API Security Weekly: Issue #82
This week, check out GraphQL security, penetration testing with Insomnia and Burp, cheat sheets for OAuth2 and JWT, and more!
Opinion: The 5 Most Common Vulnerabilities in GraphQL
Although the adoption of GraphQL is still fairly limited, it is undeniably on the rise. GraphQL is different from the traditional REST APIs: it is effectively a data query and manipulation language for APIs. When not done right, GraphQL APIs can vastly expand the surface area for data attacks and lead to excessive data exposure.
Carve Systems have published a blog post that summarizes the security issues they see in GraphQL implementations. According to them, the most common GraphQL security vulnerabilities are:
- Inconsistent authorization checks
- REST proxies allow attacks on underlying APIs
- Missing validation of custom scalars
- No appropriate rate limiting
- Introspection reveals non-public information
They have also provided a link to the sample API they used for the blog post, for a more hands-on experience. If you work with or are interested in GraphQL, it is definitely worth checking out.
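Two of the items above, missing rate limiting and exposed introspection, both come down to inspecting a query before it reaches the resolvers. The following is an added example (not code from the Carve Systems post or its sample API) of a small pre-execution check: it walks the selection sets of a GraphQL operation with a simple tokenizer, rejects operations that are too deep, too wide, or that request `__schema`/`__type`, and charges accepted operations against a per-client cost budget. The depth and field limits and the budget size are assumed illustrative values.

```python
import re

# Tokenizer: a quoted string (so braces inside string arguments are not mis-read),
# a brace or parenthesis, a GraphQL name, or any other single non-space character.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[{}()]|[A-Za-z_][A-Za-z0-9_]*|\S')
_NAME = re.compile(r"[A-Za-z_]")

def analyze_query(query, max_depth=5, max_fields=50, allow_introspection=False):
    """Return (accepted, reason, depth, fields) for one GraphQL operation.

    depth  = deepest nesting of selection sets, the outermost set counting as 1
    fields = every name selected inside a selection set (aliases and fragment
             conditions are counted too, so the estimate errs on the strict side)
    """
    depth = deepest = fields = paren = 0
    for tok in _TOKEN.findall(query):
        if tok == "(":
            paren += 1
        elif tok == ")":
            paren -= 1
        elif paren:
            continue  # argument lists cost nothing
        elif tok == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif tok == "}":
            depth -= 1
            if depth < 0:
                return False, "unbalanced braces", deepest, fields
        elif depth and _NAME.match(tok):
            fields += 1
            if tok in ("__schema", "__type") and not allow_introspection:
                return False, "introspection is disabled", deepest, fields
    if depth != 0 or paren != 0:
        return False, "unbalanced braces", deepest, fields
    if deepest > max_depth:
        return False, f"depth {deepest} exceeds {max_depth}", deepest, fields
    if fields > max_fields:
        return False, f"{fields} fields exceed budget {max_fields}", deepest, fields
    return True, "ok", deepest, fields

class CostBudget:
    """Charge each accepted query's field count against a per-client budget.
    The caller is expected to reset `spent` at the start of every rate window."""
    def __init__(self, budget_per_window=200):
        self.budget = budget_per_window
        self.spent = {}

    def admit(self, client_id, query):
        ok, reason, _depth, fields = analyze_query(query)
        if not ok:
            return False, reason
        if self.spent.get(client_id, 0) + fields > self.budget:
            return False, "client cost budget exhausted"
        self.spent[client_id] = self.spent.get(client_id, 0) + fields
        return True, reason
```

Counting fields is a deliberately coarse cost model; a production server would weight list fields and expensive resolvers more heavily, but even this check turns a single unbounded endpoint into something a conventional rate limiter can reason about.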
Cheat Sheets: OAuth 2.0 and JWT Security
Every now and then, Philippe De Ryck releases great cheat sheets on cybersecurity. His two latest are highly relevant to API security:
- OAuth 2.0 best practices for developers
- JSON Web Tokens (JWT)
Grab them at his site here, and keep him on your radar for further handy resources.
Tools: REST API Pentesting With Insomnia and Burp
Mic Whitehorn-Gillam posted an article on how to use Insomnia and Burp together for REST API penetration testing. He covers, for example:
- Getting and installing Insomnia
- Using Insomnia to post REST requests
- Proxying Insomnia through Burp
- Chaining requests
This is a sequel to his series on Postman and Burp that we covered in our issue 34.
Analysts: Alexei Balaganski (KuppingerCole)
The latest KuppingerCole podcast episode features Alexei Balaganski explaining the cybersecurity consequences of API proliferation, and what needs to be done about it.
His topics include:
- Proliferation of APIs
- Examples of breaches
- Why API security is different from web security and API management, and thus needs specialized solutions
- How API security needs to span everything from design and development to testing, runtime protection, and monitoring
You can subscribe to this newsletter at APIsecurity.io.
Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.