Hunting the OWASP API Security Top 10

In early 2019 we, at Char49, were challenged to research the most common API security issues. At that time API security was not exactly in the news, but APIs were fast becoming a critical piece of modern application architecture. We had followed this technological change since its early days, through both our penetration testing services and responsible disclosure programs. That had given us a solid understanding of and experience with the API security scene, but we dug deeper into publicly available data on API-related security incidents. Our contribution was released later that year as part of the OWASP API Security Top 10 2019.

RSA Conference 2021 with the presence of Char49 specialists

For almost 30 years, the RSA Conference has been an important meeting point for the cybersecurity community to share, learn and grow. It is a space for innovation and partnerships where, from the 17th to the 20th of May 2021, another edition takes place with the presence of cybersecurity specialists from all over the world.

In this year's edition, the conference will be attended by two Char49 specialists, David Sopas (COO) and Pedro Umbelino (Senior Security Researcher), in partnership with Erez Yalon (Director of Security Research, Checkmarx), Luis Gomes (Global Head of Information Security, OLX Group) and Tanya Janca (Founder & CEO, We Hack Purple Academy, Community and Podcast).

Segway Subdomain Takeover

During our research on Segway’s domain space, we found a subdomain pointing to a third-party domain that was “pending for deletion” by its owner. Using a domain monitoring and backorder service, as soon as the third-party domain became available we obtained control over Segway’s subdomain.

Following responsible disclosure best practices, we provided Segway with a detailed security advisory. This article is published after the security issue has been (silently) fixed by Segway.