APIsecurity.io - APISecurity.io Newsletter: Issue 151

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #151
WordPress 5.8.1 security patch, API botnet attacks report, articles on API tokens and API discovery
This week, we have details on the security patch in WordPress 5.8.1 fixing an issue on the REST API, a report on the rise of botnet attacks on APIs, an article on everything you need to know about API tokens, and thoughts on API discovery.
Vulnerability: Security patch to REST API in WordPress 5.8.1
 

Last Friday saw a security and maintenance release for WordPress, with the details of version 5.8.1 available here. This release features 60 bug fixes and — most importantly — three security fixes, namely:

  • A data exposure vulnerability within the WordPress REST API
  • An XSS vulnerability in the block editor
  • Lodash library updated to version 4.17.21 to incorporate upstream security fixes

Of interest to us is the vulnerability related to the WordPress REST API, detailed more fully in CVE-2021-39200.

WordPress provides an internal helper method wp_die that is called when an error occurs in the WordPress core. Unfortunately, the existing implementation of the handler emitted excessive internal data including nonces. This would allow an attacker to gain access to nonces which in turn could allow unauthorized access to core WordPress API methods. The fix shown below is available on GitHub here.

Article1-1

Because of the fixed security issues, WordPress recommends users to update their installations to the new version as soon as possible.

The main lessons learned here are:

  • Complex systems, such as WordPress, can relatively easily be compromised by their APIs. In security-sensitive applications, it may be advisable to disable such APIs if they are not required.
  • Information leaks are a constant threat to software systems — this one is an example of API3:2019 — Excessive data exposure, whereby sensitive data is inadvertently leaked allowing system compromise.
Opinion: Botnet attacks on APIs
 

This week featured an article in SecurityIntelligence, covering the rise of the APIs and — specifically — how APIs may increasingly be under threat from botnets weaponized against APIs and Denial of Service (DoS) attacks.

The article quotes various references driving the rise of API adoption suggesting that in 2021, over 70% of organizations will be using APIs in their business solutions. Of particular concern is the rise in the number of organizations that will expose those APIs to the internet or to third-party APIs. According to a survey from Radware and Osterman Research, nearly 40% of respondents stated that over half of their applications were exposed in this manner.

Article2-1

Even more concerning was the fact that nearly half of the participants had experienced an injection attack, and that monthly DoS attacks were even more prevalent.

Key takeaways here are:

  • Implement some form of rate-limiting on key APIs to mitigate against bot attacks.
  • Consider the use of multi-factor authentication (for example via OAuth2 protocol) to reduce the impact of bot attacks.
  • Use identity and access management, such as Role-Based Access Control (RBAC) to restrict which resources are accessible through user accounts.
Article: API tokens
 

A key pillar in a holistic approach to API security is the judicious use and management of API tokens. Unfortunately, this is a domain that is frequently poorly understood and often poorly implemented.

This week we are fortunate enough to feature a fantastic (and exhaustive) overview by Thomas H. Ptacek on the use of API tokens. The article is written in a wonderfully humorous way with tongue always firmly in cheek — “Canonically, OAuth lets a 3rd party post a tweet with your account.”

More importantly, the article is well-referenced, opinionated, and almost certain to be valuable to anyone involved in the implementation of API solutions.

The state of play for API tokens is summarized succinctly here:

Article3

 

Article: API discovery
 

Finally this week, we have musings from API Evangelist on the joys of all things relating to API discovery, of interest to anyone involved in the development or use of APIs. In a nutshell, the suggested sources for discovery are (in no particular order):

 
ColinD

 

 

Colin Domoney

ApiSecurity.io

 
Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

 
42Crunch, Inc.   95 Third Street  2nd Floor  San Francisco  CA   94103   United States
You received this email because you are subscribed to API Security News from 42Crunch, Inc..

