API Security Weekly: Issue

This week, look at the recent vulnerability in Cisco Data Center Network Manager, the API aspect of the data breach at MGM Grand Resort, and more.

This week, we take a look at the recent vulnerability in Cisco Data Center Network Manager, as well as the API aspect of the data breach at MGM Grand Resort. Plus, we have a couple of tutorials: one on using Chrome Developer Tools to discover API paths, and an introductory one on GraphQL APIs and how to penetration test them.

Vulnerability: Cisco Data Center Network Manager

Cisco has released a set of patches for their Data Center Network Manager (DCNM), a platform for managing Cisco data centers.

One of the critical vulnerabilities that Cisco fixed was, quoting from the Cisco Security Advisory:

“A vulnerability in the REST API of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.

The vulnerability exists because different installations share a static encryption key. An attacker could exploit this vulnerability by using the static key to craft a valid session token. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges.”

Embarrassingly enough, at the beginning of this year Cisco had already patched an issue involving a static API key in DCNM. Now the same kind of problem reappears in the very same product. Let’s hope this does not become a recurring issue.

Do not use static or hard-coded API keys or session-signing keys. A key that is the same in every installation is a poor security practice: once it is extracted from one copy of the software, it can be reused against every other deployment.
