API Security Weekly: Issue #60

This week, we look at a vulnerability in Microsoft Azure's OAuth implementation that could have led to the takeover of Azure accounts.

API Security Weekly

This week, we look into a vulnerability in Microsoft Azure's OAuth implementation that could have led to the takeover of Azure accounts. We also look at the state of security in mobile shopping apps and at the threat landscape of 5G networks.

In other news, the recording of our OWASP API Security Top 10 webinar is now available, and we have a follow-up session coming up.

Vulnerability: Microsoft Azure Authentication

Microsoft Azure accounts were vulnerable to takeover because of a flaw in the OAuth 2.0 implementation.

Omer Tsarfati and his team at CyberArk found that some of the reply URLs (redirect_uri values) trusted by the implementation used wildcards and covered domains and subdomains that were available for registration. An attacker who registered such a domain could have the authorization flow deliver a victim's access token to it. In the worst case, this could compromise the whole Azure environment of the user under attack.


Properly implemented, OAuth 2.0 is a great way to provide delegated authorization for APIs. However, as this case shows, one careless implementation detail can wreck it all while lulling you into a false sense of security. Wildcards in redirect URIs are evil: register exact reply URLs, and only trust domains under your control.
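The failure mode above, as an added example (this is not CyberArk's code, nor Microsoft's implementation): a redirect_uri check that glob-matches a wildcard entry, beside one that requires an exact pre-registered match, and a simulated authorization decision showing which host ends up receiving the implicit-flow token. The tenant configuration, hostnames, client ID and scope are constructed for illustration.

```python
import fnmatch
from urllib.parse import urlencode, urlsplit

# Constructed tenant configuration for this example (not real reply URLs).
WILDCARD_REPLY_URLS = [
    "https://*.contoso-cdn.example/*",      # the kind of entry that opens the door
    "https://app.contoso.example/callback",
]
EXACT_REPLY_URLS = {"https://app.contoso.example/callback"}


def wildcard_redirect_allowed(redirect_uri: str) -> bool:
    """Vulnerable check: glob-match the raw URI string against wildcard entries.
    Besides matching any registrable subdomain, '*' also crosses '/', '?' and '.',
    so the pattern is not even anchored to the host part of the URL."""
    return any(fnmatch.fnmatchcase(redirect_uri, pat) for pat in WILDCARD_REPLY_URLS)


def exact_redirect_allowed(redirect_uri: str) -> bool:
    """Hardened check: exact string comparison against pre-registered URIs,
    as RFC 6749 section 3.1.2.2 and the OAuth 2.0 Security BCP require."""
    return redirect_uri in EXACT_REPLY_URLS


def authorize(authz_endpoint: str, client_id: str, redirect_uri: str, allowed) -> tuple:
    """Simulate the authorization server's decision for an implicit-grant request.
    Returns (accepted, detail). In the implicit flow the access token is appended
    to redirect_uri as a URL fragment, so whoever serves that host receives it."""
    if not allowed(redirect_uri):
        return False, "redirect_uri is not registered for this client"
    query = urlencode({
        "client_id": client_id,
        "response_type": "token",
        "redirect_uri": redirect_uri,
        "scope": "openid profile",       # hypothetical scope
        "state": "opaque-csrf-token",    # hypothetical state value
    })
    return True, f"{authz_endpoint}?{query}"


def token_recipient(redirect_uri: str) -> str:
    """Host that will receive the token fragment after a successful login."""
    return urlsplit(redirect_uri).hostname


if __name__ == "__main__":
    # Attacker-registered subdomain under the wildcard (constructed).
    attacker_uri = "https://evil.contoso-cdn.example/cb"
    for name, check in (("wildcard", wildcard_redirect_allowed),
                        ("exact", exact_redirect_allowed)):
        ok, detail = authorize("https://login.example/authorize", "client-123",
                               attacker_uri, check)
        print(f"{name:8s} accepted={ok}; token would go to {token_recipient(attacker_uri)}")
        print(f"         {detail}")
```

The second glob case in the test below shows why matching a wildcard against the raw string is worse than it looks: `https://attacker.example/x?y=.contoso-cdn.example/` also satisfies the pattern, yet the browser would deliver the token to `attacker.example`. Exact string comparison has no such edge cases, which is why the OAuth specifications ask for it.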

State of Security: API Flaws in Mobile Apps

Mobile security vendor Zimperium analyzed the top 30 shopping apps from both the Apple and Google app stores. The results paint a bleak picture of their security.

Many of the discovered flaws are API-related:

  • Apps accepting unencrypted HTTP traffic
  • Using outdated TLS versions
  • Overriding SSL/TLS chain validation
  • Using SSL CN with no validation

API security should be built into apps at design time, not bolted on as an afterthought, if at all.
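To make the four findings above concrete, an added example using Python's ssl module (this is not Zimperium's code, nor code from any of the apps they tested): a weak client context that reproduces the three TLS misconfigurations beside a hardened one, plus an audit function that flags them together with the cleartext-HTTP case. The endpoint URLs are constructed.

```python
import ssl
from typing import List
from urllib.parse import urlsplit


def hardened_client_context() -> ssl.SSLContext:
    """What an app's HTTP client should use: system trust store, chain
    validation required, hostname checked, and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Constructed to reproduce the flaws listed above, in the order an app
    typically introduces them while 'making the cert error go away'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                   # certificate no longer tied to the host
    ctx.verify_mode = ssl.CERT_NONE              # chain validation overridden entirely
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # outdated protocol versions accepted
    return ctx


def audit_endpoint(url: str, ctx: ssl.SSLContext) -> List[str]:
    """Return the list of findings for an API endpoint and the context used to reach it."""
    findings = []
    if urlsplit(url).scheme.lower() != "https":
        findings.append("cleartext HTTP")
        return findings                          # TLS settings are moot without TLS
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain validation disabled")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS < 1.2 accepted")
    return findings


if __name__ == "__main__":
    # Constructed endpoints; nothing is contacted, only the configuration is inspected.
    for url, ctx in (("http://shop.example/api/cart", hardened_client_context()),
                     ("https://shop.example/api/cart", weak_client_context()),
                     ("https://shop.example/api/cart", hardened_client_context())):
        print(url, "->", audit_endpoint(url, ctx) or ["ok"])
```

The audit only reads the context, so it runs offline; dropping it into a test suite that builds the app's real client context catches a `verify_mode = CERT_NONE` or a lowered `minimum_version` before the build ships, which is the "design time" check the paragraph above calls for.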

Threat Landscape: 5G

5G core networks are built on a service-based architecture in which network functions talk to each other over REST APIs, so API security is key to 5G network security.

The EU Agency for Cybersecurity (ENISA) has published its 5G Networks Threat Landscape whitepaper. It looks into:

  • Threats to the core network
  • Edge gateways
  • Threats in virtualization
  • Recommended mitigation options for these

Webinars: OWASP API Security Top 10

A couple of weeks ago, we held a webinar on the OWASP API Security Top 10. The recording is now available on the webinar page.

Next Thursday, December 12, there is a natural follow-up session, Positive Security for APIs, by Isabelle Mauny. This webinar covers practical steps you can take to mitigate some of the vulnerabilities discussed in the previous webinar.

Positive security (also known as whitelisting) is a powerful approach to protecting your APIs against the OWASP API Security Top 10 items A3, A6, and A8. The webinar will cover what positive security is, why it matters, and how to implement it.

If interested, register on the webinar page to claim your spot.

You can subscribe to this newsletter at APIsecurity.io.

Further Reading

REST API Security

How to Secure APIs


Published at DZone with permission of Dmitry Sotnikov , DZone MVB. See the original article here.
