API Security Weekly: Issue #50
This week, we take a look at Harbor's API vulnerability, the flawed architecture of CRUD-based apps, the PSD2 effect on API security, and API security tooling.
Vulnerability: Harbor
Harbor is a popular open source container registry. This week, researchers found about 1,300 Internet-exposed Harbor instances affected by an API vulnerability.
The vulnerability is a classic case of a mass assignment API flaw. The API exposes the internal database object directly: it takes the set of properties submitted by the client and applies them to the stored object as-is. As a result, if attackers can guess the name of an internal property and include it in their request, they can overwrite that field in the database.
In this particular case, the vulnerable call was the POST request to the API that lets anyone self-register a new user. It turned out that including `"has_admin_role": true` in the JSON body set that property on the newly created user object. This made the new user an administrator of the registry, able to modify the registry configuration as well as every container image it holds.
Design Flaws: CRUD APIs
One of the popular ways to design a modern application is:
- Take a database, such as MongoDB
- Wrap the database in a simple CRUD REST API, meaning an API that exposes Create, Read, Update, and Delete operations for all data in the database
- Build web and mobile clients directly on top of that data
In her piece, Isabelle Mauny explains why this approach is flawed and leads to highly vulnerable systems. It maps directly onto four items of the OWASP API Security Top 10: API1 (Broken Object Level Authorization), API3 (Excessive Data Exposure), API5 (Broken Function Level Authorization), and API6 (Mass Assignment).
She also explains how to mitigate these vulnerabilities by adding a controller layer between the API and the database: one that isolates the storage model from the request and response models, formats and filters the data flowing in each direction, and enforces authentication and authorization on every operation.
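The following Go program is an added example, not code from Harbor or from the newsletter, that ties the Harbor item above to the controller-layer advice in this section. It contrasts a handler that binds the request body straight onto the database record (the mass-assignment pattern) with a controller that decodes into an allow-listed request model, rejects unexpected keys, serializes through a separate response model, and routes the privileged change through an authorization check. The struct names, the `has_admin_role` field, the password-length rule, and the SHA-256 stand-in for a real password KDF are all assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// User is the internal database record (assumed shape). Exposing it directly
// to the API is what makes mass assignment possible: every field is writable.
type User struct {
	Username     string `json:"username"`
	PasswordHash string `json:"password_hash"`
	HasAdminRole bool   `json:"has_admin_role"`
}

// registerVulnerable mirrors the flawed pattern: the body is bound straight
// onto the record, so a caller who guesses an internal property can set it.
// encoding/json matches keys case-insensitively, so a denylist that blocks
// only the exact string "has_admin_role" is bypassed by "HAS_ADMIN_ROLE".
func registerVulnerable(body []byte) (User, error) {
	var u User
	if err := json.Unmarshal(body, &u); err != nil {
		return User{}, err
	}
	return u, nil
}

// RegisterRequest is the controller-layer input model: an allow-list of the
// properties a self-registering user may supply. Nothing else is bindable.
type RegisterRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// UserView is the controller-layer output model. The password hash and the
// admin flag are internal and are never serialized to clients.
type UserView struct {
	Username string `json:"username"`
}

// hashPassword is a stand-in for a real password KDF such as bcrypt or
// argon2id (assumption, to keep the example dependency-free).
func hashPassword(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

// registerSafe decodes into the allow-listed model, rejects bodies carrying
// unexpected keys instead of silently dropping them, validates the input and
// sets privileged properties server-side.
func registerSafe(body []byte) (User, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var req RegisterRequest
	if err := dec.Decode(&req); err != nil {
		return User{}, fmt.Errorf("rejected registration: %w", err)
	}
	if req.Username == "" || len(req.Password) < 12 {
		return User{}, errors.New("username required and password must be at least 12 characters")
	}
	return User{
		Username:     req.Username,
		PasswordHash: hashPassword(req.Password),
		HasAdminRole: false, // never taken from the request
	}, nil
}

// render is the output side of the controller: the record is formatted
// through UserView so internal fields cannot leak.
func render(u User) (string, error) {
	out, err := json.Marshal(UserView{Username: u.Username})
	return string(out), err
}

// grantAdmin is the only code path that sets has_admin_role, and it enforces
// function-level authorization: only an existing administrator may call it.
func grantAdmin(caller User, target *User) error {
	if !caller.HasAdminRole {
		return errors.New("forbidden: caller is not an administrator")
	}
	target.HasAdminRole = true
	return nil
}

func main() {
	// Constructed body modelled on the Harbor report: a self-registration
	// that smuggles the internal admin flag.
	body := []byte(`{"username":"mallory","password":"correct horse battery","has_admin_role":true}`)
	u, _ := registerVulnerable(body)
	fmt.Printf("vulnerable handler: has_admin_role=%v\n", u.HasAdminRole)
	if _, err := registerSafe(body); err != nil {
		fmt.Println("safe handler:", err)
	}
	ok, _ := registerSafe([]byte(`{"username":"alice","password":"correct horse battery"}`))
	view, _ := render(ok)
	fmt.Println("safe handler: has_admin_role =", ok.HasAdminRole, "view =", view)
}
```

Rejecting unknown keys rather than ignoring them is deliberate: a silently dropped `has_admin_role` hides probing from your logs, while a 400 response with the offending key name gives the detection team something to alert on.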
Industry trends: PSD2, Open Banking, FAPI
PSD2 and Open Banking are forcing banks to open up APIs to their highly sensitive customer data. New research by Trend Micro looks into the API security risks that emerge as a result of this regulation.
On the one hand, the regulation replaces the risky practice of screen scraping with the customer's own banking credentials and promotes standardized, secure authentication. This standardization helps reduce the issues that stem from ad hoc, poorly designed APIs.
On the other hand, it also significantly expands the attack surface:
- Proliferation of APIs that can be attacked
- FinTech companies with potentially low cybersecurity expertise and resources
- Attacks that target the users of these new services rather than the APIs themselves
Tools
API security tooling keeps on growing. Kristopher Sandoval from NordicAPIs has compiled a list of his favorite 20+ tools and resources for API security.
You can subscribe to this newsletter at APIsecurity.io.
Published at DZone with permission of Dmitry Sotnikov, DZone MVB.