Issue 82: Most common GraphQL vulnerabilities, pentesting with Insomnia

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #82
This week, we check out GraphQL security, penetration testing with Insomnia and Burp, cheat sheets for OAuth 2.0 and JWT, and the consequences the growth of the API economy poses for cyber security.
Opinion: The 5 most common vulnerabilities in GraphQL
Although the adoption of GraphQL is still fairly limited, it is undeniably on the rise. GraphQL is different from the traditional REST APIs: it is effectively a data query and manipulation language for APIs. When not done right, GraphQL APIs can vastly expand the surface area for data attacks and lead to excessive data exposure.

Carve Systems have published a blog post that summarizes the security issues they see in GraphQL implementations. According to them, the most common GraphQL security vulnerabilities are:

  1. Inconsistent authorization checks
  2. REST proxies allow attacks on underlying APIs
  3. Missing validation of custom scalars
  4. No appropriate rate limiting
  5. Introspection reveals non-public information

They have also provided a link to the sample API they used for the blog post, for a more hands-on experience. If you work with or are interested in GraphQL, it is definitely worth checking out.
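
Items 2 and 3 of the list above meet at one point in a GraphQL server: the custom scalar's parseValue hook, which is the last place client input is inspected before a resolver proxies it to a backend. The following is an added example of mine, not code from the Carve Systems post or their sample API; it models parseValue as a plain Python callable, and the scalar name, backend URL and all inputs are constructed:

```python
import re

class CoercionError(ValueError):
    """Scalar coercion failed: the engine reports a request error and the resolver never runs."""

class Scalar:
    """Stand-in for a GraphQL custom scalar; only its parseValue hook matters here."""
    def __init__(self, name, parse_value):
        self.name, self.parse_value = name, parse_value

# Weak: a pass-through scalar accepts any client value unchanged.
PassThroughID = Scalar("ProductID", lambda v: v)

# Hardened: the same scalar admits only the backend's identifier format
# (assumed here: 1-36 lowercase letters, digits or hyphens).
_ID_RE = re.compile(r"[a-z0-9-]{1,36}")

def _parse_product_id(value):
    if not isinstance(value, str) or not _ID_RE.fullmatch(value):
        raise CoercionError(f"ProductID: invalid value {value!r}")
    return value

ValidatedID = Scalar("ProductID", _parse_product_id)

def coerce_variables(var_types, variables):
    """Run each variable through its scalar before execution, as a GraphQL engine
    does. Returns (coerced, errors); any error aborts the whole request."""
    coerced, errors = {}, []
    for name, scalar in var_types.items():
        if name not in variables:
            errors.append(f"${name}: missing required variable")
            continue
        try:
            coerced[name] = scalar.parse_value(variables[name])
        except CoercionError as exc:
            errors.append(f"${name}: {exc}")
    return coerced, errors

def resolve_product(coerced, base="https://inventory.internal/v1"):
    """Resolver acting as a REST proxy (constructed backend URL). The coerced id is
    spliced into the backend path, so the scalar is the only check client input gets."""
    return f"{base}/products/{coerced['id']}"

def run_query(scalar, variables):
    """Execute the constructed query `product(id: $id)` using the given scalar."""
    coerced, errors = coerce_variables({"id": scalar}, variables)
    if errors:
        return {"errors": errors}
    return {"data": {"url": resolve_product(coerced)}}
```

With PassThroughID, a value such as "42/reviews" reaches the backend path untouched; with ValidatedID the same request fails coercion and the proxy call never happens.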

Cheat sheets: OAuth 2.0 and JWT security
Every now and then, Philippe De Ryck releases great cheat sheets on cybersecurity. His two latest are highly relevant to API security:

  • OAuth 2.0 best practices for developers
  • JSON Web Tokens (JWT)

Grab them at his site here, and keep him on your radar for further handy resources.

Tools: REST API pentesting with Insomnia and Burp
Mic Whitehorn-Gillam posted an article on how to use Insomnia and Burp together for REST API penetration testing. He covers, for example:

  • Getting and installing Insomnia
  • Using Insomnia to post REST requests
  • Proxying Insomnia through Burp
  • Chaining requests

This is a sequel to his series on Postman and Burp that we covered in our issue 34.

Analysts: Alexei Balaganski (KuppingerCole)
The latest KuppingerCole podcast episode features Alexei Balaganski explaining the cyber security consequences of API proliferation, and what needs to be done about it.

His topics include:

  • Proliferation of APIs
  • Examples of breaches
  • Why API security is different from web security and API management, and thus needs specialized solutions
  • How API security needs to span everything from design, development, and testing to runtime protection and monitoring

The Dark Side of API economy podcast


Dmitry Sotnikov

APIsecurity.io

Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

42Crunch Ltd   71-75 Shelton Street  Covent Garden  London  Greater London   WC2H 9JQ   United Kingdom
You received this email because you are subscribed to API Security News from 42Crunch Ltd.

