Issue 88: JWT pentesting, API discovery, the present and future of OpenAPI


This week, we take a break from vulnerabilities and direct our gaze to the wider landscape of API security.

On the practical side, we have a toolkit for JSON Web Token (JWT) security. The more high-level items include a video on API discovery, an eBook on API security, and a discussion on the role of the OpenAPI standard in API security.

Tool: JWT toolkit

With modern APIs, JWTs are the most commonly used security tokens. This means that JWT security serves as the cornerstone of REST API security in general (check out the JWT security videos that we posted in issue 72).

Now there are two more open-source resources available:

  • The JSON Web Token Toolkit: a Python script, jwt_tool, for validating, forging and cracking JWTs.
  • JWT Attack Playbook: a wiki on what JWTs are, how they work, how to test them for vulnerabilities, and the common weaknesses and unintended coding errors found in JWT implementations. The wiki is closely related to jwt_tool.
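As an added illustration of the "unintended coding errors" the playbook catalogues (example code written for this issue, not part of jwt_tool or the playbook): a verifier that lets the token's own header choose the algorithm, beside a hardened one that pins HS256, compares the signature in constant time and enforces exp. The key and claims are constructed sample values.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def encode_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a token; alg="none" yields the unsigned form used below as a test vector."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_naive(token: str, key: bytes) -> dict:
    """The coding error: the verifier lets the token's own header choose the algorithm."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h))["alg"] == "none":  # attacker-controlled branch
        return json.loads(b64url_decode(p))            # no signature, no exp check
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if b64url_encode(sig) != s:                        # also not constant-time
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))

def verify_hardened(token: str, key: bytes, now=None) -> dict:
    """Pin the algorithm server-side, compare in constant time, and enforce exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims

def accepts(verifier, token: str, key: bytes) -> bool:
    try:
        verifier(token, key)
        return True
    except (ValueError, KeyError):
        return False
```

Running both verifiers over the same unsigned or expired token shows why jwt_tool's checks matter: the naive verifier accepts what the hardened one rejects.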

Video: Automated Web Application & API Discovery & Other Things That Sound Simple

This is a recording of a presentation that Jeremy Brooks and Stuart Lane from Aaron’s Inc. gave at BSides Atlanta 2020.

Brooks and Lane talk about their experiences in locating shadow APIs in their network:

  • DNS enumeration
  • Web host discovery
  • API discovery
  • Risk factor identification

eBook: Understanding API Security

Manning has published a free eBook “Understanding API Security” by Justin Richer and Antonio Sanso.

Quoting the book abstract:

“Gone are the days when it was acceptable for a piece of software to live in its own little silo, disconnected from the outside world. Today, services are expected to be available for programming, mixing, and building into new applications.

Understanding API Security is a selection of chapters from several Manning books that give you some context for how API security works in the real world by showing how APIs are put together and how the OAuth protocol can be used to protect them.”

Opinion: API security and the OpenAPI Specification standard

The New Stack has posted a conversation on API security between Jesse Casman and Dmitry Sotnikov (that’s me :)) on the OpenAPI Specification (OAS) and API security. We discuss a bunch of topics including:

  • What makes API security different from web app security
  • The role of standards and OpenAPI Initiative (OAI)
  • Gaps in standards
  • Top 3 API vulnerabilities
  • The future of API security
