Posted on

API Security Weekly: Issue 163

This week, we have an article on 7 reasons why API security strategies are failing, details on the recent keynote by Werner Vogels at AWS re:Invent on 6 rules for good API design, an article by Cisco on API discovery, and a review of some of the biggest API security attacks in 2021.

Article: 7 Reasons Your API Security Strategy Is Failing

This week, AmazicWorld featured a review of why API security strategies are failing to have the desired effect. The author’s view is that whilst developers are well-versed in how to create APIs, the security risks that APIs pose are an increasing threat to organizations. These risks are in large part a consequence of rapid API adoption: the sprawl of APIs is widening the threat landscape, and the fact that APIs are well-documented and can be easily reverse-engineered enables attackers to take advantage of them.

Posted on

API Security Weekly: Issue 158

This week, we have news on a breach affecting 400 000 users of a popular German school app, and another vulnerability in a popular WordPress plugin. In addition, there’s a thought-provoking opinion piece on the value of GraphQL on public interfaces, and an article featuring nine useful API testing tools.

Breach: Sensitive Data of 400 000 German Students Exposed by API Flaw

Last week, the news broke of a breach on a popular German student community app, Scoolio, discovered by security researcher Lilith Wittmann. Conservative estimates put the number of affected students to 400 000 students, but how Scoolio creates user accounts throws some uncertainty to the exact figure here.

Posted on

API Security Weekly: Issue #144

This week, JustDial has had to re-fix an old API vulnerability that they already fixed in 2019. We also have a set of scripts for automated API key validation, and two videos from recent conferences on the OAuth roadmap and GraphQL security.

Vulnerability: JustDial

JustDial had a regression as they accidentally reintroduced the API vulnerability that they had fixed (and we reported) back in 2019. Ironically, it was found and resubmitted to the vendor by the same reporter as last time, Rajshekhar Rajaharia.

Posted on

API Security Weekly: Issue #140

This week, we take a look at the recent API vulnerabilities reported at LazyPay, API attacks on Western Digital My Book Live NAS systems, and LinkedIn profiles getting scraped. We also have a new detailed mind map for broken object-level authorization (BOLA/IDOR) vulnerabilities.

Vulnerability: LazyPay

LazyPay is a pay-later platform that has over 2 million active users in India.

Posted on

API Security Weekly: Issue #114

This week, we check out the API aspects of the recent SolarWinds and PickPoint breaches. Also, we have a review on how to shift API security left with GitHub and 42Crunch and an introduction video on GraphQL security.

Breach: SolarWinds

The SolarWinds hacking reported this weekend was not API-related as such. It was a supply chain attack in which hackers (likely a state actor) managed to add their backdoor in one of the DLL files of SolarWind’s IT monitoring and management software, Orion. After a dormant period, the malicious code would contact the command and control center (C2) to get further instructions and execute them. This was in turn used against SolarWinds’ customers, including multiple US government agencies.

Posted on

API Security Weekly: Issue #113

This week, we take a look at the recent API vulnerabilities reported at YouTube and 1Password, a detailed OpenID Connect (OIDC) security research, and how Assetnote Wordlists can be used in API discovery.

Vulnerability: YouTube

Ryan Kovatch was testing YouTube Video Builder beta when he discovered API flaws in YouTube APIs that it uses.

Posted on

API Security Weekly: Issue #111

This week, we take a look at the recent API security issues with Resource-Based Policy APIs at Amazon Web Services (AWS), Backup Gateway APIs at Tesla, and in Twitter Fleets. In addition, we have some free passes to the upcoming DeveloperWeek New York that includes some talks on API security too.

Vulnerability: AWS Resource-Based Policy APIs

Researchers at Unit42 found that 22 APIs across 16 different AWS services can be exploited to leak Identity and Access Management (IAM) users and roles.

Posted on

API Security Weekly: Issue #109

This week, another API has been leaking voter data in the US, we take a look at Dynatrace’s API token best practices as well as Dredd, an open-source OpenAPI verification tool, and there is a video with tips on locating broken object-level authorization vulnerabilities in APIs.

