This week, we take a look at the recent vulnerability in Cisco Data Center Network Manager, as well as the API aspect of the data breach at MGM Grand Resort. Plus, we have a couple of tutorials: one on using Chrome Developer Tools to discover API paths, and an introductory one on GraphQL APIs and how to penetration test them.
Cisco has released a set of patches for their Data Center Network Manager (DCNM), a platform for managing Cisco data centers.
One of the critical vulnerabilities that Cisco fixed was, quoting from the Cisco Security Advisory:
“A vulnerability in the REST API of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.
The vulnerability exists because different installations share a static encryption key. An attacker could exploit this vulnerability by using the static key to craft a valid session token. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges.”
Embarrassingly enough, at the beginning of this year Cisco already patched an issue involving a static API key in DCNM. Now the same kind of problem has reappeared in the very same product. Let’s hope this does not become a recurring issue.
Do not use static or hard-coded API keys. A key that is identical in every installation can be extracted once and then reused against any other installation, so the lesson is to generate per-installation secrets at deployment time.
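To make the advisory’s point concrete, here is an added example (not Cisco’s code or token format) of HMAC-signed session tokens: a token minted under a key that is baked into every copy of a product verifies on every other copy, while a key generated at first boot confines that trust to one installation. The token layout, the `STATIC_KEY` value and the claim names are all constructed for this illustration.

```python
import base64, hashlib, hmac, json, os, time
from typing import Optional

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(key: bytes, claims: dict) -> str:
    # Sign the JSON claims with HMAC-SHA256 under this installation's key.
    body = json.dumps(claims, sort_keys=True).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())

def verify_token(key: bytes, token: str, now: Optional[float] = None) -> Optional[dict]:
    # Return the claims only if the signature checks out and the token is unexpired.
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims

# The weak pattern the advisory describes: one key baked into every shipped copy
# of the product (constructed value for this example, not a real product key).
STATIC_KEY = b"constructed-static-key-shared-by-all-installs"

def per_install_key() -> bytes:
    # The fix: a random key generated at first boot and kept in protected storage,
    # so a key recovered from one appliance is useless against any other.
    return os.urandom(32)

def cross_install_accepts(key_a: bytes, key_b: bytes) -> bool:
    # Does an administrator token minted on installation A verify on installation B?
    admin = {"sub": "admin", "role": "administrator", "exp": time.time() + 3600}
    return verify_token(key_b, mint_token(key_a, admin)) is not None

if __name__ == "__main__":
    print("static key, A->B accepted:", cross_install_accepts(STATIC_KEY, STATIC_KEY))
    print("per-install keys, A->B accepted:",
          cross_install_accepts(per_install_key(), per_install_key()))
```

Run as a script, the first line prints True and the second False; the same verifier code behaves correctly in both cases, which is why the defect is in key management rather than in the token logic.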