API Security Weekly: Issue #56
This week, check out API vulnerabilities that were reported in Rittal cooling systems, see an API vulnerability cheat sheet that you can print and put on your wall, and more.
Join the DZone community and get the full member experience.Join For Free
This week, API vulnerabilities were reported in Rittal cooling systems. In other news, there is an API vulnerability cheat sheet that you can print and put on your wall, an overview of common JWT attacks, and a GlobalData report on the trends in API management and API security.
You may also like: REST API Security Vulnerabilities
Vulnerability: Rittal Industrial Cooling
Applied Risk has found two critical vulnerabilities in Rittal industrial cooling equipment. If attackers know the URLs to invoke, they can bypass authentication and turn cooling on or off or set the temperature.
The second vulnerability is not any better: the system also has hard-coded credentials.
IoT remains a big source of API vulnerability news. Vendors in that space are often used to caring more about the physical side of the product and not paying enough attention to the security of the software and services components.
OWASP API Security Top 10 Cheat Sheet
We have covered the OWASP API Security Top 10 project in the past. This is a community effort (currently in the Release Candidate phase) to document the most frequent vulnerabilities in web APIs.
To make it easier for you to keep these in mind, we have created a cheat sheet that you can print and put on your wall.
The graphics and short descriptions make navigating the categories easier, and there’s also advice on how to mitigate the risks.
Hacking JSON Web Tokens (JWT)
JSON Web Tokens (JWT) are one of the most frequently used methods to pass caller information with REST API calls.
Unfortunately, it is also frequently misused and misunderstood. Hackers can take advantage of that to launch successful attacks on your APIs.
Vickie Li has just published a good quick overview of JWT and the most frequent vulnerabilities in its use.
The most common JWT attacks are:
- Algorithm manipulation
Noneas the algorithm
- Using symmetric encryption (HMAC) instead of asymmetric RSA
- Lack of signature validation
- Bruteforcing weak secret keys
- Secret keys leaking through another attack (like directory traversal, XXE, or SSRF)
- Key ID (KID) manipulation
- Directory traversals
- SQL injections
- Command injections
- JKU/JWK/x5u/x5c headers used sending rogue keys
- Information leaks in JWT when developers forget that
base64encoding is not encrypting
Charlotte Dunlap from GlobalData has published a new report “API Security tops API Management”. The highlights from the report include:
- A new API lifecycle management approach is founded on emerging security innovations (AI, DevSecOps, API Security by design).
- Pure-play API security providers threaten to outshine API management leaders through the best-of-breed security.
You can subscribe to this newsletter at APIsecurity.io.
Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.