This week, we have news of an API vulnerability in the popular Jetpack WordPress plugin affecting millions of websites, an article on how to address growing API security vulnerabilities in 2023, and an article on why API security is the need of the hour. Finally, we have a guide from Port Swigger on how to use Burp Suite to discover GraphQL vulnerabilities.
Vulnerability: Jetpack WordPress plug-in API vulnerability affects millions of websites
The popular WordPress plugin Jetpack forced an update to all installations to address a critical API vulnerability in their plugin. The plugin is extremely popular with WordPress users and has over 5 million downloads globally. This vulnerability has existed in all versions since the original 2.0 release in 2012.
There is scant detail regarding the nature of the vulnerability in the official announcement from Jetpack, except that it affects an API and could allow access to the filesystem of affected hosts. The article lists all the affected versions but insists that no known exploits of the vulnerability exist.
Users are asked to ensure that they are using the most current plugin version, Jetpack 12.1.1.
Article: How to address growing API security vulnerabilities in 2023
In the first of two articles addressing API security challenges this week, we have Katrina Thompson’s thoughts, writing in IT Security Guru. The author highlights the importance of APIs in building today’s digital infrastructure. Unfortunately, this also increases risk, as attackers realize that APIs represent the “sweet spot” when attacking an organization. According to the article, “a recent study indicated that 97% of enterprise leaders classify API use as essential to future growth, and another shows the average number of APIs used grew 82% over last year.”
The author identifies five types of API security vulnerability and suggests how to deal with them, as follows:
- Overly permissive APIs: APIs frequently have access to more data than they should and often execute at a higher privilege than they ought to. APIs should be granted the least privilege required to perform their business objective and no more.
- Faults in the code: As our readers are aware, many API vulnerabilities are due to flaws in the code base, leading to vulnerabilities such as BOLA, BFLA, and broken authentication. Always make sure API code bases are scanned for vulnerabilities and reviewed manually on any major changes.
- Speed over security: Coupled with the topic of faults in API code is the topic of favoring speed over security. In many cases, the business needs tend to dominate, and the API team publishes APIs before they have been fully validated for security. This results in costly outages in production, including expensive hotfixes and reworks. Addressing security in the early stages of development is far more effective.
- Exposed (and hidden) APIs: Readers of the newsletter will be familiar with the problems caused for security teams by shadow and zombie APIs. It is impossible to secure your APIs if you do not know which APIs you own and operate.
- Every API is unique: Ensure you understand the specific needs of securing each of your APIs, as they may have very different characteristics and security requirements.
A quick read on some of the basic issues facing API security in 2023.
Article: API security is the need of the hour
The next article features the thoughts of various security luminaries in India featured in CIO.com and Indiatimes.com.
Nikhil Chawla, Head – Global Information Security & Cyber Security at Colgate-Palmolive, believes that people and threats cause many challenges to API security. In many cases, developers are not fully aligned with the threats that can be created for their APIs by neglecting important topics such as rate-limiting, DDoS attacks, and cross-site scripting attacks. By understanding these better, they are likely to have better success in protecting their APIs.
Babitha B P, CISO at The CSB Bank Ltd., focused on the important topic of API visibility. The key to securing APIs at scale is to ensure that they are monitored in an automated fashion and that there is minimal reliance on manual discovery and audit of APIs.
Navneet Daga, Sales Director of Cloud Security Services at Radware, concludes by stressing that improved API security requires greater collaboration between security and development teams and that API security is not a point solution but rather requires a layered strategy for defense in depth.
Guide: Using Burp Suite to find GraphQL vulnerabilities
Recently, we have had a lot of great coverage on GraphQL security, and this week, Port Swigger provides an excellent walkthrough on using their Burp Suite tool to identify GraphQL vulnerabilities.
The first step in exploiting a GraphQL API is to discover the endpoints. This can be done manually with Burp Suite or by sending a universal query to common GraphQL API endpoints such as the following:
/graphql
/api
/api/graphql
/graphql/api
/graphql/graphql
Once the endpoint has been identified, you can identify the different request methods supported by the endpoint, including the supported data types.
The next step is to identify unsanitized arguments and discover different ways to inject malicious content via these arguments. Discovering schema information offers insight into the structure of the API, and allows an attacker to gain insight into how to attack the API further. Burp Suite also offers an extension that automates much of this discovery process: the popular InQL extension.
InQL is a Burp Suite extension that helps you to audit GraphQL APIs securely. It issues an introspection query requesting all queries and mutations given a URL (either via links to live endpoints or via JSON files) and presents a structured view to help you explore the results.
From a security perspective, the article concludes with some useful advice for defending GraphQL APIs, namely:
- Disable introspection on the API endpoint unless there is an explicit and well-understood reason to enable it. This prevents an attacker from understanding the workings of the endpoint.
- Review the API’s schema to ensure it does not expose unintended fields to the public.
- Ensure that suggestions are disabled to prevent attackers from being able to use tools to glean information about the underlying schema.
- Ensure that your API’s schema does not expose private user fields, such as PII or similar information.
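The introspection, suggestion and private-field checks above can be run against responses captured from your own endpoint. The following is an added example, not code from the guide: the sensitive-name list and sample responses are constructed, and the suggestion pattern assumes the "Did you mean" wording that graphql-js-style servers put in validation errors.

```python
import json
import re

# Assumed starter list of name fragments that suggest private data; tune per schema.
SENSITIVE = ("password", "ssn", "email", "token", "secret", "phone")
# Assumed wording of field-suggestion hints in validation errors.
SUGGESTION = re.compile(r'Did you mean "?([\w.]+)', re.IGNORECASE)

def audit_introspection(body: str) -> list[str]:
    """Findings from your API's response to an introspection query."""
    findings = []
    data = json.loads(body).get("data") or {}
    schema = data.get("__schema")
    if not schema:
        return findings  # introspection refused: no schema disclosed
    findings.append("introspection enabled")
    for t in schema.get("types", []):
        if t["name"].startswith("__"):
            continue  # skip built-in introspection types
        for f in t.get("fields") or []:  # scalars and enums have fields = null
            if any(s in f["name"].lower() for s in SENSITIVE):
                findings.append(f"sensitive field exposed: {t['name']}.{f['name']}")
    return findings

def audit_suggestions(body: str) -> list[str]:
    """Findings from the error response to a query with a misspelled field."""
    findings = []
    for err in json.loads(body).get("errors", []):
        m = SUGGESTION.search(err.get("message", ""))
        if m:
            findings.append(f"suggestion leaks schema name: {m.group(1)}")
    return findings

# Constructed sample responses (not taken from any real service).
INTROSPECTION_ON = json.dumps({"data": {"__schema": {"types": [
    {"name": "User", "fields": [{"name": "id"}, {"name": "passwordHash"},
                                {"name": "email"}]},
    {"name": "Role", "fields": None},
    {"name": "__Type", "fields": [{"name": "name"}]}]}}})
INTROSPECTION_OFF = json.dumps(
    {"errors": [{"message": "GraphQL introspection is not allowed"}]})
SUGGESTION_ON = json.dumps({"errors": [{"message":
    'Cannot query field "emial" on type "User". Did you mean "email"?'}]})
SUGGESTION_OFF = json.dumps({"errors": [{"message":
    'Cannot query field "emial" on type "User".'}]})

if __name__ == "__main__":
    for sample in (INTROSPECTION_ON, INTROSPECTION_OFF):
        print(audit_introspection(sample))
    for sample in (SUGGESTION_ON, SUGGESTION_OFF):
        print(audit_suggestions(sample))
```

An empty list from both functions is the hardened result; any finding points to the corresponding item in the list above.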
GraphQL is a complex topic for API security and guides such as this are always welcomed by our readers – thanks to Port Swigger.