API Security Weekly: Issue #20

This week we look into vulnerabilities at Uber and Drupal, ICANN DNS security checklist, upcoming European IoT security standards, and more vulnerability stats from 2018.

Vulnerabilities

This is the worst API vulnerability of the year so far. Drupal's RESTful Web Services (rest), JSON:API and other web services modules allow arbitrary remote code execution. The vulnerability caused by lack of input data sanitization. Attackers are already exploiting the vulnerability. If your site is on Drupal, upgrade and patch it ASAP.

Uber has fixed an API vulnerability as well. One of their API endpoints didn't have response sanitization. As a result, it was leaking client secrets and server tokens of all Uber apps. Attackers could get those and impersonate as a particular partner application.

Best Practices

DNS is vital because this system determines to which IP addresses requests go. A successful DNS attack enables traffic redirection and man-in-the-middle attacks. 

We have covered the US Department of Homeland Security (DHS) DNS security directive before. 

Now, ICANN(top level internet domain body) has spoken as well. They issued a press release urging the world to switch to DNSSEC. ICANN also published a checklist for DNS security:

• Ensure all system security patches have been reviewed and have been applied.
• Review log files for unauthorized access to systems, especially administrator access.
• Review internal controls over administrator (“root”) access.
• Verify integrity of every DNS record, and the change history of those records.
• Enforce sufficient password complexity, especially length of password.
• Ensure that passwords are not shared with other users.
• Ensure that passwords are never stored or transmitted in clear text.
• Enforce regular and periodic password changes.
• Enforce a password lockout policy.
• Ensure that DNS zone records are DNSSEC signed and your DNS resolvers are performing DNSSEC validation.
• Ideally, ensure multi-factor authentication is enabled to all systems, especially for administrator access.
• Ideally, ensure your email domain has a DMARC policy with SPF and/or DKIM and that you enforce such policies provided by other domains on your email system.  

Standards/IoT

European Telecommunications Standards Institute (ETSI) has released an ETSI TS 103 645 standard for consumer IoT security:

• No universal default passwords
• Implement a means to manage reports of vulnerabilities
• Keep software updated
• Securely store credentials and security-sensitive data
• Communicate securely
• Minimize exposed attack surfaces
• Ensure software integrity
• Ensure that personal data is protected
• Make systems resilient to outages
• Examine system telemetry data
• Make it easy for consumers to delete personal data
• Make installation and maintenance of devices easy
• Validate input data

Trends

EdgeScanreleased its 4th annual Vulnerability Stats Report. Here are some stats that they are seeing: 

• About 20 percent of vulnerabilities are web and API-related.
• For web applications, 14.69 percent of vulnerabilities are XSS, and 6 percent are SQL injections.
• 44.7 percent of infra vulnerabilities are caused by outdated or misconfigured TLS/SSL.

You can subscribe to this weekly newsletter at https://APIsecurity.io