API Security Weekly: Issue

This week, we take a look at the recently reported API vulnerabilities in the COVID-19 tracing app Aura and in Kubernetes, some API security best practices, and a talk on OWASP API Top 10 from DEF CON 2020.

Vulnerability: Aura COVID-19 Tracing App

Another mandatory COVID-19 tracing app has been found to leak users' personal information and health status. This time it was Aura, an app that Albion College in Michigan has made mandatory for all students.

Among other issues, such as hard-coded secret keys for the backend server, the app also exposed an API that allowed account numbers to be enumerated. For a given account number, anyone could retrieve the student's COVID status, the date of testing, and the student's full name.

Lessons to be learned from this case are familiar:

  • Never allow any sort of account enumeration in your APIs.
  • Prevent IDOR/BOLA attacks by enforcing authorization on every object access, so that each account can reach only its own data.

We have previously covered API vulnerabilities in various coronavirus tracing apps in our issues 83 and 86.
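The two lessons above, as an added example that is not code from the newsletter or from the Aura app: a "get my record" lookup modelled in plain Python without a web framework, first in the shape that leaks (no ownership check, and "unknown account" answered differently from "known account"), then hardened so that a record that is not the caller's is indistinguishable from one that does not exist. The record fields, account numbers and caller names are constructed for the example.

```python
"""Object-level authorization for a record lookup, modelled in plain Python
with no web framework.  All data here is constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    owner: str        # account that is allowed to read this record
    full_name: str
    covid_status: str
    tested_on: str


# Constructed sample data.  Sequential account numbers with a gap, as a real
# directory would have, so that both 'missing' and 'present' occur in a scan.
RECORDS = {
    1001: Record("alice", "Alice Example", "negative", "2020-08-20"),
    1002: Record("bob", "Bob Example", "positive", "2020-08-21"),
    1004: Record("carol", "Carol Example", "negative", "2020-08-22"),
}

NOT_FOUND = (404, {})


def _public_view(rec: Record) -> dict:
    # Return only the fields the endpoint exists to serve, never the owner.
    return {"name": rec.full_name, "status": rec.covid_status, "tested": rec.tested_on}


def vulnerable_lookup(caller: str, account_id: int):
    """BOLA: the caller's identity is never compared with the record's owner,
    and unknown numbers answer differently from known ones, so a loop over
    the number space both enumerates accounts and reads every record."""
    rec = RECORDS.get(account_id)
    if rec is None:
        return NOT_FOUND
    return 200, _public_view(rec)


def hardened_lookup(caller: str, account_id: int):
    """Ownership is checked on every access, and 'exists but is not yours'
    is answered exactly like 'does not exist', so the endpoint is no longer
    an enumeration oracle."""
    rec = RECORDS.get(account_id)
    if rec is None or rec.owner != caller:
        return NOT_FOUND
    return 200, _public_view(rec)


def enumerate_range(lookup, caller: str, lo: int, hi: int) -> dict:
    """What an attacker does: walk a range of account numbers with a valid
    login of their own and keep whatever the API hands back."""
    leaked = {}
    for n in range(lo, hi):
        code, body = lookup(caller, n)
        if code == 200:
            leaked[n] = body
    return leaked


if __name__ == "__main__":
    # 'mallory' holds a valid login but owns none of these records.
    print("vulnerable:", enumerate_range(vulnerable_lookup, "mallory", 1000, 1010))
    print("hardened:  ", enumerate_range(hardened_lookup, "mallory", 1000, 1010))
    print("owner:     ", hardened_lookup("bob", 1002))
```

Note that the hardened version returns the same 404 for a foreign record and for a non-existent one; answering 403 for the former would still confirm which account numbers are in use. Opaque, non-sequential identifiers are a useful second layer, but they do not replace the ownership check.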

Vulnerability: Kubernetes

Do not assume that calls from localhost are automatically safe. Attacks are often chained: once an attacker gets past the initial defense, they expand from there. If a vulnerable local proxy runs on a system that automatically trusts it, the attacker can route malicious requests through that proxy and inherit its trust.
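A minimal model of that point, as an added example that is not from the newsletter and does not reproduce the reported Kubernetes issue: a privileged backend whose only check is that the peer address is 127.0.0.1, a forwarding proxy on the same host, and the same backend guarded by a credential instead of by source address. SERVICE_TOKEN, the addresses and the path are assumptions made for the example.

```python
"""Why 'it came from localhost' is not authentication.  Generic model of a
backend that trusts loopback and a local forwarding proxy that lets an
external caller inherit that trust.  Constructed example; it does not
reproduce any specific Kubernetes component or report."""
import hmac
from dataclasses import dataclass

# Assumed credential for the example; a real service would load it from a
# secret store rather than a constant.
SERVICE_TOKEN = "constructed-example-token"


@dataclass(frozen=True)
class Request:
    remote_addr: str   # peer address as seen by the receiving socket
    path: str
    token: str = ""    # bearer credential, empty if the caller has none


def authz_by_origin(req: Request) -> bool:
    """Weak policy: any peer on the loopback interface is trusted."""
    return req.remote_addr == "127.0.0.1"


def authz_by_token(req: Request) -> bool:
    """Hardened policy: the source address plays no part; the caller must
    present a credential, compared in constant time."""
    return hmac.compare_digest(req.token.encode(), SERVICE_TOKEN.encode())


def make_backend(authz):
    """A privileged endpoint guarded by the given policy."""
    def handle(req: Request) -> int:
        return 200 if authz(req) else 403
    return handle


def local_proxy(backend, req: Request) -> int:
    """A forwarding proxy running on the same host as the backend.  Whatever
    the original peer was, the backend's socket now sees the proxy, i.e.
    loopback.  The proxy copies the path and any token, as a real one would."""
    forwarded = Request(remote_addr="127.0.0.1", path=req.path, token=req.token)
    return backend(forwarded)


def attack(authz) -> tuple:
    """External caller with no credential tries the endpoint directly, then
    through the local proxy.  Returns (direct_status, via_proxy_status)."""
    backend = make_backend(authz)
    external = Request(remote_addr="203.0.113.7", path="/admin/restart")
    return backend(external), local_proxy(backend, external)


if __name__ == "__main__":
    print("origin check: direct/proxied =", attack(authz_by_origin))  # (403, 200)
    print("token check:  direct/proxied =", attack(authz_by_token))   # (403, 403)
    legit = Request("10.0.0.9", "/admin/restart", token=SERVICE_TOKEN)
    print("token check, authorised caller =", make_backend(authz_by_token)(legit))  # 200
```

Under the origin policy the proxied request is accepted purely because the last hop is loopback; the same holds for anything else on the host that can be made to issue requests, including a compromised sidecar or a sandboxed process with local network access. Under the token policy the proxy changes nothing, because the decision never depended on where the packet came from.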
