Post Content
Read More
The post 2021-07-12 – Trickbot gtag rob106 appeared first on Malware Devil.
https://malwaredevil.com/2021/07/14/2021-07-12-trickbot-gtag-rob106-2/?utm_source=rss&utm_medium=rss&utm_campaign=2021-07-12-trickbot-gtag-rob106-2
Wednesday, July 14, 2021
2021-07-12 – Trickbot gtag rob106
https://malwaredevil.com/2021/07/14/2021-07-12-trickbot-gtag-rob106-2/?utm_source=rss&utm_medium=rss&utm_campaign=2021-07-12-trickbot-gtag-rob106-2
Network Security News Summary for Wednesday July 14th, 2021
Post Content
The post Network Security News Summary for Wednesday July 14th, 2021 appeared first on Malware Devil.
https://malwaredevil.com/2021/07/13/network-security-news-summary-for-wednesday-july-14th-2021/?utm_source=rss&utm_medium=rss&utm_campaign=network-security-news-summary-for-wednesday-july-14th-2021
Tuesday, July 13, 2021
XKCD ‘Board Game Party Schedule’
via the comic artistry and dry wit of Randall Munroe, resident at XKCD!
The post XKCD ‘Board Game Party Schedule’ appeared first on Security Boulevard.
The post XKCD ‘Board Game Party Schedule’ appeared first on Malware Devil.
https://malwaredevil.com/2021/07/13/xkcd-board-game-party-schedule-3/?utm_source=rss&utm_medium=rss&utm_campaign=xkcd-board-game-party-schedule-3
XKCD ‘Board Game Party Schedule’
via the comic artistry and dry wit of Randall Munroe, resident at XKCD!
The post XKCD ‘Board Game Party Schedule’ appeared first on Security Boulevard.
The post XKCD ‘Board Game Party Schedule’ appeared first on Malware Devil.
https://malwaredevil.com/2021/07/13/xkcd-board-game-party-schedule-2/?utm_source=rss&utm_medium=rss&utm_campaign=xkcd-board-game-party-schedule-2
XKCD ‘Board Game Party Schedule’
via the comic artistry and dry wit of Randall Munroe, resident at XKCD!
The post XKCD ‘Board Game Party Schedule’ appeared first on Security Boulevard.
The post XKCD ‘Board Game Party Schedule’ appeared first on Malware Devil.
https://malwaredevil.com/2021/07/13/xkcd-board-game-party-schedule/?utm_source=rss&utm_medium=rss&utm_campaign=xkcd-board-game-party-schedule
‘Charming Kitten’ APT Siphons Intel From Mid-East Scholars
Professors, journalists and think-tank personnel, beware strangers bearing webinars: It’s the focus of a particularly sophisticated, and chatty, phishing campaign.
Read More
The post ‘Charming Kitten’ APT Siphons Intel From Mid-East Scholars appeared first on Malware Devil.
https://malwaredevil.com/2021/07/13/charming-kitten-apt-siphons-intel-from-mid-east-scholars/?utm_source=rss&utm_medium=rss&utm_campaign=charming-kitten-apt-siphons-intel-from-mid-east-scholars
Multi-Domain SSL – Comprehensive SSL Security for Business Websites
SSL Certificates are landmarks for data security. From securing data in transit to enhancing customer trust and improving search rankings, SSL certificates are indispensable for all kinds of organizations, regardless.
The post Multi-Domain SSL – Comprehensive SSL Security for Business Websites appeared first on Indusface.
The post Multi-Domain SSL – Comprehensive SSL Security for Business Websites appeared first on Security Boulevard.
The post Multi-Domain SSL – Comprehensive SSL Security for Business Websites appeared first on Malware Devil.
https://malwaredevil.com/2021/07/13/multi-domain-ssl-comprehensive-ssl-security-for-business-websites/?utm_source=rss&utm_medium=rss&utm_campaign=multi-domain-ssl-comprehensive-ssl-security-for-business-websites
The Kaseya VSA REvil Ransomware Supply Chain Attack: How It Happened, How It Could Have Been Avoided
On July 2, 2021, the REvil ransomware group successfully exploited a zero-day vulnerability in the on-premise Kaseya VSA server, enabling a wide-scale supply chain cyber attack. Let’s dig in and see how the attack happened, how attack emulation could have helped, and what you can do to implement a threat-informed defense strategy to prepare yourself for similar threat actor behavior.
The post The Kaseya VSA REvil Ransomware Supply Chain Attack: How It Happened, How It Could Have Been Avoided appeared first on AttackIQ.
