This week, we check out GraphQL security, penetration testing with Insomnia and Burp, cheat sheets for OAuth 2.0 and JWT, and the consequences that the growth of the API economy has for cyber security.
Opinion: The 5 most common vulnerabilities in GraphQL
Although the adoption of GraphQL is still fairly limited, it is undeniably on the rise. GraphQL differs from traditional REST APIs: it is effectively a data query and manipulation language for APIs, and clients decide which fields they pull. When not implemented carefully, GraphQL APIs can vastly expand the attack surface and lead to excessive data exposure.
Carve Systems have published a blog post that summarizes the security issues they see in GraphQL implementations. According to them, the most common GraphQL security vulnerabilities are:
- Inconsistent authorization checks
- REST proxies allow attacks on underlying APIs
- Missing validation of custom scalars
- No appropriate rate limiting
- Introspection reveals non-public information
They have also provided a link to the sample API they used for the blog post, for a more hands-on experience. If you work with or are interested in GraphQL, it is definitely worth checking out.
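The introspection item on the list above is the quickest to check during a test. The following is an added example (not code from the Carve Systems post or its sample API): it sends the standard introspection query, and if the server answers, walks the returned type system to flag fields and types whose names suggest non-public functionality. The response JSON, the suspect-name patterns and the helper names are all constructed here as assumptions; a real introspection response is much larger but has the same shape.

```python
"""Audit a GraphQL introspection response for types and fields that look
non-public. Added example with constructed data, not the Carve Systems
sample API."""
import json
import re

# The minimal introspection query a tester sends first. If introspection is
# enabled the server returns its whole type system in one round trip.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      kind
      name
      fields { name isDeprecated deprecationReason }
    }
  }
}
"""

# Name fragments that usually mark functionality not meant for public
# clients. Assumption: tune this list to the target's naming conventions.
SUSPECT_PATTERNS = re.compile(
    r"(admin|internal|debug|impersonat|secret|token|password|hash|staff)",
    re.IGNORECASE,
)

# Constructed response from a server that has introspection enabled.
SAMPLE_RESPONSE = json.dumps({
    "data": {"__schema": {
        "queryType": {"name": "Query"},
        "mutationType": {"name": "Mutation"},
        "types": [
            {"kind": "OBJECT", "name": "Query", "fields": [
                {"name": "products", "isDeprecated": False, "deprecationReason": None},
                {"name": "adminUsers", "isDeprecated": False, "deprecationReason": None}]},
            {"kind": "OBJECT", "name": "Mutation", "fields": [
                {"name": "login", "isDeprecated": False, "deprecationReason": None},
                {"name": "impersonateUser", "isDeprecated": False, "deprecationReason": None}]},
            {"kind": "OBJECT", "name": "User", "fields": [
                {"name": "id", "isDeprecated": False, "deprecationReason": None},
                {"name": "email", "isDeprecated": False, "deprecationReason": None},
                {"name": "passwordHash", "isDeprecated": True,
                 "deprecationReason": "moved to internal service"}]},
            {"kind": "SCALAR", "name": "String", "fields": None},
            {"kind": "OBJECT", "name": "__Type", "fields": [
                {"name": "name", "isDeprecated": False, "deprecationReason": None}]},
        ]}}
})

# Constructed response from a server that has introspection disabled.
DISABLED_RESPONSE = json.dumps({
    "errors": [{"message": "GraphQL introspection is not allowed"}],
    "data": None,
})


def _schema(response_json):
    """Return the __schema object from a response, or None if absent."""
    doc = json.loads(response_json)
    return (doc.get("data") or {}).get("__schema")


def introspection_enabled(response_json):
    """True when the server answered the introspection query with a schema."""
    return _schema(response_json) is not None


def audit_introspection(response_json):
    """Return (type, field, reason) findings for names that look non-public
    and for deprecated fields that are still reachable."""
    schema = _schema(response_json)
    if schema is None:
        return []
    findings = []
    for t in schema["types"]:
        type_name = t["name"]
        if type_name.startswith("__"):
            continue  # built-in introspection types, not the target's own
        if SUSPECT_PATTERNS.search(type_name):
            findings.append((type_name, None, "suspect type name"))
        for f in t.get("fields") or []:
            reason = None
            if SUSPECT_PATTERNS.search(f["name"]):
                reason = "suspect field name"
            elif f.get("isDeprecated"):
                # Deprecated fields are still served; they often predate
                # current authorization rules.
                reason = "deprecated field still exposed: " + (f.get("deprecationReason") or "")
            if reason:
                findings.append((type_name, f["name"], reason))
    return findings


if __name__ == "__main__":
    # Usage: POST INTROSPECTION_QUERY as {"query": ...} to the target endpoint
    # and feed the raw response body to the two functions above.
    print("introspection enabled:", introspection_enabled(SAMPLE_RESPONSE))
    for finding in audit_introspection(SAMPLE_RESPONSE):
        print(finding)
```

Every name the audit flags is only a lead: confirm each by actually calling the field with a low-privilege token, which is also how the "inconsistent authorization checks" item on the list is tested. On the defensive side the same query is the check to run against production after deploying, since introspection should answer with an error there.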
Cheat sheets: OAuth 2.0 and JWT security
Every now and then, Philippe De Ryck releases great cyber security cheat sheets. His two latest are highly relevant to API security:
- OAuth 2.0 best practices for developers
- JSON Web Tokens (JWT)
Grab them at his site here, and keep him on your radar for further handy resources.
Tools: REST API pentesting with Insomnia and Burp
Mic Whitehorn-Gillam posted an article on how to use Insomnia and Burp together for REST API penetration testing. He covers, for example:
- Getting and installing Insomnia
- Using Insomnia to post REST requests
- Proxying Insomnia through Burp
- Chaining requests
This is a sequel to his series on Postman and Burp that we covered in our issue 34.
Analysts: Alexei Balaganski (KuppingerCole)
The latest KuppingerCole podcast episode features Alexei Balaganski explaining the cyber security consequences of API proliferation, and what needs to be done about it.
His topics include things like:
- Proliferation of APIs
- Examples of breaches
- Why API security is different from web security and from API management, and thus needs specialized solutions
- How API security needs to span design, development, testing, runtime protection, and monitoring