966 matches found

Wallarm Lab
added 2023/07/29 1:45 p.m. · 33 views

2023 OWASP Top-10 Series: API1:2023 Broken Object Level Authorization

Welcome to the 2nd post in our weekly series on the new 2023 OWASP API Security Top-10 list, with a particular focus on security practitioners. This post will focus on API1:2023 Broken Object Level Authorization. In this series we are taking an in-depth look at each category – the details, the...

AI score 7.7
Exploits 0
Wallarm Lab
added 2023/07/24 2:26 p.m. · 12 views

API Security in 2023: Major Insights from Postman’s State of the API Report

📣 Good news for all tech enthusiasts! The highly anticipated 2023 State of the API Report, conducted by Postman - one of the leading dev tools for building APIs, is now available. This comprehensive report, produced annually, is backed by an extensive survey and offers a deep dive into the...

AI score 7
Exploits 0
Wallarm Lab
added 2023/07/22 1:45 p.m. · 17 views

2023 OWASP Top-10 Series: Introduction

In early June 2023, OWASP released the final version of the OWASP API Security Top-10 list update. At that time we published a “hot take” on this final version and followed that up with an in-depth look at the new risk ratings for 2023. Today we’re kicking off a multi-post series in which we take...

AI score 7.2
Exploits 0
Openbugbounty
added 2023/07/21 12:53 p.m. · 21 views

api.trackyserver.com Cross Site Scripting vulnerability OBB-3535202

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

AI score 6.1
Exploits 0
Wallarm Lab
added 2023/07/20 6:35 p.m. · 19 views

Wallarm at Black Hat USA 2023 Booth #3131

Wallarm is excited to be back at Black Hat USA this year and meet with our friends in the community wanting or perhaps needing to learn more about integrated web app and API protection. We look forward to seeing you there! Expo Hours If you’re attending in person, the Business Hall is open for tw...

AI score 6.8
Exploits 0
Positive Technologies
added 2023/07/20 12:00 a.m. · 3 views

PT-2023-26038 · Unknown · Office Suite Premium

Name of the Vulnerable Software and Affected Versions: Office Suite Premium Version v10.9.1.42602 Description: A reflected cross-site scripting XSS issue was found, which can be exploited via the id parameter at the "/api?path=profile" API endpoint. Recommendations: For Office Suite Premium Versi...

CVSS 6.1 · AI score 5.9 · EPSS 0.0046
Exploits 1 · References 2
Akamai Blog
added 2023/07/18 1:00 p.m. · 18 views

Adopting Comprehensive API Security Falls Behind Need

...

AI score 7.1
Exploits 0
CVE
added 2023/07/10 6:29 a.m. · 35 views

CVE-2021-42081

Summary: CVE-2021-42081 affects OSNEXUS QuantaStor prior to 6.0.0.355, where an authenticated administrator can remotely execute arbitrary shell commands via the API. The issue arises from a command-injection style vulnerability exposed in the storage system API, enabling control of the host when...

CVSS 9.1 · AI score 7.2 · EPSS 0.00988
Exploits 0 · References 5 · Affected Software 1
The Hacker News
added 2023/07/07 6:17 a.m. · 18 views

JumpCloud Resets API Keys Amid Ongoing Cybersecurity Incident

JumpCloud, a provider of cloud-based identity and access management solutions, has swiftly reacted to an ongoing cybersecurity incident that impacted some of its clients. As part of its damage control efforts, JumpCloud has reset the application programming interface API keys of all customers...

AI score 6.7
Exploits 0
Positive Technologies
added 2023/07/04 12:00 a.m. · 3 views

PT-2023-23292 · WordPress · Tutor Lms

Name of the Vulnerable Software and Affected Versions: Tutor LMS WordPress plugin versions prior to 2.2.1 Description: The issue concerns inadequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly availabl...

CVSS 7.5 · AI score 7.6 · EPSS 0.0079
Exploits 2 · References 8
CVE
added 2023/06/30 12:00 a.m. · 2506 views

CVE-2023-37300

Connected document EUVD-2023-41205 (BIT-MEDIAWIKI-2023-37300) confirms CVE-2023-37300 relates to the CheckUserLog API in the MediaWiki CheckUser extension, with an incorrect access control that leaks visibility of hidden users. Affected scope: MediaWiki with the CheckUser extension up to at least...

