Issue 209: CSRF in Plesk API-enabled server, top five API security myths, Ory Hydra authentication server


This week, we have new research from FORTBRIDGE that reveals a cross-site request forgery (CSRF) vulnerability in API-enabled instances of Plesk, the popular server administration portal. We also have an article on the top five API security myths according to Hacker News, a quick look at the Ory Hydra OAuth2/OIDC server, and a guide to some awesome BurpSuite extensions.

Vulnerability: CSRF in Plesk API-enabled server

First up this week is breaking research from our friends at FORTBRIDGE which uncovered a CSRF vulnerability in the REST API of the popular server administration tool, Plesk. Plesk is widely used as an administrative front-end for web hosting and data center providers, and has generally been hardened and patched against security vulnerabilities.

During a recent project for a client, Adrian Tiron (managing partner at FORTBRIDGE) noticed that when the backend REST API is called from the web interface client, there are no defenses against CSRF. Basically, a CSRF attack allows an attacker to hijack an existing client’s session on a server to execute other operations. Typically, the defense for this would be to include a CSRF token that is unique to the request.

In this case, Tiron discovered that if an attacker could lure a Plesk administrator to a malicious website (such as through clickjacking type attacks), the attacker could then launch an attack against the Plesk server. One particular endpoint in the REST API supported miscellaneous commands, including an option to reset the administrator’s password. Given that Plesk typically operates at high levels of privilege to administer servers, such a compromise could have a significant impact, enabling serious attacks such as arbitrary file upload and complete takeover of the host server.

FORTBRIDGE responsibly disclosed this vulnerability to Plesk who responded rapidly to resolve the issue. At the time of writing, Plesk has reported that 89.4% of Plesk servers have already been automatically updated. For technically-minded readers, I would highly recommend the excellent write-up by Tiron on their website — that old dog certainly does know some tricks 😉

The key takeaway for developers here is to ensure that all POST requests that change the server state have CSRF mitigation implemented. The two standard patterns for CSRF defense are the synchronizer token pattern and the double submit cookie pattern. If anyone wants to know more about CSRF — in particular the double submit cookie pattern — I can recommend the excellent webinar I hosted with Jim Manico just last week, where he covered the topic in great detail.
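The double submit cookie pattern named above, as an added example (not code from Plesk, FORTBRIDGE, or the webinar): it uses the signed variant, in which the token is an HMAC bound to the session, and goes beyond POST to cover other state-changing methods. `SERVER_KEY`, `issue_csrf_token`, `check_request`, and the idea of echoing the cookie in a custom request header are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _mac(session_id: str, nonce: str, key: bytes) -> str:
    return hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Token sent as a cookie; client script copies it into a request header."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce, key)}"


def check_request(method, session_id, cookie_token, header_token, key=SERVER_KEY) -> bool:
    """Return True if the request may proceed."""
    if method.upper() not in STATE_CHANGING:
        return True  # safe methods must not change state, so no token is needed
    if not cookie_token or not header_token:
        return False  # a forged cross-site request carries the cookie but no header
    if not hmac.compare_digest(cookie_token.encode(), header_token.encode()):
        return False  # cookie and header must carry the same value
    nonce, sep, mac = cookie_token.partition(".")
    if not sep:
        return False  # malformed token
    # Binding the MAC to the session stops someone who can plant a cookie
    # from supplying a matching cookie/header pair of their own.
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce, key).encode())


if __name__ == "__main__":
    tok = issue_csrf_token("sess-admin")  # constructed session id
    print(check_request("POST", "sess-admin", tok, tok))
    print(check_request("POST", "sess-admin", tok, None))
    print(check_request("POST", "sess-admin", "aa.bb", "aa.bb"))
```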

Article: Top five API security myths

API security is a vast, sprawling topic with many diverse opinions and views, and often beset with misconceptions that can result in serious risk. This week Hacker News has featured their own views on the top five myths surrounding API security, briefly summarized as:

  • API gateways, existing IAM tools, and WAFs are enough to secure APIs: This is probably the most frequently encountered misconception I face in discussions with security teams. All of the existing security tools offer value in reducing the risk exposed through APIs. However, many legacy tools are not up to the task of securing APIs, and many API vulnerabilities could not be prevented by using a tool. Proper threat assessment, solid design, defensive coding, and proper testing are as important as the tools.
  • API security is simple: This insight will come as no surprise to readers of this newsletter. API security is a challenging undertaking, and the attackers are nearly always one step ahead.
  • Developers will always bake security into APIs: While developers are increasingly aware of the need to incorporate security into their code as early as possible, they face various other demands and constraints, such as performance, functionality, or delivery. Security is not always their top priority.
  • Cloud providers secure APIs by default: One of the great promises of the cloud is that it is “secure by default” and that the cloud provider handles most of the security considerations. The shared security model adopted by cloud providers is quite explicit in stipulating that the responsibility for both application and data security lies with the end user.
  • Zero Trust is enough to secure APIs: It is probably self-evident that there is no silver bullet for API security. While Zero Trust is a worthwhile approach, it is only one part of a much bigger picture.

The author makes some useful observations in this article — in my view, API security is a multi-faceted undertaking, and the best approach is a layered approach with defense in depth.

Tool: Ory Hydra OAuth2/OIDC server

As part of my own research into open-source authorization and identity servers, I discovered the Ory project, which provides both an OAuth2/OIDC server (called Hydra) and an identity server (called Kratos). According to the Hydra project page on GitHub, Hydra is “a hardened, OpenID Certified OAuth 2.0 Server and OpenID Connect Provider optimized for low-latency, high throughput, and low resource consumption”. Hydra does not perform identity provision but can connect to your existing provider or use the Ory Kratos project.

The Ory project boasts very wide adoption, including names such as RaspberryPi.org, Hootsuite.com, Arduino.cc, and Sainsburys.co.uk. The project is actively supported by a community of over 1000 contributors. Both Hydra and Kratos can easily be installed on a variety of operating systems or run using Docker. The documentation appears excellent at first glance, and there is a newsletter and plenty of quickstart videos and walkthroughs.

This looks to be an ideal project for any API developer looking to learn OAuth2/OIDC hands-on.

Guide: Awesome BurpSuite extensions

Related to my research around authorization and identity providers, I rediscovered the joys of using BurpSuite to examine API transactions.

In particular, when I needed to examine JWTs and OAuth2/OIDC requests, I stumbled upon this excellent guide for awesome Burp extensions, which will be invaluable to anyone using BurpSuite in anger.

Thanks to Sam Sanoop (@snoopysecurity) for putting together this excellent list of resources. And of course to PortSwigger for BurpSuite.

Event: “Are your APIs rugged?” — OWASP BeNeLux Days Conference 2022

On Thursday next week (November 24th), I am going to be speaking at the OWASP BeNeLux Days conference in Tilburg, Netherlands.

The topic is one of my favorites, “Are your APIs rugged?”, in which I will examine various strategies, tools, and techniques that developers can use to build more secure (and more rugged) APIs. The talk will include a slight tongue-in-cheek view of what happens when your APIs aren’t rugged, featuring some of the major breaches covered in this newsletter.

Attendance is free, and at the time of writing, there were still tickets available — if you’re in the area, it would be great to see you; grab a ticket now.

