The way the Square API delivers JSON output makes it possible for an attacker to carry out cross-site scripting (XSS) under certain circumstances. The vulnerability was discovered by security researcher Ajay Chavda and reported to Square on August 7, 2015 through its bounty program on HackerOne.
Fifteen APIs have been added to the ProgrammableWeb directory in categories including DevOps, Video, Reputation, and Security. Highlights today include the Apility API for confirming legitimate vs. fake users, and the Slipstream multi-cloud management API. Here's a rundown of the latest additions.
A new company, Secful, aims to help companies identify attacks against their APIs and respond in an automated fashion with a "custom-tailored" security layer. According to the company, existing security solutions don't sufficiently protect APIs and often fail to detect attacks before it's too late.