API Vulnerabilities

Review of the Major API Breaches from H2 2022

December 6, 2022

Colin Domoney reviews some of the major API breaches that occurred in the second half of 2022. In the webinar, he outlines the API vulnerabilities that were compromised during the attacks and shows how to protect against them.

Review of the Major API Breaches from H1 2022 – Episode 2

August 10, 2022

This is a two-part webinar series on the global API breaches from H1 2022 that made the news. The first session described the breaches at a high level (recording below) and the second describes how to defend against them.

Review of the Major API Breaches from H1 2022 – Episode 1

June 21, 2022

This is a two-part webinar series on the global API breaches from H1 2022 that made the news. The second part of this webinar series explores how to defend against common API security breaches covered in the first part of the series. Join Colin Domoney (42Crunch security researcher and curator of the APISecurity.io newsletter) to understand how to use defensive techniques to protect APIs. This practical and interactive webinar will illuminate how APIs can be protected against common attack types and real-world exploits.

Lessons learned from the Spring4Shell vulnerability

April 1, 2022

Recently we published an article on the log4shell vulnerability targeting log4j, in which we explained how APIs can be protected against injection attacks with a positive security model, and how 42Crunch easily enables such a model. Now, it’s time for the Spring4Shell (CVE-2022-22965) vulnerability, targeting the Spring framework, commonly used to build APIs. What can […]

OWASP API Security TOP 10 Challenges – Episode 3

March 24, 2022

In this 3-part webinar series Dr. Philippe De Ryck, Web Security Expert with Pragmatic Web Security and Colin Domoney of 42Crunch and APISecurity.io, take a deep dive into understanding and addressing the OWASP API Security Top 10 issues. Through detailed practical examples and use cases, they guide developers and security professionals through how to fix and secure their APIs in the face of these identified threats.

OWASP API Security Top 10: Comprendre les menaces qui ciblent les APIs

March 22, 2022

Ce webinaire, dédié à la sécurité des APIs, traite des menaces listées par l’OWASP API Security top 10. Vous assisterez à l’explication détaillée de chaque menace, son exploitation possible, des exemples d’attaques réussies et comment, grâce à la technologie 42crunch il est possible de s’en prémunir.

OWASP API Security TOP 10 Challenges – Episode 2

February 17, 2022

THREE-PART WEBINAR SERIES May 4th, 2022 | 8am PST | 4pm BST In this first episode in the webinar series, Dr Philippe de Ryck and Colin Domoney discuss API security today and the challenges presented by the OWASP API security top 10. Questions from attendees were addressed throughout the webinar. Episode 2: Address the OWASP […]

Protecting your APIs against Log4Shell with 42Crunch

January 26, 2022

On December 9th, 2021, the log4shell vulnerability hit the news and it has since been every security team’s worst nightmare: trivially exploitable, huge impact with RCE (Remote Code Execution), on a component widely used across traditional enterprise technological stacks, both in in-house and third-party software. All this combined explains its CVSS rating of 10 – […]

OWASP API Security TOP 10 Challenges – Episode 1

January 25, 2022

In this first episode in the webinar series, Dr Philippe de Ryck and Colin Domoney discuss API security today and the challenges presented by the OWASP API security top 10. Questions from attendees were addressed throughout the webinar.

7 Ways to Avoid JWT Security Pitfalls

December 22, 2021

Dec 22nd 2021.  Author: Dr. Philippe de Ryck, Pragmatic Web Security, Like them or hate them, JSON Web Tokens (JWT) are everywhere. OAuth 2.0 and OpenID Connect rely heavily on JWTs. Many applications use JWTs to implement custom security mechanisms. And every language or framework offers plenty of support for JWTs. Unfortunately, JWTs also lie […]

Dissecting the Biggest API Breaches from Q1 2021

April 16, 2021

API Security can be hard and confusing, but learning from someone else’s mistakes is the best way to learn!

Questions Answered: How to Best Leverage JWTs or API Security

December 11, 2020

You had questions, and we’ve got answers! Thank you for all the questions submitted on our webinar: “How to Best Leverage JWTs or API Security” We were unable to get to your questions, so below are all the answers to the questions that were asked! If you’d like more information please feel free to contact […]

Fixing API Security Issues identified in the Audit Report

May 31, 2020

Tutorials In our previous tutorial, we took a look at the audit report from API Contract Security Audit. This one proceeds onto fixing the issues found in the audit and see how we can iteratively work on our OpenAPI / Swagger definition. Navigating Issues The best place to start are the high priority issues, they […]

Questions Answered: Top API Security Issues Found During POCs

May 26, 2020

You had questions, and we’ve got answers! Thank you for all the questions submitted on our “Top API Security Issues Found During POCs” webinar. Below is the replay and all the answers to the questions that were asked. If you’d like more information please feel free to contact us.   [xyz-ihs snippet=”POCs-Webinar”]     Is […]

Top API Security Issues Found During POCs

May 26, 2020

Over the past 6 months, we have discovered many similarities across APIs from companies from very different industries. “This is an eye opener” is the most recurring comment from our prospects. We thought it would be worth sharing our findings in this webinar.

Questions Answered: The Anatomy of Four API Breaches

May 4, 2020

You had questions, and we’ve got answers! Thank you for all the questions submitted on our “The Anatomy of Four API Breaches” webinar. Below is the replay and all the answers to the questions that were asked. If you’d like more information please feel free to contact us.   [xyz-ihs snippet=”Anatomy-API-Breach”]   Does the implementation […]

The Anatomy of API Breaches

April 30, 2020

Securing APIs implies securing the infrastructure but also the APIs themselves. Unfortunately, having all possible infrastructure protections in place is only one aspect of the recent OWASP Top10 for API Security. Other issues such as data leakage, mass assignment or broken authentication/authorization must be handled at the application level.

Questions Answered: Are you properly using JWTs?

February 3, 2020

You had questions, and we’ve got answers! Thank you for all the questions submitted on our “Are you properly using JWTs?” webinar. Below are all the answers to the questions that were asked. If you’d like more information please feel free to contact us.   [xyz-ihs snippet=”Jwt-webinar”]     Is it considered safe if the […]

Addressing Harbor Registry Vulnerability with 42Crunch

September 24, 2019

Hot from the press! There is a mass assignment vulnerability in the Harbor registry. Mass assignment is entry A6 on the OWASP API Security Top 10 list. A6 is described in the OWASP API Security Top 10 as: An API endpoint is vulnerable if it automatically converts client parameters into internal object properties without considering […]

We Need the Controller Layer Back!

September 16, 2019

A couple days ago, I gave an API security workshop to highlight the OWASP Top 10 issues for APIs and some of the mistakes we keep doing at development time and pay for at runtime. Many of the issues related to data, such as improper data filtering, mass assignment or excessive data exposure, could be […]

Hot off the press: the OWASP API Security Top 10 list!

June 18, 2019

Last week, a new OWASP project was launched at the Global AppSec conference in Tel Aviv: the API Security Top 10 list. The project information and initial Top 10 list were presented by Erez Yalon (Checkmarx) and Inon Shkedy and you can download the presentation PDF. We have also created an OWASP API Security Top […]