API Security Weekly: Issue #71


This week, we take a look at the recent API vulnerabilities found in SoundCloud and the electric scooter service Lime. In addition, we have a set of tips for API penetration testing and a NIST whitepaper on microservices security.

Vulnerability: SoundCloud

Paulo Silva has published a very systematic and thorough report on API vulnerabilities that the Checkmarx Security Research team found in SoundCloud. (SoundCloud has promptly acknowledged and fixed the issues.)

The team discovered multiple API vulnerabilities, such as:

  • Broken authentication

    The /sign-in/password endpoint of api-v2.soundcloud.com did not implement proper account lockout based on failed authentication attempts. It relied solely on rate limiting, which could be evaded using various combinations of user_agent, device_id, and signature.

    Combined with the ability to enumerate accounts, this allowed attackers to locate valid user records and then brute-force access using credential stuffing.

  • User enumeration

    The /sign-in/identifier and /users/password_reset endpoints returned different results when the login existed in the system compared to when no such user existed.

  • Lack of resources and rate limiting

    The /tracks endpoint did not implement proper resource limiting. It performed no validation on the number of track IDs in the ids list, so the list could be manipulated to retrieve an arbitrary number of tracks in a single request. Researchers were able to get back up to 689 tracks in a single request.

    The endpoint required neither authentication nor authorization, making it an easy target for denial of service and resource exhaustion attacks.

    Also, the /me/play-history/tracks endpoint did not enforce rate limiting, allowing a large number of POST requests.

  • Security misconfiguration

    Issuing a PUT request to /users/{user_id} with an already used permalink returned an unhandled Java exception (java.lang.IllegalStateException), which exposed information about the components and versions in use.

  • Insufficient input validation at the API level could allow attackers to exploit the service

    The /tracks/{track_urn} endpoint did not properly validate or enforce the length of the description, title, and genre properties.
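The findings above map onto a small set of server-side controls. The following is an added example, not code from Checkmarx's report or from SoundCloud: every endpoint name, limit, user record and policy value is constructed for illustration. It shows per-account lockout (so rotating user_agent, device_id or signature does not reset the failure count), an enumeration-safe password reset, a hard cap on the ids list, length validation on free-text properties, and a catch-all that keeps exception class names out of responses.

```python
"""Hardened counterparts to the SoundCloud findings (added example; all names,
limits and the user store are constructed, not SoundCloud's or Checkmarx's code)."""
import hmac
import logging
import time
from dataclasses import dataclass, field

log = logging.getLogger(__name__)

MAX_FAILED_ATTEMPTS = 5            # constructed policy values
LOCKOUT_SECONDS = 15 * 60
MAX_IDS_PER_REQUEST = 50
MAX_LEN = {"title": 100, "genre": 50, "description": 4000}

USERS = {"alice": "correct-horse"}  # constructed; real code stores password hashes
RESET_QUEUE = []                    # stand-in for an outbound e-mail queue


# Broken authentication: lock the *account* after repeated failures, so changing
# user_agent / device_id / signature does not buy a fresh attempt budget.
@dataclass
class AccountLockout:
    failures: dict = field(default_factory=dict)  # username -> (count, locked_until)

    def is_locked(self, username, now):
        _, locked_until = self.failures.get(username, (0, 0.0))
        return now < locked_until

    def record(self, username, success, now):
        if success:
            self.failures.pop(username, None)
            return
        count, locked_until = self.failures.get(username, (0, 0.0))
        count += 1
        if count >= MAX_FAILED_ATTEMPTS:
            locked_until = now + LOCKOUT_SECONDS
        self.failures[username] = (count, locked_until)


GENERIC_AUTH_FAILURE = {"status": 401, "body": {"error": "invalid credentials"}}


def sign_in(lockout, username, password, now=None):
    now = time.time() if now is None else now
    stored = USERS.get(username, "")
    # One generic answer for "no such user", "wrong password" and "locked out":
    # a distinct lockout message would itself confirm that the account exists.
    success = (username in USERS
               and not lockout.is_locked(username, now)
               and hmac.compare_digest(stored.encode(), password.encode()))
    lockout.record(username, success, now)
    if not success:
        return GENERIC_AUTH_FAILURE
    return {"status": 200, "body": {"token": "session-token-placeholder"}}


# User enumeration: identical response whether or not the account exists.
def password_reset(username):
    if username in USERS:
        RESET_QUEUE.append(username)  # side effect invisible to the caller
    return {"status": 202,
            "body": {"message": "If the account exists, a reset link has been sent."}}


# Lack of resources: cap the ids list instead of trusting whatever length arrives.
def get_tracks(ids):
    if (not isinstance(ids, list) or len(ids) > MAX_IDS_PER_REQUEST
            or not all(isinstance(i, int) for i in ids)):
        return {"status": 400,
                "body": {"error": f"ids: a list of at most {MAX_IDS_PER_REQUEST} integers"}}
    return {"status": 200, "body": {"tracks": [{"id": i} for i in ids]}}


# Insufficient validation: enforce type and length on every free-text property.
def validate_track_update(payload):
    errors = {}
    for name, limit in MAX_LEN.items():
        value = payload.get(name)
        if value is not None and (not isinstance(value, str) or len(value) > limit):
            errors[name] = f"must be a string of at most {limit} characters"
    return errors


# Security misconfiguration: the expected conflict is a 409; anything unexpected
# is logged server-side and returned as a generic 500 with no class names.
def update_user(user_id, permalink, taken_permalinks):
    if permalink in taken_permalinks:
        return {"status": 409, "body": {"error": "permalink already in use"}}
    return {"status": 200, "body": {"user_id": user_id, "permalink": permalink}}


def dispatch(handler, *args):
    try:
        return handler(*args)
    except Exception:
        log.exception("unhandled error in %s", getattr(handler, "__name__", "handler"))
        return {"status": 500, "body": {"error": "internal error"}}
```

The lockout is keyed on the username alone on purpose: the report's point is that a limit keyed on client-controlled attributes is a limit the client can reset. Note also that a locked account gets the same 401 as a wrong password, since a dedicated "account locked" message would reintroduce the enumeration problem through a different endpoint.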

As an active member of the OWASP API Security Top 10 project, Silva is an excellent source of information on such issues.

Not only does the report provide full details of the vulnerabilities, but it also shows how serious they were in terms of the CVSS score and, more importantly, provides recommendations on how to avoid these issues to begin with.

Vulnerability: Lime Electric Scooters

Amir Shladovsky and his team have done some excellent research on API vulnerabilities in the Lime scooter service in Tel Aviv.

The Lime mobile app had functionality for locating available scooters. The API behind that functionality had a few major issues:

  • It returned permanent IDs for each device
  • It allowed calling the same API with different geolocation parameters over and over again
  • It had poor rate limiting implementation

A combination of these issues allowed the researchers to script API calls over a grid of geolocation parameters covering the city. When someone rented a scooter, they could see its ID disappear from the API response and, later, reappear at another location.

Thus, the researchers could track the routes of all devices and see where a particular user would ride a particular scooter.

As a bonus, they could even ring the scooters' bells (see the video).
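The three issues listed above are each addressable on the server. The following is an added example, not Lime's code; the fleet data, coordinates, rotation window and query limits are constructed for illustration. It shows a "scooters near me" endpoint that returns a keyed-hash pseudonym instead of a permanent device ID (the pseudonym rotates on a timer and changes again every time a scooter is parked after a ride, so an ID that disappears and reappears elsewhere cannot be linked to the same device), coarsens coordinates, and applies a sliding-window query budget keyed on the authenticated caller rather than on client-supplied headers.

```python
"""Pseudonymous, rotating scooter IDs plus a per-caller query budget for a
"scooters near me" endpoint (added example, not Lime's code; fleet data,
limits and coordinates are constructed)."""
import hashlib
import hmac
import math
import secrets
import time
from collections import defaultdict, deque

SERVER_SECRET = secrets.token_bytes(32)  # constructed; keep in a secrets manager
ROTATION_SECONDS = 3600                  # constructed policy values
QUERIES_PER_WINDOW = 30
WINDOW_SECONDS = 60

# Constructed fleet: real ID -> mutable record. "gen" counts completed rentals,
# so a scooter's public ID changes every time it is parked after a ride.
FLEET = {
    "scooter-001": {"lat": 32.0853, "lon": 34.7818, "gen": 0},
    "scooter-002": {"lat": 32.0800, "lon": 34.7800, "gen": 0},
}


def pseudonym(real_id, gen, now):
    """Stable within one rotation window and one rental generation, unlinkable across them."""
    epoch = int(now // ROTATION_SECONDS)
    msg = f"{real_id}:{gen}:{epoch}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def end_rental(real_id, lat, lon):
    """Park the scooter: new position, new generation, hence a new public ID."""
    rec = FLEET[real_id]
    rec.update(lat=lat, lon=lon, gen=rec["gen"] + 1)


class QueryBudget:
    """Sliding-window limit keyed on the authenticated caller, not on headers the client chooses."""

    def __init__(self):
        self.calls = defaultdict(deque)  # caller_id -> timestamps of recent calls

    def allow(self, caller_id, now):
        q = self.calls[caller_id]
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()
        if len(q) >= QUERIES_PER_WINDOW:
            return False
        q.append(now)
        return True


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def nearby_scooters(budget, caller_id, lat, lon, radius_km=1.0, now=None):
    now = time.time() if now is None else now
    if not budget.allow(caller_id, now):
        return {"status": 429, "body": {"error": "query budget exceeded"}}
    found = []
    for real_id, rec in FLEET.items():
        if haversine_km(lat, lon, rec["lat"], rec["lon"]) <= radius_km:
            # Coarsened coordinates: enough to walk to a scooter, less useful for fingerprinting.
            found.append({"id": pseudonym(real_id, rec["gen"], now),
                          "lat": round(rec["lat"], 3), "lon": round(rec["lon"], 3)})
    return {"status": 200, "body": {"scooters": found}}
```

The rental generation counter is what breaks the disappear-and-reappear correlation described above; the timed rotation on its own only bounds how long a stationary scooter keeps one public ID. The budget is deliberately keyed on the caller identity the server established, because a limit keyed on user-agent or device identifiers is one the client can reset at will.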

We have previously covered vulnerabilities in electric scooters in issues 19 and 53.

Tips and Tricks: API Pentesting

Inon Shkedy has put together a set of 31 tips for API penetration testing.

This is a brilliant resource for anyone working with API security. The tips include:

  • Authorization
  • Authentication
  • Attacks, such as Cross Site Request Forgery (CSRF) or DoS
  • Data exposure
  • Mass assignment
  • Injections
  • Tools
  • What to do if you get stuck

Guidelines: Microservice Security

We first covered the National Institute of Standards and Technology (NIST) whitepaper “Security Strategies for Microservices-based Application Systems” by Ramaswamy Chandramouli in our issue 25 when it opened for commenting.

The final version of the whitepaper can be found here. It covers guidelines on, for example:

  • Architectural frameworks
  • Threats
  • Security strategies for identity and access management (IAM)
  • Discovery
  • Communications
  • Monitoring
  • Resiliency
  • Integrity
  • Countering internet attacks

You can subscribe to this newsletter at APIsecurity.io.


Published at DZone with permission of Dmitry Sotnikov , DZone MVB. See the original article here.
