APIsecurity.io - APISecurity.io Newsletter: Issue 153

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #153
Rapid proliferation of APIs, WordPress API vulnerability, false-negative API scanning

This week, we have an article on how API proliferation is opening up security holes, and another vulnerability in the WordPress REST API, again introduced through a third-party plugin. In addition, we look into the danger of false negatives in API vulnerability scanning, and at API protection as a key element of a cloud security strategy.

Article: Rapid proliferation of APIs opens up security holes

This week, we have a keynote from author and cyber entrepreneur Alissa Knight at the HackerOne Security@ virtual conference, in which she discusses how the rapid proliferation of APIs is opening up security holes.

Knight is an active API security researcher who believes that only now, as the industry collects more and more statistics on API security, are we gaining a full insight into the risk that APIs expose. The best-known API vulnerability class is broken object-level authorization (BOLA), and Knight likens the scenario to “a coat check where the employee behind the counter looks at a person’s claim number but doesn’t notice that the number had been changed with a marker”.
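The coat-check failure in code, as an added example (it is not code from Knight's talk or from this newsletter): a toy claims API in Python with the vulnerable lookup beside the fixed one, and the marker-on-the-ticket attack expressed as a walk over the ID space. The handler names, the claim records and the caller identities are all constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    number: int   # the claim-check number printed on the ticket
    owner: str    # the authenticated account that checked the item in
    item: str


# Constructed sample data: two customers, one item each.
CLAIMS = {
    101: Claim(101, "alice", "red coat"),
    102: Claim(102, "bob", "black umbrella"),
}


def get_claim_vulnerable(caller: str, number: int):
    """BOLA: the handler trusts the number on the ticket and never asks
    whether that ticket belongs to the caller. Returns (status, body)."""
    claim = CLAIMS.get(number)
    if claim is None:
        return 404, None
    return 200, claim.item


def get_claim_fixed(caller: str, number: int):
    """Object-level check: the claim must exist AND belong to the caller.
    A foreign claim gets the same 404 as a missing one, so the response
    does not confirm which numbers exist."""
    claim = CLAIMS.get(number)
    if claim is None or claim.owner != caller:
        return 404, None
    return 200, claim.item


def walk_ids(handler, caller: str, id_range):
    """The marker attack: one authenticated user tries every ticket number
    and keeps whatever the API hands back."""
    found = {}
    for number in id_range:
        status, body = handler(caller, number)
        if status == 200:
            found[number] = body
    return found


if __name__ == "__main__":
    print(walk_ids(get_claim_vulnerable, "alice", range(100, 105)))
    print(walk_ids(get_claim_fixed, "alice", range(100, 105)))
```

Run as alice, the vulnerable handler hands over bob's umbrella as well as her own coat; the fixed one returns only her own claim. Returning 404 rather than 403 for a foreign object is a deliberate choice so that an attacker cannot distinguish "exists but not yours" from "does not exist"; the ownership check also has to sit on every verb that touches the object (update, delete, download), not just on the read.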

Knight’s most prominent recent research concerned API vulnerabilities in connected police vehicles, which allowed her to remotely lock and unlock the doors and to start and stop the engines. The key takeaway from that work was the lack of certificate pinning, which allows a researcher (or an attacker) to place a proxy such as Burp Suite or mitmproxy between the client and the back-end API and intercept, inspect and tamper with the traffic. Where certificate pinning was implemented at all, the implementations had shortcomings.
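What certificate pinning looks like on the client side, as an added example in Python (it is not Knight's code or any vehicle vendor's). It pins the SHA-256 of the server's SubjectPublicKeyInfo (SPKI) rather than the whole leaf certificate, so a routine re-issue with the same key still connects while a certificate minted by Burp or mitmproxy does not. The small DER walker, the sample certificates built by make_sample_cert (structural skeletons only, not validly signed certificates) and the PinnedHTTPSConnection class are all constructed for this illustration.

```python
import base64
import hashlib
import http.client
import ssl


def _tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one tag-length-value (short and long length forms)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _seq(*parts: bytes) -> bytes:
    return _tlv(0x30, b"".join(parts))


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, tlv_start, tlv_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, value_end = _read_tlv(buf, pos)
        yield tag, pos, value_end
        pos = value_end


def spki_from_certificate(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_start, _ = _read_tlv(cert_der, 0)
    _, tbs_start, tbs_end = _read_tlv(cert_der, cert_start)
    fields = list(_children(cert_der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                # explicit [0] version tag present (v2/v3)
        fields = fields[1:]
    _, start, end = fields[5]               # serial, sigalg, issuer, validity, subject, SPKI
    return cert_der[start:end]


def spki_pin(cert_der: bytes) -> str:
    """Pin in the usual 'sha256/<base64>' form."""
    digest = hashlib.sha256(spki_from_certificate(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def pin_matches(cert_der: bytes, pins) -> bool:
    return spki_pin(cert_der) in set(pins)


class PinnedHTTPSConnection(http.client.HTTPSConnection):
    """Standard chain validation first, then an SPKI pin check on the leaf."""

    def __init__(self, host: str, pins, **kwargs):
        super().__init__(host, context=ssl.create_default_context(), **kwargs)
        self._pins = set(pins)

    def connect(self):
        super().connect()
        leaf_der = self.sock.getpeercert(binary_form=True)
        if not pin_matches(leaf_der, self._pins):
            self.close()
            raise ssl.SSLError(f"SPKI pin mismatch for {self.host}")


# --- constructed sample certificates (structure only; not signed or valid) ---
_EC_P256_ALG = _seq(_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"),        # id-ecPublicKey
                    _tlv(0x06, b"\x2a\x86\x48\xce\x3d\x03\x01\x07"))    # prime256v1
_SHA256_RSA = _seq(_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA


def make_sample_spki(key_byte: int) -> bytes:
    """A fake uncompressed EC point filled with key_byte, wrapped as an SPKI."""
    return _seq(_EC_P256_ALG, _tlv(0x03, b"\x00\x04" + bytes([key_byte]) * 64))


def make_sample_cert(serial: bytes, spki: bytes) -> bytes:
    tbs = _seq(
        _tlv(0xA0, _tlv(0x02, b"\x02")),                                    # [0] version v3
        _tlv(0x02, serial),                                                 # serialNumber
        _SHA256_RSA,                                                        # signature alg
        _seq(),                                                             # issuer (empty)
        _seq(_tlv(0x17, b"210101000000Z"), _tlv(0x17, b"220101000000Z")),  # validity
        _seq(),                                                             # subject (empty)
        spki,
    )
    return _seq(tbs, _SHA256_RSA, _tlv(0x03, b"\x00" + b"\x22" * 64))      # dummy signature


SERVER_SPKI = make_sample_spki(0x11)
ORIGINAL_CERT = make_sample_cert(b"\x01", SERVER_SPKI)            # what the app pinned
RENEWED_CERT = make_sample_cert(b"\x02", SERVER_SPKI)             # same key, new serial
PROXY_CERT = make_sample_cert(b"\x03", make_sample_spki(0x42))    # Burp/mitmproxy key
```

Pinning the SPKI rather than the certificate means the app keeps working across ordinary renewals, and shipping a backup pin for the next key avoids bricking clients at rotation. Note that the pin check runs after, not instead of, normal chain validation; a common shortcoming Knight alludes to is pinning code that silently falls back to unpinned behaviour on mismatch rather than failing closed.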

Knight’s research has also included hacking 30 financial services and fintech companies through their APIs and uncovering significant vulnerabilities, such as the ability to change arbitrary PINs or to transfer funds. Her view is that, because banks tend to outsource much of their development, the same issues recur systemically across banks.

The full content of the HackerOne Security@ conference is available here; Knight’s keynote, “The Best Kept Secret in Cybersecurity”, is the first on the list.

Vulnerability: WordPress plugin Ninja Forms exposes REST API vulnerability

This week also saw another vulnerability in a popular WordPress plugin, Ninja Forms, which exposed form submission data through the WordPress REST API.

WordPress exposes its core functionality through a REST API. Whilst WordPress core enforces authentication and authorization on its own endpoints, vulnerabilities often arise in plugins that register their own routes with inadequate authorization checks. As recently as issue 147 we covered a similar vulnerability in the SEOPress plugin, which failed to fully validate API requests.

In this instance, the Ninja Forms plugin registered a permission callback (the function WordPress core invokes to decide whether the caller may use a particular REST route). This callback checked only that the user was logged in; it did not check that the user held the capability needed to bulk-export all submissions made through the plugin, so any registered account could pull them. This is a significant sensitive information disclosure, because submissions can contain email addresses and other PII.

The plugin provider has since patched the vulnerability, and users are advised to upgrade to the most recent version of the plugin.

The key takeaways:

  • The failure to fully validate API requests is a leading factor in vulnerable APIs. In this particular case, we saw an example of OWASP API5 (Broken Function Level Authorization): the caller was authenticated, but the function invoked was not one their role was entitled to.
  • Authentication is not enough on its own. Authorization needs to be in place, too.
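The difference between the two permission callbacks, as an added example in Python that models the WordPress pattern rather than reproducing the plugin's or WordPress core's PHP. is_user_logged_in() and current_user_can() are the names of the real WordPress functions; the Python stand-ins below, the route paths, the User/Request types and the sample submissions are all constructed for this illustration.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    capabilities: set = field(default_factory=set)


@dataclass
class Request:
    user: User
    route: str


ANONYMOUS = User("anonymous")
SUBSCRIBER = User("subscriber", {"read"})                 # any registered account
ADMIN = User("admin", {"read", "manage_options"})

# Constructed sample: what a bulk export of form submissions would return.
SUBMISSIONS = [
    {"form": "contact", "email": "a.customer@example.com", "message": "call me"},
    {"form": "newsletter", "email": "b.customer@example.com"},
]


def is_user_logged_in(req: Request) -> bool:
    """Authentication only: is there any account behind this request?"""
    return req.user is not ANONYMOUS


def current_user_can(req: Request, capability: str) -> bool:
    """Authorization: does this account hold the capability the operation needs?"""
    return capability in req.user.capabilities


ROUTES = {}


def register_route(path: str, callback, permission_callback) -> None:
    """Stand-in for register_rest_route(): core calls permission_callback first."""
    ROUTES[path] = (callback, permission_callback)


def dispatch(req: Request):
    """Stand-in for the REST server: a falsy permission_callback result is a 403."""
    callback, permission_callback = ROUTES[req.route]
    if not permission_callback(req):
        return 403, {"code": "rest_forbidden"}
    return 200, callback(req)


def export_submissions(req: Request) -> dict:
    return {"submissions": SUBMISSIONS}


# Vulnerable: the callback answers "is this a user?" when the question is
# "may this user export every submission?". Any subscriber passes.
register_route("/submissions/export", export_submissions,
               permission_callback=is_user_logged_in)

# Fixed: the callback checks the capability the operation actually needs.
register_route("/submissions/export-fixed", export_submissions,
               permission_callback=lambda req: current_user_can(req, "manage_options"))


def export_as(user: User, route: str) -> int:
    """Status code a given account receives from a route."""
    return dispatch(Request(user, route))[0]
```

A subscriber gets a 200 and the full dump from the first route and a 403 from the second; an administrator gets the data from both. The lesson generalises beyond WordPress: the permission check has to be specific to the operation, and a per-route check of "is authenticated" is exactly the gap that function-level authorization bugs live in.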
Article: The danger of false negatives in API vulnerability scanning

Also of interest this week is further coverage of API vulnerability scanning and the danger of false negatives lulling a security team into a false sense of security. Last week I discussed a similar topic: the shortcomings of traditional SAST/DAST tools when applied to APIs.

The author, Troy Hawes, describes the importance of performing security testing of APIs and concisely summarizes why API risk is so often mismanaged:

  • APIs aren’t a part of vulnerability management programs and are overlooked
  • Information security teams lack the knowledge to thoroughly test APIs
  • APIs are tested generically and false negatives provide organizations with a false sense of security
  • APIs are only tested by the development team
  • APIs aren’t considered with an adversarial mindset

The third point is paramount. Last week’s article concluded that reliance on SAST/DAST testing can produce false negatives, that is, vulnerabilities present in the API implementation that the tools simply do not report. Hawes claims that “if you’re scanning your APIs with generic vulnerability scans or even web application scans, then you’re likely missing eight out of 10 of the top API vulnerabilities”.

The other key takeaway is that automated testing, whilst valuable, cannot detect more complex business logic flaws, such as those that only appear across a sequence of API calls. For such cases, a dedicated API penetration test conducted by a skilled human tester mimicking the actions of an attacker is recommended. The adversarial mindset is particularly important when conducting such testing: don’t think like a developer, think like an attacker. Hawes concludes that API monitoring is vital for detecting the deviations from normal API behaviour that attackers cause.
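One concrete form of the monitoring Hawes recommends, as an added example (not from his article): a few constructed API access-log lines and a detector that flags a client walking the object-ID space, which is what a BOLA probe looks like from the server side. The log format, the /api/claims path, the window length and the thresholds are all assumptions for this illustration.

```python
import re
from collections import defaultdict

# Assumed log format: epoch seconds, client token, method, path, status.
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) /api/claims/(?P<id>\d+) (?P<status>\d{3})$"
)

# Constructed sample: two ordinary users plus one client sweeping IDs 100..105.
SAMPLE_LOG = """\
1000 tok-alice GET /api/claims/101 200
1003 tok-bob GET /api/claims/102 200
1010 tok-mallory GET /api/claims/100 404
1011 tok-mallory GET /api/claims/101 200
1012 tok-mallory GET /api/claims/102 200
1013 tok-mallory GET /api/claims/103 404
1014 tok-mallory GET /api/claims/104 404
1015 tok-mallory GET /api/claims/105 404
1100 tok-alice GET /api/claims/101 200
""".splitlines()


def parse(lines):
    """Yield (ts, client, object_id, status) for lines that match the format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield int(m["ts"]), m["client"], int(m["id"]), int(m["status"])


def enumeration_alerts(lines, window=60, max_distinct=4, max_not_found=2):
    """Slide a time window over each client's requests and alert when the client
    touched more than max_distinct object IDs, or collected more than
    max_not_found 404s, within `window` seconds. A legitimate user reads the
    handful of objects they own; a sweep touches many, most of them missing.
    Returns {client: (distinct_ids, not_found_count)} at first trip."""
    by_client = defaultdict(list)
    for ts, client, oid, status in parse(lines):
        by_client[client].append((ts, oid, status))
    alerts = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            distinct = len({oid for _, oid, _ in win})
            not_found = sum(1 for _, _, s in win if s == 404)
            if distinct > max_distinct or not_found > max_not_found:
                alerts[client] = (distinct, not_found)
                break
    return alerts


if __name__ == "__main__":
    print(enumeration_alerts(SAMPLE_LOG))
```

On the sample, only tok-mallory trips the detector (five distinct IDs and three 404s inside a minute); alice's two reads of her own claim, 100 seconds apart, never share a window. The 404 count is the more telling signal: a sweep over someone else's ID space mostly misses, which is also why the earlier BOLA fix returns 404 for foreign objects instead of 403.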

Opinion: API protection as a key element of a cloud security strategy

Finally this week, we have some brief thoughts from Brian Schwarz on approaches to API security as part of a broader cloud security strategy.

Schwarz calls out the inadequacy of relying on traditional web application firewalls (WAFs) to protect APIs and suggests using more modern Web Application and API Protection (WAAP) solutions. Perhaps the most interesting insight from Schwarz is his suggestion to enforce API protection and defense at the platform level, rather than relying on individual development teams to provide adequate protection within their own development lifecycles.

Certainly, such reliance on bespoke protections can leave gaps across the organization’s estate, because it is all too easy for developers to overlook elements of API security in their haste to release new features and functionality. A decentralized approach can also result in inconsistent protection from one team to the next.

A related topic is central API threat detection and compliance: enforcing API policies centrally against emerging threats ensures that protection is applied uniformly and in a manner consistent with the organization’s compliance and regulatory requirements.

Colin Domoney

ApiSecurity.io

Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

42Crunch, Inc.   95 Third Street  2nd Floor  San Francisco  CA   94103   United States
