API security risks report exposes Netflix and WordPress | App Developer Magazine
Briefly

The quarterly report details the surge in threats centered around APIs and uncovers critical vulnerabilities, like injections and API data leaks, that have recently impacted leading firms, including Netflix, VMware, and SAP.
The new report introduces a revamped "Top 10 API Security Threats" compilation, a real-time, data-driven list covering the 239 vulnerabilities discovered during the quarter. Injections, in which malicious data or code is inserted into an API and leads to unauthorized access and data breaches, ranked first on the list, with SQL and XML among the attack vectors. Also making the list were cross-site attacks, broken access control, and poor session and password management.
Of the 239 vulnerabilities, 33% (79 out of 239) were associated with authentication, authorization, and access control (AAA), the foundational pillars of API security. Open authentication (OAuth), single sign-on (SSO), and JSON Web Token (JWT), all safeguards for API security, were compromised in reputable tech organizations such as Sentry and WordPress. Sentry experienced incorrect credential validation on OAuth token requests, potentially exposing developers' projects to unauthorized access, while WordPress' SSO was subject to broken authentication in a plugin, leaving its millions of users' data vulnerable to theft.
Read at App Developer Magazine