44 matches found
Predictions for 2023 from Latest API Threat Research | API Security Newsletter
March has arrived and is roaring like a very confused lion, at least in the northern hemisphere. And much like in the wild, brood production is increasing. Weve already seen some fruits of that labor, such as the Q4-2022 and 2022 Year-End ThreatStats™ Report, and some very tasty product upgrades...
Cross-site Scripting (XSS)
github.com/eolinker/apinto-dashboard is vulnerable to cross-site scriptingXSS attacks. A remote authenticated attacker is able to inject and execute malicious JavaScript on the victim's machine due to insufficient checks in /api/discoveries/ file...
Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty shipped with IBM WebSphere Application Server Patterns are vulnerable to Clickjacking (CVE-2021-39038)
Summary IBM WebSphere Application Server is vulnerable to clickjacking when REST API discovery is configured through the WebSphere administrative console Web Container settings to enable the API Discovery service, or through IBM WebSphere Application Server Liberty features mpOpenAPI-1.0,...
Security Bulletin: WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to Clickjacking (CVE-2021-39038)
Summary IBM WebSphere Application Server is vulnerable to clickjacking when REST API discovery is configured through the WebSphere administrative console Web Container settings to enable the API Discovery service, or through IBM WebSphere Application Server Liberty features mpOpenAPI-1.0,...
Discovering shadow APIs with a API firewall
Shadow APIs can be defined as active endpoints that you are not aware of. Some APIs are deployed but never documented. Others are services that don’t have an owner anymore. Some are even old v2 versions that have been deprecated for years, yet still exposed. Long story short: these APIs are not...
Design/Logic Flaw
An issue was discovered in Zammad before 4.1.1. An admin can discover the application secret via the API...
Wallarm API Discovery: Discover API endpoints automatically and secure them
What do you know about your APIs? Why are the vulnerable v2 and v3 still exposed if they are deprecated for almost a year? What else is exposed and you don’t even know? Are Swagger specs up to date? Teaser: Surely not. A lot of questions, right? Meet Wallarm’s latest feature for API Discovery and...
Akamai Named Gartner Magic Quadrant Leader for Fourth Consecutive Year
Gartner published its 2020 Magic Quadrant for Web Application Firewalls WAFi and named Akamai a Leader for the fourth consecutive year. Gartner's high distinction is market recognition of our completeness of vision and ability to execute. This graphic was published by Gartner, Inc. as part of a...
What's New in Web Security
With Akamai's web security portfolio, the top focus this October is on the web application firewall WAF, with exciting new capabilities: API Discovery and Adaptive Security Profiles. Along with the rest of the industry, Akamai has observed a long-term shift in the applications that we're...
API Discovery and Profiling -- Visibility to Protection
APIs have become a dominant mechanism in the modern web, allowing organizations to create powerful web and mobile experiences, while exposing back-end data and logic to create new and innovative offerings. Protecting internet-facing APIs -- an emerging practice over the past few years -- is the...
What's New in Web Security
With Akamai's web security portfolio, the top focus this October is on the web application firewall WAF, with exciting new capabilities: API Discovery and Adaptive Security Profiles...
CVE-2020-14458
Mattermost Server before 5.19.0 is affected. The issue allows attackers to discover private channels through the get channel by name API (MMSA-2020-0004), an information-disclosure vulnerability. Affected product is Mattermost Server; vulnerable component is the get channel by name API endpoint. ...
QSC18: API Security, Enabling Innovation Without Enabling Attacks and Data Breaches
Without APIs, it would be near impossible to see enterprises being able to digitally transform themselves. After all, APIs are the connective-tissue between applications and systems and they make the management, automation and consumption of technology possible at scale. APIs are what enable...
Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Applciation Server bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud
Summary There is a potential information disclosure vulnerability in Admin Center for IBM WebSphere Application Server Liberty. There is a potential for weaker than expected security when using the WebSphere Application Server Liberty profile API Discovery feature and Swagger documents. There is ...
Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix
Summary There is an XML External Entity Injection XXE vulnerability in the Apache Standard Taglibs that affects IBM WebSphere Application Server. There is an information disclosure vulnerability in IBM WebSphere Application Server Liberty for any users of the JAX-RS API. There is a potential for...
Security Bulletin: WebSphere Application Server Liberty API Discovery feature has potential vulnerability (CVE-2016-2945)
Summary There is a potential for weaker than expected security when using the WebSphere Application Server Liberty profile API Discovery feature and Swagger documents. Vulnerability Details CVEID: CVE-2016-2945 DESCRIPTION: IBM WebSphere Application Server Liberty Profile using the API Discovery...
RubyGems: Request Hijacking Vulnerability in RubyGems 2.6.11 and earlier
Description: The RubyGems client supports a gem server API discovery functionality, which is used when pushing or pulling gems to a gem distribution/hosting server, like RubyGems.org. This functionality is provided via a SRV DNS request to the users gem source hostname prepended with...
CVE-2016-2945
The API Discovery implementation in IBM WebSphere Application Server WAS 8.5.5.8 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 allows remote authenticated users to gain privileges via an external reference in a Swagger document...
CVE-2016-2945
The API Discovery implementation in IBM WebSphere Application Server WAS 8.5.5.8 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 allows remote authenticated users to gain privileges via an external reference in a Swagger document...
CVE-2016-2945
The API Discovery implementation in IBM WebSphere Application Server WAS 8.5.5.8 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 allows remote authenticated users to gain privileges via an external reference in a Swagger document...