Issue 15: Fortnite hack, TLS MITM attacks, SQL injections for NoSQL


Vulnerabilities

A team from Check Point Research reported a serious vulnerability in Fortnite authentication API:

An old unused subdomain had a misconfigured web application firewall (WAF) that relied only on blacklisting. Attackers could perform a SQL injection in the subdomain to plant their XSS script.

Fortnite allowed log in with Facebook and Google credentials using OAuth, and the SSO API did not verify parameters. Attackers could use these glitches to construct a URL that auhtenticated a user and redirected the user to the compromized page. When the user clicked the link on the page, attackers got the user’s authentication token. This gave them full access to the user profile, including all points, goods, and stored credit cards.

Best practices

SQL injections are relevant in the NoSQL world as well. NoSQL backends, too, need sanitized inputs. Here are SQL injection examples for:

TLS can be vulnerable to man-in-the-middle (MITM) attacks. This can happen if attackers compromise DNS or SSL certificates. In this blog post, Skip Hovsmith from CriticalBlue demostrates how to overcome this. He employs certificate pinning technique and uses examples in React framework.

Technology

Need to debug your TLS communications? cURL, Chrome, and Firefox can export pre-master secrets used to encrypt the messages. You can then import these secrets into Wireshark and see the contents in the clear. For more details, see Peter Wu’sย recording and slides from a SharkFest session.

Webinars

On Wednesday February 6, DZone is hosting a webinar with Dmitry Sotnikov from 42Crunch. The topic of the webinar is “API Security: Stories from the Trenches, Common Flaws, and Ways to Mitigate“.ย  You can sign up to the webinar here.

Cost of breach

Radware ran a survey on companies that experienced cyberattacks. According to the results:

  • These days, a successful cyberattack costs enterprises $1.1 million in direct costs.
  • If you include indirect costs, on average the sum goes up to $1.67 million (52% higher than a year ago).
  • 37% enterprises reported reputation loss following an attack.

Trends

According to Imperva threat research team, 264 new API vulnerabilities were reported in 2018. This is 23% up from the 214 vulnerabilities reported in 2017. Percentage-wise, this is a smaller increase than the 56% in 2017 from 2016.

Subscribe to this weekly newsletter at https://APISecurity.io


Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy