Issue 199: Vulnerability in Zulip server, broken access controls threat to APIs, introduction to BOLA


This week, we have news of an API vulnerability allowing privilege escalation in the team chat tool Zulip. We also have articles from PortSwigger on the threat of broken access controls and injection attacks to APIs, as well as a quick read on Broken Object Level Authorization vulnerabilities. Finally, we feature a guide from the Cloud Security Alliance on API security best practices.

Vulnerability: Privilege escalation vulnerability in Zulip Server

Security researchers have revealed details of a critical privilege escalation vulnerability in the API of Zulip Server. The vulnerability is tracked as CVE-2022-31168 and affects all versions of Zulip Server up to 5.4. Users are recommended to upgrade to version 5.5 immediately.

The researchers discovered that it was possible to craft an API call that grants organization administrator privileges to one of their bots. The root cause of the vulnerability was an incorrect authorization check in Zulip Server.

This is an example of API2:2019 - Broken authentication, one of the most prevalent and severe API vulnerabilities.

Article: Broken access controls threat to APIs

This week, PortSwigger has released an article covering the risk that broken access controls (exactly like in the vulnerability above) pose to APIs.

According to the report, in the first quarter of 2022 as many as 48 API-related vulnerabilities occurred. Of these, 18 were rated as high-risk and 19 as medium severity. The report also highlighted the risk of injection-based attacks on APIs.

The article highlights two high-profile API vulnerabilities from 2022:

  • The first vulnerability is the infamous Log4Shell vulnerability (covered here) enabling attackers to inject a code payload to allow remote code execution (RCE) in the Spring Framework Core module.
  • The second vulnerability relates to broken authentication in the Veeam backup solution (covered here) which also allowed attackers to execute code remotely.

Based on my own research (and featured in a recent webinar), I would suggest that API2:2019 - Broken authentication has now risen to be the most prevalent and certainly the most serious API vulnerability.

Article: Introduction to Broken Object Level Authorization

Beating broken authentication to the top of the OWASP API Security Top 10 is the equally infamous API1:2019 - Broken object level authorization (BOLA/IDOR) vulnerability. We have frequently featured guides on this troublesome topic, and this week we have a great guide for those who are new to API security.

With BOLA, an endpoint allows a given user access to an object (typically a data record) that does not actually belong to that user. The root cause of this vulnerability is a failure in the API backend to validate that the requesting client is indeed authorized to access the specified object.

Typically, attackers authenticate to an API as an ordinary user and then manipulate object identifiers in requests to probe for endpoints that skip the ownership check. As readers of this newsletter know only too well, BOLA is frequently exploited in real-world attacks - a great example is the recent high-profile disclosure on the Coinbase trading platform.

The article concludes with their recommendations for defense measures:

  • Always fully implement authorization on all endpoints.
  • Never trust user input because this is how attackers attempt to manipulate the target object.
  • Using high entropy (random and unpredictable) user IDs can thwart attackers’ attempts to guess user IDs.
  • Use a central authorization framework or enforcement point to validate user access to requested resources.
  • Ensure you test your APIs for BOLA weaknesses.

BOLA is easy to defend against in theory, but the devil is in the details when it comes to defending against it in practice.
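To make the recommendations above concrete, here is an added example (not code from the article or from any project it mentions) showing a BOLA-vulnerable handler beside a hardened one that routes every object access through a central authorization function. The data store, user roles and policy are constructed for this illustration and assumed to be hypothetical.

```python
import secrets
from dataclasses import dataclass


# Constructed in-memory data for the example: two ordinary users, one admin.
@dataclass(frozen=True)
class Invoice:
    id: str
    owner_id: str
    amount: int


USERS = {"alice": "user", "bob": "user", "ops": "admin"}
INVOICES = {
    "1001": Invoice("1001", "alice", 250),  # sequential IDs are trivially enumerable
    "1002": Invoice("1002", "bob", 900),
}


class Forbidden(Exception):
    """Raised whenever the policy denies access (or the object does not exist)."""


def get_invoice_vulnerable(current_user: str, invoice_id: str) -> Invoice:
    """BOLA: the caller is authenticated, but ownership is never checked, so any
    logged-in user can read any invoice just by changing the ID in the request."""
    return INVOICES[invoice_id]


def authorize(current_user: str, obj: Invoice, action: str) -> None:
    """Central enforcement point (hypothetical policy): owners may read their own
    objects, admins may read anything, everything else is denied."""
    if USERS.get(current_user) == "admin":
        return
    if action == "read" and obj.owner_id == current_user:
        return
    raise Forbidden(f"{current_user} may not {action} {obj.id}")


def get_invoice_secure(current_user: str, invoice_id: str) -> Invoice:
    """Hardened handler: the ID is untrusted input; look the object up, then let
    the central policy decide. A missing object gets the same response as a
    foreign one, so the ID space cannot be probed for existence."""
    obj = INVOICES.get(invoice_id)
    if obj is None:
        raise Forbidden(f"{current_user} may not read {invoice_id}")
    authorize(current_user, obj, "read")
    return obj


def can_read(current_user: str, invoice_id: str) -> bool:
    """Convenience wrapper to probe the hardened handler without raising."""
    try:
        get_invoice_secure(current_user, invoice_id)
        return True
    except Forbidden:
        return False


def new_object_id() -> str:
    """High-entropy (128-bit) identifier so IDs cannot be guessed; this is
    defence in depth, never a substitute for the authorization check."""
    return secrets.token_urlsafe(16)
```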

Guide: Cloud Security Alliance’s API security best practices

The Cloud Security Alliance (CSA) produces many excellent publications on the topic of improving cloud security. Similarly, they have produced their guide to API security best practices. Whilst their guide overlaps with the OWASP API Security Top 10 recommendations, it too is a useful resource to be bookmarked.

Their first recommendation is to produce a risk evaluation for all APIs to measure the risk they present to your business. This is an excellent recommendation - applying effort to low-risk APIs is a drain on resources and frustrates development and IT teams. Focus on the highest-risk APIs first.

The guide then provides a comprehensive checklist for all stages of the API life cycle:

  • Design
  • Development
  • Testing
  • Implementation
  • Logging and monitoring

The guide lists 39 different checks across these five stages - it’s definitely worth integrating some of the checks into your API life cycle.
