Articles

API Security Weekly: Issue #105

,

This week, we take a look at API vulnerabilities in HashiCorp Vault, Azure App Services, and more. There is also an introductory video on finding information disclosure in JSON and XML API responses, and another cheat sheet and a webinar on OWASP API Security Top 10.

Vulnerability: HashiCorp Vault

Felix Wilhelm from Google’s Project Zero has written a very detailed write-up on an authentication bypass he found in the Amazon Web Services (AWS) and Google Cloud Platform (GCP) integration of HashiCorp Vault. As a central storage of credentials, Vault makes an attractive target for attackers, and therefore a vulnerability in it is also very bad news. Looking for the silver linings, this attack was definitely quite advanced, and thus not easily exploitable.

Source de l’article sur DZONE

/par

API Security Weekly: Issue #81

,

This week, we check out how Microsoft Teams could be breached with a single GIF image sent in a chat, and Auth0 by changing the case of a single character.

In other news, a report on security issues in smart home hubs has been published, and a new online training on OAuth2.0 and OpenID Connect is available.

Source de l’article sur DZONE

/par

API Security Weekly: Issue #41

,

This week, we take a look into API vulnerabilities found in Tinder and Axway SecureTransport. In other news, FTC and Equifax have reached a settlement related to the 2017 breach, and the slides for an API security talk have been posted.

Vulnerability: Tinder

Sanskar Jethi has found that Tinder enforces its premium features (such as unblurred images of those who like you) to be available for premium membership only in the app, not in the API. Their API actually delivers regular, unblurred images to everyone.

Source de l’article sur DZONE

/par