March has arrived and is roaring like a very confused lion, at least in the northern hemisphere. And much like in the wild, brood production is increasing. We've already seen some fruits of that labor, such as the Q4-2022 and 2022 Year-End ThreatStats™ Report, and some very tasty product upgrades. Read on for this month's bit o' honey.
We've been keeping an eye on the API threat landscape, and some notable API vulnerabilities that you should be aware of. But don't worry, we're here to help with our latest threat research and product updates.
Our recent API vulnerability, exploit and attack data analysis has yielded both Q4-focused results and a 2022 year-end review, with predictions for 2023 including continued rise in API vulnerabilities, growth in API attacks, and worsening time-to-exploit window.
As you'll also learn from the report, OWASP API Security Top-10 does not perfectly cover real API exploits; therefore, we’re hoping the new one will be much better. To learn more about the recently released first draft and what to expect of OWASP API Top-10 2023, join us on March 16th for what promises to be a lively webinar.
On the product front, we're continuing to release improvements to ensure users are getting the best end-to-end security for their APIs. We've recently dropped enhancements in API Discovery (which is really all about security posture), and SSRF protection. Find the details below.
As a spoiler, this month you will also find my API security predictions for 2023 in an upcoming Forbes article. I'm expecting that API token leaks will be part of kill-chains which will result in different types of attacks in 2023. I also expect to see an increase in API abuse attacks due to authentication and authorization issues, as well as a rise in data decoding attacks targeting APIs. My thoughts are based on vulnerability, exploit & attack data analyzed in our 2022 Year-End ThreatStats™ Report, and the many data breaches which happened last year.
– Ivan, CEO & Co-Founder, Wallarm
The 2022 API vulnerability, exploit and attack data have been crunched and the latest API ThreatStats™ Report season is complete. The team provided both Q4-focused results and, perhaps more importantly, a 2022 year-end review. Lots to explore, including:
Too much to recap here, but be sure to read check out our predictions for 2023, including:
- Continued rise in API vulnerabilities, in numbers and severity.
- Unceasing growth in API attacks, which will lead to even more breaches.
- Worsening time-to-exploit window, which will put even more pressure on security and DevOps teams.
Read the 2022 year-end collection to know what to prepare for, and look at the Q4-2022 collection to learn how we got here. Dig In!
The hive has served up some sweet ambrosia for Wallarm users in the past month.
API Discovery Dashboard Upgrades
With this update, you can now more easily monitor sensitive data (to maintain compliance), track API changes (to monitor drift), identify risky endpoints (to reduce your API attack surface), and more. Read more in this changelog entry.
SSRF Attack Mitigation
Server-Side Request Forgery (SSRF) attacks can allow malicious actors to read server configurations, connect to internal services, perform unintended post requests, or circumvent input validation. With this update, which requires Node v 4.4.3, you can now more easily protect against this attack vector. Read more in this changelog entry.
Did You Know? You can subscribe to our update announcements to keep up-to-date with the latest product news.
Webinar [Mar 16, 2023] — A CISOs Guide To The New 2023 OWASP API Security Update
Join our upcoming webinar as we explore the new Top-10 API risks Release Candidate (RC) for 2023, and the implications of these updates to your API security posture.
Webinar [on-demand] — API ThreatStats™ Report: 2022 Year-in-Review & Q4 Results
The Wallarm Research team looked through all published API vulnerabilities and exploits for 2022 and aggregated these into our year-end report. Watch our recording of our recap of the highlights and trends we saw in 2022, and hear our predictions for what’s to come in 2023.
Read this write-up from the Wallarm Detect team regarding exploit attempts in the wild of CVE-2022-31678 (CVSS score: 9.1) and CVE-2021-39144 (CVSS score: 8.5) impacting VMware NSX Manager. If successfully exploited, the impact of these vulnerabilities could be catastrophic, allowing attackers to execute arbitrary code, steal data, and/or take control of the network infrastructure.
Read this write-up from the Wallarm Detect team regarding three (3) vulnerabilities impacting Argo CD, a popular open-source CD tool used by many DevOps teams to manage their apps. These include:
- CVE-2023-22736 – an authorization bypass vulnerability (CVSS score: 8.5)
- CVE-2023-22482 – an improper authorization vulnerability (CVSS score: 8.8)
- CVE-2023-25163 – results in leakage of repository access credentials in error messages (CVSS score: 6.5)
Read this write-up from the Wallarm Detect team regarding CVE-2022-44267 (CVSS score: 6.5) and CVE-2022-44268 (CVSS score: 6.5) which allow attackers to arbitrarily read files in ImageMagick, a popular open-source image editing suite, and to cause denial-of-service (DoS) disruptions.
