API Security: Unveiling Best Practices for a Secure Digital Ecosystem
By Owais Sultan. API security is crucial for protecting data, maintaining privacy, and preventing unauthorized access. Let's delve into some of… This is a post from HackRead.com.
Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer
Security researchers have warned about an "easily exploitable" flaw in the Microsoft Visual Studio installer that could be abused by a malicious actor to impersonate a legitimate publisher and distribute malicious extensions. "A threat actor could impersonate a popular publisher and issue a...
Holistic API Security Strategy for 2023
In the digital landscape of 2023, Application Programming Interfaces (APIs) have taken center stage in business operations. APIs act as the backbone of many digital services, enabling software applications to communicate and exchange data with each other. As businesses increasingly rely on APIs for...
Security vulnerability in product bundling feature
Description: Our e-commerce platform offers a bundled sales promotion feature, allowing an administrator to bind the sale of a product to an addon. However, we have identified a security vulnerability that exists in this feature. After an administrator cancels a bundle offer, users can still make...
OWASP TOP 10 API Security Risks: 2023!
The OWASP Top 10 API Security Risks 2023 has arrived! OWASP's API Top 10 is always a highly anticipated release and can be a key component of API security preparedness for the year. As we discussed in API Security Best Practices for a Changing Attack Surface, API usage continues to skyrocket. As ...
How to Improve Your API Security Posture
APIs, more formally known as application programming interfaces, empower apps and microservices to communicate and share data. However, this level of connectivity doesn't come without major risks. Hackers can exploit vulnerabilities in APIs to gain unauthorized access to sensitive data or even ta...
OWASP API Security Top-10 for 2023 Risk Ratings
As you know by now, the final version of the OWASP API Security Top-10 2023 has been released. At first blush, the final 2023 release seems to retain most of the changes in category naming, language and intent from the 2019 edition which we saw in the RC version. In this post, we are going to...
OWASP API Security Top-10 Risks for 2023 Released
Back in April we took an in-depth look at the proposed OWASP Top-10 API Security Risks list for 2023. This Release Candidate (RC) contained a few changes from the 4-year-old version, most notably: 1. Created a new category, API3:2023RC Broken Object Property Level Authorization, by essentially...
Chinese PostalFurious Gang Strikes UAE Users with Sneaky SMS Phishing Scheme
A Chinese-speaking phishing gang dubbed PostalFurious has been linked to a new SMS campaign that's targeting users in the U.A.E. by masquerading as postal services and toll operators, per Group-IB. The fraudulent scheme entails sending users bogus text messages asking them to pay a vehicle trip f...
restaurantherakles.be Cross Site Scripting vulnerability OBB-3384827
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
Unmasking XE Group: Experts Reveal Identity of Suspected Cybercrime Kingpin
Cybersecurity researchers have unmasked the identity of one of the individuals who is believed to be associated with the e-crime actor known as XE Group. According to Menlo Security, which pieced together the information from different online sources, "Nguyen Huu Tai, who also goes by the names J...
Improved BlackCat Ransomware Strikes with Lightning Speed and Stealthy Tactics
The threat actors behind BlackCat ransomware have come up with an improved variant that prioritizes speed and stealth in an attempt to bypass security guardrails and achieve their goals. The new version, dubbed Sphynx and announced in February 2023, packs a "number of updated capabilities that...
api.azumio.com Cross Site Scripting vulnerability OBB-3368952
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
CVE-2022-36249
Shop Beat Media Player v2.5.95–v3.2.57 is affected by a vulnerability that allows bypassing secondary authentication (2FA) at the API level. After login, an attacker can use a bearer token or jsession ID to access APIs without entering the 2FA code, specifically impacting Controlpanel Lite. Root ...
CVE-2023-28346
CVE-2023-28346 (Faronics Insight 10.0.19045, Windows) : A vulnerability allows remote attackers with valid credentials to communicate with private API endpoints exposed by the web server (examples: /login, /consoleSettings, /console) despite Virtual Host Routing intended to block access. The flaw...
CVE-2023-23301
The newc MonkeyC operation code in CIQ API version 1.0.0 through 4.1.7 fails to check that string resources are not extending past the end of the expected sections. A malicious CIQ application could craft a string that starts near the end of a section, and whose length extends past its end. Upon...
Are Your APIs Leaking Sensitive Data?
It's no secret that data leaks have become a major concern for both citizens and institutions across the globe. They can cause serious damage to an organization's reputation, induce considerable financial losses, and even have serious legal repercussions. From the infamous Cambridge Analytica...
ChatGPT: Friend or Foe? | API Security Newsletter
Welcome to our April API newsletter, recapping some of the events of last month. This month’s topic is Generative AI tools (e.g., ChatGPT) in cybersecurity. It – along with API Security – dominated the 2023 RSA Conference, and there’s plenty of digital ink being spilled on the topic. Be sure to wat...
CVE-2023-32082 etcd key name can be accessed via LeaseTimeToLive API
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to the key names (not the values) associated with a lease when the Keys parameter is true, even if the user doesn't have read permission to those keys. The impact is limit...
CVE-2023-31478
GL.iNet devices prior to firmware version 3.216 are affected by CVE-2023-31478. An API endpoint (mesh status) reveals Wi‑Fi configuration data, including SSID and password, potentially enabling unauthenticated access to the wireless network. The Nuclei template and related sources corroborate thi...