Tag Archive for: API

‘Most web API flaws are missed by standard security tests’ – Corey J Ball on securing a neglected attack vector


API security is a ‘great gateway’ into a pen testing career, advises specialist in the field


INTERVIEW Securing web APIs requires a different approach to classic web application security, as standard tests routinely miss the most common vulnerabilities.

This is the view of API security expert Corey J Ball, who warns that methods that aren’t calibrated to web APIs can result in false-negative findings for pen testers.

After learning his craft in web application penetration testing in 2015 via hacking books, HackTheBox, and VulnHub, Ball further honed his skills on computers running Cold Fusion, WordPress, Apache Tomcat, and other enterprise-focused web applications.


He subsequently obtained CEH, CISSP, and OSCP certificates before eventually being offered an opportunity to help lead penetration testing services at public accounting firm Moss Adams, where he still works as lead web app pen tester.

Recently focusing more narrowly on web API security – a largely underserved area – Ball has launched a free online course on the topic and published Hacking APIs: Breaking Web Application Programming Interfaces (No Starch Press, 2022).

In an interview with The Daily Swig, Ball explains how the growing use of web APIs requires a change of perspective on how we secure our applications.

Attractive attack vector

The past few years have seen accelerating adoption of web APIs in various sectors. In 2018, Akamai reported that API calls accounted for 83% of web traffic.

“Businesses realized they no longer need to be generalists that have to develop every aspect of their application (maps, payment processing, communication, authentication, etc),” Ball says. “Instead, they can use web APIs to leverage the work that has been done by third parties and focus on specializing.”

API stands for application programming interface, a set of definitions and protocols for building and integrating application software.

Web APIs, which can be accessed with the HTTP protocol, have spawned API services that monetize their technology, infrastructure, functionality, and data. But APIs have attracted the…


Spring Boot 3 + Spring Security 6 – JWT Authentication and Authorisation [NEW] [2023]



Over 40 lakh mobile users at hacking risk from compromised Shopify API keys, Telecom News, ET Telecom


New Delhi: Over 40 lakh mobile phone users’ sensitive data is at hacking risk after cyber security researchers on Friday uncovered a critical security flaw in Shopify application programming interface (API) keys/tokens.

Cyber-security company CloudSEK’s BeVigil, a security search engine for mobile apps, uncovered the vulnerability that puts over 40 lakh mobile customers’ sensitive data at risk.

From the millions of Android apps, 21 e-commerce apps were identified to have 22 hardcoded Shopify API keys/tokens, exposing personally identifiable information (PII) to potential threats.

By hardcoding the API key, the key becomes visible to anyone who has access to the code, including attackers or unauthorised users.

If an attacker gains access to the hardcoded key, they can use it to access sensitive data or perform actions on behalf of the program, even if they are not authorised to do so, said security researchers.

“The recent discovery of hardcoded Shopify keys in numerous Android apps is just another example of the lack of proper API security in the industry. This type of vulnerability exposes the personal information of users, as well as transactional and order details, to potential attackers,” said Vishal Singh, senior security engineer at CloudSEK.

Shopify is an e-commerce platform that allows individuals and businesses to create an online store to sell their products.

Over 4.4 million websites from more than 175 countries globally use Shopify.

With the ease of creating an online store, it also allows the integration of third-party apps and plugins to add additional functionality to the store. Shopify can be used to sell physical and digital products, and it also offers a point-of-sale system for brick-and-mortar stores.

“While this situation is not a limitation of the Shopify platform, it highlights the issue of API keys/tokens being leaked by app developers. As part of responsible disclosure, CloudSEK has notified Shopify and the affected apps about the hardcoded API keys,” said the company.

The researchers found that of the total hardcoded keys, at least 18 keys allow viewing customer-sensitive data, 7 API keys allow viewing/modifying gift cards and 6 API keys allow obtaining payment…


ISM updated to mandate web API protection – Security


Recent data breaches have put a spotlight on web API vulnerabilities, and in what may not be a coincidence, the Australian Cyber Security Centre has added them to its influential Information Security Manual.

The latest edition of the ISM, published by the ACSC, adds a new control “to ensure clients are authenticated when calling web application programming interfaces that facilitate access to data not authorised for release into the public domain.”

In addition, “A new control was added to ensure clients are authenticated when calling web application programming interfaces that facilitate modification of data.”

These controls were not present in the September edition of the ISM.

The ACSC also takes aim at what could be termed “compliance culture”, in particular a set-and-forget attitude to security controls.

Three controls have been revised to make it clear that they should be actively maintained.

  • Overseeing cyber security awareness raising: “The existing control relating to overseeing the development and operation of a cyber security awareness raising program was amended to ensure it is also maintained.”
  • Trusted insider program: “The existing control relating to the development and implementation of a trusted insider program was amended to ensure it is also maintained.”
  • 33 different controls relating to documentation were updated: “Existing controls relating to the development and implementation of cyber security documentation were amended to ensure documentation is maintained throughout its lifetime”.

Another aspect of compliance culture, strategies that exist only as documents, is also highlighted: “The existing control relating to the development and maintenance of a cyber security communications strategy was amended to ensure it is implemented (emphasis added)”.

For the first time, the ISM explicitly draws the burgeoning – and often insecure – world of the Internet of Things into its remit.

“The definition of ICT equipment was amended to explicitly state that ‘smart devices’ are considered ICT equipment and therefore all controls relating to ICT equipment equally apply to smart devices, such as smart televisions and…
