API Security Weekly: Issue #115
This week, we revisit the API aspects of the SolarWinds breach and check out how APIs featured in the recent Ledger breach and more!
Join the DZone community and get the full member experience.Join For Free
Happy New Year 2021!
This week, we revisit the API aspects of the SolarWinds breach and check out how APIs featured in the recent Ledger breach. There is also an API vulnerability found in Microsoft’s Office 365 Outlook and a new API development and security plugin for JetBrains IDEs.
The now-infamous SolarWinds breach that hit multiple US government agencies last month was a supply chain attack. However, it has turned out that, as a cherry on top, SolarWinds Orion API also had an authentication bypass vulnerability.
Some extra parameters in the URI of the request caused Orion to set the
SkipAuthorization flag, allowing attacking requests to proceed without authentication. Quoting from the vulnerability note:
The SolarWinds Orion API is embedded into the Orion Core and is used to interface with all SolarWinds Orion Platform products. API authentication can be bypassed by including specific parameters in the
Request.PathInfoportion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a
Skipi18nto a request to a SolarWinds Orion server, SolarWinds may set the
SkipAuthorizationflag, which may allow the API request to be processed without requiring authentication.
In your own APIs, make sure to:
- Fully document all parameters and their acceptable values.
- Test APIs from the security perspective.
- Make sure that anything outside of the expected values gets rejected.
Ledger, a digital wallet service, was breached in July, and now the attacker has dumped a database with 270,000 personal account details of Ledger users.
The sensitive information got breached in the first place because an API key was hard-coded in the source code of the client application. This allowed the attacker to access Ledger’s e-commerce database.
- Let’s repeat together: Never hard-code API keys!
- Do not trust client applications; they might get breached.
- Do not provide direct database service access; use multi-tier system design.
- Ensure that APIs invoked on behalf of a user only have access to the data of that particular user.
Vulnerability: Office 365 Outlook
Ron Chan has posted a quick video on how he found an API vulnerability in Microsoft’s Office 365 Outlook.
This was an issue with unsigned JWT tokens. Although the algorithm in use was supposed to be
RS256, in reality, JWTs were missing the signature section altogether, allowing attackers to change tokens.
Check out Chan’s video for more details:
Tools: OpenAPI (Swagger) Plugin for JetBrains IntelliJ/PyCharm/PhpStorm
API security needs to start with API design, development, and testing.
We have already covered the OpenAPI plugin for Microsoft Visual Studio Code that provides security testing for your API definitions right from the design phase. Now there is a similar plugin for the family of IDEs (Integrated Developer Environments) by JetBrains, including IntelliJ, PyCharm, and PhpStorm.
The plugin makes OpenAPI development easier by providing:
- OpenAPI HTML preview
- Go to Definition
- Code snippets
And there’s a built-in static security testing of API contracts, API Contract Security Audit from 42Crunch that runs 200+ different security checks shows found security issues and their possible exploit scenarios, and provides advice on remediation:
You can subscribe to this newsletter at APIsecurity.io.
Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.