APIsecurity.io - APISecurity.io Newsletter: Issue 160

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #160
Vulnerability in AWS API gateway, Kubernetes API access hardening guide

This week, we have a vulnerability in the AWS API gateway that allows a potential cache-poisoning attack, disclosed at the recent BlackHat Europe conference, a guide on how to harden Kubernetes API access, a report from Forbes on the need to take API security more seriously, and predictions on what’s possibly on the next OWASP API security Top 10.

Vulnerability: AWS API gateway vulnerable to HTTP header-smuggling attack
 

At the recent BlackHat Europe security conference, web security researcher Daniel Thatcher disclosed vulnerabilities relating to the AWS API gateway that allowed HTTP header smuggling. Currently, AWS has not responded to this research nor offered a comment regarding the potential vulnerabilities in their API gateway.

PortSwigger sums up HTTP header smuggling as am attack vector well:

“HTTP request smuggling is a technique for interfering with the way a website processes sequences of HTTP requests that are received from one or more users. Request smuggling vulnerabilities are often critical in nature, allowing an attacker to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users.”

The actual attack that uncovered the vulnerability in AWS API gateway was very simple: Thatcher added X-Forwarded-For abcd: z to the header for HTTP requests, which bypassed the AWS IP address restriction policies in AWS API Gateway.

At its most serious, the vulnerability could allow an attacker to use HTTP header smuggling to sneak phony headers to the backend and launch a cache poisoning attack on the server. This in turn could allow the attacker to create their own API and return malicious content. Not the easiest one to exploit.

AWS has since fixed the vulnerability.

Guide: Kubernetes API Access Security Hardening
 

In any given Kubernetes deployment, the “control plane” is a component of critical importance in a Kubernetes instance, with the Kubernetes API being the gatekeeper to any and all operations that get executed within the instance. As such, the access to this API must be carefully controlled using strong authentication and authorization techniques.

Teleport has put together a concise guide in which they provide recipes and best practice guides for hardening and securing Kubernetes deployments. The article provides detailed guidance on the following core topics:

  • Kubernetes API network access best practices
  • Kubernetes API user account management best practices
  • Kubernetes API access authentication best practices
  • Kubernetes API access authorization best practices
  • Securing access to Kubernetes Kubelet
  • Additional security considerations for API access control

With any complex software system, administrators are encouraged to be fully aware of the default configuration and its security implications, and are well-advised to follow such a guide to implementing the quick wins to harden their installations. If you work with Kubernetes, or are interested in it, do take a look.

Report: Time to take API security more seriously
 

The importance of API security to our modern economy was highlighted this week in a feature by Forbes on why it’s time to take API security seriously. Perhaps for regular readers of this newsletter, the conclusions do not come as a surprise, but it is heartening to see this topic given prime-time coverage in the mainstream media.

Forbes concludes that IT leaders would do well to focus energies on the following key areas:

  • Consider all APIs a threat.
  • Keep an accurate, up-to-date inventory of APIs.
  • Look inside the luggage.
  • Get serious about DevSecOps.

Forbes’ conclusion is precise and to-the-point:

“the best defense is to raise awareness as broadly as possible in your organization so that everyone whose job relates to designing, building and deploying software understands this enemy.”

Opinion: Predicting the next OWASP API Security Top 10
 

Finally, a regular contributor to this newsletter, Jason Kent, provides some predictions on what a new OWASP API Security Top 10 might look like.  The previous listing is from 2019, and two years can be a long time in tech, so it will be exciting to see how it eventually gets updated.

The key takeaway from Kent is the focus on shifting left in relation to API security. He predicts that both insecure design and data integrity failures will be added as new entries to the API Security Top 10. Unsurprisingly, identity and authentication failures and broken access control are likely to remain the two highest priority issues affecting API security.

If you are the betting kind, you could start considering your own opening antes.

 
ColinD

 

 

Colin Domoney

ApiSecurity.io

 
Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

 
42Crunch, Inc.   95 Third Street  2nd Floor  San Francisco  CA   94103   United States
You received this email because you are subscribed to API Security News from 42Crunch, Inc..

