API Vulnerabilities and Exploits Q2-2022

The document is an infographic summarizing API vulnerabilities and exploits disclosed in Q2 2022. Some key findings include: - API vulnerabilities increased 268% and affected vendors increased 270% compared to Q1 2022. - 57% of vulnerabilities in Q2 were rated as Critical or High risk, similar to the 60% rated that way in Q1. - Injection vulnerabilities, like SQL injection, surpassed broken object level authorization as the top threat vector. - Common software weaknesses referenced in over 50% of vulnerabilities mapped to the 2022 CWE Top 25 list.


infographic

API Vulnerabilities and Exploits Q2-2022

[Chart: Q2-2022 API vulnerabilities by risk category: Critical risk 41, High risk 72, Medium risk 64, Low risk 5, not categorized 2]

Version 2.0, updated 08.22.2022


API Vulnerabilities Up 3.7x!
Read on to Learn Why – and How to Evaluate Your Risk.

Earlier this year, Gartner wrote that “by 2022, API abuses will move from an infrequent to the most
frequent attack vector, resulting in data breaches for enterprise web applications." 1 Midway through the
year, is this being proved true by the facts on the ground? Is the threat real?

To address this, Wallarm examined the API vulnerabilities and exploits that were publicly disclosed in
Q2-2022, and looked at which types of software, from which vendors, were involved.

We also analyzed publicly disclosed exploit POCs to determine where the risk lies.

In addition, we map these issues across industry standards, including both OWASP Top-10 (2021) for
web apps and OWASP API Security Top-10 (2019), CVSS scores, and CWEs.

Use this data both to assess your exposure and to reduce the risk in your API portfolio.

Huge Jump Reported in Vulnerabilities!

Vulnerabilities: Q2 184 vs. Q1 50 (+268%)
Vendors: Q2 111 vs. Q1 30 (+270%)
Critical & High rated vulnerabilities: Q2 57% vs. Q1 60% (>57% remain Critical or High)

1 Gartner, Magic Quadrant for Application Security Testing (ID G00733839)


Which OWASP Top-10 Matters?
And which Risk Category?

Injections (OWASP A03 / API8) are now the largest API threat vector, ahead of BOLA by all metrics
(number of issues discovered, exploitability and severity), and represent the highest risk to your API
portfolio.

OWASP Top-10 (2021) for Web Apps                   Q2 count
A01: Broken Access Control                         51
A02: Cryptographic Failures                        6
A03: Injection                                     62
A04: Insecure Design                               34
A05: Security Misconfiguration                     3
A06: Vulnerable and Outdated Components            0
A07: Identification and Authentication Failures    15
A08: Software and Data Integrity Failures          3
A09: Security Logging and Monitoring Failures      6
A10: Server-Side Request Forgery                   3
n/c (not categorized)                              1

OWASP API Security Top-10 (2019)                   Q2 count
API1: Broken Object Level Authorization            32
API2: Broken User Authentication                   27
API3: Excessive Data Exposure                      11
API4: Lack of Resources & Rate Limiting            14
API5: Broken Function Level Authorization          10
API6: Mass Assignment                              5
API7: Security Misconfiguration                    12
API8: Injection                                    71
API9: Improper Assets Management                   0
API10: Insufficient Logging & Monitoring           2
n/c (not categorized)                              0

Are CWEs Better Indicators of Risk?
Software Weaknesses Result in More Risk

2022 CWE Top 25 Most Dangerous Software Weaknesses

Rank  ID       Q2 count*  Name
1     CWE-787  n/a        Out-of-bounds Write
2     CWE-79   24         Cross-site Scripting
3     CWE-89   6          SQL Injection
4     CWE-20   11         Improper Input Validation
5     CWE-125  n/a        Out-of-bounds Read
6     CWE-78   15         OS Command Injection
7     CWE-416  n/a        Use After Free
8     CWE-22   6          Path Traversal
9     CWE-352  4          Cross-Site Request Forgery (CSRF)
10    CWE-434  4          Unrestricted Upload of a File with Dangerous Type
11    CWE-476  n/a        NULL Pointer Dereference
12    CWE-502  1          Deserialization of Untrusted Data
13    CWE-190  n/a        Integer Overflow or Wraparound
14    CWE-287  4          Improper Authentication
15    CWE-798  1          Use of Hard-coded Credentials
16    CWE-862  1          Missing Authorization
17    CWE-77   1          Command Injection
18    CWE-306  2          Missing Authentication for Critical Function
19    CWE-119  n/a        Memory Buffer Overflow
20    CWE-276  2          Incorrect Default Permissions
21    CWE-918  3          Server-Side Request Forgery (SSRF)
22    CWE-362  0          Race Condition
23    CWE-400  7          Uncontrolled Resource Consumption
24    CWE-611  2          Improper Restriction of XML External Entity Reference
25    CWE-94   0          Code Injection

*n/a means this CWE is not related to API Security, only for binary software / memory corruption bugs

50% of the Q2 vulnerabilities analyzed referenced CWEs which are included in the 2022 CWE Top 25 Most
Dangerous Software Weaknesses list from MITRE / CISA 2.
67 unique CWEs were found in Q2 reports; 17 of these are considered "most dangerous".
Most seen: CWE-79, CWE-78 and CWE-20.

2 https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html

API Risks Remain High
CVSS Scores Basically Unchanged
The average CVSS score in Q2-2022 is 7.3 – compared to 7.6 in Q1. And the number of Critical and High
rated vulnerabilities is 57% in Q2 vs. 60% in Q1. Essentially unchanged, but vigilance should continue.

Average CVSS Score: Q2: 7.3, Q1: 7.6

Q2-2022 vulnerabilities by risk category (184 total):
Critical risk (CVSS 10.0 - 9.0): 41
High risk (CVSS 8.9 - 7.0): 72
Medium risk (CVSS 6.9 - 4.0): 64
Low risk (CVSS 3.9 - 0.1): 5
Not categorized: 2

But It’s Not Just the Risky Ones

In Q2, we find ⅓ of API vulnerabilities are almost immediately exploited, with POCs published within a
median of 16~17 days (2-½ weeks).

Unsurprisingly, exploited vulnerabilities had higher median CVSS scores (8.8 vs. 7.3), with many more
rated as Critical.

Share of vulnerabilities with a published exploit POC, by risk category:

                              Critical    High       Medium     Low        Not categorized
                              10.0 - 9.0  8.9 - 7.0  6.9 - 4.0  3.9 - 0.1
Exploited vulnerabilities     61.0%       21.9%      29.2%      20.0%      0.0%
Unexploited vulnerabilities   39.0%       78.1%      70.8%      80.0%      100.0%

Is Open Source Really More Secure?
Maybe not.

60% of reported vulnerabilities are related to Open Source software with the remainder related to
Commercial products.

Overall, the Dev Tools and Enterprise HW / SW subcategories accounted for almost 80% of the total.

Commercial Products: 73 vulnerabilities (40%)
  Enterprise HW / SW, 65.8%
  SaaS / Web Services, 23.3%
  Dev Tools, 6.8%
  Cloud Platforms, 4.1%

Open Source Software: 111 vulnerabilities (60%)
  Enterprise HW / SW, 20.7%
  SaaS / Web Services, 11.7%
  Dev Tools, 63.1%
  Cloud Platforms, 4.5%

Vulnerability Sources Evenly Distributed

We see that 43 commercial vendors were impacted by 69 vulnerabilities, while 64 OSS vendors were
impacted by 103 vulnerabilities – essentially an equal distribution. Interestingly, 12 vulnerabilities
analyzed came from vendors offering both commercial and OSS products.

43 Commercial Vendors: 69 vulnerabilities
4 Mixed Vendors: 12 vulnerabilities
64 OSS Vendors: 103 vulnerabilities
Total: 184 vulnerabilities (73 in Commercial Products, 111 in Open Source Software)

What’s In Your API Portfolio?
More Vulnerabilities Impacting More Vendors

We see a huge increase in the number of vendors with reported API vulnerabilities, up 3.7x or 270%
(from 30 in Q1 to 111 in Q2), mirroring the overall growth.

While a vast majority of vendors (71%) are impacted by only 1 vulnerability, we find 9 vendors (8%)
which were impacted by 4 or more vulnerabilities.

111 vendors with reported API vulnerabilities in Q2, by number of vulnerabilities:
Impacted by 1 vulnerability: 79
Impacted by 2 vulnerabilities: 13
Impacted by 3 vulnerabilities: 10
Impacted by 4 or more vulnerabilities: 9

Top-5 Most Impactful API Vulnerabilities


We assess these to be the most impactful API vulnerabilities due to both the severity and reach of the
product. Notably, while the CVSS score for the GitLab vulnerability is low, it’s used by almost every
developer in the world so it had to be included.

CVE-2022-1388: BIG-IP iControl REST authentication bypass
  CVSSv3: 9.8 | OWASP Top-10: A07 | OWASP API Security Top-10: API2
  CWE-306 Missing Authentication for Critical Function

CVE-2022-29464: WSO2 products unrestricted file upload with resultant remote code execution
  CVSSv3: 9.8 | OWASP Top-10: A04 | OWASP API Security Top-10: API4
  CWE-434 Unrestricted Upload of File with Dangerous Type

CVE-2022-22980: Spring Data MongoDB SpEL Injection
  CVSSv3: 9.8 | OWASP Top-10: A03 | OWASP API Security Top-10: API8
  CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement

CVE-2022-1783: GitLab CE/EE Improper Privilege Management
  CVSSv3: 2.7 | OWASP Top-10: A04 | OWASP API Security Top-10: API5
  CWE-269 Improper Privilege Management

CVE-2022-29165: Argo CD will trust invalid JWT claims if anonymous access is enabled
  CVSSv3: 10.0 | OWASP Top-10: A07 | OWASP API Security Top-10: API2
  CWE-287 Improper Authentication, CWE-290 Authentication Bypass by Spoofing, CWE-200

Be On The Lookout for These Too

What to address first? Triaging vulnerabilities for mitigation can be based on a variety of criteria,
including:

Ranking: based on frequency and severity, much like how MITRE assesses CWEs 3
Frequency: how many vulnerabilities are found in the vendor’s products?
Severity: how bad are the vulnerabilities in a particular vendor’s products?

Top-5 based on ranking (frequency x CVSS)
Vendor            count  CVSS avg
Robustel          9      9.1
Ruijie Networks   6      9.0
Argo Project      6      8.2
Wordpress         7      6.8
Strapi            4      7.2

Top-5 based on frequency (count)
Vendor            count  CVSS avg
Robustel          9      9.1
Wordpress         7      6.8
Ruijie Networks   6      9.0
Argo Project      6      8.2
Gitlab            5      4.4

Top vulnerabilities based on severity (CVSS average)
Vendor             count  CVSS avg
ApolloGraphQL      1      9.8
Bonita Software    1      9.8
Couchbase          1      9.8
Databasir          1      9.8
ElectronJs         1      9.8
Form.io            1      9.8
Gatsby             1      9.8
git-pull-or-clone  1      9.8
Halo               1      9.8
Illumina           1      9.8
IObit              1      9.8
MediaWiki          1      9.8
Open Automation    1      9.8
Powertek           1      9.8
Pypi               2      9.8
Roncoo             1      9.8
Zyxel              1      9.8

Of course, ultimately it comes down to what is in your environment, how exposed it is, and how easy it
is to exploit.

3 See https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25_supplemental.html#methodDetails
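The triage criteria above (frequency, severity, and a ranking of frequency x CVSS), together with the CVSS risk bands used throughout the infographic, are easy to apply to your own vulnerability inventory. The following Python is an added example, not Wallarm's code or tooling: it buckets scores into the report's Critical / High / Medium / Low bands, computes the exploited share per band, and orders vendors by each of the three criteria. The inventory it runs on is constructed sample data with placeholder CVE ids and vendor names; the only real figures are the vendor counts and CVSS averages quoted in the tables above, which are used to check that the "ranking" criterion reproduces the report's Top-5 order.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, median
from typing import Dict, List, Optional, Tuple

# CVSS v3 base-score bands exactly as the infographic labels them.
RISK_BANDS = (
    ("Critical", 9.0, 10.0),
    ("High", 7.0, 8.9),
    ("Medium", 4.0, 6.9),
    ("Low", 0.1, 3.9),
)


def risk_category(cvss: Optional[float]) -> str:
    """Map a CVSS score to the report's band; a missing score is 'Not categorized'."""
    if cvss is None:
        return "Not categorized"
    for name, low, high in RISK_BANDS:
        if low <= cvss <= high:
            return name
    return "Not categorized"


@dataclass(frozen=True)
class Vuln:
    cve: str                # identifier (placeholder ids in the sample below)
    vendor: str
    cvss: Optional[float]   # None when no score has been assigned yet
    poc_published: bool     # True if a public exploit POC exists


# Constructed sample inventory (placeholder CVE ids and vendor names); not the report's dataset.
SAMPLE_INVENTORY: List[Vuln] = [
    Vuln("CVE-0000-0001", "VendorA", 9.8, True),
    Vuln("CVE-0000-0002", "VendorA", 9.1, False),
    Vuln("CVE-0000-0003", "VendorB", 8.8, True),
    Vuln("CVE-0000-0004", "VendorB", 7.5, False),
    Vuln("CVE-0000-0005", "VendorC", 5.3, False),
    Vuln("CVE-0000-0006", "VendorC", 2.7, False),
    Vuln("CVE-0000-0007", "VendorD", None, False),
    Vuln("CVE-0000-0008", "VendorD", 10.0, True),
]


def risk_distribution(vulns: List[Vuln]) -> Dict[str, int]:
    """Count vulnerabilities per risk band (the report's pie-chart numbers)."""
    counts: Dict[str, int] = defaultdict(int)
    for v in vulns:
        counts[risk_category(v.cvss)] += 1
    return dict(counts)


def exploited_share(vulns: List[Vuln]) -> Dict[str, float]:
    """Fraction of each band that already has a published POC (exploited vs. unexploited split)."""
    total: Dict[str, int] = defaultdict(int)
    exploited: Dict[str, int] = defaultdict(int)
    for v in vulns:
        band = risk_category(v.cvss)
        total[band] += 1
        if v.poc_published:
            exploited[band] += 1
    return {band: exploited[band] / total[band] for band in total}


def median_cvss(vulns: List[Vuln], poc_published: bool) -> Optional[float]:
    """Median CVSS of the exploited (True) or unexploited (False) subset; None if no scored entries."""
    scores = [v.cvss for v in vulns if v.poc_published == poc_published and v.cvss is not None]
    return median(scores) if scores else None


def vendor_stats(vulns: List[Vuln]) -> Dict[str, Tuple[int, float]]:
    """Per-vendor (count, average CVSS) over scored entries: the two inputs to the triage tables."""
    by_vendor: Dict[str, List[float]] = defaultdict(list)
    for v in vulns:
        if v.cvss is not None:
            by_vendor[v.vendor].append(v.cvss)
    return {vendor: (len(scores), mean(scores)) for vendor, scores in by_vendor.items()}


def rank_vendors(stats: Dict[str, Tuple[int, float]], criterion: str, top: int = 5) -> List[str]:
    """Order vendors by one of the three criteria and return the top N names.

    'frequency': count, ties broken by average CVSS
    'severity' : average CVSS, ties broken by count
    'ranking'  : count x average CVSS (frequency weighted by severity)
    """
    keys = {
        "frequency": lambda item: (item[1][0], item[1][1]),
        "severity": lambda item: (item[1][1], item[1][0]),
        "ranking": lambda item: (item[1][0] * item[1][1],),
    }
    if criterion not in keys:
        raise ValueError(f"unknown criterion: {criterion}")
    ordered = sorted(stats.items(), key=keys[criterion], reverse=True)
    return [vendor for vendor, _ in ordered[:top]]


if __name__ == "__main__":
    print(risk_distribution(SAMPLE_INVENTORY))
    print(exploited_share(SAMPLE_INVENTORY))
    print(rank_vendors(vendor_stats(SAMPLE_INVENTORY), "ranking"))
```

Feeding the report's own published vendor figures (Robustel 9 at 9.1, Ruijie Networks 6 at 9.0, Argo Project 6 at 8.2, Wordpress 7 at 6.8, Strapi 4 at 7.2, Gitlab 5 at 4.4) into `rank_vendors` with the "ranking" criterion yields Robustel, Ruijie Networks, Argo Project, Wordpress, Strapi, the same order as the report's Top-5, which is how the frequency x CVSS weighting behaves: a vendor with many moderate findings (Wordpress) drops below vendors with fewer but more severe ones.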
Assessing Your API Security

API-specific vulnerabilities reported in Q2 grew by 268% to 184 (or about 2 per day) – which suggests
an ever-increasing risk in your API portfolio.

The number of Critical and High risk API vulnerabilities remain dramatically high – which also
indicates that extra vigilance is needed.

Injections (OWASP A03 / API8) are now the highest risk for APIs, ahead of BOLA by all metrics (number
of discovered issues, exploitability and severity) – which points to the need for more pre-release
testing.

33% of the reported API vulnerabilities are almost immediately exploited, with POCs published within a
median of 2-½ weeks – since these are probably underreported, this illustrates the need for run-time
protection.

Expanding your vulnerability management program to cover APIs will require visibility across your entire
API portfolio, assessing and triaging vulnerabilities as they arise, and ensuring mitigations are
implemented – both in the code and at run-time. Refer to the API Security Tutorial for more information.

Want to learn more about API vulnerabilities and exploits?

Join the LinkedIn API security community group at lab.wallarm.com
Subscribe to our newsletter
Download the Q1-2022 API Vulnerability Report
Book a Wallarm demo or start your free trial now

Contact us via the web at https://www.wallarm.com/request-demo or via email at [email protected] to set up
a personal demo with one of our security experts.
(415) 940-7077
188 King St. Unit 508, San Francisco, CA 94107
www.wallarm.com