The post The Kaseya VSA REvil Ransomware Supply Chain Attack: How It Happened, How It Could Have Been Avoided appeared first on Security Boulevard.
The post The Kaseya VSA REvil Ransomware Supply Chain Attack: How It Happened, How It Could Have Been Avoided appeared first on Malware Devil.
https://malwaredevil.com/2021/07/13/the-kaseya-vsa-revil-ransomware-supply-chain-attack-how-it-happened-how-it-could-have-been-avoided/?utm_source=rss&utm_medium=rss&utm_campaign=the-kaseya-vsa-revil-ransomware-supply-chain-attack-how-it-happened-how-it-could-have-been-avoided
Intelligent Orchestration and Code Dx: Security superheroes
Building security into DevOps has its challenges. Address them with a modern approach to AppSec using Intelligent Orchestration and Code Dx.
The post Intelligent Orchestration and Code Dx: Security superheroes appeared first on Software Integrity Blog.
The post Intelligent Orchestration and Code Dx: Security superheroes appeared first on Security Boulevard.
The post Intelligent Orchestration and Code Dx: Security superheroes appeared first on Malware Devil.
https://malwaredevil.com/2021/07/13/intelligent-orchestration-and-code-dx-security-superheroes/?utm_source=rss&utm_medium=rss&utm_campaign=intelligent-orchestration-and-code-dx-security-superheroes
BSidesNoVA 2021 – John Stoner’s ‘Na-Na-Na-Na Na-Na I’m Gonna Start A (CTI) Fight’
Our thanks to BSidesNoVA for publishing their outstanding videos on the organization’s YouTube channel.
The post BSidesNoVA 2021 – John Stoner’s ‘Na-Na-Na-Na Na-Na I’m Gonna Start A (CTI) Fight’ appeared first on Security Boulevard.
The post BSidesNoVA 2021 – John Stoner’s ‘Na-Na-Na-Na Na-Na I’m Gonna Start A (CTI) Fight’ appeared first on Malware Devil.
https://malwaredevil.com/2021/07/13/bsidesnova-2021-john-stoners-na-na-na-na-na-na-im-gonna-start-a-cti-fight/?utm_source=rss&utm_medium=rss&utm_campaign=bsidesnova-2021-john-stoners-na-na-na-na-na-na-im-gonna-start-a-cti-fight
API Security 101: Excessive Data Exposure
Hey, I found your access tokens on your profile page.
Photo by Rachel LaBuda on Unsplash
You’ve probably heard of the OWASP top ten or the top ten vulnerabilities that threaten web applications. OWASP also periodically selects a list of top ten vulnerabilities that threaten APIs, called the OWASP API top ten. The current API top ten are Broken Object Level Authorization, Broken User Authentication, Excessive Data Exposure, Lack of Resources & Rate Limiting, Broken Function Level Authorization, Mass Assignment, Security Misconfiguration, Injection, Improper Assets Management, and Insufficient Logging & Monitoring.
Many of these vulnerabilities affect application components besides APIs as well, but they tend to manifest themselves in APIs. Last time, we talked about broken user authentication and how they affect API systems. This time, let’s dive into my favorite vulnerability to find in APIs: OWASP API #3, Excessive Data Exposure.
Why is excessive data exposure my favorite API vulnerability to find? Because I realized that I’ve been looking for it throughout my bug hunting and pentesting career, without even realizing that it’s one of the top vulnerabilities that affect APIs! Today, let’s talk about what these vulnerabilities are, how I usually look for them, and how you can prevent them.
OWASP API #3
What is OWASP API #3, Excessive Data Exposure, exactly? It’s when applications reveal more information than necessary to the user via an API response.
Let’s consider a simple use case of APIs. A web application retrieves information using an API service, then uses that information to populate a web page to display to the user’s browser.
displays data requests data
user <—————– application ——————-> API service
(browser) (API client)
For many API services, the API client applications do not have the ability to pick and choose which data fields are returned in an API call. Let’s say that an application retrieves user information from the API to populate user profiles. The API call to retrieve user information looks like this:
https://api.example.com/v1.1/users/show?user_id=12
The API server will respond with the entire corresponding user object:
{
“id”: 6253282,
“username”: “vickieli7”,
“screen_name”: “Vickie”,
“location”: “San Francisco, CA”,
“bio”: “Infosec nerd. Hacks and secures. Creates god awful infographics.”,
“api_token”: “8a48c14b04d94d81ca484e8f32daf6dc”,
“phone_number”: “123-456-7890”,
“address”: “1 Main St, San Francisco, CA, USA”
}
You notice that besides basic information about the user, this API call also returns the API token, phone number, and address of that user. Since this call is used to retrieve data to populate the user’s profile page, the application only needs to send the username, screen name, location, and bio to the browser.
