This week, API vulnerabilities were reported in Rittal cooling systems. In other news, there is an API vulnerability cheat sheet that you can print and put on your wall, an overview of common JWT attacks, and a GlobalData report on the trends in API management and API security.
Vulnerability: Rittal industrial cooling
Applied Risk has found two critical vulnerabilities in Rittal industrial cooling equipment. If attackers know the URLs to invoke, they can bypass authentication and turn cooling on or off or set the temperature.
From the description, it is hard to figure out whether this is API2:2019 — Broken authentication or API5:2019 — Broken function level authorization.
The second vulnerability is not any better: the system also has hard-coded credentials.
IoT remains a big source of API vulnerability news. Vendors in that space are often used to caring mostly about the physical side of the product, and do not pay enough attention to the security of its software and service components.
OWASP API Security Top 10 cheat sheet
We have covered the OWASP API Security Top 10 project in the past. This is a community effort (currently in the Release Candidate phase) to document the most frequent vulnerabilities in web APIs.
To make it easier for you to keep these in mind, we have created a cheat sheet that you can print and put on your wall.
The graphics and short descriptions make navigating the categories easier, and there’s also advice on how to mitigate the risks.
Download the OWASP API Security Top 10 cheat sheet here.
Hacking JSON Web Tokens (JWT)
JSON Web Tokens (JWT) are one of the most frequently used methods to pass caller information with REST API calls.
Unfortunately, they are also frequently misused and misunderstood. Hackers can take advantage of that to launch successful attacks on your APIs.
Vickie Li has just published a good quick overview of JWT and the most frequent vulnerabilities in its use.
The most common JWT attacks are:
- Algorithm manipulation
  - Using `None` as the algorithm
  - Using symmetric encryption (HMAC) instead of asymmetric RSA
- Lack of signature validation
- Bruteforcing weak secret keys
- Secret keys leaking through another attack (like directory traversal, XXE, or SSRF)
- Key ID (KID) manipulation
  - Directory traversals
  - SQL injections
  - Command injections
- JKU/JWK/x5u/x5c headers used to send rogue keys
- Information leaks in JWT when developers forget that `base64` encoding is not encryption
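To show the defensive side of that list, here is an added example (written for this issue, not code from Vickie Li's post): a minimal HS256 verifier using only Python's standard library that pins the algorithm server-side, treats `kid` as an opaque lookup into a fixed key set, ignores the key-bearing headers, checks the signature before trusting any claim, and enforces expiry. The key set, secret and token contents are constructed demo values.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key set. The server decides which keys and which algorithm are
# acceptable; nothing in the token header gets to choose either of them.
KEYS = {"k1": b"demo-secret-replace-in-production"}
ALLOWED_ALG = "HS256"

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode_part(obj: dict) -> str:
    """JSON-serialise a header or payload into one base64url JWT segment."""
    return b64url_encode(json.dumps(obj).encode())

def make_jwt(claims: dict, kid: str) -> str:
    """Issue an HS256 token from the same fixed key set the verifier uses."""
    header, body = encode_part({"alg": ALLOWED_ALG, "kid": kid}), encode_part(claims)
    sig = hmac.new(KEYS[kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def check_jwt(token: str, now=None) -> str:
    """Return "ok" for a token the server should accept, else the rejection reason."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))  # decoded, but not trusted yet
        sig = b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON or bad UTF-8
        return "malformed token"
    # 1. Pin the algorithm server-side: rejects alg=none and HMAC-vs-RSA confusion.
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        return "unexpected alg"
    # 2. kid is an opaque lookup into a fixed dict, never a file path, SQL or a command.
    kid = header.get("kid")
    key = KEYS.get(kid) if isinstance(kid, str) else None
    if key is None:
        return "unknown kid"
    # 3. jku/jwk/x5u/x5c are ignored entirely: only server-held keys verify signatures.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "bad signature"
    # 4. Claims are trusted only now; require exp so a stolen token stops working.
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= (now if now is not None else time.time()):
        return "expired"
    return "ok"
```

Tokens without an `exp` claim are rejected on purpose; the `now` parameter exists only so the expiry check can be exercised deterministically.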
Analysts: GlobalData
Charlotte Dunlap from GlobalData has published a new report “API Security tops API Management”. The highlights from the report include:
- A new API lifecycle management approach is founded on emerging security innovations (AI, DevSecOps, API Security by design).
- Pure-play API security providers threaten to outshine API management leaders through the best-of-breed security.