Latest API security news


Password managers part II
27 February 2023
A rough guide to enterprise secret platforms

CVSS vulnerability scoring system ‘too simplistic’
21 February 2023
Weaknesses in existing metrics highlighted through new research

Securing a neglected attack vector
20 February 2023
Corey J Ball on how most web API flaws are missed by standard security tests

HTTP request smuggling bug patched in HAProxy
17 February 2023
Exploitation could enable attackers to access backend servers

RCE bug patched in Apache Kafka
15 February 2023
Possible RCE and denial-of-service issue discovered in Kafka Connect

Toyota seals backdoor
07 February 2023
Calamity averted as carmaker secures supplier platform

Yellowfin tackles auth bypass trio that opened door to RCE
25 January 2023
Pre- and post-auth path to pwnage

AWS patches bypass bug in CloudTrail API monitoring tool
23 January 2023
Threat actors poking around AWS environments and API calls could stay under the radar

Bug bounty bonanza
19 January 2023
Google pays hacker duo $22k for flaws in multiple cloud projects

Squaring the CircleCI
16 January 2023
DevOps platform publishes post-mortem on recent breach

Devs urged to rotate secrets after CircleCI suffers breach
05 January 2023
DevOps platform advises customers to revoke API tokens

Car companies massively exposed to web vulnerabilities
04 January 2023
Grand hack auto

Password mismanagement
21 December 2022
Credential theft bug chain patched in Passwordstate

Bug Bounty Radar
01 December 2022
The latest bug bounty programs for December 2022

Zendesk Explore flaws opened door to account pillage
15 November 2022
Patched SQLi and logical access vulnerabilities posed serious risk

Prototype pollution
11 November 2022
Pioneering project yields another RCE in Parse Server

CSRF in Plesk API enabled server takeover
11 November 2022
Bugs in programming interfaces of web hosting admin tool patched

Prototype pollution
08 November 2022
Vulnerability exposed Ember.js applications to XSS

Urlscan.io API unwittingly leaks sensitive URLs, data
02 November 2022
Public listings have made sensitive data searchable due to misconfigured third-party services

Bug Bounty Radar
01 November 2022
The latest bug bounty programs for November 2022

Disc space 2000
31 October 2022
SQLite patches 22-year-old code execution vulnerability

Jira (Mis)Align(ed)
26 October 2022
Jira Align flaws enabled malicious users to gain super admin privileges

GitLab patches RCE bug in GitHub data import function
13 October 2022
Data importation mechanism failed to sanitize imports

Kubernetes cluster threat
28 September 2022
Rancher remediates risk created by secrets stored in plaintext

Parse Server fixes brute-forcing bug that put sensitive user data at risk
20 September 2022
Open source project provides push notification functionality for iOS, macOS, Android, and tvOS

WordPress plugin security
12 September 2022
WPHash harvests 75 million hashes for detecting vulnerable plugins

Bug Bounty Radar
02 September 2022
The latest bug bounty programs for September 2022

Critical command injection vulnerability in Bitbucket Server and Data Center
26 August 2022
Update now to protect against flaw

GitLab patches critical remote code execution bug
23 August 2022
Update now to protect against security vulnerability

API security
19 August 2022
Broken access controls, injection attacks plague the enterprise security landscape in 2022

GoTestWAF adds API attack testing via OpenAPI support
12 August 2022
CI/CD support is next for WAF security tool

Black Hat Arsenal
11 August 2022
Deliberately vulnerable cloud infrastructure is a pen tester’s playground

HTTP parameter smuggling flaw found in Go projects
04 August 2022
Harbor, Traefik, and Skipper projects tackle unsafe URL parsing methods

Bug Bounty Radar
29 July 2022
The latest bug bounty programs for August 2022