Over the past several months, we've taken a journey through the new 2023 OWASP API Security Top-10 list. In the previous 12 weekly posts, we've delved into each category, discussed what it is, how it's exploited, why it matters, and suggested effective protections for each. Now, as we conclude this series, it's time to summarize and offer some practical guidance for security practitioners looking to bolster API security in their organizations.
Scaling a risk-based AppSec program involves adapting your security practices to accommodate the growth and evolving needs of your business, while effectively managing and mitigating security risks.
A recent vulnerability tracked as Rapid Reset (CVE-2023-44487) in the HTTP/2 protocol was recently disclosed by researchers and vendors. It was exploited in the wild from August 2023 to October 2023. The issue arises from the HTTP/2 protocol's ability to cancel streams using an RST_STREAM frame, which can be misused to overload servers by initiating and quickly canceling numerous streams, circumventing the server's concurrent stream limit.
On October 11 a new version of curl (8.4.0) was released, where a couple of new vulnerabilities were fixed (CVE-2023-38545 with severity HIGH and CVE-2023-38546 with severity LOW). These issues were previously announced in the project’s discussion. At the time of this blog, there have been several proof of concepts released for CVE-2023-38545 which result in crashes, but not exploitation.
TL;DR This vulnerability appears to be less severe than initially anticipated. Cato customers and infrastructure are secure. Last week the original author and long-time lead developer of cURL Daniel Stenberg published a “teaser” for a HIGH severity vulnerability in the ubiquitous libcurl development library and the curl command-line utility. A week of anticipation, multiple heinous crimes against humanity and a declaration of war later, the vulnerability was disclosed publicly.
Docker has revolutionized how developers work by offering a powerful platform for creating, shipping, and running container applications. It helps developers conquer the complexity of application development and significantly increases software shipping frequency. Despite setbacks in recent years, Docker brings home $50 million in revenue every year, driven by the ongoing demand for new applications.
On October 3, 2023, the curl team preannounced a pending fix for a high-severity vulnerability, which impacts both libcurl and curl. Snyk products help you identify and fix vulnerable packages and containers, but this vulnerability impacts curl, a command-line tool that many developers use on a daily basis. It's also distributed with many operating systems, so we thought it would be beneficial to provide some tips on how you can get it upgraded on your system.
Researchers and vendors have conducted an investigation into volumetric DDoS attacks in the wild between August – October 2023 that has resulted in the discovery of a novel “rapid reset” technique that leverages stream multiplexing, a feature of the widely-adopted HTTP/2 protocol. Disclosed today, the HTTP/2 rapid reset vulnerability is being tracked as CVE-2023-44487 and has been designated a High severity vulnerability with a CVSS score of 7.5 (out of 10).
