966 matches found
Insufficient Logging Monitoring☝️ — What you need to know
Insufficient Logging Monitoring☝️ — What you need to know Introduction API10:2019 Insufficient Logging & Monitoring What is Insufficient Logging & Monitoring? The title already says a lot but this vulnerability is a bit more complex than it was at first sight, of course the API is vulnerable if it...
Improper Assets Management☝️ — What you need to know
Improper Assets Management☝️ — What you need to know Introduction API9:2019 Improper Assets Management What is Improper Assets Management? We should always ask, for every API, whether all the current endpoints should even be available and whether we could instead get by with only allowing the API to communicate...
API8: Injection☝️ — What you need to know
API8: Injection☝️ — What you need to know Introduction API8:2019 Injection What is Injection? APIs with the following properties are open to injection flaws: When we don't sanitize the input from the front-end, we are opening ourselves to a world of problems; this would allow the user to input...
Security Misconfiguration☝️ — What you need to know
Security Misconfiguration☝️ — What you need to know Introduction API7:2019 Security Misconfiguration What is Security Misconfiguration? There are several factors that might indicate a Security Misconfiguration. We should be very careful with handling configurations because if the correct security...
Mass Assignment❗️ — What you need to know
Mass Assignment❗️ — What you need to know Introduction API6:2019 Mass Assignment What is Mass Assignment? Applications these days often rely on objects, for example user, product, … and these objects have properties, for example product.stock. As a user, we have the authorization to edit and view...
Excessive Data Exposure☝️ — What you need to know
Excessive Data Exposure☝️ — What you need to know Introduction API3: Excessive Data Exposure What is Excessive Data Exposure? An API is only supposed to return the required data to the front-end clients, but sometimes teams will make a mistake or take the easy route and implement APIs that return al...
Code injection
If the Node.js https API was used incorrectly and "undefined" was passed in for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted...
The top 3 OWASP risks to the financial services sector in 2021 and how to mitigate them
The Open Web Application Security Project (OWASP) is a non-profit organization that helps security experts protect web applications from cyber attacks. OWASP counts 32,000 volunteers worldwide who perform security assessments and conduct research on cybersecurity threats about which the larger...
in aquilacms/aquilacms
✍️ Description Unauthenticated API function allows any user to change OR view another user's first name, last name, password, and address information. As well, leaked activateAccountToken and resetPassToken can be viewed. 🕵️♂️ Proof of Concept The attacker can guess the correct MongoDB object ID and...
CVE-2020-10590
Replicated Classic 2.x versions have an improperly secured API that exposes sensitive data from the Replicated Admin Console configuration. An attacker with network access to the Admin Console port 8800 on the Replicated Classic server could retrieve the TLS Keypair Cert and Key used to configure...
Design/Logic Flaw
Replicated Classic 2.x versions have an improperly secured API that exposes sensitive data from the Replicated Admin Console configuration. An attacker with network access to the Admin Console port 8800 on the Replicated Classic server could retrieve the TLS Keypair Cert and Key used to configure...
Smart car chargers. Plug-n-play for hackers?
Over the last 18 months, we’ve been investigating the security of smart electric vehicle chargers. These allow the owner to remotely monitor and manage the charge state, speed and timing of their car charger, among many functions. We bought 6 different brands of chargers and also reviewed securit...
Cross site scripting
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on the page. When the API functions are enabled, the attacker can use the API to update the user nickname with an XSS payload and achieve stored XSS. Users who view the articles published by the injected user will...
GraphQL Field Suggestions Detected
GraphQL is an open-source query and manipulation language for APIs and a server-side runtime built to handle these queries on the application dataset. By default, GraphQL has a feature which suggests field names to be used in the queries or mutations from the wrong ones provided in the received...
CVE-2021-32743
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for extern...
CVE-2021-32743
CVE-2021-32743 affects Icinga 2 where credentials for external services can be exposed via the API to authenticated users for certain objects. Specifically, in versions prior to 2.11.10 and 2.12.0–2.12.4, the API could disclose passwords for databases (IdoMysqlConnection, IdoPgsqlConnection), Red...
Design/Logic Flaw
The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed external entities are insecurely processed and fetched by the system and returned to the attacker. Detailed description Given the following request: POST /vsaWS/KaseyaWS.asmx HTTP/1.1 Content-Type:...
CVE-2021-30201
CVE-2021-30201 affects Kaseya VSA (on‑premises/server side) where the API /vsaWS/KaseyaWS.asmx processes XML with external entities. The vulnerability arises from insecure handling of XML external entities, allowing an attacker to cause the server to read local files (e.g., c:\kaseya\kserver\kser...
Coursera Flunks API Test in Researchers’ Security Exam
Researchers have discovered multiple application programming interface (API) issues in Coursera, the online learning platform used by 82 million learners and hundreds of Fortune 500 companies. On Thursday, the Checkmarx Security Research Team published a report on its findings, which included user...