DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
What's in store for DevOps in 2023? Hear from the experts in our "DZone 2023 Preview: DevOps Edition" on Fri, Jan 27!
Save your seat
  1. DZone
  2. Data Engineering
  3. Databases
  4. API Security Weekly: Issue #41

API Security Weekly: Issue #41

This week, we take a look into API vulnerabilities found in Tinder and Axway SecureTransport.

Dmitry Sotnikov user avatar by
Dmitry Sotnikov
CORE ·
Jul. 24, 19 · News
Like (2)
Save
Tweet
Share
9.54K Views

Join the DZone community and get the full member experience.

Join For Free

This week, we take a look into API vulnerabilities found in Tinder and Axway SecureTransport. In other news, FTC and Equifax have reached a settlement related to the 2017 breach, and the slides for an API security talk have been posted.

Vulnerability: Tinder

Sanskar Jethi has found that Tinder enforces its premium features (such as unblurred images of those who like you) to be available for premium membership only in the app, not in the API. Their API actually delivers regular, unblurred images to everyone.

This is a similar vulnerability to the one in Facebook Marketplace API that we have discussed earlier. Vendors need to treat their API features and API security as product features and security. Relying on just the application frontend and ignoring the expanded attack surface can bite you.

Vulnerability: Axway SecureTransport

Axway SecureTransport is a system for sharing, securing, managing, and tracking files. It is used by a variety of government and military organizations, as well as some large businesses.

This week, Dominik Penner reported a vulnerability in the password reset API of SecureTransport. The API does not require authentication and accepts XML payloads.

Dominic found that these XMLs can include Doctype and Entity elements. This opens the system up to various attacks, including denial of service (DoS) through entity expansion, server-side request forgery (SSRF), and Document Type Definition (DTD) repurposing.

Price of API security flaws: Equifax

In 2017, Equifax was breached and private information of 147 million people got exposed. The breach started with unpatched Apache Struts exploit. The system was not enforcing formats on incoming API calls and specifically crafted Content-Type header allowed attackers to get in.

This week, a settlement between Equifax and FTC was announced. Equifax is set to pay up to $700 million in various fines and compensations.

Slides: Applying API Security at Scale

Isabelle Mauny published slides from her “Applying API Security at Scale” webinar with NordicAPIs. Here’s a quick summary of the contents:

  1. Know your APIs and risks
  2. Implementation principles
  3. Self-hacking
  4. Deployment principles
  5. Visibility
  6. Next steps
  7. Resources

You can subscribe to this newsletter at APIsecurity.io.

API security

Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • How Do the Docker Client and Docker Servers Work?
  • Simulate Network Latency and Packet Drop In Linux
  • Spring Boot Docker Best Practices
  • Project Hygiene
Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends: