API Security Weekly: Issue 173

This week, we have news of the eye-opening vulnerability on the Coinbase platform which netted $250,000 in bug bounty. There’s also an excellent guide on best practices for authentication and authorization for REST APIs, an article on the growth of bad bots and how to mitigate them, and a fun read from APIHandyman on how to hack the Elgato Key Light API.

Vulnerability: Coinbase API Bug Allowed Unlimited Cryptocurrency Trading

This week’s major news story has been the disclosure of a major vulnerability in an API on Coinbase, a cryptocurrency trading platform. This vulnerability potentially allowed an attacker to make unlimited cryptocurrency trades between different currency accounts.

How Spring Security Concurrent Session Control Works: Part 1

Introduction

Spring Security provides a mechanism to control and limit the maximum number of open sessions a single user may have. It prevents a user from exceeding the allowed number of simultaneous logins; Netflix's limit on how many screens can stream at the same time under a given subscription plan is a familiar example of the same idea.

In part 1, we will look at how this mechanism works, how to use it, and the limitations of the default Spring Security implementation. In part 2, we will see how to overcome those limitations in a clustered environment.
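The following configuration is an added example written for this summary, not code from the article, showing what the mechanism above looks like in a Spring Security 6 application (the `ConcurrentSessionConfig` class name, the `/login?expired` URL and the limit of one session are assumptions for the illustration). It also shows the two pieces that are easy to forget: the `HttpSessionEventPublisher`, without which expired sessions are never removed from the registry, and the in-memory `SessionRegistryImpl`, which is the reason the default implementation does not work across a cluster.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

/** Added example (not from the article): limit each user to one live session. */
@Configuration
@EnableWebSecurity
public class ConcurrentSessionConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http, SessionRegistry sessionRegistry)
            throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                // At most one live session per principal (assumed limit for the example).
                .maximumSessions(1)
                // false: the oldest session is expired when a new login arrives.
                // true:  the new login is rejected while an older session is still live.
                .maxSessionsPreventsLogin(false)
                // A request arriving on an expired session is redirected here.
                .expiredUrl("/login?expired")
                // Registry that tracks principal -> session ids (see bean below).
                .sessionRegistry(sessionRegistry));
        return http.build();
    }

    /**
     * The default registry keeps its principal -> sessions map in memory, per JVM.
     * Two application nodes therefore each allow one session, so the limit is not
     * enforced cluster-wide without a shared registry (the topic of part 2).
     */
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    /**
     * Publishes session-created/destroyed events to the registry. Without it, a session
     * that timed out or was invalidated still counts against the limit; combined with
     * maxSessionsPreventsLogin(true) that locks the user out until the stale entry expires.
     */
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

To observe the behaviour, log in from two browsers: with `maxSessionsPreventsLogin(false)` the first browser's next request lands on `/login?expired`; with `true` the second login is refused instead. Whichever you choose, `sessionRegistry.getAllSessions(principal, false)` lists the sessions currently counted for a user.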

Mule 4 TOTP Connector to Generate Codes Compatible With Google Authenticator

Agenda

  • Introduction
  • TOTP Connector Details
  • Usage Scenarios

Introduction

In this article, we'll enable a MuleSoft application to validate an authentication code generated by Google Authenticator for a user account that was registered with a shared secret key.

TOTP Connector Details

The connector accepts the shared secret key as input and decodes it with the Base32 class before computing the code.
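For readers who want to see what the connector has to compute, here is an added example written for this summary, not the connector's own code: RFC 6238 TOTP with the parameters Google Authenticator uses by default (HMAC-SHA1, six digits, 30-second step), with the article's Base32 class replaced by a small hand-rolled RFC 4648 decoder so the example has no dependencies. The `GoogleAuthenticatorTotp` class name and the one-step drift window are assumptions; the secret in `main` is the SHA-1 test secret from RFC 6238, Base32-encoded.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Instant;

/** Added example: TOTP with Google Authenticator defaults (HMAC-SHA1, 6 digits, 30 s). */
public final class GoogleAuthenticatorTotp {

    private static final String BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
    private static final int DIGITS = 6;
    private static final long STEP_SECONDS = 30;

    /** Decodes the RFC 4648 Base32 secret from the otpauth:// URI; ignores padding, spaces and case. */
    static byte[] decodeBase32(String secret) {
        String clean = secret.replace(" ", "").replace("=", "").toUpperCase();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        int buffer = 0;
        int bitsLeft = 0;
        for (char c : clean.toCharArray()) {
            int value = BASE32_ALPHABET.indexOf(c);
            if (value < 0) {
                throw new IllegalArgumentException("not a Base32 character: " + c);
            }
            buffer = (buffer << 5) | value;   // append 5 bits
            bitsLeft += 5;
            if (bitsLeft >= 8) {
                out.write((buffer >> (bitsLeft - 8)) & 0xFF);
                bitsLeft -= 8;
                buffer &= (1 << bitsLeft) - 1;  // keep only the bits not yet emitted
            }
        }
        return out.toByteArray();
    }

    /** HOTP (RFC 4226) for one counter value; TOTP is HOTP with counter = unixTime / STEP_SECONDS. */
    static String generate(byte[] key, long counter) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        byte[] hash = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int offset = hash[hash.length - 1] & 0x0F;           // dynamic truncation
        int binary = ((hash[offset] & 0x7F) << 24)
                   | ((hash[offset + 1] & 0xFF) << 16)
                   | ((hash[offset + 2] & 0xFF) << 8)
                   |  (hash[offset + 3] & 0xFF);
        int code = binary % (int) Math.pow(10, DIGITS);
        return String.format("%0" + DIGITS + "d", code);
    }

    /** The code the user's authenticator app is showing right now. */
    static String currentCode(String base32Secret) throws GeneralSecurityException {
        return generate(decodeBase32(base32Secret), Instant.now().getEpochSecond() / STEP_SECONDS);
    }

    /**
     * Validates a user-supplied code at the given time, tolerating +/- window steps of
     * clock drift and comparing in constant time. A real deployment must also remember
     * the last step accepted per user and refuse a code for that step again (replay).
     */
    static boolean validate(String base32Secret, String userCode, long unixTime, int window)
            throws GeneralSecurityException {
        byte[] key = decodeBase32(base32Secret);
        long step = unixTime / STEP_SECONDS;
        byte[] supplied = userCode.getBytes(StandardCharsets.US_ASCII);
        boolean matched = false;
        for (long i = -window; i <= window; i++) {
            byte[] expected = generate(key, step + i).getBytes(StandardCharsets.US_ASCII);
            matched |= MessageDigest.isEqual(expected, supplied);  // no early exit on mismatch
        }
        return matched;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // RFC 6238 SHA-1 test secret "12345678901234567890", Base32-encoded as an app would receive it.
        // The RFC lists 94287082 as the 8-digit TOTP at T=59; the 6-digit form is its last six digits.
        String secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";
        System.out.println(generate(decodeBase32(secret), 59 / STEP_SECONDS));
        System.out.println(validate(secret, "287082", 59, 1));
        System.out.println(validate(secret, "287082", 59 + 120, 1));
        System.out.println("code right now: " + currentCode(secret));
    }
}
```

The drift window is the one knob worth thinking about: each extra step of tolerance doubles the number of codes an attacker can guess against, so keep it at one step and fix clock skew on the server instead of widening it.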

How to Spot Vulnerabilities of Custom SAML Implementations Before They Happen

SAML (Security Assertion Markup Language), an XML-based standard used to streamline identity checks for larger applications, is often prone to vulnerabilities. This article goes over the usual roadblocks developers run into when working with custom SAML solutions, and looks at preventive measures developers can take to stop vulnerabilities before they happen.

Crash Course in SAML

SAML is used for exchanging authentication and authorization data between identity providers and service providers. One of the most common use cases for SAML is facilitating browser-based Single Sign-On (SSO).

OpenID Connect Authentication With OAuth 2.0 Authorization

Over the past decade, Open Authorization (OAuth) has emerged as the industry-standard protocol for authorization. Today almost every web and mobile application uses OAuth 2.0 (the latest version of OAuth) for authorization.

OAuth 2.0 is used by tech giants like Facebook, Google, and Twitter. It lets users grant third-party applications or websites access to information in their accounts. Because the user logs in as part of the flow, many developers and API providers have incorrectly concluded that OAuth is itself an authentication protocol, and so they use it to perform authentication. The question here is: are they right in doing that?

Develop a REST API in PHP

REST APIs are at the heart of modern web development. While they are easy to build in just about any modern framework, most PHP developers choose Lumen/Laravel or Symfony. These frameworks make it easy to handle complex concerns like authentication/authorization, request validation, data transformation, filters, rate throttling, complex endpoints with sub-resources, and API documentation.

A complex framework isn’t necessary to build a secure API. In this post, you’ll build a simple REST API in PHP from scratch and secure it with Okta by implementing the Client Credentials Flow.