Update your email preferences to choose the types of emails you receive or Unsubscribe from all future emails  
 
 

Older messages

APISecurity.io Newsletter: Issue 159

Thursday, November 11, 2021

Hi, this week, we have news of a high criticality vulnerability on GoCD, a common open-source CI/CD system. APIsecurity.io The Latest API Security News, Vulnerabilities and Best Practices Issue: #159

APISecurity.io Newsletter: Issue 158

Thursday, November 4, 2021

Hi, this week, we have news on a breach affecting 400 000 users of a popular German school app, and another vulnerability in a popular WordPress plugin. APIsecurity.io The Latest API Security News,

APISecurity.io Newsletter: Issue 157

Thursday, October 28, 2021

Hi, this week, we have details of a potential vulnerability in existing Prometheus installations, a tool to map their API attack surface APIsecurity.io The Latest API Security News, Vulnerabilities and

APISecurity.io Newsletter: Issue 156

Thursday, October 21, 2021

Hi, this week we have a report from Alissa Knight on Fast Healthcare Interoperability and Resources APIs being vulnerable to abuse APIsecurity.io The Latest API Security News, Vulnerabilities and Best

APISecurity.io Newsletter: Issue 155

Thursday, October 14, 2021

Hi, this week, we have a vulnerability in the BrewDog mobile app exposing users' PII, Cisco has announced the arrival of their APIClarity APIsecurity.io The Latest API Security News,

You Might Also Like

Charted | Global Economic Confidence in 2025, by Country 🌎

Wednesday, December 25, 2024

While emerging markets in Asia have the strongest confidence in the global economy looking ahead, European countries are most pessimistic. View Online | Subscribe | Download Our App FEATURED STORY

Top Tech Deals 🎅 Sony Headphones, iPhone Cases, 4K Projector, and More!

Wednesday, December 25, 2024

The season of giving is upon us. How-To Geek Logo December 25, 2024 Top Tech Deals: Sony Headphones, iPhone Cases, 4K Projector, and More! The season of giving is upon us. Happy Holidays! If you're

Why the Race to AGI is Humanitys Defining Moment

Wednesday, December 25, 2024

Top Tech Content sent at Noon! Boost Your Article on HackerNoon for $159.99! Read this email in your browser How are you, @newsletterest1? 🪐 What's happening in tech today, December 25, 2024? The

Iran's Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware

Wednesday, December 25, 2024

THN Daily Updates Newsletter cover The Data Science Handbook, 2nd Edition ($60.00 Value) FREE for a Limited Time Practical, accessible guide to becoming a data scientist, updated to include the latest

Software Testing Weekly - Issue 251

Wednesday, December 25, 2024

GitHub Copilot is free! 🤖 View on the Web Archives ISSUE 251 December 25th 2024 COMMENT Welcome to the 251st issue! In case you missed it — GitHub Copilot is free! The free version works with Visual

Daily Coding Problem: Problem #1647 [Medium]

Tuesday, December 24, 2024

Daily Coding Problem Good morning! Here's your coding interview problem for today. This problem was asked by Square. In front of you is a row of N coins, with values v 1 , v 1 , ..., v n . You are

Sentiment Analysis, Topological Sort, Web Security, and More

Tuesday, December 24, 2024

Exploring Modern Sentiment Analysis Approaches in Python #661 – DECEMBER 24, 2024 VIEW IN BROWSER The PyCoder's Weekly Logo Exploring Modern Sentiment Analysis Approaches in Python What are the

🤫 Do Not Disturb Mode Is My Secret to Sanity — 8 Gadgets I Want To See Nintendo Make

Tuesday, December 24, 2024

Also: The Best Christmas Movies to Watch on Netflix, and More! How-To Geek Logo December 24, 2024 Did You Know Their association with the Christmas season might make you think poinsettias hail from a

😱 AzureEdge.net DNS Retiring Jan. 2025, 🚀 Microsoft Phi-4 AI Outperforms, 🔒 Microsoft Secure Future Initiative

Tuesday, December 24, 2024

Blog | Advertise | View Online Your trusted source for Cloud, AI and DevOps guidance with industry expert Chris Pietschmann! Phi-4: Microsoft's New Small Language Model Outperforms Giants in AI

Mapped | The Top Health Insurance Companies by State 🏥

Tuesday, December 24, 2024

In 13 US states, a single company dominates the health insurance market, holding at least half of the total market share. View Online | Subscribe | Download Our App Presented by: Global X ETFs Power