DevSec Selection #6 – State of DevSecOps, OpenAI Security Bots

April 25, 2024

Intro

Hi!
In this edition of my newsletter, I delve into the critical topic of API security with a special focus on Broken Object Level Authorization (BOLA), ranked as the number one threat in the OWASP TOP 10 API Security Risks. The article presents Damn Vulnerable RESTaurant as an example of such a vulnerability. Furthermore, you can find a Damn Vulnerable RESTaurant API walkthrough. The Hall of Fame awaits submissions, so don’t wait: submit your solution and become one of these legendary hackers!

You will also find articles related to DevSecOps, AI tools for automating security-related activities released by OpenAI, and interesting high-severity vulnerabilities in Kubernetes and in one of Google’s GitHub repositories, which used a vulnerable workflow. Last but not least, Forbes published an alert about an iOS zero-day vulnerability being exploited in the wild, targeting mainly crypto wallet users.


Materials

This article is focused on Broken Object Level Authorization (BOLA), a common API vulnerability ranked first in OWASP’s TOP 10 API Security Risks. The article illustrates the vulnerability with a case study on the “Damn Vulnerable RESTaurant API”, my educational project on GitHub designed to help developers and security professionals understand and mitigate such risks. It presents the vulnerability as a case study with proofs of concept, remedial actions and recommendations. I also share an idea for a Semgrep rule to detect similar vulnerabilities.
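To make the BOLA pattern concrete, here is an added example (written for this newsletter, not code from the article or from the Damn Vulnerable RESTaurant project): the same order-lookup handler in its vulnerable form and in its fixed form. The order/user data model, the ids and the ownership check are constructed assumptions for illustration.

```python
# Added example: a minimal order-lookup endpoint written two ways, to show
# Broken Object Level Authorization (BOLA) and its fix. The data model,
# user/order ids and the owner check are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    items: tuple


# Constructed sample data: two users, each owning one order.
ORDERS = {
    101: Order(order_id=101, owner_id=1, items=("pizza",)),
    102: Order(order_id=102, owner_id=2, items=("pasta", "wine")),
}


class Forbidden(Exception):
    """Raised when a caller asks for an object they do not own (maps to HTTP 403/404)."""


def get_order_vulnerable(order_id: int, caller_id: int) -> Order:
    """BOLA: the handler trusts the client-supplied order_id and never
    checks that the authenticated caller actually owns that order."""
    return ORDERS[order_id]


def get_order_fixed(order_id: int, caller_id: int) -> Order:
    """Hardened version: look the object up, then enforce ownership on the
    server side before returning it. caller_id must come from the verified
    session or token, never from the request body or query string."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != caller_id:
        # Same response for "missing" and "not yours" so the endpoint does
        # not leak which order ids exist.
        raise Forbidden(f"order {order_id} not accessible to user {caller_id}")
    return order


def is_cross_tenant_access(handler, order_id: int, caller_id: int) -> bool:
    """Check helper: True if the handler hands back an object owned by
    someone other than the caller, i.e. the BOLA condition."""
    try:
        return handler(order_id, caller_id).owner_id != caller_id
    except Forbidden:
        return False
```

A Semgrep-style rule for this bug class flags handlers that fetch an object by a request-supplied id without comparing an owner field to the authenticated principal, which is exactly the difference between the two functions above.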


The article presents a DVR walkthrough from an ethical hacker’s perspective. Diogo shares each step, with a proof of concept, of how he was able to achieve the highest permissions in the app! I recommend it to anyone learning API security from the offensive perspective.


This insightful article highlights the importance of DevSecOps in modern software development, emphasizing that secure code delivery at scale remains a significant challenge. It reveals findings from an extensive analysis of applications, container images, and cloud environments, demonstrating that integrating security measures with DevOps practices enhances operational excellence. The article stresses the need for infrastructure as code, automated deployments, secure development practices, and short-lived credentials in CI/CD pipelines, underscoring that effective security begins with visibility and context for prioritization.


It’s a repository of security bots used by OpenAI. They are integrated with OpenAI APIs to streamline the security team’s workflows. The Incident Response Slackbot automatically chats with users who have been part of an incident alert. The SDLC Slackbot decides whether a project merits a security review. The Triage Slackbot triages inbound requests in a Slack channel to different sub-teams within your organization.


This post demonstrates how to set up a security monitoring infrastructure in AWS. The main goal is to leverage AWS CloudWatch, AWS Lambda and AWS EventBridge to create alerts based on specific event types from AWS CloudTrail. It uses Terraform to deploy all required resources and then implements a simple Go-based Lambda function to handle certain events.


An interesting high-severity vulnerability in Kubernetes, tracked as CVE-2023-5528, allows remote code execution with SYSTEM privileges across all Windows endpoints in a cluster. Discovered by Akamai’s Tomer Peled, the vulnerability is exploitable through malicious YAML files on clusters with default settings prior to Kubernetes version 1.28.4. This issue, affecting both on-premises deployments and Azure Kubernetes Service, poses a risk of full takeover of Windows nodes.


This article outlines a significant security vulnerability discovered in Google’s Flank repository, an open-source project used for running massively parallel Android and iOS tests in Firebase Test Lab. The vulnerability allowed anyone with a GitHub account to steal Google service account credentials and access a GitHub token with write capabilities, posing a serious software supply chain risk. Despite Google’s robust bug bounty program, this vulnerability remained undetected for over three years since its introduction on December 17, 2020. The discovery was rewarded with a $7,500 bug bounty under the “Standard OSS Project” tier of Google’s Vulnerability Reward Program (VRP). This case highlights the persistent risks and challenges in software security, even with active bug bounty initiatives.


This non-technical article highlights a serious security alert issued by Trust Wallet, a cryptocurrency wallet owned by Binance, concerning a potential zero-day exploit targeting iMessage on iPhones. According to Trust Wallet’s announcement on its X account, this exploit could allow attackers to access users’ information, messages and cryptocurrency without any interaction from the user, such as clicking a link. The warning emphasizes that this vulnerability, found on the dark web, poses a significant risk particularly to high-value targets, and that each instance of its use increases the likelihood of detection. However, Trust Wallet also cautions that the exploit could potentially be a scam.

Interesting Article?

Join DevSec Selection!

DevSec Selection is a bi-weekly newsletter with the latest outstanding articles related to DevSecOps and application security.
