Welcome to our May API newsletter, recapping some of the events of last month. As the old proverb goes, April showers bring May flowers – and this means the bees at the Wallarm hive have been in full foraging mode and the honey is flowing: lots of updates & improvements to the platform, and much more. After all, as the old nursery rhyme says: A swarm of bees in May is worth a load of hay – so read on for this month's bit o' honey!
I want to talk about the top 5️⃣ risky API development/coding practices 🚧 in various industries. We'll share anonymous examples 🕵️♀️ to learn from and tips on how to avoid them! 🛡️
1️⃣ No Authentication/Authorization 😱
🏥 Healthcare: An API allowed access to patient records without verifying user credentials. 🚑
🛡️ Avoid: Implement strong auth protocols like OAuth2.0, and always use role-based access control.
2️⃣ Weak Input Validation 😵
🏦 Banking: An API accepted user input without proper validation, enabling attackers to manipulate transactions. 💸
🛡️ Avoid: Always validate and sanitize user input, and use prepared statements for SQL queries.
3️⃣ Insufficient Rate Limiting 🚀
🛍️ E-commerce: An API allowed an unlimited number of requests, resulting in a DDoS attack that crashed the site. 🌐
🛡️ Avoid: Set rate limits based on user type and API usage to protect against abuse and maintain availability.
4️⃣ Insecure Data Transmission 🔓
🎓 Education: An API transmitted sensitive student data over an unencrypted connection. 📚
🛡️ Avoid: Always use HTTPS and enforce TLS for secure data transmission.
5️⃣ Poor Error Handling 💥
🚗 Transportation: An API exposed sensitive backend info in error messages, making it vulnerable to attacks. 🚦
🛡️ Avoid: Handle errors gracefully, log them internally, and provide generic error messages to users.
Remember, API security is 🔑! Follow these tips and keep your data safe! 💼💪
👩💻 Share your thoughts or experiences on risky API practices with me on LinkedIn!
– Ivan, CEO & Co-Founder, Wallarm
Let's talk OWASP. Less than six weeks after we walked thru the OWASP API Security Top-10 list release candidate (RC), it was officially released. Here's a brief recap to get everyone up to speed.
First, a lot of what we covered in the RC version is still pertinent. If you missed our coverage, here are some resources to catch up:
- Solution Brief: OWASP API Security Top-10 2023 (RC) Reference Guide (PDF)
- Blog Post: Insights into the New OWASP API Security Top-10 for CISOs
- On-Demand Webinar: A Practitioner’s Guide to the New 2023 OWASP API Security Update
- On-Demand Webinar: A CISOs Guide to the New 2023 OWASP API Security Update
Second, we wrote a "hot take" post on the changes from the RC version to the final release: OWASP API Security Top-10 Risks for 2023 Released. The tl;dr is:
- API6:2023RC (Server Side Request Forgery) is now API7:2023 – this seems to just be a step down in the rankings.
- API7:2023RC (Security Misconfiguration) is now API8:2023 – again, this just seems like a step down in the rankings.
- API8:2023RC (Lack of Protection from Automated Threats) is gone, replaced by (or at least combined into) API6:2023 (Unrestricted Access to Sensitive Business Data Flows).
- Injection risks are still "missing" from the final 2023 release, having been subsumed into API10:2023 (Unsafe Consumption of APIs).
Last, we noted that the risk rankings (namely, likelihood x impact) appear to have changed across the board, and in some cases substantially, in the final version. We took a deeper look at this in OWASP API Security Top-10 for 2023 Risk Ratings and found the minimum risk rating in the 2023 release exceeds the average of the entire RC version.
Stay tuned as we dig deeper into the details of the final OWASP API Security Top-10 2023 risks list, and help you understand the impact on your API security program.
The hive has been busy all month adding capabilities and making improvements. Here are some of the updates they’ve released:
- Shadow API Detection. We have enhanced the ability to identify undocumented APIs in your environment. The new API Specifications section allows you to easily upload OpenAPI specifications, and compare them with API Discovery findings. This real-time, targeted matching process integrates smoothly into existing workflows, enabling you to proactively identify and mitigate potential risks and vulnerabilities, to help secure undocumented Shadow APIs, and to ensure the overall integrity and safety of your API ecosystems. Watch the demo video.
