Issue 200: Injection vulnerability in Bitbucket, OAuth2 exploitation, and 200th issue prize giveaways


Happy 200 OK issue of the APIsecurity.io newsletter!

Celebrating the 200th issue

This week is a special one: it’s the 200th edition of this newsletter, and also my first anniversary as the curator. To celebrate, I have pulled out our three most popular articles and our three most popular guides, in case you missed them the first time around. We’ve also got views from several industry leaders on the state of API security in late 2022, and — most importantly — news of our giveaways running weekly through September.

Before diving in, I would like to thank a few people who make this newsletter what it is today:

  • My predecessor as the curator, Dmitry Sotnikov.
  • The founders at 42Crunch for their vision and support in sponsoring this newsletter.
  • My long-suffering co-editor and marketing team at 42Crunch.
  • The numerous experts and visionaries in the field of API security who contribute their thoughts and expertise to our benefit.
  • The pentesters and researchers who document their disclosures in painstaking detail so that we all can learn from their unique skills.
  • And most importantly, to the subscribers and followers of this newsletter who regularly give me such positive feedback. This newsletter is for you; this feedback means the world to me.

Without further ado, here are the details of the prize giveaway for the first week: all you have to do to enter is to create a social media post on Twitter or LinkedIn mentioning this newsletter and tag me (@colindomoney) in your post. We’ll choose the winner based on originality, creativity, and impact, and will announce the winner and the prize next week. Get those thinking hats on and get posting! If you’re running an API security project, feel free to tag that in as well.


Our top three articles

We’ve had some fantastic articles in the last year, and it was hard to pick the top three. However, based on the reader engagement and value to the community, I’ve picked the following:

  • In third place is the vulnerability disclosure from Pen Test Partners (featured in issue 171) of a DPD parcel tracking website flaw that may have exposed customer data. I loved this article because of the relative simplicity of the attack method, coupled with the vulnerability’s potential impact. Don’t rely on security by obscurity, and always rate-limit endpoints that can be fuzzed.
  • In second place is the beautifully written write-up (featured in issue 149) of the various geolocation vulnerabilities in the Bumble dating app. I loved this article because of the ingenuity of the various attack techniques and the way they were chained to totally “own” the app. It’s also absolutely hilarious — kudos to Robert Heaton (@RobJHeaton) for this contribution.
  • In first place, by some margin, is the stellar vulnerability write-up from our friends at Fortbridge (featured in issue 187 and on their blog) describing a mass account takeover in the Yunmai smart scale API. Not only is the write-up impeccably written and illustrated, but it highlights perfectly how several benign flaws can allow skilled attackers to compromise a system. Kudos to the team at Fortbridge (@FORTBRIDGE1) for this fine work.

Our top three guides

Aside from news on API vulnerabilities, guides on API security are also a recurring topic in this newsletter. Again, based on the reader engagement, the following stand out:

  • In third place, I’m pleased to have my own guide to REST API security (featured in issue 179 and on the DZone website). Thanks to DZone for their help and for the many kind words I’ve received. If I’ve missed anything important, give me a shout, and I’ll get it into the next revision.
  • In second place is the very popular API testing checklist (featured in issue 194) from Latish Danawale. This is a really comprehensive list of things to check when testing an API, and the author’s vast experience makes this a favorite with our readers.
  • In first place is the evergreen (and ever popular) “Awesome API security” guide from André Rainho (featured in issue 162 and on GitHub). This is the first place any aspiring API security aficionado should go to find API security resources, from guides and how-tos right through to tools and hacking skills. Kudos to André (@arainho_it) for this invaluable community resource.

Views from the industry experts

Here are quotes from some of the well-known names in API security on where they see API security today and where it seems to be headed (and perhaps a bit about this newsletter, too):

“Over the last 2 years, microservices have continued to dominate as the primary paradigm for API development. The importance of managing JWT tokens, as well as OAuth2 and OIDC endpoints has only increased. The risk of API-centric attacks like Server Side Request Forgery (SSRF) has only increased. The need to secure cloud infrastructure has only increased. The issues are similar from 2 years ago, but the trends call for us to do better in keeping these API risks at bay.”