CVSS 5.3 · AI score 5.3 · EPSS 0.00562
Exploits 1 · References 2 · Affected Software 1
Imperva Blog
added 2023/06/23 3:13 p.m. · 27 views

Business Logic Attacks: Why Should You Care?

Imagine this: You've just launched an amazing new application with top-of-the-line API security, reinforced it with client-side protection, and even set up defenses against bot attacks. You're feeling safe and secure, congratulating yourself on a job well done. But, despite all your efforts, your...

AI score 7.2
Exploits 0
Akamai Blog
added 2023/06/21 1:00 p.m. · 25 views

OWASP Top 10 API Security Risks: The 2023 Edition Is Finally Here

We review the final changes in the 2023 update to the OWASP Top 10 API Security Risks to help you on your journey to secure your APIs...

AI score 6.9
Exploits 0
NVD
added 2023/06/20 8:15 a.m. · 13 views

CVE-2023-26436

Attackers with access to the "documentconverterws" API were able to inject serialized Java objects that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default. Arbitrary code could be injected that is being executed when processin...

CVSS 8.8 · AI score 7.4 · EPSS 0.01083
Exploits 0 · References 4
CVE
added 2023/06/20 7:52 a.m. · 41 views

CVE-2023-26436

The CVE-2023-26436 issue affects Open-Xchange AppSuite (OX App Suite) via the documentconverterws API. Attackers able to access this endpoint can inject serialized Java objects that aren’t properly validated during deserialization, potentially allowing arbitrary code execution. The root cause is ...

CVSS 8.8 · AI score 8.4 · EPSS 0.01083
Exploits 0 · References 4 · Affected Software 1
The Hacker News
added 2023/06/15 4:20 p.m. · 43 views

Ransomware Hackers and Scammers Utilizing Cloud Mining to Launder Cryptocurrency

Ransomware actors and cryptocurrency scammers have joined nation-state actors in abusing cloud mining services to launder digital assets, new findings reveal. "Cryptocurrency mining is a crucial part of our industry, but it also holds special appeal to bad actors, as it provides a means to acquir...

AI score 6.8
Exploits 0
Wallarm Lab
added 2023/06/15 2:33 p.m. · 83 views

OWASP APIsec Top-10 2023 Is Here | API Security Newsletter

Welcome to our May API newsletter, recapping some of the events of last month. As the old proverb goes, April showers bring May flowers – and this means the bees at the Wallarm hive have been in full foraging mode and the honey is flowing: lots of updates & improvements to the platform, and much...

CVSS 7.5 · AI score 9.1 · EPSS 0.71641
Exploits 10
The Hacker News
added 2023/06/15 1:48 p.m. · 23 views

Vidar Malware Using New Tactics to Evade Detection and Anonymize Activities

The threat actors behind the Vidar malware have made changes to their backend infrastructure, indicating attempts to retool and conceal their online trail in response to public disclosures about their modus operandi. "Vidar threat actors continue to rotate their backend IP infrastructure, favorin...

AI score 6.5
Exploits 0
The Hacker News
added 2023/06/13 10:50 a.m. · 3 views

Webinar - Mastering API Security: Understanding Your True Attack Surface

Believe it or not, your attack surface is expanding faster than you realize. How? APIs, of course! More formally known as application programming interfaces, API calls are growing twice as fast as HTML traffic, making APIs an ideal candidate for new security solutions aimed at protecting customer...

AI score 6.7
Exploits 0
The Hacker News
added 2023/06/13 10:50 a.m. · 27 views

Webinar - Mastering API Security: Understanding Your True Attack Surface

Believe it or not, your attack surface is expanding faster than you realize. How? APIs, of course! More formally known as application programming interfaces, API calls are growing twice as fast as HTML traffic, making APIs an ideal candidate for new security solutions aimed at protecting customer...

AI score 6.8
Exploits 0