APIsecurity.io - APISecurity.io Newsletter: Issue 157

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #157
Unsafe defaults in Prometheus, mapping API attack surfaces, OpenAPI file trend analysis

This week, we have details of a potential vulnerability in existing Prometheus installations with no endpoint security enabled, details of a new tool to assist organizations map their API attack surface, a report on the analysis of publicly available OpenAPI definition files in the public domain, and news on upcoming API security awareness and training from We Hack Purple.

Vulnerability: Unsafe defaults in Prometheus expose secrets
 

JFrog recently published a report on a potential vulnerability in Prometheus, a popular open-source event monitoring and alerting solution. Attackers could parse unsecured endpoints to retrieve sensitive data.

Previously, the metrics had not been considered sensitive at all, but in version 2.24.0 support for TLS and basic authentication were added. Unfortunately, because this is a relatively new feature (v2.24.0 was released in January 2021) and many installations in the public domain still use an older version, JFrog concludes that large-scale data exfiltration is still currently possible.

The authors describe some elementary intelligence gathering techniques using Shodan and ZoomEye to ingest data from over 27 000 hosts. Their findings included:

  • Sensitive operational information like usernames and passwords were exposed.
  • 15.6% of endpoints had exposed and unsecured administration interfaces.

Article1-2

 

The key takeaways here are:

  • If you are concerned with unintended information exposure, enable both basic authentication and TLS in your Prometheus setup.
  • Be wary of default settings in any system, their security level might not be what you want and might have unintended consequences.
Tools: Free tool for mapping API attack surface
 

The old adage of “you can’t improve what you can’t measure” applies equally well to security: you can’t secure what you don’t know about. API security is no different beast here.

API discovery is increasingly under the spotlight because it enables organizations to understand the extent of their risk exposure stemming from their API estate. In complex organizations, the vast variety of internal and external APIs, programming language and framework choices, and hosting or cloud environments can make this — or even estimating your attack surface — a challenging undertaking. The most likely result is a wild “finger in the air” estimate.

Luckily, there is a free API attack surface calculator to get you started. It allows you to get an (albeit very basic) estimate of your API attack surface based on a few basic, easily identified parameters. While not being a discovery tool proper, undertaking such an estimate should be illuminating in its own right: what are the knowns, what are the unknowns, where more information is required, where should an organization start with their API security initiative.

Report: Analyzing trends in OpenAPI files
 

The increased adoption of the OpenAPI Specification (OAS) standard over the last decade has resulted in a vast number of OpenAPI definition files in public repositories.

In a fascinating report, courtesy of Nordic APIs, the Australian security company Assetnote scanned over 200 000 publicly available OpenAPI files, with the goal of discovering underlying trends and patterns in them.

In summary, some of the key findings here include:

  • 79% of API definitions are valid OpenAPI definitions — so conforming to the standard — which bodes well for the continued adoption of the OAS in large.
  • APIs are increasingly complex: on average, each API had 37 paths and 51 endpoints.
  • Understandably, GET is the most frequently used method, followed by POST.
  • Most APIs tend to favor basic authenticationfollowed by API key methods. Somewhat worryingly, the third most popular option is having no security at all!
Training: We Hack Purple offers API security awareness and training
 

The continued interest in API security is being reflected in the availability of new, quality training offerings.

This week, we have news of an API security awareness event, featuring Isabelle Mauny (field CTO of 42Crunch) in a conversation with Tanya Janca (aka. @shehackspurple) as part of Tanya’s new We Hack Purple academy and community.

Also of interest to API security practitioners will be the upcoming mini-course from the We Hack Purple community. I look forward to featuring the course in this newsletter once it is available.

 
ColinD

 

 

Colin Domoney

ApiSecurity.io

 
Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

 
42Crunch, Inc.   95 Third Street  2nd Floor  San Francisco  CA   94103   United States
You received this email because you are subscribed to API Security News from 42Crunch, Inc..

