API Security Weekly: Issue #14

This week there were a lot of reports of vulnerable APIs: from flight reservations systems to trading sites and even hot tubs. We also look into best practices for handling special characters in JSON and protecting APIs for mobile applications.

Vulnerabilities

Noam Rotem found a dangerous combination of vulnerabilities in APIs of Amadeus flight booking system and El Al airline:

• The Amadeus API allowed for brute force enumeration of booking identifiers (also known as PNR – Passenger Name Record).
• The El Al API gave personal and booking details for any PNR.
• Once both PNR and passenger names were known, attackers could log in and change the booking.

DX:Exchange, a popular trading site with over 600,000 users, had vulnerable APIs under the hood. The issues included, for example:

• Non-expiring unsigned access tokens.
• JWT tokens leaking other users’ tokens.

Researchers were able to get other users’ tokens and invoked the APIs on their behalf.

Balboa smart hot tubs’ APIs are extremely vulnerable:

• The APIs are “protected” with a shared hardcoded password.
• The mobile app controlling the hot tub is invoking the hot tub’s API over the internet.
• Each hot tub comes with an unprotected WiFi hotspot.
• The APIs use the WiFi hotspot ID as the device identifier.

Attackers can use WiFi hotspot directories to locate all Balboa hot tubs. This gives them both the ID and the location of a hot tub. After that, they can invoke the APIs of the hot tub, know when it is in use, and take over control.

To make things worse, the manufacturer is not responding or fixing the product. IoT security as bad as it gets.

A story also surfaced on how Shopify found that their Kubernetes deployment was vulnerable. Shopify used a beta version of the Kubernetes API that was susceptible to SSRF attack. Luckily, this got reported in their bug bounty program, so it only cost them $25,000 in reward money.

Best Practices

Does your API’s JSON get rendered in XHTML? If so, make sure to properly escape CDATA by using JSON stringifier. Encode <>& characters as well as non-ASCII chars like line and paragraph separators. Or better yet, avoid inline scripts altogether. See this Stack Overflow discussion.

Conferences

Skip Hovsmith gave his “Tour of API underprotection” session at OWASP AppSec California. Hovsmith used a scenario of a mobile app company protecting their API from a rogue app. His advice in a nutshell:

• Authorize applications, not just users.
• Remove secrets.
• Use shortlived tokens.

Opinions

Bernard Harguindeguy from Ping Identity takes a look at various API attacks, such as:

• Login
• DoS and DDoS
• Application and data

He argues that, in these cases, AI is the solution to consider.

Subscribe to this weekly newsletter at https://APISecurity.io