Issue 14: Hacked hot tubs, airlines, trading sites; JSON encoding best practices


Noam Rotem found a dangerous combination of vulnerabilities in the APIs of Amadeus flight booking system and El Al airline:

  • The Amadeus API allowed for brute force enumeration of booking identifiers, also known as passenger name record (PNR).
  • The El Al API provided both personal and booking details for any PNR.
  • Once attackers knew the PNR and thhe passenger name, they could log in and change the booking.

DX:Exchange, a popular trading site with over 600K users, had vulnerable APIs under the hood. The issues included, for example:

  • Non-expiring unsigned access tokens
  • JWT tokens leaking other users’ tokens

Researchers were able to get other users’ tokens and invoked the APIs on their behalf.

Balboa smart hot tubs’ APIs are extremely vulnerable:

  • The APIs are “protected” with a shared hardcoded password.
  • The mobile app controlling the hot tub is invoking the hot tub’s API over the internet.
  • Each hot tub comes with an unprotected WiFi hotspot.
  • The APIs use the WiFi hotspot ID as the device identifier.

Attackers can use WiFi hotspot directories to locate all Balboa hot tubs. This gives them both the ID and the location of a hot tub. After that, they can invoke the APIs of the hot tub, know when it is in use, and take over control.

To make things worse, the manufacturer is not responding or fixing the product. IoT security as bad as it gets.

A story of how Shopify found that their Kubernetes deployment was vulnerable. Shopify used a beta version of Kubernetes API that was susceptible to SSRF attack. Luckily, this got reported in their bug bounty program, so it only cost them $25K in reward money.

Best Practices

Does your API’s JSON get rendered in XHTML? If so, make sure to properly escape CDATA by using JSON stringifier. Encode <>& characters as well as non-ASCII chars like line and paragraph separators. Or better yet, avoid inline scripts altogether. See this StackOverflow discussion.


Skip Hovsmith gave his “Tour of API underprotection” session at OWASP AppSec California. Hovsmith used a scenario of a mobile app company protecting their API from a rogue app. His advice in a nutshell:

  • Authorize applications, not just users.
  • Remove secrets.
  • Use shortlived tokens.


Bernard Harguindeguy from Ping Identity takes a look at various API attacks, such as:

  • Login
  • DoS and DDoS
  • Application and Data

He argues that in these cases, AI is the solution to consider.

Subscribe to this weekly newsletter at

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy