Issue 94: Two-day API security training at Black Hat USA 🎩

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #94
Two-day API security training at Black Hat USA
This week, we have a potential username exposure in WordPress APIs, an upcoming API security training at the Black Hat USA 2020 conference, and some industry statistics on the poor security performance of web application firewalls (WAFs) and the importance of API security.
Vulnerability: WordPress

If you use WordPress, check if the REST API endpoint of WordPress is openly sharing usernames at your_domain/wp-json/wp/v2/users.

Exposing the list of usernames for your site is a very bad idea. If attackers get hold of that list, they already have one half of each credential pair. They can then launch brute-force attacks on those accounts, trying various passwords to find the missing half. As we have said before, do not make attackers’ lives easier.

For more details on this vulnerability, as well as practical tips on what you can do about it, see this write-up in Security Boulevard.

As a general note, allowing username enumeration through APIs in any system is not a good idea.
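One way to close this gap on your own site, added here as an example rather than code from the newsletter or from WordPress itself: a must-use plugin that drops the users routes from the REST index for anonymous visitors and rejects any request that still reaches them. It relies on the WordPress core filters `rest_endpoints` and `rest_pre_dispatch` and the `list_users` capability.

```php
<?php
/**
 * Added example (not from the newsletter or WordPress core): restrict the
 * /wp/v2/users REST routes to logged-in users who are allowed to list users.
 * Save as wp-content/mu-plugins/restrict-users-endpoint.php so it always loads.
 */

// Hide the user-listing routes from the REST index unless the caller may list users.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() && current_user_can( 'list_users' ) ) {
        return $endpoints; // editors and admins keep the routes they need
    }
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );

// Belt and braces: even if a plugin re-registers the route, refuse anonymous requests to it.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( ! is_user_logged_in() && strpos( $request->get_route(), '/wp/v2/users' ) === 0 ) {
        return new WP_Error(
            'rest_forbidden',
            'Listing users requires authentication.',
            array( 'status' => 401 )
        );
    }
    return $result;
}, 10, 3 );
```

After installing it, an anonymous request to your_domain/wp-json/wp/v2/users should return a 401 or 404 instead of a JSON list of accounts.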

Training: “Attacking and Securing APIs” at Black Hat USA 2020

For obvious reasons, the Black Hat USA 2020 conference is virtual this year. This is great, because it means you can access high-quality security content from the comfort (and safety) of your own home.

One of the best opportunities this provides is attending the two-day training “Attacking and Securing APIs” by Mohammed Aldoub, on August 3–4.

The training is extremely detailed and includes 50+ hands-on labs on web and cloud APIs, microservices, and serverless security. The space is limited, so sign up quickly if you want to participate.

For more details, see the full agenda of the course at the conference website.

Technology wars: WAFs

In the world of APIs and modern cloud apps, WAFs continue to get a bad rap. In the latest study by the Neustar International Security Council:

  • Four in 10 security professionals reported that at least half of the application-layer attacks launched against them ended up bypassing the WAF.
  • One in 10 said it is more like 90% of attacks that get through the WAF defenses.
  • One in three said some 50% of the network requests flagged in the past 12 months turned out to be false positives.

The stats do not exactly raise confidence in WAFs’ performance. We have covered earlier surveys among WAF users in our issue 32.

Industry stats: API security

Jaikumar Vijayan has compiled a list of 30 recent application security stats, and one of them is on API security:

“37%: Percentage of respondents who said API security is their top priority for cloud-native apps”

Feel free to use it in your presentations as another data point for API security.

 

Dmitry Sotnikov

APIsecurity.io

 
Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

 
42Crunch Ltd   71-75 Shelton Street  Covent Garden  London  Greater London   WC2H 9JQ   United Kingdom
