ToxSec | A Guide to API Testing

SonicWall confirms a state-sponsored breach of its cloud backups, exposing under 5% of users’ firewall data.

As LLMs, agents and Model Context Protocols (MCPs) reshape software architecture, API sprawl is creating major security blind spots. The 2025 GenAI Application Security Report reveals why continuous…

Frida is a tool used for dynamically analysing and manipulating the behavior of mobile apps at runtime. Although created to help security researchers, malicious actors often use Frida for a wide varie...

Spotify video

: Redmond uncovers SesameOp, a backdoor hiding its tracks by using OpenAI’s Assistants API as a command channel

Security and DevOps teams choose Wallarm to discover all cloud-native APIs and legacy web applications running in their environment, and to detect & respond to threats against them.

Security and DevOps teams choose Wallarm to discover all cloud-native APIs and legacy web applications running in their environment, and to detect & respond to threats against them.

Two months ago, attackers compromised one vendor and accessed 700+ Salesforce instances. By October 28, 2025, the crisis response is complete.

Discover how attackers exploit API business logic to commit fraud and data abuse, and how Wallarm’s AI-driven security stops Business Logic Abuse in real time.

The Unseen Storm: Securing APIs and Protecting Against Key Exposure This week on Upwardly Mobile, we delve into the hidden dangers lurking within seemingly simple applications and the advanced solutions required to close the modern mobile security trust gap. We analyze a case study involving a basic weather application to illustrate how common development mistakes—like exposing sensitive API keys and neglecting input validation—create catastrophic security vulnerabilities, potentially leading to data breaches, financial loss, and system compromise. The Problem: Client-Side Secrets and Architectural Flaws The proliferation of web applications consuming public APIs has vastly expanded the attack surface. Developers often treat the client environment as trusted, leading to critical architectural failures. We discuss how exposed API keys embedded in client-side JavaScript are considered "low-hanging fruit" for attackers. Key Takeaways from the Security Analysis: - Reconnaissance and Exploitation: Attackers can use tools like curl and grep with regular expressions to scan target URLs for hardcoded API key patterns. Once obtained, keys can be used for unauthorized calls, potentially exceeding quotas and incurring costs. - Interception: Tools like Burp Suite enable attackers to intercept and modify API traffic, revealing the exact structure of API calls, including the API key and parameters. - Injection Attacks: Poor input sanitization on server-side search functionalities is a primary attack vector. We examine verified command snippets used to test for command injection (e.g., appending cat /etc/passwd) and NoSQL Injection (e.g., using MongoDB operator syntax). - Lateral Movement: An exposed API key is often just the beginning. If the key has excessive permissions, it can allow an attacker to enumerate IAM policies, check for sensitive S3 buckets, and even create persistent administrative users, leading to a full cloud account takeover. Defensive Fundamentals for Developers: To combat these threats, security must be shifted left—integrated into the earliest stages of development. We review critical defensive measures: - Environment Variable Security: API keys must never be exposed to the client; they should reside in secure server-side environment variables. The client should request data from your secure server endpoint, which then internally fetches the data from the third-party API using the hidden key. - Rate Limiting: To protect backend APIs from abuse and "Denial-of-Wage" attacks (attacks that incur cost), rate limiting middleware (like express-rate-limit) is essential. This blocks automated scripts by limiting each IP to a set number of requests within a time window. - Cloud Hardening: Security extends to infrastructure. Developers must audit cloud resources, checking S3 bucket policies for leaks and ensuring EC2 security groups only allow necessary web traffic (ports 80 and 443). Closing the Mobile API Security Trust Gap with Positive Authentication While these fundamentals are crucial, mobile app security introduces unique challenges, creating a concerning "trust gap". Traditional security measures like TLS, mutual TLS, embedded API keys, and signature-based approaches are often insufficient, as they are vulnerable to reverse engineering, MitM attacks, and spoofing. We discuss Approov, a solution designed for the mobile world that uses a positive trust model to authenticate the app instance itself, rather than just the user or the connection. - App Attestation: https://approov.io/ uses a challenge-response cryptographic protocol to dynamically measure the integrity of the runtime app image. - Tokens (JWT): Only genuine, untampered apps are granted a short-lived JSON Web Token (JWT). Requests without a valid token are immediately rejected by the backend API. - Protection against Reverse Engineering: Because the system does not rely on static secrets embedded in the app, traditional reverse engineering techniques are ineffective. Approov also provides a runtime secrets protection capability, allowing developers to remove third-party API keys from the app package entirely, substituting them only just in time for the API call after the app has passed attestation. - Benefits: This positive authentication model blocks sophisticated bots, automated scraping systems, and repackaged apps, ensuring that only registered, authentic versions of your application can access your valuable digital assets. Links & Resources Source Material Reference: - Excerpts from "https://undercodetesting.com/the-unseen-storm-how-a-simple-weather-app-exposes-critical-api-security-flaws/" - Excerpts from "https://approov.io/addressing-the-security-trust-gap-in-a-mobile-world" Sponsor: - Learn how Approov protects your revenue and business data by deploying Mobile Security: https://www.approov.io/ Keywords API security, mobile security, API key protection, reverse engineering, input validation, client-side vulnerabilities, app attestation, JWT, zero-trust architectures, rate limiting, cloud security, Denial-of-Wage, Man-in-the-Middle (MitM), Burp Suite, Approov. 

We found vulnerabilities in the FIA's Driver Categorisation platform, allowing us to access PII and password hashes of any racing driver with a categorisation rating.

The GitHub API Key Gold Rush: How Exposed Credentials Are Fueling the Next Wave of Cyber Attacks - "Undercode Testing": Monitor hackers like a pro. Get