This week, we have details of an API vulnerability in the Drupal platform, allowing an attacker to bypass access controls. We also feature views from Google Cloud on challenges to API security, a comprehensive guide to OAuth2, and finally a write-up on how GitHub deviates from the implementation guidelines for OAuth2.
Vulnerability: Drupal patches an API vulnerability allowing access bypass
This week, Drupal has announced a security update to patch a vulnerability in the API of version 9.3 of their platform, a popular open-source content management system.
Drupal exposes an API to facilitate integrations and its plugin framework. Unfortunately, Drupal has disclosed that one API did not adequately authorize access to the backend. Potentially, this could have allowed attackers to access content outside of the core Drupal access controls. As Drupal explains: “This API was not completely integrated with existing permissions”.
Fortunately, only version 9.3 of the platform was affected, and Drupal has already released a security update.
This is an example of API2:2019 — Broken authentication — be sure to adequately authenticate all APIs.
Article: Google Cloud views on API security challenges
The Register has provided coverage of a recent thought piece from Google Cloud on the challenges of API security particularly in cloud environments.
The authors offer opinions (some of them strong) and thoughts on a wide variety of API topics, namely:
- API security needs will push zero trust adoption: Although zero-trust promises great benefits for distributed API architectures, the authors’ view is that adoption rates are still low, typically only one in five.
- Microservice APIs on the rise: While APIs facilitate the development of microservice architectures, developers should be sure they are not creating new complexity unnecessarily — “the worst of the monoliths, the distributed monolith”.
- APIs keep EDA alive: APIs enable event-driven architectures (EDAs), allowing serverless, asynchronous, and stream use cases. Beware of security considerations, though!
- REST will step aside for GraphQL: The authors predict that GraphQL will overtake REST APIs by 2025, which has a big impact on security teams.
- Multi-APIM will rise to support hybrid deployments: Hybrid cloud environments will lead to multiple API management deployments managing the same APIs.
- Vendors will unlock conversational APIs: APIs will increasingly deliver voice experiences to customers, which brings privacy and protection challenges with it.
- APIs will stop being shadow IT: APIs will become the standard conduit through which data will be exposed in organizations. Savvy security teams should embrace this and ensure that a standard process exists for developing, deploying, and governing APIs.
API security is going to be increasingly challenging, and it’s pleasing to see the cloud providers giving the topic due focus.
Guide: Part 1 of a comprehensive guide to OAuth2
The correct design and implementation of the OAuth2 specification are vital to API security. Unfortunately, they also are one of the more confusing topics facing developers tasked with implementing API authentication and authorization. This week, we feature one of the best guides on the topic from Dan Moore, courtesy of the StackOverflow blog.
The guide assumes minimal knowledge of OAuth2, and instead provides an orientation and outlines the many advantages of using OAuth2. The core OAuth2 standards are covered briefly, as are some of the more common specialized OAuth2 standards.
The most common challenge for developers is which grant type to use. Here, the guide covers the pros and cons of each in some detail and concludes with alternatives to OAuth2.
A good read for beginners to OAuth2, and I look forward to featuring the second part.
Article: How GitHub deviates from OAuth2 implementation guidelines
This week, our second article is another one on OAuth2, and it is definitely one for the more technically-minded reader: a researcher describes various deviations in the GitHub implementation of OAuth2.
The article covers three main areas: specification violations, GitHub-specific extensions, and security considerations. Of these, it is the security considerations that are of most interest:
- Proof Key for Code Exchange by OAuth Public Clients (PKCE, RFC 7636) should be supported to prevent attackers from exchanging stolen authorization codes.
- OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (RFC 8705) should be supported to further reduce an attacker’s ability to use stolen access tokens.
- More secure client authentication methods should be used — the recommendation is to follow Financial-grade API (FAPI) specifications.
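To make the first of these points concrete, here is an added example (not code from the article or from GitHub) of what PKCE adds to the authorization code flow: the client keeps a random code_verifier, sends only its SHA-256 hash (the code_challenge) on the authorization request, and the token endpoint refuses to exchange the code unless the presented verifier hashes to the stored challenge. The `AuthorizationServer` class is a deliberately minimal stand-in for a real server and is an assumption of this example; the RFC 7636 Appendix B test vector is used to check the challenge derivation.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636, section 4.1: the verifier is 43-128 characters drawn from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def make_verifier() -> str:
    """Generate a high-entropy code_verifier (32 random bytes -> 43 base64url chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def make_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Hypothetical authorization server keeping only the state PKCE needs (illustration only)."""

    def __init__(self) -> None:
        # authorization code -> (client_id, code_challenge)
        self._codes: dict[str, tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, code_challenge_method: str = "S256") -> str:
        """Authorization endpoint: bind the challenge to the code it issues."""
        # 'plain' would let anyone who saw the challenge replay it as the verifier, so only S256 is accepted.
        if code_challenge_method != "S256":
            raise ValueError("only the S256 code_challenge_method is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        """Token endpoint: the code alone is not enough; the verifier must match the stored challenge."""
        entry = self._codes.pop(code, None)  # codes are single use, whatever the outcome
        if entry is None:
            return {"error": "invalid_grant"}
        stored_client, stored_challenge = entry
        if stored_client != client_id or not _VERIFIER_RE.match(code_verifier):
            return {"error": "invalid_grant"}
        # Constant-time comparison so the check does not leak how many characters matched.
        if not hmac.compare_digest(make_challenge(code_verifier), stored_challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def stolen_code_is_useless() -> bool:
    """Show that an authorization code intercepted in transit cannot be exchanged without the verifier."""
    server = AuthorizationServer()
    verifier = make_verifier()  # stays inside the legitimate client
    code = server.authorize("my-app", make_challenge(verifier))
    # An interceptor has the code but not the verifier; any guess fails.
    attempt = server.token("my-app", code, make_verifier())
    return attempt == {"error": "invalid_grant"}


if __name__ == "__main__":
    print("stolen code rejected:", stolen_code_is_useless())
```

The single-use rule in `token` means that a failed exchange burns the code, so the legitimate client receives `invalid_grant` instead of a token; logging that condition is a useful signal that a code was intercepted.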
The article serves to illustrate that the devil really is in the details when authentication and authorization are concerned. Wherever possible, be sure to adopt industry best-practices, such as FAPI.
Webinar: Actively Monitor and Defend Your APIs with 42Crunch and the Azure Sentinel Platform
APIs are increasingly the number one attack vector for adversaries, due to their growing abundance and ease of attack when using automated scripts and tools. Most public APIs are under constant attack by skilled human adversaries and growing legions of bots. Well-designed, secure APIs are critical to mitigating the risk of attack, but it is essential to also actively monitor and defend your APIs — the frontline of your perimeter — through direct integration into SIEM and SOCs.
In this webinar, 42Crunch and CyberProof show how to proactively integrate API access logs into the Azure Sentinel platform, demonstrating the following:
- Ingestion of API logs directly into Log Analytics workspaces
- Creating basic alerts on common API error conditions
- Enrichment of API logs with threat intelligence data, such as known bad IPs
- Detecting attack patterns for common adversarial tools like Kiterunner
- Understanding of common bot behaviors and detection techniques
- Automated protection of APIs through standard Azure protections, such as firewall.
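Two of the items above, basic alerts on error conditions and enrichment with known bad IPs, can be tried on a laptop before any SIEM is involved. The following is an added example, not material from the webinar or from 42Crunch: it parses constructed JSON-lines API access logs, tags requests from a constructed threat-intelligence list, and raises an alert when one client accumulates a burst of 401/403/404 responses inside a sliding window, the kind of footprint that path-enumeration tooling leaves behind. Field names, the window and the threshold are assumptions of this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access logs (one JSON object per line); the IPs are documentation ranges, not real hosts.
SAMPLE_LOGS = """
{"ts": "2022-01-20T10:00:00", "client_ip": "192.0.2.10", "method": "GET", "path": "/api/v1/orders", "status": 200}
{"ts": "2022-01-20T10:00:03", "client_ip": "198.51.100.23", "method": "GET", "path": "/api/v1/admin", "status": 404}
{"ts": "2022-01-20T10:00:04", "client_ip": "198.51.100.23", "method": "GET", "path": "/api/v1/backup", "status": 404}
{"ts": "2022-01-20T10:00:05", "client_ip": "198.51.100.23", "method": "GET", "path": "/api/v1/debug", "status": 404}
{"ts": "2022-01-20T10:00:06", "client_ip": "198.51.100.23", "method": "GET", "path": "/api/v1/internal", "status": 403}
{"ts": "2022-01-20T10:00:07", "client_ip": "198.51.100.23", "method": "GET", "path": "/api/v1/users", "status": 401}
{"ts": "2022-01-20T10:00:08", "client_ip": "198.51.100.23", "method": "GET", "path": "/api/v1/config", "status": 404}
{"ts": "2022-01-20T10:00:09", "client_ip": "203.0.113.7", "method": "GET", "path": "/api/v1/orders", "status": 200}
{"ts": "2022-01-20T10:00:12", "client_ip": "192.0.2.10", "method": "GET", "path": "/api/v1/orders/42", "status": 404}
"""

# Constructed stand-in for a threat-intelligence feed of known bad IPs.
KNOWN_BAD_IPS = {"203.0.113.7"}

ERROR_STATUSES = (401, 403, 404)


def parse_logs(text: str) -> list[dict]:
    """Parse JSON-lines access logs into records with a real datetime in 'ts'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def enrich(records: list[dict], bad_ips: set[str]) -> list[dict]:
    """Enrichment step: flag every request whose client IP appears in the threat-intel list."""
    for rec in records:
        rec["threat_intel_hit"] = rec["client_ip"] in bad_ips
    return records


def error_burst_alerts(records: list[dict], window: timedelta = timedelta(minutes=1),
                       threshold: int = 5) -> list[dict]:
    """Fire one alert per client IP when it reaches `threshold` error responses within `window`."""
    recent = defaultdict(list)  # client_ip -> timestamps of recent error responses
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["status"] not in ERROR_STATUSES:
            continue
        times = recent[rec["client_ip"]]
        times.append(rec["ts"])
        # Drop timestamps that have slid out of the window.
        while times and rec["ts"] - times[0] > window:
            times.pop(0)
        if len(times) == threshold:  # fires exactly as the threshold is crossed
            alerts.append({"client_ip": rec["client_ip"], "count": threshold,
                           "first": times[0], "last": rec["ts"]})
    return alerts


def analyze(text: str, bad_ips: set[str]) -> dict:
    """Run parsing, enrichment and the error-burst rule; return what a SIEM would surface."""
    records = enrich(parse_logs(text), bad_ips)
    hits = []
    for rec in records:
        if rec["threat_intel_hit"] and rec["client_ip"] not in hits:
            hits.append(rec["client_ip"])
    return {"threat_intel_hits": hits, "error_burst_alerts": error_burst_alerts(records)}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOGS, KNOWN_BAD_IPS), default=str, indent=2))
```

In a real deployment the same two rules translate directly into SIEM queries over the ingested log table; the point of the local version is to tune the window and threshold against your own traffic before they start paging anyone.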