Issue 94: Two-day API security training at Black Hat USA 🎩

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #94
This week, we have a potential username exposure in WordPress APIs, an upcoming API security training at the Black Hat USA 2020 conference, and some industry statistics on the poor security performance of web application firewalls (WAFs) and the importance of API security.
Vulnerability: WordPress

If you use WordPress, check if the REST API endpoint of WordPress is openly sharing usernames at your_domain/wp-json/wp/v2/users.

Exposing a list of your site's usernames is a very bad idea. If attackers get their hands on that list, it gives them one half of the credentials. They can then launch brute-force attacks against those accounts, trying various passwords to find the missing half. As we have said before, do not make attackers' lives easier.

For more details on this vulnerability, as well as practical tips on what you can do about it, see this write-up in Security Boulevard.
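A quick way to run the check above against a site you administer, as an added example (not code from the newsletter or from the Security Boulevard write-up). It requests the default /wp-json/wp/v2/users route and reports the `slug` values, which WordPress derives from the login name. Both sample responses are constructed, and the error code in the blocked sample is illustrative, since the exact body depends on how the route was restricted.

```python
"""Check whether a WordPress site's REST API exposes login names.

Added example, not from the newsletter or the Security Boulevard write-up.
Assumes the default route /wp-json/wp/v2/users; both sample responses
below are constructed.
"""
import json
import sys
import urllib.error
import urllib.request

USERS_ROUTE = "/wp-json/wp/v2/users"


def exposed_usernames(status: int, body: bytes) -> list[str]:
    """Return the login-derived 'slug' values from an unauthenticated
    /users response. Anything but a 200 carrying a JSON list means the
    route is not leaking (or this is not a WordPress site)."""
    if status != 200:
        return []
    try:
        data = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return []
    if not isinstance(data, list):
        return []
    return [u["slug"] for u in data
            if isinstance(u, dict) and isinstance(u.get("slug"), str)]


def check_site(base_url: str, timeout: float = 10.0) -> list[str]:
    """Fetch the users route of a site you administer and return exposed slugs."""
    url = base_url.rstrip("/") + USERS_ROUTE
    req = urllib.request.Request(url, headers={"User-Agent": "wp-user-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return exposed_usernames(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # 401/403 etc. still carry a body; parse it the same way
        return exposed_usernames(err.code, err.read())


# Constructed sample: a leaking site, trimmed to the relevant fields
SAMPLE_LEAK = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin"},
    {"id": 2, "name": "Jane Doe", "slug": "jdoe"},
]).encode("utf-8")

# Constructed sample: a site that requires authentication for the route
# (error code and message are illustrative; they depend on how the route
# was restricted)
SAMPLE_BLOCKED = json.dumps({
    "code": "rest_forbidden",
    "message": "Sorry, you are not allowed to do that.",
    "data": {"status": 401},
}).encode("utf-8")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        leaked = check_site(sys.argv[1])
    else:
        leaked = exposed_usernames(200, SAMPLE_LEAK)   # offline demo
    print("exposed login names:", ", ".join(leaked) if leaked else "none")
```

Run it as `python3 wp_user_check.py https://your_domain`; with no argument it parses the constructed leaking sample. Note that by default WordPress lists only users who have published posts, so on a typical blog the exposed slugs are exactly the author accounts worth protecting.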

As a general note, allowing username enumeration through APIs in any system is not a good idea.
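The general point applies to any endpoint that takes a username (login, password reset, availability checks). The following added example, not from the newsletter, contrasts a login handler that leaks account existence through its status code, message and early return with one that returns the same response and performs the same password-hashing work whether or not the account exists. The user store, salts and password are constructed.

```python
"""Login responses that leak account existence vs. ones that do not.

Added example, not from the newsletter. The user store, salts and
password are constructed; the pattern applies to any API that takes a
username.
"""
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash (iteration count kept modest for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


# Constructed user store: login name -> (salt, hash)
_JDOE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"jdoe": (_JDOE_SALT, _hash("correct horse battery staple", _JDOE_SALT))}

# Dummy record used for unknown names so the hashing work (and thus the
# response time) is the same whether or not the account exists.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY = (_DUMMY_SALT, _hash(secrets.token_hex(16), _DUMMY_SALT))

GENERIC_FAILURE = (401, "invalid username or password")


def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """Leaks existence: 404 for unknown names, 401 for known names, and
    the early return means unknown names are also answered faster."""
    if username not in USERS:
        return 404, "unknown user"
    salt, stored = USERS[username]
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return 401, "wrong password"
    return 200, "ok"


def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Same status, same message and same hashing work for every failure."""
    salt, stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(stored, _hash(password, salt))
    if match and username in USERS:   # membership checked only after the compare
        return 200, "ok"
    return GENERIC_FAILURE


if __name__ == "__main__":
    for handler in (login_vulnerable, login_hardened):
        print(handler.__name__, handler("nobody", "guess"), handler("jdoe", "guess"))
```

The same shape applies to password-reset endpoints ("if an account exists, an email has been sent") and to sign-up availability checks; rate limiting and lockout belong beside this, but on their own they do not remove the oracle that differing responses create.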

Training: “Attacking and Securing APIs” at Black Hat USA 2020

For obvious reasons, the Black Hat USA 2020 conference is virtual this year. This is great, because it means you can access high-quality security content from the comfort (and safety) of your own home.

One of the best opportunities this provides is attending the two-day training “Attacking and Securing APIs” by Mohammed Aldoub, on August 3–4.

The training is extremely detailed and includes 50+ hands-on labs on web and cloud APIs, microservices, and serverless security. Space is limited, so sign up quickly if you want to participate.

For more details, see the full agenda of the course at the conference website.

Technology wars: WAFs

In the world of APIs and modern cloud apps, WAFs continue to get a bad rap. In the latest study by the Neustar International Security Council:

  • Four in 10 security professionals reported that at least half of the application-layer attacks lobbed against them ended up bypassing the WAF.
  • One in 10 said it is more like 90% of attacks that get through the WAF defenses.
  • One in three said some 50% of network requests made in the past 12 months were flagged as false positives.

These stats do not exactly inspire confidence in WAF performance. We covered earlier surveys among WAF users in issue 32.

Industry stats: API security

Jaikumar Vijayan has compiled a list of 30 recent application security stats, one of which is on API security:

“37%: Percentage of respondents who said API security is their top priority for cloud-native apps”

Feel free to use it in your presentations as another data point for API security.


Dmitry Sotnikov

APIsecurity.io

Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

42Crunch Ltd, 71-75 Shelton Street, Covent Garden, London, Greater London, WC2H 9JQ, United Kingdom