- Integration with AWS S3. With the new integration, Wallarm exports detected malicious requests to AWS S3 for further analysis and security incident investigation. This allows security analysts to receive and analyze malicious requests, correlate data, and gain a comprehensive view of security events in other tools in your security stack.
- Integration with ServiceNow. By integrating Wallarm with ServiceNow, SecOps teams can optimize security operations and quickly identify and resolve vulnerabilities. Automated event creation eliminates manual information transfer, saving time and reducing the risk of errors. This integration empowers SecOps to proactively address vulnerabilities and maintain a strong security posture.
Did You Know? You can subscribe to our update announcements to keep up-to-date with the latest product news.
Webinar [2023-Jun-22] — CISO Hours: Three Key Principles for API Security
Join Tim Erlin, Head of Product, and Stepan Ilyin, Co-Founder, as they guide you through the essential components of a successful App and API security program: discovery, protection, and testing.
Webinar [On-demand] — Securing Apps and APIs in 2023: Wallarm Demo for CISOs and Practitioners
Listen to our recorded webinar as Tim Ebbers, Field CTO, and Stepan Ilyin, Co-Founder, for an insightful product democast of the Wallarm platform, highlighting key components and recent enhancements, including API Discovery & Risk Assessment, API Threat Mitigation, and API Abuse Prevention.
The Wallarm Threat Research team discovered several API vulnerabilities in May which may have an outsized impact on your vulnerability management program, your operations, and your users. [NOTE: unless otherwise noted, all these vulnerabilities have updates available.]
Google Cloud Platform ESPv2 | Authentication Bypass Vulnerability (CVSS v3.1 score: 9.8)
Certain versions of ESPv2 are vulnerable to malicious `X-HTTP-Method-Override` header value which can bypass JWT authentication in specific cases. (CVE-2023-30845)
European Chemicals Agency IUCLID | Weak Hard Coded Secret for JWT Signing (CVSS v3.1 score: 9.8)
Certain versions of IUCLID are vulnerable to authentication bypass because a weak hard-coded secret is used for JWT signing. (CVE-2023-26089)
NGINX Management Suite | Authorization Policy Bypass (CVSS v3.1 score: 8.1)
Certain versions of NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. (CVE-2023-28656)
SAP AS NetWeaver JAVA | Improper Access Control During Application Start-up (CVSS v3.1 score: 9.1)
Certain versions of SAP AS NetWeaver JAVA may allow an unauthenticated attacker to make use of an open naming and directory API without further authorization and authentication. (CVE-2023-30744)
IBM API Connect | Improper Access Control Vulnerability (CVSS v3.1 score: 8.8)
Certain versions of IBM API Connect V10 may allow an authenticated user to perform actions to which they should not have access. (CVE-2023-28522)
Cisco DNA Center Software | Command Injection Vulnerability (CVSS v3.1 score: 8.8)
Multiple vulnerabilities in the Cisco DNA Center Software API could allow authenticated, remote attackers to read information from restricted containers, enumerate user information, or execute arbitrary commands in a restricted container as the root user. (CVE-2023-20182)
Gitlab CE/EE | Arbitrary File Read via Uploads Path Traversal (CVSS v3.1 score: 7.5)
A path traversal vulnerability affecting only GitLab CE/EE version 16.0.0 could allow an unauthenticated user to read arbitrary files under some circumstances. (CVE-2023-2825)
Caton CTP Relay Server | SQL Injection Vulnerability (CVSS v3.1 score: 9.8)
A vulnerability in Caton CTP Relay Server 1.2.9 in /server/api/v1/login file allows remote manipulation of the argument username/password and leads to SQL injection. NOTE: The vendor has been contacted about this vulnerability but has not responded yet. (CVE-2023-2519)
Metabase | Permissionless SQL Snippets Creation and Editing (CVSS v3.1 score: 9.6)
Certain versions of Metabase do not enforce the requirement users be in at least one group with native query editing permissions to a database in order to edit SQL Snippets. (CVE-2023-32680)
Weaver e-cology | XML External Entity (XXE) Injection (CVSS v3.1 score: 8.8)
Certain versions of Weaver e-cology are vulnerable to manipulation of the RequestInfoByXml function, which could lead to XML External Entity (XXE) injection. NOTE: The vendor has been contacted about this vulnerability but has not responded yet. (CVE-2023-2806)
MXsecurity | Use of Hard-coded Credentials (CVSS v3.1 score: 9.8)
A hardcoded credential vulnerability is reported in MXsecurity version 1.0, which could be exploited to craft arbitrary JWT tokens and subsequently bypass authentication for web-based APIs. (CVE-2023-33236)
MStore API plugin for WordPress | Authentication Bypass Vulnerabilities (CVSS v3.1 scores: 9.8)
Certain versions of the MStore API plugin for WordPress are susceptible to multiple authentication bypass vulnerabilities, allowing unauthenticated attackers to log in as any existing user, such as an administrator. (CVE-2023-2732, CVE-2023-2733, CVE-2023-2374)
We recommend that you assess your portfolio for exposure to these vulnerabilities, apply updates where possible, and monitor for further incidents. For more on notable API vulns, make sure to subscribe to our new API ThreatStats LinkedIn page.
