Posted on

API Security Weekly: Issue 160

This week, we have a vulnerability in the AWS API gateway that allows a potential cache-poisoning attack, disclosed at the recent BlackHat Europe conference, a guide on how to harden Kubernetes API access, a report from Forbes on the need to take API security more seriously, and predictions on what's possible on the next OWASP API security Top 10.

Vulnerability: AWS API Gateway Vulnerable to HTTP Header-Smuggling Attack

At the recent BlackHat Europe security conference, web security researcher Daniel Thatcher disclosed vulnerabilities relating to the AWS API gateway that allowed HTTP header smuggling. Currently, AWS has not responded to this research nor offered a comment regarding the potential vulnerabilities in their API gateway.

Posted on

API Security Weekly: Issue 158

This week, we have news on a breach affecting 400 000 users of a popular German school app, and another vulnerability in a popular WordPress plugin. In addition, there’s a thought-provoking opinion piece on the value of GraphQL on public interfaces, and an article featuring nine useful API testing tools.

Breach: Sensitive Data of 400 000 German Students Exposed by API Flaw

Last week, the news broke of a breach on a popular German student community app, Scoolio, discovered by security researcher Lilith Wittmann. Conservative estimates put the number of affected students to 400 000 students, but how Scoolio creates user accounts throws some uncertainty to the exact figure here.

Posted on

API Security Weekly: Issue #72

This week, we take a look at how WordPress got exploited by a 3rd-party plugin and how API security research can sometimes be a very ungrateful endeavor. In addition, we also have the cost of ignoring API security as showcased by Facebook as well as several good JSON Web Token (JWT) talks. And as a cherry on top, we have a patch release to the OpenAPI Specification (OAS).

Vulnerability: WordPress ThemeREX Addons Plugin

WordPress REST APIs got exposed and exploited through ThemeREX Addons plugin, installed on about 44,000 sites.

Posted on

API Security Weekly: Issue #70

This week, we check out a recent API vulnerability in Twitter. In addition, it looks like API vulnerabilities are a bit of a theme in apps by political parties: vulnerabilities were discovered in apps by Israel’s Likud and the Democratic Party in the USA. We also have two API security talks: one recorded and one upcoming webinar.

Vulnerability: Twitter

Twitter has disclosed a recent API exploit. The API endpoints to make finding friends in Twitter by their phone numbers easier were abused, possibly by state-sponsored actors, to mine accounts by mapping them to phone numbers. Detecting and throttling the exploit was hard because the phone numbers were not sequential and attackers used multiple accounts and IP addresses in their attacks.

Posted on

API Security Weekly: Issue #65

This week, we look into the recent API vulnerabilities in Siemens plant operation control system, D-Link routers, and Cisco network management. In addition, OWASP has formally released their first-ever Top 10 list of API security.

Vulnerability: Siemens SPPA-T3000

The application server of the Siemens plant operation control system SPPA-T3000 had API vulnerabilities. The AdminService API was accessible without authentication as long as you had network access to it and knew how to craft requests for it.

Posted on

API Security Weekly: Issue #62

This week, we look at the recent API vulnerabilities in Amazon Ring’s Neighbors app and the Droom vehicle marketplace, articles on API security and WebSockets, an opinion piece on the most exploited API vulnerabilities, and a couple of recorded webinars.

Vulnerability: Amazon Ring

Gizmodo reports that Amazon Ring’s crime-alert app, Neighbors, exposes too much data through API calls. The coordinates included in the posted videos are so detailed that the locations of cameras and the users are exposed with extremely accurate precision.

Posted on

API Security Weekly: Issue #60

API Security Weekly

This week, we look into a vulnerability in Microsoft Azure OAuth implementation that could have lead to the take-over of Azure accounts. In addition, we take a look at the security in the shopping apps on mobile phones and 5G networks.

In other news, the recording of our OWASP API Security Top 10 webinar is now available, and we have a follow-up session coming up.

Posted on

API Security Weekly: Issue #56

API Security News — Vulnerabilities

This week, API vulnerabilities were reported in Rittal cooling systems. In other news, there is an API vulnerability cheat sheet that you can print and put on your wall, an overview of common JWT attacks, and a GlobalData report on the trends in API management and API security.

You may also like:  REST API Security Vulnerabilities

Vulnerability: Rittal Industrial Cooling

Applied Risk has found two critical vulnerabilities in Rittal industrial cooling equipment. If attackers know the URLs to invoke, they can bypass authentication and turn cooling on or off or set the temperature.