Friend or Foe? | API Security Newsletter


Welcome to our April API newsletter, recapping some of the events of last month. This month’s topic is Generative AI tools (e.g., ChatGPT) in cybersecurity. It – along with API Security – dominated the 2023 RSA Conference, and there’s plenty of digital ink being spilled on the topic. Be sure to watch the results of our grand experiment in using ChatGPT for API vulnerability management – some really great insights. Read on for this month’s bit o’ honey!

Friend or Foe? | API Security Newsletter 11

Generative AI tools (such as ChatGPT) are a huge topic these days. They can be leveraged in various ways to enhance cybersecurity, including threat detection, automated security response, enhanced incident response and advanced threat modeling. And while we’ve been using AI / ML capabilities in our backend for some time now, it’s interesting to see the renewed interest over the past six months.

We recently conducted an in-depth research project to see what ChatGPT can do; the goals included:

  • Collect the most complete set of API security bulletins, bug bounty reports, CVEs, and exploits data over the past 25 years (since the first one reported back in 1998).
  • Statistically prove or refute if ChatGPT can be used for CVSS scoring, and CWE, OWASP Top-10, and OWASP API Security Top-10 classification.
  • Leverage ChatGPT to statistically analyze this API vulnerability database.
  • Get insights into API security trends, including API protocols and legacy web APIs.
  • Compare & contrast the OWASP Top 10 2021 and OWASP API Security Top 10 2023 (RC) lists.

We discussed the results in our retrospective webinar – if you’re thinking of experimenting with these sorts of tools, you might want to take the time to watch this one!

And it’s not just us trying this. For instance, a week after our webinar, Johannes Ullrich at the SANS Institute wrote this post entitled Calculating CVSS Scores with ChatGPT – he seems as pleased with the results as we were.

Oh, and BTW, it’s also fun for image generation:

Friend or Foe? | API Security Newsletter

– Ivan, CEO & Co-Founder, Wallarm

P.S. – Keep your finger on the pulse of all things #apisecurity with the latest exploits and updates by following our new API ThreatStats LinkedIn page.

Friend or Foe? | API Security Newsletter
Friend or Foe? | API Security Newsletter 12

Last month we prepared to meet everyone at RSA Conference 2023. It was exciting to talk with so many folks about API Security, which really did seem to loom large this year. We talked with a lot of people about issues like getting a handle on their API portfolio (good old asset management), dealing with east-west traffic, and of course protecting their APIs against OWASP and other emerging threats.

We also undertook a huge effort to assess API vulnerabilities using ChatGPT – not just to enumerate them, but to evaluate AI-generated insights like CWEs and CVSS scores when compared to the associated CVEs. Watch our 04/16 webinar on demand to learn the results – it may surprise you!

Friend or Foe? | API Security Newsletter
Friend or Foe? | API Security Newsletter 13

The hive has been busy all month adding capabilities and making improvements. Here are some of the updates they’ve released:

  • New OWASP API Dashboards – Wallarm now includes two new dashboards for the OWASP API Top 10 for 2019 and 2023. With these new dashboards, customers can easily gain visibility into the security state of their APIs, identify the most critical security risks, and immediately apply protective measures.
  • Native integration with Jira – Wallarm now offers native integration with Jira, allowing customers to automatically create Jira issues for any vulnerabilities detected. Automated issue creation streamlines security operations and delivers shorter time to remediation for discovered vulnerabilities.
  • Improved API Token Management – Wallarm users can now configure more granular settings for API tokens used to access the Wallarm API. The new capabilities allow users to configure permission to access specific data objects and to set an expiration duration for specific tokens. Administrators can also create shared tokens and generate tokens based on an existing role. These changes improve users’ ability to automate node management and deployment. 
  • Expanded Vulnerability Search – The search capabilities in the Vulnerabilities user interface have been expanded to support additional filtering. The new search capabilities will streamline customers’ workflow and eliminate the need to switch back and forth between the different Wallarm sections. From finding and analyzing to remediating and managing vulnerabilities, customer tasks can now be completed within one window.
  • Improved API Endpoint Identification – Unused Endpoints now easier to identify – The term “Removed Endpoint” has been replaced with “Unused Endpoint” to identify an endpoint that has been excluded from the API inventory due to a lack of requests.The previous statistical model for identifying unused endpoints has been replaced with a simple, more accurate seven day duration. An unused endpoint will now be defined as an endpoint that has not been requested in the last 7 days.