Update your email preferences to choose the types of emails you receive or Unsubscribe from all future emails  
 
 

Older messages

APISecurity.io Newsletter: Issue 150

Thursday, September 9, 2021

Hi, this week, we have recent vulnerabilities in the Fortress home security system that allowed an attacker to remotely disable the system APIsecurity.io The Latest API Security News, Vulnerabilities

APISecurity.io Newsletter: Issue 149

Thursday, September 2, 2021

Hi, this week we have vulnerabilities on Cisco routers allowing device takeover, a vulnerability on the Bumble app disclosing user's location APIsecurity.io The Latest API Security News,

Issue 148: Microsoft Power Apps breach, BOLA on Topcoder portal, RFC 9101 released, API hacking guide

Thursday, August 26, 2021

Hi this week, we have Microsoft Power Apps demonstrating the dangers of lax default settings e, yet another (BOLA/IDOR) vulnerability. APIsecurity.io The Latest API Security News, Vulnerabilities and

Issue 147: Vulnerabilities in SEOPress plugin and Steam portal, results from an application security survey

Thursday, August 19, 2021

Hi, this week, we have the recent API vulnerabilities in SEOPress plugin and Steam portal, and results from an application security survey. APIsecurity.io The Latest API Security News, Vulnerabilities

Issue 146: Facebook API leaking private group membership, JWT Attacker plugin for Burp

Friday, August 13, 2021

Hi, this week we have as usual recent API vulnerabilities, tools, opinions, and a note about the upcoming transition of this newsletter. APIsecurity.io The Latest API Security News, Vulnerabilities and

You Might Also Like

Charted | Global Economic Confidence in 2025, by Country 🌎

Wednesday, December 25, 2024

While emerging markets in Asia have the strongest confidence in the global economy looking ahead, European countries are most pessimistic. View Online | Subscribe | Download Our App FEATURED STORY

Top Tech Deals 🎅 Sony Headphones, iPhone Cases, 4K Projector, and More!

Wednesday, December 25, 2024

The season of giving is upon us. How-To Geek Logo December 25, 2024 Top Tech Deals: Sony Headphones, iPhone Cases, 4K Projector, and More! The season of giving is upon us. Happy Holidays! If you're

Why the Race to AGI is Humanitys Defining Moment

Wednesday, December 25, 2024

Top Tech Content sent at Noon! Boost Your Article on HackerNoon for $159.99! Read this email in your browser How are you, @newsletterest1? 🪐 What's happening in tech today, December 25, 2024? The

Iran's Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware

Wednesday, December 25, 2024

THN Daily Updates Newsletter cover The Data Science Handbook, 2nd Edition ($60.00 Value) FREE for a Limited Time Practical, accessible guide to becoming a data scientist, updated to include the latest

Software Testing Weekly - Issue 251

Wednesday, December 25, 2024

GitHub Copilot is free! 🤖 View on the Web Archives ISSUE 251 December 25th 2024 COMMENT Welcome to the 251st issue! In case you missed it — GitHub Copilot is free! The free version works with Visual

Daily Coding Problem: Problem #1647 [Medium]

Tuesday, December 24, 2024

Daily Coding Problem Good morning! Here's your coding interview problem for today. This problem was asked by Square. In front of you is a row of N coins, with values v 1 , v 1 , ..., v n . You are

Sentiment Analysis, Topological Sort, Web Security, and More

Tuesday, December 24, 2024

Exploring Modern Sentiment Analysis Approaches in Python #661 – DECEMBER 24, 2024 VIEW IN BROWSER The PyCoder's Weekly Logo Exploring Modern Sentiment Analysis Approaches in Python What are the

🤫 Do Not Disturb Mode Is My Secret to Sanity — 8 Gadgets I Want To See Nintendo Make

Tuesday, December 24, 2024

Also: The Best Christmas Movies to Watch on Netflix, and More! How-To Geek Logo December 24, 2024 Did You Know Their association with the Christmas season might make you think poinsettias hail from a

😱 AzureEdge.net DNS Retiring Jan. 2025, 🚀 Microsoft Phi-4 AI Outperforms, 🔒 Microsoft Secure Future Initiative

Tuesday, December 24, 2024

Blog | Advertise | View Online Your trusted source for Cloud, AI and DevOps guidance with industry expert Chris Pietschmann! Phi-4: Microsoft's New Small Language Model Outperforms Giants in AI

Mapped | The Top Health Insurance Companies by State 🏥

Tuesday, December 24, 2024

In 13 US states, a single company dominates the health insurance market, holding at least half of the total market share. View Online | Subscribe | Download Our App Presented by: Global X ETFs Power