— Jim Manico, Founder at Manicode (@manicode)

“From my work training and advising developers, I get to meet a lot of different people, and see a lot of different approaches. One key observation is that lots of teams struggle with insanely complex systems and solutions. In such an environment, security becomes difficult and unmanageable. The teams that do well focus hard on keeping things simple, which often requires extra effort to get there. Looking forward, I’m optimistic about where we’re going. Increased security awareness and better tool support will hopefully make it possible to build more secure applications. Congrats with the 200th edition!”

— Dr. Philippe De Ryck, Founder at Pragmatic Web Security (@PhilippeDeRyck)

“The state of API security leaves many of us in the industry with a lot of anxiety each day, but with more discussion and sharing about why API security matters we will be able to collectively realize a more stable and secure future — making the APISecurity.io newsletter THE most important newsletter out there when it comes to the reliability, stability, and trust of our enterprise operations.”

— Kin Lane, Chief Evangelist at Postman (@kinlane)

“One of the final recommendations in the Hacking APIs Workshop was to subscribe to said [APISecurity.io] newsletter for the latest and greatest API security news!”

— Corey Ball, author of “Hacking APIs” (@hAPI_hacker)

“We think that API security is a very hot topic right now. FORTBRIDGE has had a lot of success in engagements where APIs were involved, as evidence you can check out our research on hacking the Yunmai smartscale which was one of our most popular research articles. And there’s more API stuff waiting to be published with big vendor names.

We’ve also noticed that APIs are a great target and tend to be vulnerable in general to more obscure classes of vulnerabilities such as HPP (had great success with this one ;)), mass assignment, info leaks etc. As a pentester you have to think a bit outside of OWASP TOP 10 if you really want to be successful at hacking APIs. We think that APIs will continue to be a great target, companies are catching up when it comes to this topic. One thing remains constant though, a combination of proper security tooling & highly skilled pentesters is required to secure APIs.”

— Adrian Tiron, Managing Partner at FORTBRIDGE (@FORTBRIDGE1)


API security news

In brief this week, we have news of a command injection vulnerability in the Atlassian Bitbucket server, a guide on understanding and exploiting OAuth2, an article on the occurrence of API security incidents, and finally, an article on the top five API security best practices.

Vulnerability: Command injection vulnerability in Bitbucket server

The most significant news this week is the critical command injection vulnerability in Bitbucket that could allow attackers to execute arbitrary code. The flaw (tracked as CVE-2022-36804) was discovered in multiple API endpoints.

According to the advisory, the affected product is the Bitbucket Server and Data Center (versions released after 6.10.17, and up to 8.3.0). The usual guidance applies — update to the latest version of the software as soon as possible.

Guide: Understanding and exploiting OAuth2

OAuth2 is an ever-popular topic with readers, and this week we have a great article from Hashar Mujahid covering a gentle introduction to OAuth2, followed by a tutorial on how to exploit poorly implemented instances of it.

If you are interested in learning more, you can get hands-on and do the lab exercises yourself, thanks to the good folk at PortSwigger.

Article: API security incidents occurring monthly

HelpNet Security has covered the recent Postman “2022 State of the API” report and included their warning that API security incidents are now occurring at least once a month.

The key findings from the report are:

  • Organizations are now spending the majority of their development efforts on APIs.
  • API investments to remain strong, despite economic headwinds.
  • API-first leaders outperform.
  • Remote work is “very important.”
  • API security incidents occur monthly at many companies.

The report’s key recommendation was to shift left with API security – I couldn’t agree more.

Article: Top five API security best practices

Finally, Traefik Labs has published their recommendations for the top five best practices for protection, resilience, reliability, and scalability of APIs.

Their top recommendations are:

  • Maintain load balancing
  • Control access to your APIs with authentication and authorization
  • Protect your data with encryption and TLS/SSL certificates
  • Don’t forget rate limiting
  • Maintain solid access logs