Did You Know? You can subscribe to our update announcements to keep up-to-date with the latest product news.

Friend or Foe? | API Security Newsletter
Friend or Foe? | API Security Newsletter 14

Upcoming:
Webinar [2023-May-16] — Securing Apps and APIs in 2023: Wallarm Demo for CISOs and Practitioners
Join Tim Ebbers, Field CTO, and Stepan Ilyin, Co-Founder, for an insightful product democast of the Wallarm platform, highlighting key components and recent enhancements, including API Discovery & Risk Assessment, API Threat Mitigation, and API Abuse Prevention.

Past:
Webinar [On-demand] — 25 Years of API Security – A Comprehensive Review and Outlook
Listen to our recorded webinar as Ivan Novikov, Co-Founder, leverages ChatGPT to review 25 years of API Security, in order to understand where API Security has been and where it’s headed – and the possibilities of this new technology.

Friend or Foe? | API Security Newsletter
Friend or Foe? | API Security Newsletter 15

The Wallarm Threat Research team found 15 API vulnerabilities in April which have exploit POCs published; the median time-to-exploit for these was 12 days before the CVE was published, with a range of -164 days to +393 days. Here are some of these vulnerabilities:

Deno | Regular Expression Denial of Service (ReDoS) (CVSS score: 7.5)
Certain versions of Deno are vulnerable to RegEx Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. (CVE-2023-26103)

CodeFever | Remote Command Execution Vulnerability (CVSS score: 8.8)
Certain versions of were found to contain a remote code execution (RCE) vulnerability via the component /controllers/api/user.php (CVE-2023-26817)

Strapi | Leaking Sensitive User Information by Filtering on Private Fields (CVSS score: 4.9)
Certain versions of Strapi allow attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. (CVE-2023-22894)

Strapi | Authentication Bypass for AWS Cognito Login Provider (CVSS score: 7.5)
Certain versions of Strapi do not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. (CVE-2023-22893)

Grafana | JWT url-login Flow Leaks Token Through Request Parameter in Proxy Requests (CVSS score: 7.5)
Grafana recently introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. If leaked, it could be used to authenticate to Grafana. (CVE-2023-1387)

ToolJet | Improper Handling of Null Values Inside Certain Endpoints (CVSS score: 7.5)
Certain versions of Tooljet do not properly handle missing values in the API, allowing attackers to arbitrarily reset passwords via a crafted HTTP request. (CVE-2022-27978)

go-bbs | Arbitrary File Download Vulnerability (CVSS score: 8.8)
go-bbs v1 was discovered to contain an arbitrary file download vulnerability via the component /api/v1/download. (CVE-2023-27755)

Obsidian Canvas | Embedded Web Pages Can Use Sensitive Web APIs Without the User’s Permission Grant (CVSS score: 7.5)
Certain versions allow remote attackers to send desktop notifications, record user audio and other unspecified impacts via embedded website on the Canvas page. (CVE-2023-27035)

OpenTSDB | OS Command Injection (CVSS score: 9.8)
It is possible to inject crafted OS commands into multiple parameters via the legacy HTTP query API and execute malicious code on the OpenTSDB host system. (CVE-2023-25826)

GL.iNET Devices | SSID Key Disclosure (CVSS score: 8.3)
In certain device versions, an API endpoint reveals information about the Wi-Fi configuration, including the SSID and key. (CVE-2023-31478)

We recommend that you assess your portfolio for exposure to these vulnerabilities, apply updates where possible, and monitor for further incidents. For more on notable API vulns, make sure to subscribe to our new API ThreatStats LinkedIn page

Friend or Foe? | API Security Newsletter
Friend or Foe? | API Security Newsletter 16

API security playbook: What you need to do to protect your APIs
(siliconANGLE) Gartner analyst William Dupre writes that generic application security controls are not sufficient to secure API transactions. Instead, he recommends that organizations establish and mature their API security programs to provide the visibility, access control, and threat protection needed to address the growing threat landscape.

