Issue 261: API Security in 2025, OWASP insecure design, path traversal flaws for Mitel and Sailpoint


This week, we explore the opportunities and challenges in API security as we look ahead to the new year. We also include several newly discovered vulnerabilities and exploits of the embarrassingly common path traversal attack, and a look at OWASP insecure design.

Before we dive into this week’s newsletter, the entire team at APISecurity.io extends our warmest wishes for a successful and fulfilling new year in 2025, both personally and professionally. To those of you taking some well-deserved time off this holiday season, we hope you enjoy a peaceful and restful break, free from API security incidents! Happy New Year!

Article: Why API Security is a top priority for 2025

A recent article on TechTarget explores potential trends shaping the API ecosystem in 2025. Will we see a transformative shift in API development powered by AI-driven services and integrations? Will the adoption of GraphQL and AsyncAPI continue to accelerate? And how might emerging specifications for REST APIs influence development?

These evolving trends and technologies will drive the conversations around API security in the coming year. As the article notes, teams still relying on traditional centralized security approaches will find themselves struggling to manage the increasing complexity of API-based integrations and supply chains. 

Moreover, with the surge in API breaches reported across critical industries—ranging from finance and telecommunications to healthcare and automotive—the call for secure-by-design initiatives is likely to grow louder. This shift will place the responsibility for addressing security vulnerabilities squarely on API producers, alleviating the burden on users and customers.

Article: API Security skills paramount for FinTech in 2025

In an interview earlier this month, Mastercard’s Olivia Leonard shared her insights on the anticipated technical skills that will be in demand for the financial sector in the coming year.  

As in many other industries, the opportunities and challenges created by AI will be top of mind for organizations in 2025. Leonard highlighted the importance of building a workforce that is “comfortable using AI-powered tools” to stay competitive in the evolving digital landscape. At the same time, she noted that cybersecurity expertise will be paramount due to the rapid expansion of digital payments and services.

Open banking is another trend driving the rapid expansion of digital financial services and is expected to increase the demand for skills in API security. In the UK, organizations such as NatWest have already seen the benefits of open banking this year, which will help drive the deployment of more API-based services. Meanwhile in the US, new consumer financial protection rules introduced this year create a requirement for open banking and the sharing of financial data through secure and reliable API services.

All of this comes at a time when APIs are already a prime target for threat actors, which should place a premium on API security skills and expertise. 

For technical professionals looking to stay ahead in the financial sector, a worthwhile New Year’s resolution might be to enhance their understanding of API security best practices. 

Article: 2025 breach predictions in AI, API, and OpenSource 

Nanhi Singh, General Manager of application security at Imperva, shares her predictions for the major security headlines we can expect in 2025.

A rapidly evolving AI industry brings with it a host of new risks, including prompt injection attacks. It also lowers the barrier to entry for novice hackers, enabling them to execute sophisticated attacks using immensely powerful AI tools.

The article also calls out how a growing reliance on insecure open-source software is likely to trigger a significant incident next year. As software supply chains become increasingly complex, developers are placing greater trust in third-party components, which can be the source of malicious data and attacks.

While APIs are predicted to be a primary attack vector for applications leveraging large language models (LLMs) and will likely continue to attract the attention of hackers, there is a silver lining in the prediction. The heightened risk may drive more teams to adopt a DevSecOps approach, embedding API security practices directly into the development process to address vulnerabilities at their source.

An interesting article, though a little foreboding in its predictions.

Article: Avoid OWASP insecure design vulnerabilities

Many API security incidents and vulnerabilities are caused by a relatively small set of root causes. We can often track those causes back to mistakes in API design or implementation.   

For example, a common mistake in API design is to assume security checks are performed on the client side, and so fail to enforce those security checks at the API level. We see this regularly in incident reports for mobile apps and single-page applications. It allows hackers to easily circumvent client-side security checks and attack an unprotected API directly. This leads to all manner of vulnerabilities and exploits, including authentication bypass, privilege escalation and account takeover attacks.

This technical article on the HackerOne website delves into more insecure design vulnerabilities. It’s a very useful educational piece to understand the underlying causes of security breaches, and how adherence to API best practices and principles can help to prevent them.

Vulnerability: Private files exposed on Mitel platform 

A vulnerability was discovered in a URL path for Mitel’s communications platform MiCollab that allowed arbitrary files to be read from unauthorized parts of the platform.

The path in question (/npm-pwg) was vulnerable to a path traversal attack, which allows an attacker to access other unauthorized paths or directories in the system (e.g. /npm-admin).

GET /npm-pwg/..;/npm-admin/ HTTP/1.1

The researchers who discovered and reported the vulnerability provide an in-depth technical analysis. In it, they describe how a special sequence of characters (..;/) in the URL path can be used to trick a vulnerable server into traversing out of the proper context and inadvertently giving access to private resources.

Path traversal attacks are similar to other common attacks like SQL injection, whose success depends on APIs that fail to adequately validate user supplied input. 

In this case, the vulnerable input was the request path, which should always be carefully validated to ensure an exact match for any exposed endpoint.
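To make the "exact match" rule concrete, here is an added example (our own illustration, not Mitel's code or the researchers' tooling) that canonicalizes a request path the way a lenient server would route it, rejects any path that normalization would change, and flags matching requests in constructed access-log lines. The /npm-pwg/ allow-list is an assumption standing in for a real gateway's exposed endpoints.

```python
import re
from urllib.parse import unquote

# Added example, not Mitel's code. Constructed allow-list standing in for the
# endpoints a gateway really exposes: only /npm-pwg/ is meant to be public.
ALLOWED_PREFIXES = ("/npm-pwg/",)

def canonicalize(raw_path: str) -> str:
    """Path a lenient server would actually route: percent-decode twice, strip
    ';param' from each segment (so '..;' == '..', the trick in '/npm-pwg/..;/npm-admin/'),
    then resolve '.' and '..' segments."""
    path = unquote(unquote(raw_path.split("?", 1)[0]))
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    canon = "/" + "/".join(out)
    if path.endswith("/") and canon != "/":
        canon += "/"
    return canon

def is_request_allowed(raw_path: str) -> bool:
    """Exact-match rule: reject anything normalisation would change, then check the allow-list."""
    path = raw_path.split("?", 1)[0]
    return canonicalize(path) == path and path.startswith(ALLOWED_PREFIXES)

LOG_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/')

def flag_traversal(log_lines):
    """(raw path, routed path) for access-log requests that would escape the allow-list."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and not is_request_allowed(m.group("path")):
            hits.append((m.group("path"), canonicalize(m.group("path"))))
    return hits

# Constructed sample access-log lines, not from any real incident.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /npm-pwg/index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2025:10:00:02 +0000] "GET /npm-pwg/..;/npm-admin/ HTTP/1.1" 200 4096',
    '203.0.113.5 - - [01/Jan/2025:10:00:03 +0000] "GET /npm-pwg/%2e%2e/npm-admin/ HTTP/1.1" 200 4096',
]
```

Running flag_traversal(SAMPLE_LOG) reports the second and third requests, both of which route to /npm-admin/; a 200 status on such a line is the signal worth alerting on.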

Vulnerability: Path Traversal vulnerability in Sailpoint IdentityIQ 

In another example of a path traversal vulnerability, a recent report on The Register website describes a bug discovered in Sailpoint’s identity and access management platform IdentityIQ. 

The vulnerability received a critical severity rating of 10/10 from the National Vulnerability Database, where it’s described as allowing “HTTP/HTTPS access to static content in the IdentityIQ application directory that should be protected.” The article describes how path traversal vulnerabilities have previously been described as “unforgivable” and “embarrassingly easy to exploit”.

These incidents serve as a reminder to incorporate recommended security practices into API design to avoid being embarrassed by similar exploits of path traversal vulnerabilities. It’s also one to watch out for during API security testing.