Update your email preferences to choose the types of emails you receive or Unsubscribe from all future emails  
 
 

Older messages

APISecurity.io Newsletter: Issue 156

Thursday, October 21, 2021

Hi, this week we have a report from Alissa Knight on Fast Healthcare Interoperability and Resources APIs being vulnerable to abuse APIsecurity.io The Latest API Security News, Vulnerabilities and Best

APISecurity.io Newsletter: Issue 155

Thursday, October 14, 2021

Hi, this week, we have a vulnerability in the BrewDog mobile app exposing users' PII, Cisco has announced the arrival of their APIClarity APIsecurity.io The Latest API Security News,

APISecurity.io Newsletter: Issue 154

Thursday, October 7, 2021

Hi, this week, we have a viewpoint on what security officers can do to address API security. There's also a report from IBM. APIsecurity.io The Latest API Security News, Vulnerabilities and Best

APISecurity.io Newsletter: Issue 153

Thursday, September 30, 2021

Hi, this week, we have an article on how API proliferation is opening up security holes, another vulnerability in WordPress REST API, again through a third-party plugin. In addition, we look into the

APISecurity.io Newsletter: Issue 152

Thursday, September 23, 2021

Hi, this week, we have a breach involving exposed API keys for payment integration, leaked API tokens on Travis CI. APIsecurity.io The Latest API Security News, Vulnerabilities and Best Practices Issue

You Might Also Like

Charted | Global Economic Confidence in 2025, by Country 🌎

Wednesday, December 25, 2024

While emerging markets in Asia have the strongest confidence in the global economy looking ahead, European countries are most pessimistic. View Online | Subscribe | Download Our App FEATURED STORY

Top Tech Deals 🎅 Sony Headphones, iPhone Cases, 4K Projector, and More!

Wednesday, December 25, 2024

The season of giving is upon us. How-To Geek Logo December 25, 2024 Top Tech Deals: Sony Headphones, iPhone Cases, 4K Projector, and More! The season of giving is upon us. Happy Holidays! If you're

Why the Race to AGI is Humanitys Defining Moment

Wednesday, December 25, 2024

Top Tech Content sent at Noon! Boost Your Article on HackerNoon for $159.99! Read this email in your browser How are you, @newsletterest1? 🪐 What's happening in tech today, December 25, 2024? The

Iran's Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware

Wednesday, December 25, 2024

THN Daily Updates Newsletter cover The Data Science Handbook, 2nd Edition ($60.00 Value) FREE for a Limited Time Practical, accessible guide to becoming a data scientist, updated to include the latest

Software Testing Weekly - Issue 251

Wednesday, December 25, 2024

GitHub Copilot is free! 🤖 View on the Web Archives ISSUE 251 December 25th 2024 COMMENT Welcome to the 251st issue! In case you missed it — GitHub Copilot is free! The free version works with Visual

Daily Coding Problem: Problem #1647 [Medium]

Tuesday, December 24, 2024

Daily Coding Problem Good morning! Here's your coding interview problem for today. This problem was asked by Square. In front of you is a row of N coins, with values v 1 , v 1 , ..., v n . You are

Sentiment Analysis, Topological Sort, Web Security, and More

Tuesday, December 24, 2024

Exploring Modern Sentiment Analysis Approaches in Python #661 – DECEMBER 24, 2024 VIEW IN BROWSER The PyCoder's Weekly Logo Exploring Modern Sentiment Analysis Approaches in Python What are the

🤫 Do Not Disturb Mode Is My Secret to Sanity — 8 Gadgets I Want To See Nintendo Make

Tuesday, December 24, 2024

Also: The Best Christmas Movies to Watch on Netflix, and More! How-To Geek Logo December 24, 2024 Did You Know Their association with the Christmas season might make you think poinsettias hail from a

😱 AzureEdge.net DNS Retiring Jan. 2025, 🚀 Microsoft Phi-4 AI Outperforms, 🔒 Microsoft Secure Future Initiative

Tuesday, December 24, 2024

Blog | Advertise | View Online Your trusted source for Cloud, AI and DevOps guidance with industry expert Chris Pietschmann! Phi-4: Microsoft's New Small Language Model Outperforms Giants in AI

Mapped | The Top Health Insurance Companies by State 🏥

Tuesday, December 24, 2024

In 13 US states, a single company dominates the health insurance market, holding at least half of the total market share. View Online | Subscribe | Download Our App Presented by: Global X ETFs Power