Apache Apisix Licensing Issue Vulnerability

Apache Apisix is a cloud-native microservices API gateway service from the Apache Foundation in the United States. The software is based on OpenResty and etcd for dynamic routing and plug-in hot-loading, and is suitable for API management in microservice systems. an authorization issue...

Symantec Security Advisory for Log4j Vulnerability

Summary Symantec products may be susceptible to a flaw in the Apache Log4j 2 library JNDI lookup mechanism. A remote attacker, who can trigger Log4j to log crafted malicious strings, can execute arbitrary code on the target system. Affected Products The following products and product versions are...

Exploit for Improper Authentication in Apache Shenyu

Apache ShenYu Admin has a vulnerability that allows for authenti...

Apache ShenYu licensing issue vulnerability

Apache ShenYu is an asynchronous, high-performance, cross-language, responsive API gateway from the Apache Foundation.An authorization issue vulnerability exists in Apache ShenYu Admin, which stems from a misuse of JWT in ShenuAdminBootstrap allowing an attacker to bypass authentication. No...

Best practices in WAF gateways to meet the demands of digital transformation

Every day, digital transformation is changing every organization’s threat landscape. As a result, they are facing a dilemma about where and how to deploy their application security solution. One of the most common approaches that organizations take is to deploy a reverse proxy security solution i...

What is API Gateway ❓ How it works ❓

In general, a gateway is a passage that acts as a connector for 2 components to make them achieve certain functionality. API Gateway is not very different. However, it is a crucial topic to understand for many of us. Well, in this article, we have got you covered. Introduction to API Gateway: A...

Exploit for Incorrect Authorization in Konga_Project Konga

Konga Privilege Escalation - CVE-2021-42192 Authenticated Privil...

Design/Logic Flaw

Emissary-Ingress formerly Ambassador API Gateway through 1.13.9 allows attackers to bypass client certificate requirements i.e., mTLS certrequired on backend upstreams when more than one TLSContext is defined and at least one configuration exists that does not require client certificate...

CVE-2021-36371

CVE-2021-36371 is reported for Emissary-Ingress (formerly Ambassador API Gateway). The vulnerability allows bypassing client certificate requirements (mTLS cert_required) on backend upstreams when more than one TLSContext exists and any configuration does not require client cert authentication. T...

CVE-2021-32753

EdgeX Foundry is an open source project for building a common open framework for internet-of-things edge computing. A vulnerability exists in the Edinburgh, Fuji, Geneva, and Hanoi versions of the software. When the EdgeX API gateway is configured for OAuth2 authentication and a proxy user is...

CVE-2021-32753 Weak password in API gateway in EdgeX Foundry Edinburgh, Fuji, Geneva, and Hanoi releases allows remote attackers to obtain authentication token via dictionary-based password attack when OAuth2 authentication method is enabled.

EdgeX Foundry is an open source project for building a common open framework for internet-of-things edge computing. A vulnerability exists in the Edinburgh, Fuji, Geneva, and Hanoi versions of the software. When the EdgeX API gateway is configured for OAuth2 authentication and a proxy user is...

Apache APISIX Access Control Error Vulnerability

Apache Apisix is a cloud-native microservices API gateway service from the Apache Foundation. The software is implemented based on OpenResty and etcd, with dynamic routing and plugin hot-loading, suitable for API management under the microservices architecture. APISIX Dashboard has a security...

Apache Apisix 安全漏洞

Apache Apisix is a cloud-native microservices API gateway service from the Apache Foundation. The software is implemented based on OpenResty and etcd, with dynamic routing and plugin hot-loading, suitable for API management under the microservices architecture. APISIX Dashboard has a security...

Courier: 2 Bypass of #1067533 rate limit via X-Forwarded-For<space>: Source IP on ( www.trycourier.app )

A vulnerability with AWS API Gateway was uncovered that allowed rate limiting to be bypassed when the X-Forwarded-For headed was manipulated a string added to the header key I was able to bypass the rate limit by adding extra space before the colon X-Forwarded-For: 127.0.0.1. The actual bug was i...

Exploit for Missing Authentication for Critical Function in Oracle Weblogic_Server

gofor 一款集漏洞探测、攻击，Session会话，蜜罐识别等功能于一身的软件，基于go-micro微服务框架并对外提供统一HTTP API网关接口服务 HTTP API Gateway shell ./api-srv Service InstallOptional Exploit ./srv-exploit Webshell webshell ./srv-webshell Example ThinkPHP5.0.20 RCE 攻击例子 shell curl -H "Content-Type:application/json;charset=utf-8" -X POST -d...

Semrush: Critically Sensitive Spring Boot Endpoints Exposed

Spring Boot includes a number of additional features to help you monitor and manage your application when you push it to production. Hacker found that actuator endpoints containing potentially sensitive data such as internal tokens and service data were left public. Semrush has a microservices...

What's New in Web Security

With Akamai's web security portfolio, the top focus this October is on the web application firewall WAF, with exciting new capabilities: API Discovery and Adaptive Security Profiles. Along with the rest of the industry, Akamai has observed a long-term shift in the applications that we're...

DAGOBAH - Open Source Tool To Generate Internal Threat Intelligence, Inventory & Compliance Data From AWS Resources

Dagobah is an open source tool written in python to automate the internal threat intelligence generation, inventory collection and compliance check from different AWS resources. Dagobah collects information and save the state into an elasticsearch index. Dagobah runs into the a LAMBDA and looks a...

Browsing serverInfo anonymously gives version number information

h3. Issue Summary Browsing serverInfo anonymously gives version number information h3. Steps to Reproduce curl https:///rest/api/2/serverInfo navigate to https:///rest/api/2/serverInfo in a browser h3. Expected Results Fail to connect h3. Actual Results The below exception is thrown in the...

Automating API Security in the Cloud

These days, the most common way for services to communicate and transfer data is by using APIs. However, broken, exposed, or hacked APIs are the cause of some of the latest major data breaches, as they have the potential to expose sensitive data for public consumption. Securing your APIs is...