API Security Weekly: Issue #56

DZone 's Guide to

API Security Weekly: Issue #56

This week, check out API vulnerabilities that were reported in Rittal cooling systems, see an API vulnerability cheat sheet that you can print and put on your wall, and more.

· Integration Zone ·
Free Resource

API Security News — Vulnerabilities

API Security News — Vulnerabilities

This week, API vulnerabilities were reported in Rittal cooling systems. In other news, there is an API vulnerability cheat sheet that you can print and put on your wall, an overview of common JWT attacks, and a GlobalData report on the trends in API management and API security.

You may also like:  REST API Security Vulnerabilities

Vulnerability: Rittal Industrial Cooling

Applied Risk has found two critical vulnerabilities in Rittal industrial cooling equipment. If attackers know the URLs to invoke, they can bypass authentication and turn cooling on or off or set the temperature.

From the description, it is hard to figure out whether this is API2:2019 — Broken authentication or API5:2019 — Broken function-level authorization.

The second vulnerability is not any better: the system also has hard-coded credentials.

IoT remains a big source of API vulnerability news. Vendors in that space are often used to caring more about the physical side of the product and not paying enough attention to the security of the software and services components.

OWASP API Security Top 10 Cheat Sheet

We have covered the OWASP API Security Top 10 project in the past. This is a community effort (currently in the Release Candidate phase) to document the most frequent vulnerabilities in web APIs.

To make it easier for you to keep these in mind, we have created a cheat sheet that you can print and put on your wall.

The graphics and short descriptions make navigating the categories easier, and there’s also advice on how to mitigate the risks.

Image title

Download the OWASP API Security Top 10 cheat sheet here.

Hacking JSON Web Tokens (JWT)

JSON Web Tokens (JWT) are one of the most frequently used methods to pass caller information with REST API calls.

Unfortunately, it is also frequently misused and misunderstood. Hackers can take advantage of that to launch successful attacks on your APIs.

Vickie Li has just published a good quick overview of JWT and the most frequent vulnerabilities in its use.

The most common JWT attacks are:

  • Algorithm manipulation
    • Using None as the algorithm
    • Using symmetric encryption (HMAC) instead of asymmetric RSA
  • Lack of signature validation
  • Bruteforcing weak secret keys
  • Secret keys leaking through another attack (like directory traversal, XXE, or SSRF)
  • Key ID (KID) manipulation
    • Directory traversals
    • SQL injections
    • Command injections
  • JKU/JWK/x5u/x5c headers used sending rogue keys
  • Information leaks in JWT when developers forget that base64 encoding is not encrypting

Analysts: GlobalData

Charlotte Dunlap from GlobalData has published a new report “API Security tops API Management”. The highlights from the report include:

  • A new API lifecycle management approach is founded on emerging security innovations (AI, DevSecOps, API Security by design).
  • Pure-play API security providers threaten to outshine API management leaders through the best-of-breed security.

You can subscribe to this newsletter at APIsecurity.io.

Further Reading

Common Causes of REST API Security Vulnerabilities

API Security Weekly: Issue #55

api, api news, api security, api security news, apis, cybersecurity, integration, newsletter, security news

Published at DZone with permission of Dmitry Sotnikov , DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}