API Security Weekly: Issue #14
We take a look at the latest news in the world of API security, as well as a few code snippets you can use to better protect your APIs.
Join the DZone community and get the full member experience.Join For Free
This week there were a lot of reports of vulnerable APIs: from flight reservations systems to trading sites and even hot tubs. We also look into best practices for handling special characters in JSON and protecting APIs for mobile applications.
Noam Rotem found a dangerous combination of vulnerabilities in APIs of Amadeus flight booking system and El Al airline:
- The Amadeus API allowed for brute force enumeration of booking identifiers (also known as PNR – Passenger Name Record).
- The El Al API gave personal and booking details for any PNR.
- Once both PNR and passenger names were known, attackers could log in and change the booking.
DX:Exchange, a popular trading site with over 600,000 users, had vulnerable APIs under the hood. The issues included, for example:
- Non-expiring unsigned access tokens.
- JWT tokens leaking other users’ tokens.
Researchers were able to get other users’ tokens and invoked the APIs on their behalf.
Balboa smart hot tubs’ APIs are extremely vulnerable:
- The APIs are “protected” with a shared hardcoded password.
- The mobile app controlling the hot tub is invoking the hot tub’s API over the internet.
- Each hot tub comes with an unprotected WiFi hotspot.
- The APIs use the WiFi hotspot ID as the device identifier.
Attackers can use WiFi hotspot directories to locate all Balboa hot tubs. This gives them both the ID and the location of a hot tub. After that, they can invoke the APIs of the hot tub, know when it is in use, and take over control.
To make things worse, the manufacturer is not responding or fixing the product. IoT security as bad as it gets.
A story also surfaced on how Shopify found that their Kubernetes deployment was vulnerable. Shopify used a beta version of the Kubernetes API that was susceptible to SSRF attack. Luckily, this got reported in their bug bounty program, so it only cost them $25,000 in reward money.
Does your API’s JSON get rendered in XHTML? If so, make sure to properly escape
CDATA by using JSON stringifier. Encode
<>& characters as well as non-ASCII chars like line and paragraph separators. Or better yet, avoid inline scripts altogether. See this Stack Overflow discussion.
Skip Hovsmith gave his “Tour of API underprotection” session at OWASP AppSec California. Hovsmith used a scenario of a mobile app company protecting their API from a rogue app. His advice in a nutshell:
- Authorize applications, not just users.
- Remove secrets.
- Use shortlived tokens.
Bernard Harguindeguy from Ping Identity takes a look at various API attacks, such as:
- DoS and DDoS
- Application and data
He argues that, in these cases, AI is the solution to consider.
Subscribe to this weekly newsletter at https://APISecurity.io
Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.