These are serious security flaws, so here are a few lessons that one could take heed of, regardless of your political views:

- Authentication is key to security (see OWASP API2: Broken Authentication).
- Using sequential identifiers is an open invitation to get your records enumerated and scraped.
- Implement rate limiting to prevent bulk downloads by attackers.
- The less data you keep, the smaller the risk. Do not store any data that you do not need or should not be storing.
- Monitoring, logging, and incident handling processes can help take quick mitigation steps should a breach occur.

Tool: clairvoyance

Nikita Stupin has developed an open-source tool called clairvoyance that effectively does brute-force discovery of GraphQL APIs. This can be helpful for reconnaissance of GraphQL APIs that have introspection disabled. The tool makes use of a flaw in the GraphQL Apollo Server: the server error messages try to be helpful and, as a result, leak resource names when a call contains wrong values. See Stupin's explanation and demo in this recording of his recent talk at OWASP AppSec Israel.

Opinion: The current state of API security

Corey Ball is a cybersecurity consultant and the author of the upcoming "Hacking APIs" book (the title might still change). PortSwigger has published an interview with him on API security.