This week, we look into the latest API vulnerabilities in Oracle WebLogic and OnePlus, API security workshop at Black Hat, API security tech landscape, and a new tool for OAuth and OpenID Connect debugging.
Vulnerabilities: Oracle WebLogic
Oracle WebLogic has issued a critical API security patch. Just like with an earlier similar issue, the flaw lies in XML workload deserialization.
To protect themselves against malformed payload attacks, API providers should start with defining and enforcing schemas on all payloads.
Vulnerabilities: OnePlus
The wallpaper crowdsourcing functionality of OnePlus phones had an API that was leaking personal data of every customer who had uploaded their pictures: name, email, country. In addition, the key required to invoke this API was easily discoverable.
Advice to API providers:
- Make sure that APIs never expose more than the minimal set of data that the API consumer needs. In this particular case, the actual wallpaper app didn’t need the personal information at all — it was just bundled into the whole set of everything that the API grabbed from the backend database!
- Use best practices for authentication that make it harder for attackers to invoke your APIs outside your apps.
- Ensure that automated enumeration of records to enable bulk downloads is not possible.
- Have monitoring and reporting to detect any bulk activity.
Conferences: Black Hat
If you are attending Black Hat USA on August 3—8 in Las Vegas, or Black Hat Europe December 2—5 in London this year, consider taking the two-day workshop “Attacking and Securing APIs” by Mohammed Aldoub. This is a hands-on, practical preconference workshop that boosts your knowledge on possible API attack vectors and how to be prepared for them. See details for US and Europe.
WAF vs API management vs API security
Alissa Knight from the Aite Group published part two of her API and Container Security series. This time she talks about the differences between web application firewalls (WAF), API management, and API security products.
Tools: OAuth and OpenID Connect
Curity has launched their OAuth Tools site that lets you play with various OAuth and OpenID Connect flows.
Connect to any OAuth server and run the flows of your choice, see all interactions, and inspect tokens. They have also posted a tutorial video that you can watch here.
Get API Security news directly in your Inbox.
By clicking Subscribe you agree to our Data Policy