Vulnerability: Trump Campaign’s Post-Election Site

Although the campaigns are finally over, the US elections still feature in our newsletter. This time the dubious star of the week is the website that the Trump campaign launched to collect anecdotal evidence of voting issues. Researchers found that the APIs behind the site were poorly protected and leaking voter information.

Posted on

API Security Weekly: Issue #102

This week, we look into the recent API vulnerabilities at Facebook and the campaing apps for US presidential election, a new book on the OpenAPI Specification (OAS), and a guest post by API security trainer Mohammed Aldoub on how to build APIs that are easy to defend against attackers.

Vulnerability: Facebook

Marcos Ferreira found a Broken Object-Level Authorization (BOLA/IDOR) vulnerability in Facebook’s GraphQL API. The vulnerability allowed anyone to change the URL of a Facebook Page (so not your Facebook profile or user account), and then take over the old URL.

Posted on

API Security Weekly: Issue #98

This week, we take a look at the recently reported API vulnerabilities in the COVID-19 tracing app Aura and in Kubernetes, some API security best practices, and a talk on OWASP API Top 10 from DEF CON 2020.

Vulnerability: Aura COVID-19 Tracing App

Another mandatory COVID-19 tracing app, was found to leak personal information and health status of users. This time it was Aura, an app that Albion College in Michigan has made mandatory for all students.

Posted on

API Security Weekly: Issue #94

This week, we have a potential username exposure in WordPress APIs, an upcoming API security training at the Black Hat USA 2020 conference, and some industry statistics on the poor security performance of web application firewalls (WAFs) and the importance of API security.

Vulnerability: WordPress

If you use WordPress, check if the REST API endpoint of WordPress is openly sharing usernames at your_domain/wp-json/wp/v2/users.

Posted on

API Security Weekly: Issue #92

This week, Pen Test Partners take a dive deep into why API vulnerabilities are so common in the cheaper smart tracker devices, and we also look at a vulnerability in TP-LINK’s Kasa Cameras. On the sunny side of the street, we have helpful simulators to figure out the different OAuth2 and OpenID Connect (OIDC) flows, and another upcoming webinar on API security.

Vulnerability: SETracker and Smartwatches for Dementia Patients

This is one of those API vulnerabilities that can have life-or-death consequences: Pen Test Partners found serious API vulnerabilities in SETracker, a backend service behind kids’ smartwatches, car trackers, dementia patients’ devices, to name but a few.

Posted on

API Security Weekly: Issue #90

This week, we take a look at how Twitter API erroneously allowed browsers to cache sensitive data, and how skimmers have found a way to use Google Analytics APIs to get their hands on credit card data. Plus, there is a live demo of API hacking, as well as a new book on API security.

Vulnerability: Twitter

HTTP headers can play an important role in API security, like the case with Twitter API shows. The header cache-control:no-store had not been set on the API, which meant that the data that this API returned to the web page was stored in the browser cache.

Posted on

API Security Weekly: Issue #88

This week, we take a break from vulnerabilities and direct our gaze to the wider landscape of API security.

On the practical side, we have a toolkit for JSON Web Token (JWT) security. The more high-level items include a video on API discovery, an eBook on API security, and a discussion on the role of the OpenAPI standard in API security.

Posted on

API Security Weekly: Issue #82

Opinion: The 5 Most Common Vulnerabilities in GraphQL

Although the adoption of GraphQL is still fairly limited, it is undeniably on the rise. GraphQL is different from the traditional REST APIs: it is effectively a data query and manipulation language for APIs. When not done right, GraphQL APIs can vastly expand the surface area for data attacks and lead to excessive data exposure.

Carve Systems have published a blog post that summarizes the security issues that they see in GraphQL implementations. According to them, the most common GraphQL security vulnerabilities:

Posted on

API Security Weekly: Issue #75

This week, the state of security in Zyxel’s management console as well as in the field of IoT leaves room for improvement.

Meanwhile, on the presentation front, we have an upcoming webinar on API DevSecOps in Azure Pipelines, and recordings from BSides SF 2020 are out.