React-admin XSS Attack on RichTextField (CVSS score: 5.4)
All React applications built with react-admin and using the <RichTextField> are affected. If the data isn't sanitized server-side, this opens a possible Cross-Site-Scripting (XSS) attack. An exploit POC has been published. (CVE-2023-25572)
Directus SSRF Attack on File Import (CVSS score: 5.0)
Some versions of Directus are vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An exploit POC has been published. (CVE-2023-26492)
ZoneMinder SQL Injection Attack via Malicious JWT (CVSS score: 8.1)
Some versions of Zoneminder are susceptible to SQL Injection via malicious JSON web token (JWT). A patch has been released. (CVE-2023-26032)
Apache Kafka Connect Unrestricted Deserialization of Untrusted Data (CVSS score: 8.8)
Some versions of Apache Kafka Connect might be subject to possible Remote Code Execution (RCE) or Denial of Service (DoS) attacks via SASL JAAS configs which allow JNDI requests to be performed. An upgrade is available. (CVE-2023-25194)
TinaCMS Sensitive Information Leak via Script File (CVSS score: 7.5)
Some versions of TinaCMS which store sensitive credentials such as environment variables (e.g., Algolia API keys) are impacted. Users are advised to rotate exposed keys. An upgrade is available. (CVE-2023-25164)
Gitpod Cross-Site WebSocket Hijacking Vulnerability (CVSS score: 8.2)
Some versions of Gitpod are vulnerable to a takeover of shared workspaces due to a a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An upgrade is available. (CVE-2023-0957)
We recommend that you assess your portfolio for exposure to these vulnerabilities, apply updates where possible, and monitor for further incidents. For more on notable API vulns, make sure to subscribe to our new API ThreatStats LinkedIn page.
(SecLists) Get access to the entire API using accessid and accesskey, found in log file.
(GBHackers) A high-severity format string vulnerability in F5 BIG-IP that could result in a denial-of-service (DoS) issue and possibly execute arbitrary code.
(Data Breach Today) A study of 2,037 e-commerce shops found that 250 of them had backups that contained private information and that were stored in publicly accessible folders with no access restrictions.
(Praetorian blog) An interesting method to bypass the cross-site scripting (XSS) filtering functionality within the Akamai Web Application Firewall (WAF) solution.
(Dana Epp’s blog) APIs are a prime target for exploitation and need to be protected, so developers must also introduce security testing into their existing QA strategy to protect applications from malicious attacks and vulnerabilities.
(GBHackers) Application mapping helps identify potential vulnerabilities and areas of risk, and supports security testing, incident response, and overall application security planning.
(The CISO Perspective) Attackers are finding ways are using ChatGPT for nefarious purposes on underground hacking forums.
(Dana Epp’s blog) This red team checklist enumerates how to approach the API target, how to attack it, and how to leave little to no trace.
(The Daily Swig) APIs can become less of a liability by including security-focused team members during design, encouraging secure coding, conducting regular security tests, and monitoring programming calls for attacks and misuse.
(Forrester blog) Forrester’s Security Survey, 2022, shows that 83% of global large enterprises are reporting that senior leadership has committed their organizations to the adoption of Zero Trust.
(Dark Reading) One notable trend is "shift right," which is gaining equal importance in understanding what is going on in the runtime environment.
(IT Security Guru) In many ways, considered the “new battleground for cybersecurity” in 2023, APIs can make – or break – a business in the coming year.
Last month we asked about leaked API keys and other secrets. It looks like only a few are truly confident, while about 50% are somewhat or completely blind to this issue:
And we’d love to have you weigh in on our next LinkedIn poll we're conducting: How mature is your API vulnerability assessment / management process? Please let us know where you stand on this – connect with Ivan or follow us at Wallarm to register your vote.
Where APIs Meet Apis
And now for something completely different. Since the theme of The APIary newsletter is based on hardworking & industrious bees, we like to finish with an uplifting image. Since it’s March, the flowers are beginning to bloom and our namesakes are preparing for flight, as you can see. Enjoy!
Source: Cyan-Biologist Tumblr | First Bee GIF of the Year