Issue 94: Two-day API security training at Black Hat USA


This week, we have a username exposure through the WordPress REST API, an upcoming API security training at the Black Hat USA 2020 conference, and some industry statistics on the poor performance of web application firewalls (WAFs) and on the importance of API security.

Vulnerability: WordPress

If you use WordPress, check whether the REST API of your site is openly listing usernames at your_domain/wp-json/wp/v2/users.

Exposing the list of usernames of your site is a very bad idea. If attackers get their hands on that list, they have one half of each credential pair. They can then launch brute-force attacks against these accounts, trying various passwords to find the missing half. As we have said earlier, do not make attackers’ lives easier.

For more details on this vulnerability, as well as practical tips on what you can do about it, see this write-up in Security Boulevard.

As a general note, allowing username enumeration through APIs in any system is not a good idea, whether it happens through a listing endpoint like this one or through login and password-reset responses that differ for known and unknown users.
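The check described above, as an added example that is not code from the newsletter or from WordPress: a small Python script that parses the JSON list returned by /wp-json/wp/v2/users and pulls out the user slugs. The slug is the user_nicename, which WordPress derives from the login name unless the user changed it, so it is the value a password-guessing attack would feed to wp-login.php. The sample responses, the hostname example.test and the error code in the "blocked" sample are constructed so the script runs offline; the fetch() wrapper is what you would point at a site you are authorised to test.

```python
"""Check whether a WordPress site lists usernames via /wp-json/wp/v2/users.

Added example, not part of the newsletter or of WordPress itself.
The two sample bodies below are constructed; only their shape follows
what WordPress returns in the default "view" context.
"""
from __future__ import annotations

import json
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Constructed sample of an exposed endpoint: a JSON list of user objects.
# Real responses carry more fields (url, description, avatar_urls, meta).
SAMPLE_RESPONSE = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin",
     "link": "https://example.test/author/admin/"},
    {"id": 7, "name": "Jane Editor", "slug": "jeditor",
     "link": "https://example.test/author/jeditor/"},
])

# Constructed sample of a site that blocks unauthenticated listing. The exact
# error code depends on the site or plugin doing the blocking (assumption);
# the check only relies on the body not being a JSON list.
SAMPLE_BLOCKED = json.dumps({
    "code": "rest_cannot_access",
    "message": "Only authenticated users can access the REST API.",
    "data": {"status": 401},
})


def extract_usernames(body: str) -> list[str]:
    """Return the slugs found in one page of a /wp/v2/users response.

    Returns an empty list when the body is not a JSON list, which covers
    WordPress error objects (401/403/400) and non-JSON replies from a WAF.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(data, list):
        return []
    return [u["slug"] for u in data if isinstance(u, dict) and "slug" in u]


def users_endpoint(site: str, page: int = 1, per_page: int = 100) -> str:
    """Build the paginated users URL. WordPress caps per_page at 100."""
    base = site.rstrip("/") + "/"
    return urljoin(base, f"wp-json/wp/v2/users?per_page={per_page}&page={page}")


def fetch_usernames(site: str, fetch=None) -> list[str]:
    """Walk the users endpoint page by page and collect every slug.

    `fetch` maps a URL to a response body (str). The default uses urllib and
    returns the body of HTTP error responses too, so the error object that
    WordPress sends past the last page simply ends the loop.
    """
    if fetch is None:
        def fetch(url: str) -> str:
            try:
                with urllib.request.urlopen(url, timeout=10) as resp:
                    return resp.read().decode("utf-8", "replace")
            except urllib.error.HTTPError as err:
                return err.read().decode("utf-8", "replace")

    found: list[str] = []
    page = 1
    while True:
        names = extract_usernames(fetch(users_endpoint(site, page)))
        if not names:
            break
        found.extend(names)
        page += 1
    return found


if __name__ == "__main__":
    # Offline demonstration against the constructed samples.
    print("exposed :", extract_usernames(SAMPLE_RESPONSE))
    print("blocked :", extract_usernames(SAMPLE_BLOCKED))
```

Note that, by default, WordPress only lists users who have published posts, so an empty list from a real site does not prove the endpoint is restricted, only that no author names are currently exposed.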

Training: “Attacking and Securing APIs” at Black Hat USA 2020

For obvious reasons, the Black Hat USA 2020 conference is virtual this year. This is great, because it means you can access high-quality security content from the comfort (and safety) of your own home.

One of the best opportunities this provides is attending the 2-day training “Attacking and Securing APIs” by Mohammed Aldoub, on August 3–4.

The training is extremely detailed and includes 50+ hands-on labs on web and cloud APIs, microservices, and serverless security. Space is limited, so sign up quickly if you want to participate.

For more details, see the full agenda of the course at the conference website.

Technology wars: WAFs

In the world of APIs and modern cloud apps, WAFs continue to get a bad rap. In the latest study by the Neustar International Security Council:

  • Four in 10 security professionals reported that at least half of the application-layer attacks lobbed against them ended up bypassing the WAF.
  • One in 10 said that closer to 90% of attacks got through the WAF defenses.
  • One in three said that some 50% of the requests flagged by the WAF in the past 12 months were false positives.

The stats do not exactly raise confidence in WAFs’ performance. We have covered earlier surveys among WAF users in our issue 32.

Industry stats: API security

Jaikumar Vijayan has compiled a list of 30 recent application security stats, and one of them is on API security:

“37%: Percentage of respondents who said API security is their top priority for cloud-native apps”

Feel free to use it in your presentations as another data point for API security.

