Issue 88: JWT pentesting, API discovery, the present and future of OpenAPI 🔭

With modern APIs, JWTs are the most commonly used security tokens. This means that JWT security serves as the cornerstone of REST API security in general (check out the JWT security videos that we posted in issue 72).

Now there are two more open-source resources available:

• The JSON Web Token Toolkit: a Python script jwt-tool for validating, forging and cracking JWTs.
• JWT Attack Playbook: A wiki on what JWTs are, how they work, how to test them for vulnerabilities, and common weaknesses and unintended coding errors with them. The wiki is closely related to the jwt_tool.

This is a recording of a presentation that Jeremy Brooks and Stuart Lane from Aaron’s Inc. held in the BSides Atlanta 2020.

Brooks and Lane talk about their experiences in locating shadow APIs in their network:

• Using DNS enumeration
• Web host discovery
• API discovery
• Risk factor identification

Manning has published a free eBook “Understanding API Security” by Justin Richer and Antonio Sanso.

Quoting the book abstract:

“Gone are the days when it was acceptable for a piece of software to live in its own little silo, disconnected from the outside world. Today, services are expected to be available for programming, mixing, and building into new applications.

Understanding API Security is a selection of chapters from several Manning books that give you some context for how API security works in the real world by showing how APIs are put together and how the OAuth protocol can be used to protect them.”

The New Stack has posted a conversation on API security between Jesse Casman (The Linux Foundation) and Dmitry Sotnikov (that’s me :)) on the OpenAPI Specification (OAS) and API security. We discuss a bunch of topics including:

• What makes API security different from web app security
• The role of standards and OpenAPI Initiative (OAI)
• Gaps in standards
• Top 3 API vulnerabilities
• The future of API security