This week, we take a look at the recent API vulnerabilities reported at YouTube and 1Password, a detailed OpenID Connect (OIDC) security research, and how Assetnote Wordlists can be used in API discovery.
Ryan Kovatch was testing YouTube Video Builder beta when he discovered API flaws in YouTube APIs that it uses.
When uploading a video in Video Builder, the tool showed a list of channels owned by the account and allowed the user to pick the channel they wanted. Kovatch found that he could use the API directly to send a different channel ID and one not owned by the user. YouTube did not verify permissions at this point but uploaded the video to the specified channel.
This is a typical example of OWASP API1:2019 — Broken object-level authorization (BOLA / IDOR). API enforces authentication but not authorization on specific objects that it affects. This flaw’s business impact was somewhat limited because the tool and the APIs only uploaded videos as unlisted, and only videos created in the tool could be uploaded. Nevertheless, it could still have put to nefarious uses.
While trying to work around the API limitations, Kovatch accidentally also found an OWASP API3:2019 — Excessive data exposure in another YouTube API: One of his calls brought back an error message that leaked hashes of encryption keys used by the server!
Both bugs have been fixed. Lessons learned here:
- Authentication on its own is not enough. Any time an object belonging to a user is accessed, you must also check whether the current user is authorized to access it.
- Make sure you define and enforce schemas and formats on all API responses!
- Resist the urge to include sensitive debug information in API responses, even on internal APIs. Attackers may find a way to invoke them and get a hold of sensitive information.
Ron Chan has posted a video on how he found two API vulnerabilities in 1Password.
Both flaws give guest users access that they are not supposed to have. Thus, they are examples of OWASP API5:2019 — Broken function-level authorization.
The video below explains not just the issues themselves but also Chan’s approach to finding such bugs.
Best practices: OpenID Connect security
Lauritz Holtmann has recently completed his master’s thesis on real-life OpenID Connect (OIDC) security.
He looked into security issues with some of the most widely used OIDC implementations from AWS Cognito, Bitbucket, GitLab, Keycloak, and Salesforce. Now, he has published the outcomes of the thesis as a seven-part blog series.
In the series, Holtmann discusses OIDC implementation flaws, such as:
- Login Confusion
- Injection of CRLF sequences
- Server-Side Request Forgery (SSRF) issues
He also talks about specification problems, like:
- Redirect URI schemes
- Reusable State parameter
True to the spirit of science, Holtmann naturally also proposes changes that would address the issues.
Tools: Assetnote Wordlists
Security researchers discover API endpoints, paths, and parameters during reconnaissance by trying different elements commonly used in APIs. For example, API URLs often have the word
api, the path might have the version element such as
v1 and there could be path segments like
/users, and so on.
These common practices make it possible for Burp plugins and other tools to take a wordlist and start going through it to enumerate possible API elements.
As a practical example, check out Assetnote’s collection of such wordlists at https://wordlists.assetnote.io/.
Get API Security news directly in your Inbox.
By clicking Subscribe you agree to our Data Policy