US Teenager Indicted for Credential Stuffing Attack on Fantasy Sports Website
(SecurityWeek) A Wisconsin teenager has been charged with accessing tens of thousands of user accounts at a fantasy sports and betting website after launching a credential stuffing attack on the site.
GitLab 'strongly recommends' patching max severity flaw ASAP
(Bleeping Computer) DevOps platform GitLab this week resolved a critical-severity vulnerability impacting both GitLab Community Edition (CE) and Enterprise Edition (EE). An emergency security update, version 16.0.1, was released to address a maximum severity (CVSS v3.1 score: 10.0) path traversal flaw tracked as CVE-2023-2825.
The Lucrative Economics of API Hacking
(Dana Epp's blog) I do believe that the economics of API security testing is far more lucrative than what others are seeing. Bug bounty hunters deserve to be earning those five-figure bounties on crit vulns. And API hacking can lead to finding more of those.
OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
(SC Magazine) A critical security flaw in the Expo framework has been discovered that could be exploited to reveal user data in various online services. The vulnerability (CVE-2023-28131) has a CVSS score of 9.6.
Discord discloses data breach after support agent got hacked
(Bleeping Computer) Discord experienced a data breach after a third-party support agent's account was hacked. While Discord believes the risk is minimal, it's advisable to stay vigilant for suspicious messages or phishing attempts.
FinServ Ahead Of The Pack In API Transformation
(Information Security Buzz) The Financial Services industry (FinServ) has left its mark on the API landscape and continues to provide new reasons for innovation. From the first UK bank that pioneered Open Banking to the booming mobile payment industry, FinServ has prompted – and supported – the growth of APIs and their ongoing evolution as everyday artifacts.
Web3 and Smart Contracts Enable a Scalable API Economy
(eWeek) Together, APIs and smart contracts are the foundational technologies that enable Web3. While the actual definition of Web3 is still ambiguous, businesses have the ability to do real work using this capability.
The Security Researcher’s Guide to Reporting Vulnerabilities to Vendors
(Dana Epp's blog) I won’t get into that debacle of poor communications and even worse police investigation and incident response on that specific case. But I do want to get to the heart of the matter, which is how to safely report security vulnerabilities to companies (aka vendors).
Why Honeytokens Are the Future of Intrusion Detection
(The Hacker News) Honeytokens, a subset of honeypots, are designed to appear like a legitimate credential or secret. When an attacker uses a honeytoken, an alert is immediately triggered, which allows defenders to take swift action based on the indicators of compromise (IOCs).
AppSec: How Do You Know Your app is 100% Secure? You Don’t
(Security Boulevard) Attackers are continually sweeping IP addresses to find new machines. The question is not if the machines will be found, it is when they will be found; that could be within the first minute and happens generally within 18 hours. And every device should be considered a target.
Honda API flaws exposed customer data, dealer panels, internal docs
(Bleeping Computer) Honda's e-commerce platform for power equipment, marine, lawn & garden, was vulnerable to unauthorized access by anyone due to API flaws that allow password reset for any account.
Last month we asked Are you using Generative AI (e.g., ChatGPT) for cybersecurity? It looks like many (70%) respondents are actively working with AI in some form or fashion, although the largest single answer was nope:
And we’d love to have you weigh in on our next LinkedIn poll we're conducting: Are you using the new OWASP APIsec Top-10 2023 in your API risk management efforts? Please let us know where you stand on this – connect with Ivan or follow us at Wallarm to register your vote.
And now for something completely different. Since the theme of The APIary newsletter is based on hardworking & industrious bees, we like to finish with an uplifting image. This month, a groaner for all the dads out there. Enjoy!