Some application developers assume that if they do not display the sensitive information on the webpage, users cannot see it. So they in turn send this entire API response to the user’s browser without filtering out the sensitive info first and rely on client-side code to filter out the private information. When this happens, anyone who visits a profile page will be able to intercept this API response and read sensitive info about that user!
Attackers might also be able to read sensitive data by visiting certain endpoints that leak information or perform a MITM attack to steal API responses sent to the victim.
Preventing excessive data exposure
Excessive data exposures happen when the API client application does not filter the results it gets before returning the data to the user of the application.
When APIs send data that is sensitive, the client application should filter the data before forwarding it to the user. Carefully determine what the application’s user should know and make sure to filter out anything the user should not be allowed to access. Ideally, return the minimum amount of data needed to render the webpage.
If the API allows it, you could also request the minimum amount of data needed from the API server. For instance, GraphQL APIs allow you to specify the exact object fields you need in an API request.
Finally, avoid transporting sensitive information with unencrypted traffic.
Hunting for excessive data exposure
I mentioned that I’ve always looked out for these vulnerabilities when I hunt for bugs. As a bug hunter and penetration tester, I got into the habit of grepping every server response for keywords like “key”, “token”, and “secret”. And more often than not, I’d find sensitive info leaks this way.
A lot of the time, these sensitive info leaks are caused by precisely the problem I described here: the server being too permissive and returning the entire API response from the API server instead of filtering it before forwarding it to the user.
Excessive Data Exposure is, unfortunately, extremely common. And when combined with OWASP API #4, Lack of Resources & Rate Limiting, they could become an even bigger issue. Next time, let’s look at the OWASP API top ten #4, Lack of Resources & Rate Limiting, and why and when they become issues. Next time, why you should not overlook those bug reports about the lack of rate-limiting.
What other security concepts do you want to learn about? I’d love to know. Feel free to connect on Twitter @vickieli7.
Want to learn more about application security? Take our free OWASP top ten courses here: https://www.shiftleft.io/learn/.
API Security 101: Excessive Data Exposure was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post API Security 101: Excessive Data Exposure appeared first on Security Boulevard.
The post API Security 101: Excessive Data Exposure appeared first on Malware Devil.
https://malwaredevil.com/2021/07/13/api-security-101-excessive-data-exposure/?utm_source=rss&utm_medium=rss&utm_campaign=api-security-101-excessive-data-exposure
A Guide To Automated Continuous Security Testing
The acceleration of application development has shown no sign of stopping. As a result, we’re seeing increasingly complex, interconnected software. These forces are driving organizations to go beyond merely identifying common security errors or protecting against common attack techniques. Increasingly complex applications are calling for the need to anticipate, detect, …
The post A Guide To Automated Continuous Security Testing appeared first on Security Boulevard.
The post A Guide To Automated Continuous Security Testing appeared first on Malware Devil.
https://malwaredevil.com/2021/07/13/a-guide-to-automated-continuous-security-testing-4/?utm_source=rss&utm_medium=rss&utm_campaign=a-guide-to-automated-continuous-security-testing-4
A Guide To Automated Continuous Security Testing
The acceleration of application development has shown no sign of stopping. As a result, we’re seeing increasingly complex, interconnected software. These forces are driving organizations to go beyond merely identifying common security errors or protecting against common attack techniques. Increasingly complex applications are calling for the need to anticipate, detect, …
The post A Guide To Automated Continuous Security Testing appeared first on Security Boulevard.
The post A Guide To Automated Continuous Security Testing appeared first on Malware Devil.
https://malwaredevil.com/2021/07/13/a-guide-to-automated-continuous-security-testing-3/?utm_source=rss&utm_medium=rss&utm_campaign=a-guide-to-automated-continuous-security-testing-3
A Guide To Automated Continuous Security Testing
The acceleration of application development has shown no sign of stopping. As a result, we’re seeing increasingly complex, interconnected software. These forces are driving organizations to go beyond merely identifying common security errors or protecting against common attack techniques. Increasingly complex applications are calling for the need to anticipate, detect, …
The post A Guide To Automated Continuous Security Testing appeared first on Security Boulevard.