Dark Side of DevOps – the Price of Shifting Left and Ways to Make it Affordable
(InfoQ) Written by a senior software engineer at Netflix, this in-depth post looks at a “Paved Path” approach to empower developers and alleviate some of the cognitive load associated with “Shifting Left” – without creating unnecessary barriers.

Exploiting Server Side Request Forgery (SSRF) in an API
(Dana Epp’s blog) Learn the ins and outs of SSRF, how it can be exploited, and some tips for testing your APIs to help find such vulnerabilities.

HashiCorp Vault vulnerability could lead to RCE. Patch today!
(Help Net Security) Researchers discovered a vulnerability (CVE-2023-0620) in the HashiCorp Vault Project, an identity-based secrets and encryption management system that controls access to API encryption keys, passwords, and certificates. Patch now if you haven’t already!

Money Ransomware Group Enters Double-Extortion Fray
(Dark Reading) An emerging threat group dubbed Money Ransomware has adopted a “double-extortion ransomware” approach which abuses the Windows API function WNetAddConnection2W to establish a connection with other network assets and spread.

CISO Survival Guide for Cyberattacks
(Dark Reading) CISOs who have survived major cyber incidents recommend letting company ethos guide incident response.

How to develop an API test automation strategy
(TechTarget Software Quality) A suite of automated API tests can set up an application for success but only if QA teams determine the right tests to automate and implement them correctly.

5 Ways to Reduce the Attack Surface for Microservices
(Security Boulevard) Managing a large number of microservices can be challenging, as it requires careful coordination and communication between teams responsible for various services. Microservices architectures also require careful consideration of issues like security, data consistency and communication between services.

Generative AI likely to disrupt security, too
(451 Research blog) The relatively recent introduction of generative AI tools, such as OpenAI LLC’s DALL-E and ChatGPT as well as other implementations, has captured the public imagination. Like most with a stake in the future of technology, cybersecurity professionals have responded with a range of views of its implications. How will those implications play out for the security technology market?

Finding API secrets in hidden layers within Docker containers
(Dana Epp’s blog) Learn how to find more than just API secrets within the layers of containers – such as credentials, database connection strings, and even API artifacts like source code and byte code that may have been deleted before publishing the Docker images.

RedditC2 – Abusing Reddit API To Host The C2 Traffic
(HackingReviews) Since most blue team members use Reddit, this might be a great way to make C2 traffic look legit – and of course traditional tools like AV won’t catch it.

Friend or Foe? | API Security Newsletter
Friend or Foe? | API Security Newsletter 17

Last month we asked if you are using / offering APISec-as-a-Service (e.g., from an MSSP)? It looks like a vast majority of you are not using / offering this approach, but a surprising 20% of you are:

Friend or Foe? | API Security Newsletter

And we’d love to have you weigh in on our next LinkedIn poll we’re conducting: Are you using Generative AI (e.g., ChatGPT) for cybersecurity? Please let us know where you stand on this – connect with Ivan or follow us at Wallarm to register your vote.

Friend or Foe? | API Security Newsletter
Friend or Foe? | API Security Newsletter 18

And now for something completely different. Since the theme of The APIary newsletter is based on hardworking & industrious bees, we like to finish with an uplifting image. Since it’s well & truly Spring now, it’s time to get out and get to work. Enjoy!

Friend or Foe? | API Security Newsletter
Friend or Foe? | API Security Newsletter 19

source: https://giphy.com/uf



Source link