API Security Weekly: Issue #82

This week, check out GraphQL security, penetration testing with Insomnia and Burp, cheat sheets for OAuth2 and JWT, and more!

Opinion: The 5 Most Common Vulnerabilities in GraphQL

Although the adoption of GraphQL is still fairly limited, it is undeniably on the rise. GraphQL is different from the traditional REST APIs: it is effectively a data query and manipulation language for APIs. When not done right, GraphQL APIs can vastly expand the surface area for data attacks and lead to excessive data exposure.

Carve Systems have published a blog post that summarizes the security issues they see in GraphQL implementations. According to them, the most common GraphQL security vulnerabilities are:

  1. Inconsistent authorization checks
  2. REST proxies allow attacks on underlying APIs
  3. Missing validation of custom scalars
  4. No appropriate rate limiting
  5. Introspection reveals non-public information

They have also provided a link to the sample API they used for the blog post, for a more hands-on experience. If you work with or are interested in GraphQL, it is definitely worth checking out.
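Two of the five issues above (inconsistent authorization checks, and custom scalars that are never validated) come down to where in the resolver layer the checks live. The following is an added example, not code from the Carve Systems post or their sample API: a minimal resolver layer written without a GraphQL library, with a constructed backing store, a single User authorization policy reused by both the top-level `user` field and the nested `Order.owner` path, and a hypothetical `EmailAddress` scalar that is validated before any backend write.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Context:
    """Per-request identity, as a GraphQL server attaches to each resolver call.
    `errors` collects field-level errors the way a GraphQL response reports them."""
    user_id: str
    roles: frozenset = frozenset()
    errors: list = field(default_factory=list)


class Forbidden(Exception):
    pass


class ValidationError(Exception):
    pass


# Constructed sample data (hypothetical; not from the post's sample API).
USERS = {
    "u1": {"id": "u1", "email": "alice@example.com", "ssn": "***-**-1111"},
    "u2": {"id": "u2", "email": "bob@example.com", "ssn": "***-**-2222"},
}
ORDERS = {"o1": {"id": "o1", "owner": "u1", "total": 42}}


# --- Issue 1: one authorization policy, applied wherever a User is produced ---

def can_view_user(ctx: Context, user: dict) -> bool:
    """Only the user themself or an admin may read a User record."""
    return "admin" in ctx.roles or ctx.user_id == user["id"]


def resolve_user(ctx: Context, user_id: str) -> Optional[dict]:
    """Resolver for the root `user(id:)` field AND for every nested User field.
    Nested paths such as Order.owner must call this, not read USERS directly."""
    user = USERS.get(user_id)
    if user is None:
        return None
    if not can_view_user(ctx, user):
        raise Forbidden(f"not allowed to view user {user_id}")
    return dict(user)


def resolve_order(ctx: Context, order_id: str) -> Optional[dict]:
    """Orders are readable by owner, support staff, or admins; the owner's
    User record still goes through resolve_user, so a support user gets the
    order but a null owner rather than the owner's PII."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if not (ctx.roles & {"admin", "support"} or ctx.user_id == order["owner"]):
        raise Forbidden(f"not allowed to view order {order_id}")
    try:
        owner = resolve_user(ctx, order["owner"])
    except Forbidden as exc:
        ctx.errors.append(str(exc))  # nullable field: null it, keep the rest
        owner = None
    return {"id": order["id"], "total": order["total"], "owner": owner}


# --- Issue 3: custom scalar validated at the API boundary ---

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}")


def parse_email_scalar(raw) -> str:
    """parse_value/parse_literal for a hypothetical `EmailAddress` scalar.
    Without this, a scalar declared as EmailAddress is just an unchecked String
    and whatever the client sends reaches the backend verbatim."""
    if not isinstance(raw, str) or len(raw) > 254 or not EMAIL_RE.fullmatch(raw):
        raise ValidationError("EmailAddress: invalid value")
    return raw


def resolve_update_email(ctx: Context, user_id: str, raw_email) -> Optional[dict]:
    """Mutation: validate the scalar first, then apply the same policy as reads."""
    email = parse_email_scalar(raw_email)
    if resolve_user(ctx, user_id) is None:
        raise ValidationError(f"unknown user {user_id}")
    USERS[user_id]["email"] = email
    return dict(USERS[user_id])


RESOLVERS = {
    "user": lambda ctx, a: resolve_user(ctx, a["id"]),
    "order": lambda ctx, a: resolve_order(ctx, a["id"]),
    "updateEmail": lambda ctx, a: resolve_update_email(ctx, a["id"], a["email"]),
}


def execute(ctx: Context, operation: str, args: dict) -> dict:
    """Run one root field and return a GraphQL-shaped {"data", "errors"} response.
    A Forbidden or ValidationError nulls the field and is listed in `errors`."""
    try:
        value = RESOLVERS[operation](ctx, args)
    except (Forbidden, ValidationError) as exc:
        ctx.errors.append(str(exc))
        value = None
    return {"data": {operation: value}, "errors": list(ctx.errors)}


if __name__ == "__main__":
    support = Context("s1", frozenset({"support"}))
    print(execute(support, "order", {"id": "o1"}))
    print(execute(Context("u1"), "updateEmail", {"id": "u1", "email": "a@b\r\nbcc:"}))
```

The design point is that `resolve_user` is the only code path that turns a user id into a User object, so adding a new field that returns a User cannot silently skip the policy, and the scalar parser runs before the resolver touches storage, so the backend never sees an unvalidated value.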

Cheat Sheets: OAuth 2.0 and JWT Security

Every now and then, Philippe De Ryck releases great cheat sheets on cybersecurity. His two latest are highly relevant to API security:

  • OAuth 2.0 best practices for developers
  • JSON Web Tokens (JWT)

Grab them at his site here, and keep him on your radar for further handy resources.

Tools: REST API Pentesting With Insomnia and Burp

Mic Whitehorn-Gillam posted an article on how to use Insomnia and Burp together for REST API penetration testing. He covers, for example:

  • Getting and installing Insomnia
  • Using Insomnia to post REST requests
  • Proxying Insomnia through Burp
  • Chaining requests

This is a sequel to his series on Postman and Burp that we covered in our issue 34.

Analysts: Alexei Balaganski (KuppingerCole)

The latest KuppingerCole podcast episode features Alexei Balaganski explaining the cyber security consequences of API proliferation, and what needs to be done about it.

His topics include things like:

  • Proliferation of APIs
  • Examples of breaches
  • Why API security is different from web security and API management, and thus needs specialized solutions
  • How API security needs to span everything from design and development through testing, runtime protection, and monitoring

You can subscribe to this newsletter at APIsecurity.io.


Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.
