API Security Weekly: Issue #46
From Facebook and Cisco API patches to Solr parameter injection; your one-stop shop for all things API security.
This week, Cisco and Facebook have patched their APIs, a detailed report on Solr parameter injection is out, and GitHub continues their fight against API keys and tokens in public repositories.
Cisco has released patches for several critical API security flaws in its Cisco Unified Computing System (UCS) software and Small Business 220 Series Smart Switch routers. The patches center around the APIs behind the web-based management interfaces.
With both UCS Director and UCS Director Express for Big Data, improper handling of authentication requests and insufficient validation of request headers could allow attackers either to bypass authentication completely or to log in using the SCP User account, which had default credentials. Attackers could then execute arbitrary commands, or even get administrator access.
On the router side, insufficient authorization checks could allow attackers to send malicious requests to modify device configuration or inject a reverse shell. Another vulnerability could allow an unauthenticated attacker to trigger a buffer overflow and subsequently remotely execute arbitrary code.
This serves as yet another lesson on the importance of proper validation of all parameters, payloads, and headers coming in, as well as proper authorization implementation.
In a less sinister case, an authorization vulnerability (aka IDOR) in the Facebook API allowed Philippe Harewood to disassociate the profile picture of any user from their profile.
The Profile_picture_remove API call had a profile_id parameter that an attacker could substitute with the ID of any other Facebook user.
Although the disassociated picture was not deleted from the account and the profile picture was merely replaced with Facebook's default one, this is still an authorization vulnerability. Facebook fixed it and paid the researcher a bounty.
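The pattern behind this bug, shown as an added example that is not Facebook's code or the researcher's: a hypothetical "remove profile picture" handler that trusts the client-supplied profile_id, beside a hardened version that checks the requested object against the server-side session identity before touching it. The in-memory profile table, the user IDs and the picture file names are all constructed for the example.

```python
from dataclasses import dataclass

DEFAULT_PICTURE = "default.png"


@dataclass
class Profile:
    profile_id: int
    picture: str


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the requested object."""


# Constructed in-memory "database"; reset_profiles() restores it to two users.
PROFILES: dict = {}


def reset_profiles() -> None:
    PROFILES.clear()
    PROFILES[1] = Profile(1, "alice.jpg")
    PROFILES[2] = Profile(2, "bob.jpg")


def remove_picture_vulnerable(session_user_id: int, profile_id: int) -> str:
    """Vulnerable handler (IDOR): the object to modify is taken straight from the
    client-supplied profile_id and the session identity is never consulted, so
    any logged-in user can reset anyone's picture."""
    profile = PROFILES[profile_id]
    profile.picture = DEFAULT_PICTURE
    return profile.picture


def remove_picture_fixed(session_user_id: int, profile_id: int) -> str:
    """Hardened handler: ownership is checked against the server-side session
    identity before the object is touched. Anything else is refused."""
    if profile_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not modify profile {profile_id}")
    profile = PROFILES[profile_id]
    profile.picture = DEFAULT_PICTURE
    return profile.picture


def attempt(handler, session_user_id: int, profile_id: int) -> str:
    """Run a handler and report the outcome as a string, so the two versions
    can be compared side by side."""
    try:
        return "ok:" + handler(session_user_id, profile_id)
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    reset_profiles()
    print("vulnerable, user 1 targets profile 2:", attempt(remove_picture_vulnerable, 1, 2))
    reset_profiles()
    print("fixed, user 1 targets profile 2:     ", attempt(remove_picture_fixed, 1, 2))
    print("fixed, user 2 targets own profile:   ", attempt(remove_picture_fixed, 2, 2))
```

The simplest fix for an endpoint that only ever acts on the caller's own profile is to drop the profile_id parameter entirely and derive the target from the session; where the parameter must stay (admins, delegated access), the ownership or permission check belongs in the handler, as above, not in the client.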
Vulnerabilities: Apache Solr Injection
Apache Solr is an open source enterprise search platform. The Solr API is plain HTTP and is available without any authentication by default.
In his research, Michael Stepankin from Veracode has explored how this could turn into an exploitable vulnerability. He discusses:
- Solr Parameters Injection (HTTP smuggling).
- Solr Local Parameters Injection.
- Remote code execution (RCE) through Apache Solr Injection.
All examples have details and sample API calls.
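To make the first item concrete, here is an added example (not from the article or from Stepankin's research) of the mechanism behind parameter injection: an application that builds the Solr request URL by concatenating user input, beside one that percent-encodes the input so it stays a single value. The Solr host name and collection are assumed, and the parser at the end shows what the receiving server would see in each case.

```python
from urllib.parse import parse_qs, urlencode

# Assumed internal Solr endpoint; any unauthenticated HTTP listener behaves the same.
SOLR_SELECT = "http://solr.internal:8983/solr/products/select"


def build_url_vulnerable(user_query: str) -> str:
    """Vulnerable: raw concatenation. An '&' or '=' inside user_query is read by
    the server as a parameter separator, so the caller can add or override
    request parameters the application never intended to expose."""
    return f"{SOLR_SELECT}?q={user_query}&rows=10"


def build_url_fixed(user_query: str) -> str:
    """Hardened: urlencode percent-encodes '&', '=', '#' and friends, so the
    whole input remains the value of the single q parameter."""
    return f"{SOLR_SELECT}?{urlencode({'q': user_query, 'rows': 10})}"


def parameters_seen_by_solr(url: str) -> dict:
    """Parse the query string the way the receiving server would."""
    query = url.split("?", 1)[1]
    return dict(parse_qs(query, keep_blank_values=True))


def looks_like_injection(user_query: str) -> bool:
    """Detection helper for request logging: flags input that carries URL
    structure characters a plain search term has no reason to contain."""
    return any(c in user_query for c in "&=#")


if __name__ == "__main__":
    # Constructed input: a search term with an extra parameter smuggled in.
    payload = "laptop&extra=1"
    print("vulnerable:", parameters_seen_by_solr(build_url_vulnerable(payload)))
    print("fixed:     ", parameters_seen_by_solr(build_url_fixed(payload)))
    print("flagged:   ", looks_like_injection(payload))
```

The vulnerable URL yields three parameters (q, extra, rows); the encoded one yields two, with the literal "&extra=1" preserved inside q. Encoding is the fix; the detection helper is only a cheap signal for logs and alerting, not a substitute for it.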
Tools: GitHub Token Scanning service
Leaked API keys remain one of the major sources of API breaches. Just like with a username and password, anyone having an API key can invoke an external API on your behalf. For example, this is how Samsung SmartThings service got hacked recently.
About a year ago, GitHub started their Token Scanning service that identifies tokens shared in public repositories. The service only works with tokens from specific vendors in formats known to it. Not only does the developer get notified, but GitHub also tells the corresponding partner about the leak so the token can get revoked.
The service initially launched with support for tokens from Alibaba Cloud, AWS, Azure, Google Cloud, Mailgun, npm, Slack, Stripe, and Twilio.
GitHub has just reported crossing the threshold of one billion potential tokens identified, and added more partners: Atlassian, Dropbox, Discord, Proctorio, and Pulumi.
The one billion mark is staggering by itself. It shows how widespread the issue is.
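A scanner of this kind matches known vendor token formats rather than arbitrary secrets. The following is an added example of that approach, not GitHub's scanner: two simplified, assumed patterns (AWS access key IDs, which begin with "AKIA", and Slack tokens, which begin with "xox" plus a type letter), run over a constructed config file, with matches redacted before they are reported.

```python
import re
from dataclasses import dataclass

# Simplified, assumed vendor formats. A production scanner carries many more
# and confirms each match with the issuing vendor before reporting it.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[bap]-[0-9A-Za-z-]{10,}"),
}


@dataclass(frozen=True)
class Finding:
    line: int
    vendor: str
    redacted: str


def redact(token: str) -> str:
    """Keep only the vendor prefix so a report never re-leaks the secret."""
    return token[:4] + "*" * (len(token) - 4)


def scan_text(text: str) -> list:
    """Return a Finding for every vendor-format match, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for vendor, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, vendor, redact(match.group(0))))
    return findings


# Constructed sample: a .env-style file with two fake credentials in it.
SAMPLE_FILE = """\
# settings committed by mistake (constructed sample, values are not real)
AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001
SLACK_BOT_TOKEN=xoxb-000000000000-EXAMPLEFAKE
API_BASE=https://api.example.com
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f"line {f.line}: {f.vendor} {f.redacted}")
```

Wired into a pre-commit hook over the staged diff, the same function stops a token before it reaches a public repository at all, which is cheaper than revoking it after GitHub and the vendor have noticed.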
Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.