Due to the widespread usage of APIs, and the fact that attackers have realized APIs are a new attack frontier, the OWASP API Security Top 10 Project was launched. This project was designed to help organizations, developers, and application security teams become aware of the risks associated with APIs. The OWASP API Security Top 10 project focuses on the ten most significant vulnerability classes related to API security.

In our previous article, we provided a high-level view of the top five vulnerabilities related to APIs. These ranged from Broken Object Level Authorization and Broken User Authentication up to Broken Function Level Authorization. We…


Bug bounty

A bug bounty program offers rewards to participants who find bugs in the software, website, or product of an organization or an individual. These participants are usually referred to as bug bounty hunters.

Bug bounty programs are posted online so that ethical hackers can find vulnerabilities in the organization's systems and report them back. This helps companies improve their security posture.

Let’s have a look at some of the interesting insights that bug hunters have shared based on their experience and surveys:

  • Not all bug bounty websites are good enough i.e., …


Traditionally speaking, ‘CTF’ is a term used for an outdoor game where the goal is to capture the other team’s flag. Similarly, the term is used for competitions held all around the world in which ethical hackers brush up on their skills. Companies and other organizations often use them to find talent in the cyber security domain in general. They are also widely played for fun at the university level by students who are part of a club or chapter. …


What is an API

API is an acronym for Application Programming Interface. An API acts as a middleman that delivers your request to the provider and then delivers the response back to the requester. You can think of it as code that allows two software programs to communicate with each other. It is like an interface that allows your application to interact with an external service using a simple set of commands. For instance, when you click “Add to cart”, the API tells the site that you added a product to your cart. The website then puts the product in your…


Analysis of the Cerberus source code leak

Intro

A few weeks ago, VX-Underground, which hosts the largest collection of malware source code, samples, and papers on the web, received the Cerberus Android banking trojan from a user; it was later released on their website (https://vxug.fakedoma.in/code/leaks/CerberusLeak.zip). According to them, in late July it was being auctioned for $50,000 — $100,000.

Cerberus is a banking trojan designed to target Google’s Android operating system. It has many capabilities, including communication interception, tampering with device settings, keystroke logging (keylogging), and stealing banking credentials, which is the primary motive of this trojan. The trojan was…


A deep-dive analysis

Introduction

On July 21, 2020, Malwarebytes announced the return of the Emotet trojan after almost 5 months. The malware was spotted in a spam campaign targeting hundreds of thousands of Microsoft Office users. The trojan, which was first spotted in 2014, is still targeting users worldwide, primarily through spam emails. These emails usually use designs with familiar branding, which makes them look legitimate, and carry either a malicious link or documents infected with malicious scripts. These files/links are presented in a way that tempts the user into opening them, for example as billing invoices.

Emotet has a…

Andy InfoSec