The post A Guide To Automated Continuous Security Testing appeared first on Malware Devil.
https://malwaredevil.com/2021/07/13/a-guide-to-automated-continuous-security-testing-2/?utm_source=rss&utm_medium=rss&utm_campaign=a-guide-to-automated-continuous-security-testing-2
A Guide To Automated Continuous Security Testing
The acceleration of application development has shown no sign of stopping. As a result, we’re seeing increasingly complex, interconnected software. These forces are driving organizations to go beyond merely identifying common security errors or protecting against common attack techniques. Increasingly complex applications are calling for the need to anticipate, detect, …
The post A Guide To Automated Continuous Security Testing appeared first on Security Boulevard.
The post A Guide To Automated Continuous Security Testing appeared first on Malware Devil.
https://malwaredevil.com/2021/07/13/a-guide-to-automated-continuous-security-testing/?utm_source=rss&utm_medium=rss&utm_campaign=a-guide-to-automated-continuous-security-testing
Gaps in the Next-Generation SOC
As SIEM evolved, vendors began bolting on NDR (network detection and response) and NTA (network traffic analysis) to their base SIEM offerings. The hope (and promise) was that these tools would add the real-time security solution that was lacking with SIEM technology.
The post Gaps in the Next-Generation SOC appeared first on Security Boulevard.
The post Gaps in the Next-Generation SOC appeared first on Malware Devil.
https://malwaredevil.com/2021/07/13/gaps-in-the-next-generation-soc-3/?utm_source=rss&utm_medium=rss&utm_campaign=gaps-in-the-next-generation-soc-3
🔴 LIVE: Security & Compliance Weekly #79
Post Content
The post 🔴 LIVE: Security & Compliance Weekly #79 appeared first on Malware Devil.
https://malwaredevil.com/2021/07/13/%f0%9f%94%b4-live-security-compliance-weekly-79/?utm_source=rss&utm_medium=rss&utm_campaign=%25f0%259f%2594%25b4-live-security-compliance-weekly-79
Digital Defense Expands Reach into the United Kingdom and South Africa with Private Protocol Partnership
The post Digital Defense Expands Reach into the United Kingdom and South Africa with Private Protocol Partnership appeared first on Digital Defense, Inc..
The post Digital Defense Expands Reach into the United Kingdom and South Africa with Private Protocol Partnership appeared first on Security Boulevard.
The post Digital Defense Expands Reach into the United Kingdom and South Africa with Private Protocol Partnership appeared first on Malware Devil.
https://malwaredevil.com/2021/07/13/digital-defense-expands-reach-into-the-united-kingdom-and-south-africa-with-private-protocol-partnership/?utm_source=rss&utm_medium=rss&utm_campaign=digital-defense-expands-reach-into-the-united-kingdom-and-south-africa-with-private-protocol-partnership
Is Remote Desktop Protocol Secure? It Can Be
Matt Dunn, associate managing director in Kroll’s Cyber Risk practice, discusses options for securing RDP, which differ significantly in terms of effectiveness.
Read More
The post Is Remote Desktop Protocol Secure? It Can Be appeared first on Malware Devil.
https://malwaredevil.com/2021/07/13/is-remote-desktop-protocol-secure-it-can-be/?utm_source=rss&utm_medium=rss&utm_campaign=is-remote-desktop-protocol-secure-it-can-be
Why Food and Agriculture Need to Accelerate Security Measures in the Second Half of 2021
Food is a ubiquitous part of the human experience. Cultures revolve around food; it’s the glue that brings families together at holidays, and it’s essential to survival. Humans must find food, shelter, and water according to Maslow’s Hierarchy of Needs before they can begin thinking about fulfillment and exploring what makes them happy. For something so universal, for a sector that makes up one-fifth of the whole US economy, you would think that food processing plants, farms, and restaurants would have a purpose-built system for keeping their propriety data, operation systems, software systems, and client information safe.
The post Why Food and Agriculture Need to Accelerate Security Measures in the Second Half of 2021 appeared first on Security Boulevard.
The post Why Food and Agriculture Need to Accelerate Security Measures in the Second Half of 2021 appeared first on Malware Devil.
https://malwaredevil.com/2021/07/13/why-food-and-agriculture-need-to-accelerate-security-measures-in-the-second-half-of-2021-3/?utm_source=rss&utm_medium=rss&utm_campaign=why-food-and-agriculture-need-to-accelerate-security-measures-in-the-second-half-of-2021-3
Subscribe to:
Posts (Atom)
Barbary Pirates and Russian Cybercrime
In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...
-
Cybersecurity researchers have warned of a publicly available fully-functional exploit that could be used to target SAP enterprise softwar...
-
A new technique uses a simplified process of DLL hijacking and mock directories to bypass Windows 10’s UAC security feature and run elevate...
-
To provide effective data protection and application defense and remain in compliance, organizations today need to protect their most crit...
