API Security Weekly: Issue #43
This week, we have a conference talk recording demonstrating API pen testing; see how the w3af web scanner can be used for APIs; look at SAP’s API security best practices; watch Cisco pay $8.6 million for not fixing vulnerabilities quickly.
The OWASP Global AppSec Tel Aviv conference has published a video recording of the “Testing and Hacking APIs” talk by Inon Shkedy.
Shkedy demonstrates approaches to API penetration testing, including:
- Analyzing payloads and authentication
- Broken object-level access control (aka IDOR)
- Mass assignment
- Improper data filtering
- Expanding attack surface
Artem Smotrakov explains how the w3af web scanner can be used for REST API security testing. His article includes:
- API discovery
- Disabling validation
- Sample configuration
- Context-specific parameters
- Result analysis
SAP has published their API Security Best Practices in a blog series. The posts naturally promote SAP’s own tooling, but the detailed practices can be useful regardless of which technology you use.
The discussed best practices include:
- IP whitelisting
- Rate limiting
- Data masking
- JSON/XML/SQL injection attacks
Price of vulnerability
Cisco was fined $8.6 million for knowingly selling its Video Surveillance Manager (VSM) product, which contained API vulnerabilities, to US federal and state agencies. The actual API flaws included a lack of user input validation and insufficient authentication. The fine was imposed for ignoring the security issues for a long time while continuing to sell the solution.
You can subscribe to this weekly newsletter at https://APIsecurity.io.
Published at DZone with permission of Dmitry Sotnikov, DZone MVB.