What Is API Management ❓ All That Novices To Experts Should Learn
The world of mobile and web app development revolves around the API, or Application Programming Interface. It is the mechanism by which an application developer lets applications communicate with each other. While you’re dealing with APIs, becoming familiar with API management operations, tools...
api.ifokus.se Open Redirect vulnerability OBB-2198727
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
Code injection
The database connection to the server is performed by calling a specific API, which could allow an unprivileged user to gain SYSDBA permissions...
What is OpenAPI ❓ Concept, Examples and Advantages
What is OpenAPI? If there is anything growing by leaps and bounds, it is API development and awareness of API security. Whether it’s a web API or a mobile API, growth is significant in each domain. While we discuss API development, OpenAPI deserves a mention for sure. Thi...
How to help your DevOps teams become integral to your cybersecurity strategy
What happens when an unstoppable force meets an immovable object? It’s a classic paradox, but anyone who has witnessed the relationship between SecOps and DevOps teams in any enterprise may have an inkling of how that might unfold. There is nothing new about the contentious relationship between...
CVE-2021-39875
In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint...
Design/Logic Flaw
In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates...
CVE-2021-39875
GitLab CVE-2021-39875 affects GitLab CE/EE from version 13.6 onward, where an API endpoint allows viewing pending invitations for any public group or public project. The root cause is an insecure API exposure that leaks invitation visibility to unauthenticated users. Impact is disclosure of pendi...
Salesforce DX command line interface (CLI) does not adequately protect sfdxurl credentials
Overview: The default security configuration in Salesforce allows an authenticated user with the Salesforce CLI to create a URL that will allow anyone, anywhere, access to the Salesforce GUI with the same administrative credentials, without a log trace of access or usage of the API. Description: The...
CVE-2021-3825
CVE-2021-3825 affects the Lider module of LiderAhenk software, specifically versions 2.1.15 and earlier. The root issue is leakage of configurations via an unsecured API, which can expose valid LDAP credentials to anyone with access to the configurations API. This creates a risk of unauthorized a...
Getting to Know Cybersecurity Awareness Month Champion: Imperva
As a cybersecurity industry leader, it is both our responsibility and our pleasure to work with the National Cyber Security Alliance (NCSA) and the Cybersecurity and Infrastructure Agency (CISA) of the U.S. Department of Homeland Security as a 2021 Cybersecurity Awareness Month Champion and to join...
api.manheim.com Cross Site Scripting vulnerability OBB-2150780
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence...
A7: Cross-Site Scripting (XSS) — Top 10 OWASP 2017
A7: Cross-Site Scripting (XSS) 💻 — Top 10 OWASP 2017. Introduction: XSS is one of my favourite vulnerability types because of its depth and complexity. It all seems so simple, but when you really get down to the core of XSS there is a world of wonder to explore. Besides the different types of XS...
Millions impacted as payment API vulnerabilities exposing transaction keys
By Deeba Ahmed. Millions of users could have had their private payment data exposed due to API security vulnerabilities discovered in several applications. This is a post from HackRead.com. Read the original post: Millions impacted as payment API vulnerabilities exposing transaction keys...
Imperva An Eight-Time Magic Quadrant Leader for Web Application and API Protection
2021 has seen a lot of change. Billionaires now go where only governments and Red Bull gimmicks could go before. The 2020 Olympics didn’t take place in 2020. Tom Brady won his 7th Super Bowl for a completely new franchise (those of you in the US get this reference). Similar change in application...
Bring Your APIs Out of the Shadows to Protect Your Business
Pankaj Gupta, Senior Director, Citrix. APIs are immensely more complex to secure. What was previously one request to one server has become dozens or hundreds of requests to dozens or hundreds of entities. In the past, you defended one large application with a single front door. Now you must defend...
A5: Broken Access Control ❗️ — Top 10 OWASP 2017
A5: Broken Access Control ❗️ — Top 10 OWASP 2017. Introduction: A5: Broken Access Control. What is access control? Access control, as the name implies, is there to grant or restrict rights to certain users on the application. If access control is implemented the right way, a regular user should not be...
Wallarm API Firewall outperforms Nginx in a production environment
Wallarm API Firewall is a free, lightweight API firewall that protects your API endpoints in cloud-native environments with API schema validation. Wallarm API Firewall relies on a positive security model, allowing calls that match a predefined API specification while rejecting everything else...
A2: Broken Authentication ❗️ — Top 10 OWASP 2017
A2: Broken Authentication ❗️ — Top 10 OWASP 2017. Introduction: When issues arise within the authentication of a program, there are most likely a wide range of dire implications. An example we can discuss is a weak password policy which allows for easily guessable or brute-forceable...
UPchieve: No Rate Limiting on /reset-password-request/ endpoint
Summary: Description: Hi there! I noticed that when we hit the /reset-password-request/ endpoint too many times via some proxy (e.g. Burp), there is no rate limit on that endpoint, and you can spam the email with 100s of requests and resend even more password reset emails to the users, as there is no...