Spring Framework demonstrates.

Spring Framework has an Application-Level Profile Semantics (ALPS) interface that documents APIs. Joel A. Noguera discovered that the ALPS API may be left public and become a security risk.

Attackers could discover the ALPS interface, use it to obtain details about the API, and then access and modify the underlying profiles and data. Unauthenticated users have full access to the ALPS API endpoints.
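As an added illustration (not code from the original research or from the Spring project), here is a Spring Security 6 filter chain that requires an authenticated caller before the ALPS metadata is served. It assumes the Spring Data REST default of exposing ALPS under the `/profile` base path; if your application configures a different base path, adjust the matcher accordingly. The role name in the comment is a placeholder, not a Spring constant.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Weak setting: the line below is what leaves the ALPS metadata
                // world-readable. Do not ship it.
                // .requestMatchers("/profile/**").permitAll()

                // Hardened: the ALPS/profile metadata (assumed Spring Data REST
                // default path) is served only to authenticated callers. A narrower
                // check such as .hasRole("API_DOCS_READER") (placeholder role name)
                // further limits who can enumerate resources and fields.
                .requestMatchers("/profile/**").authenticated()

                // Every other API endpoint also requires an authenticated caller,
                // so the data behind the documented profiles is not exposed either.
                .anyRequest().authenticated())
            // HTTP Basic is used here only to keep the example self-contained;
            // a real deployment would typically use a JWT or OAuth 2.0 resource
            // server configuration instead.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

A quick self-check after deploying this is an unauthenticated request to the `/profile` path: a 401 or 403 response is what you want to see, while a 200 with ALPS JSON means the metadata is still public.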

Be mindful when seeking the balance between user-friendliness and security: as the other side of the coin, “easier” sometimes means “less secure.”

Resources: OAuth 2.0 attack mindmap

OAuth 2.0 and its security best practices remain a frequent topic in this newsletter, and for good reasons.

OAuth and OpenID Connect (OIDC), which is based on OAuth, remain the key protocols for authentication and delegated access. Yet, it is very easy to get the implementation wrong and leave your APIs potentially exposed.

Hack3rScr0lls has put together a mindmap of the common attacks on OAuth 2.0. It is a nice way to organize and visualize the scenarios.

Video: How to Best Leverage JWTs for API Security

Recently, Isabelle Mauny and I hosted a webinar on JWT security. 42Crunch has published the recording, slides, and Q&A transcript from the session.

We covered the following topics:

  • How JWT works (very briefly ;))
  • Common attacks
  • The 42Crunch approach to securing APIs against these attacks.

Conferences: Postman Galaxy

Next week is Postman’s annual Galaxy event. Obviously, it is completely virtual this year, so it is easy to attend from the comfort of your own home.

If you are taking part, make sure to attend the fireside chat “API Security for Enterprises.” Here’s the abstract from the conference site:

“How is API security and threat protection different for large-scale enterprises? This intimate discussion tackles challenges and offers solutions for mitigating risk and reducing your attack surface in modern architectures. Well-known breaches such as Parler or Starbucks are used to illustrate some of the key challenges faced by enterprises when protecting APIs.”

The speakers in the chat are:

  • Jeanine Jue, Head of Global Developer Relations at R3
  • Bernard Harguindeguy, CTO at Ping Identity
  • Isabelle Mauny, Co-founder and Field CTO of 42Crunch

Register here.
