This week, we have news of API and web security flaws in the Lego marketplace, potentially allowing for a full account takeover. From NordicAPIs, we have a guide to seven examples of quality API style guides and coverage of the recent news from 42Crunch being admitted to the Microsoft Intelligent Security Association (MISA). Finally, we have details of another addition to the burgeoning collection of deliberately vulnerable API applications.
Vulnerability: API flaws in the Lego marketplace risk user data
First up this week is some excellent research from Shiran Yodev (@shrnyo) into a series of vulnerabilities on the Lego platform, which, if exploited by a skilled attacker, could have led to an account takeover. The vulnerabilities were responsibly disclosed to Lego, who took immediate steps to address the issues found; no known exploits are known to have taken place.
The first issue discovered by Yodev was an instance of good old fashion Cross-Site-Scripting (XSS) on the search dialog on the Lego marketplace website. The advanced search page did not adequately sanitize user-supplied input and rendered an unsanitized search string to the user’s browser, allowing for a basic reflected XSS attack. Yodev attempted to use this XSS vulnerability to read the document.cookie but found that this was protected by the HttpOnly attribute on the cookie as per standard best practice for cookie protection.
Next up, Yodev discovered that the website used long-lived, unprotected, and exposed session IDs. He created a proof of concept to demonstrate how users could be tricked into clicking a link (exposed by the XSS flaw) which would forward their current session to his attack server resulting in a full account takeover.
Finally, Yodev observed that one of the pages allowed uploading an XML file in a specified format. Unfortunately, the platform had not restricted the support for XML External Entities on the server, which allowed Yodev to perform a simple attack that showed he could access arbitrary files on the local filesystem. With some refinement, he could access the underlying AWS EC2 credentials for the marketplace host. XML External Entities are a dangerous feature as they allow for the inclusion of arbitrary file content under the control of an attacker within the current XML parsing and rendering process.
In conclusion, Yodev offers sound advice for preventing such attacks, namely:
- To prevent XSS, the golden rule is never to trust user input and ensure that input is properly sanitized and escaped.
- Sessions IDs are potentially sensitive, and developers should not expose them or allow them to be hijacked.
- Unless absolutely necessary, ensure that XML External Entities support is disabled.
Article: Seven examples of quality API style guides
A consistent and uniform API design is essential to ensuring APIs that behave in standard ways, handle errors in the same way, and can be tested in a standard and consistent manner. This week, NordicAPIs lists seven of their most popular API style guides. Although somewhat ancillary to API security, a uniform API design will greatly aid the efforts of security teams in performing design and code reviews, and testing.
The two guides that stood out for me during a quick read-through were the GitLab API style guide and the wonderfully detailed Stoplight API style guide and best practices. In particular, the latter provides excellent guidance on what to include in a style guide and how to ensure that these guidelines are enforced uniformly across an organization. They recommend using open-source Spectral guides and audits throughout the CI/CD lifecycle.
NordicAPIs produce several other excellent guides which are worth bookmarking, namely:
- Tips for creating an API design style guide
- API best practices
- REST design tips
- Specific naming conventions
Thanks to NordicAPIs for their valued contribution to the API community.
News: 42Crunch expands Microsoft collaboration by joining MISA
At the beginning of 2023, 42Crunch announced that it had joined the Microsoft Intelligent Security Association (MISA), a group of security technology providers who have integrated their solutions with Microsoft’s security technology products to better defend against a world of increasing threats. 42Crunch has integrated with Microsoft Sentinel to provide enterprises with end-to-end API protection and visibility, critical to the success of their API-driven digital initiatives.
“As a pioneer of the DevSecOps approach for API Security, 42Crunch is proud to join the Microsoft Intelligent Security Association and help organizations to ensure they have the tools they need to proactively defend against increasingly sophisticated threats in a digital world” said Jacques Declas, CEO of 42Crunch.
I have previously hosted webinars on the 42Crunch integration with Microsoft Sentinel (here and here) if you want to see the integration in action. I’m particularly excited about the opportunity that this integration brings in allowing SOC security specialists to create sophisticated rules to detect advanced API attacks using the power of the Microsoft platform with all the advanced threat detection and analytics it provides.
Tools: BankGround vulnerable API application now available as OSS
Finally, this week, we have news of another deliberately vulnerable API application which are always popular with our readers wishing to learn the skills of API hacking. BankGround is a banking playground and is an open-source project to learn REST/OpenAPI and GraphQL APIs. The project is the brainchild of Karel Husa, who also provides API security training and testing services.
The project looks extensive and well-designed, with an OpenAPI definition and a source code repository in GitLab.
Thanks to Karel for contributing this project to the community.
Webinar: Build Secure APIs in VS Code with Instant API Security Testing
The DevSecOps movement has resulted in vendors providing developer tools inside their IDEs. Unfortunately, many security tools integrated into the IDE leave a lot to be desired – slow scanning times, noisy results, and no real added productivity value to busy developers. However, the 42Crunch VS Code API security audit integration is a complete game changer, evidenced by the nearly half a million downloads in the marketplace. Developers have come to love the powerful OpenAPI audit facilities, but with the recent release of this plugin, developers can now audit and test their APIs almost instantly as they code.
Join yours truly on 21 March 2023, at 8 am PST / 4 pm GMT, as I demonstrate the new powerful features:
- Audit existing OpenAPI definitions for data and security best practices.
- Powerful remediation guidance from the industry’s largest OpenAPI knowledge base.
- Validate the conformance of your API against the contract within seconds.
- Identify any unexpected API behavior such as:
- Incorrectly responding to undefined verbs.
- Unexpected responses to error conditions.
- Malformed responses to operations (excessive information exposure)
- Incorrect handling of edge-case input (fuzzing of inputs).
- Other undefined behavior.
Get API Security news directly in your Inbox.
By clicking Subscribe you agree to our Data Policy
