Issue 32: WAFs missing API attacks for 86% of users

This week, we take a look at the latest vulnerabilities in an ASUS update service and Linksys routers. In addition, there is a recent report on WAF customer satisfaction, and a new podcast on API security.

Vulnerabilities: ASUS WebStorage

We reported Dell’s Support Assist vulnerability few issues ago — and now the ASUS update service got a similar one. The scenario is similar: ASUS WebStorage Update did not enforce HTTPS and signatures for downloaded files. These deficiencies allowed attackers to launch a man-in-the-middle (MitM) attack, intercept the traffic, and trick the update agent into installing rogue files.

Always use HTTPS, and never trust any unsigned data.

Vulnerabilities: Linksys routers

Over 25,000 Linksys Smart Wi-Fi routers have an unprotected API that leaks data about the devices connected to the routers, such as:

  • Name
  • MAC address
  • OS
  • Firewall status
  • WAN settings
  • Firmware updates
  • DDNS

Attackers can thus get that data, learn more about the devices in the user network, and use that information for other attacks, without any authentication.

The API also tells if the admin password is default or changed. Attacker can thus know which routers can be managed with default administrative credentials.

The bottom line is that security by obscurity does not work: if you have an unprotected API, the chances are that someone will find it. And default admin passwords are evil, too.

WAFs are failing to adapt

Only 40% of organizations are satisfied with their web application firewalls (WAF), according to the Ponemon Institute report published by Cequence Security:

“The State of Web Application Firewalls report is based on data gathered from 595 organizations across the U.S. On average, they have each deployed 158 web, mobile, and API-based applications, on premises and in the cloud.”

The rapid shift of web traffic to API traffic for mobile, web, IoT, and microservices has made it hard for WAFs to stay relevant:

  • 86% of WAF customers had in the last 12 months attacks that bypassed their WAF.
  • On average, customers need 2.5 full-time people maintaining the WAFs.
  • Average total cost of ownership is $620K/yr (of which $420K/yr is going to the WAF vendors).

API security podcast

Alissa Knight at Aite Group Radio podcast has released episode 6 specifically on API security. On the podcast, Alissa and I discuss the recent API breaches, their root causes, and what could be done to mitigate them:

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy