Tag: vector | SpinSafe

‘Most web API flaws are missed by standard security tests’ – Corey J Ball on securing a neglected attack vector

February 21, 2023/in Internet Security

API security is a ‘great gateway’ into a pen testing career, advises specialist in the field

Most web API flaws are missed by standard security tests - Corey J Ball on securing a neglected attack vector

INTERVIEW Securing web APIs requires a different approach to classic web application security, as standard tests routinely miss the most common vulnerabilities.

This is the view of API security expert Corey J Ball, who warns that methods that aren’t calibrated to web APIs can result in false-negative findings for pen testers.

After learning his craft in web application penetration testing in 2015 via hacking books, HackTheBox, and VulnHub, Ball further honed his skills on computers running Cold Fusion, WordPress, Apache Tomcat, and other enterprise-focused web applications.

He subsequentially obtained CEH, CISSP, and OSCP certificates before eventually being offered an opportunity to help lead penetration testing services at public accounting firm Moss Adams, where he still works as lead web app pen tester.

Recently focusing more narrowly on web API security – a largely underserved area – Ball has launched a free online course on the topic and published Hacking APIs: Breaking Web Application Programming Interfaces (No Starch Press, 2022).

In an interview with The Daily Swig, Ball explains how the growing use of web APIs requires a change of perspective on how we secure our applications.

Attractive attack vector

The past few years have seen accelerating adoption of web APIs in various sectors. In 2018, Akamai reported that API calls accounted for 83% of web traffic.

“Businesses realized they no longer need to be generalists that have to develop every aspect of their application (maps, payment processing, communication, authentication, etc),” Ball says. “Instead, they can use web APIs to leverage the work that has been done by third parties and focus on specializing.”

API stands for application programming interface, a set of definitions and protocols for building and integrating application software.

Web APIs, which can be accessed with the HTTP protocol, have spawned API services that monetize their technology, infrastructure, functionality, and data. But APIs have attracted the…

Source…

Attack Vector vs Attack Surface: The Subtle Difference

February 1, 2023/in Mobile Security

Cybersecurity discussions about “attack vectors” and “attack surfaces” sometimes use these two terms interchangeably. However, their underlying concepts are actually different, and understanding these differences can provide a better understanding of security nuances, allowing you to improve your organization’s security by differentiating between these terms.

This article guides you through the distinctions between attack vectors and attack surfaces to help you better understand the two concepts and establish a more mature security posture.

Attack vector vs. attack surface

Most simply, an attack vector is any means by which an attacker can infiltrate your environment, whereas attack surface refers to the collective vulnerability that these vectors create. Any point that allows data to pass into your application or network represents a potential attack vector. Identities, networks, email, supply chains, and external data sources such as removable media and cloud systems, are all exploitable channels that a malicious actor may use to compromise your sensitive data or personal information. This also means that any system update or release could create new attack vectors.

Common attack vectors

Rapid technological change means that some of these attack vectors will fall out of favor with hackers and become less common. Nonetheless, some choices have been consistently common and will likely remain so.

Social engineering via email
Email attachments remain one of the most common vectors of the last 30 years.

Consider a situation in which you receive an email with the subject: “Please correct your tax form to receive your next paycheck.” This sender’s address seems to be from your boss or HR department, and the email contains an attachment called W2.pdf.

This type of email originates from an attacker using a spoofed return address to appear legitimate and trustworthy. However, what appears to be a PDF file may in fact be an executable file (W2.pdf.exe) containing a Trojan horse virus. If you open the file using an insecure PDF reader, you might execute the Trojan, infecting your system.

An attack like this is an example of a social engineering attack, which…

Source…

Hackers Use Excel Add-Ins as Initial Penetration Vector

January 3, 2023/in Computer Security

Cisco Talos analysts say that hackers are now using Excel add-ins to infiltrate victims’ systems and networks.

After Microsoft began blocking VBA macros in Office documents downloaded from the Internet (marked as Mark Of The Web), attackers had to rethink their attack chains: for example, now hackers are increasingly using Excel add-in files (.XLL) as an initial compromise vector.

According to experts, Office documents distributed using phishing emails and other social engineering remain one of the most popular attack vectors for attackers. Such documents traditionally suggest that victims enable macros to view supposedly harmless content, but in fact activate hidden malware execution in the background.

To address these abuses, earlier this year, Microsoft began blocking VBA macros in Office documents downloaded from the Internet. Although the company admitted that they received negative feedback from users because of this and were even forced to temporarily reverse this decision, as a result, the blocking of VBA macros was still continued.

We also wrote that Hackers use the .NET library for creating malicious Excel files, and also that Weak Block Cipher in Microsoft Office 365 Leads to Message Content Disclosure.

Despite the fact that the blocking only applies to the latest versions of Access, Excel, PowerPoint, Visio, and Word, attackers have begun experimenting with alternative ways to infect and deploy malware. One such “innovation” is the use of XLL files, which Microsoft describes as “a kind of DLL file that can only be opened in Excel,” the researchers report.

XLL files can be sent via email, and even with normal malware scanning mechanisms in place, users can open them without knowing that such files may contain malicious code.writes Cisco Talos.

Hackers use Excel add-ins

Although Excel warns about the potential dangers of XLLs, these warnings are usually overlooked by users.

According to experts, hackers combine add-ons written in C++ with add-ons developed using the free tool Excel-DNA. And if the first such experiments of hackers were noticed a few years ago, then in 2021-2022 such attacks began to develop much more actively.

Hackers use Excel add-ins