Issue 230: OpenSea API breach, flaw in Atlas VPN, using API fuzzing

This week, we have news of a breach affecting users of the OpenSea NFR trading platform, requiring a key rotation; and disclosure of an API vulnerability in the Atlas VPN exposing user IP addresses. We also have an article from The New Stack on API fuzzing and its benefits and a guide on using Keycloak for RBAC in microservices. Finally, Dana Epp makes it three issues in a row for a doubleheader of awesome guides, this time on prototype pollution and then AI testing in Postman.

Breach: OpenSea API users warned of breach

The popular NFT trading platform OpenSea has warned certain platform users to rotate their API keys. Although few details are provided in their official release, they suggest that one of their vendors may have experienced a security incident that led to the disclosure of OpenSea API keys. At the time of writing, there is no further detail of the number of users affected or whether other data besides these keys is impacted.

The article speculates whether this breach may be related to a breach at the third-party vendor of a popular blockchain analytics platform. OpenSea themselves were among several crypto companies to experience leakage of customer emails in an incident in June 2022. As is common with email leakages, attackers may use them to launch spear phishing campaigns against platform users (or even third-party vendors).

Vulnerability: Flaw in Atlas VPN exposes user IPs

Infosec Magazine reports on a vulnerability affecting users of the Atlas VPN service that can potentially expose user’s IP addresses to an attacker or allow the attacker to control the VPN itself. The vulnerability was discovered by a user and confirmed by the vendor, who has advised users to avoid using the Linux VPN client until a patch is released. There is no report of this vulnerability having been exploited at all.

The vulnerability arises via an unauthenticated API in the Linux VPN client, which exposes a localhost API on port 8076. This API is meant to be used as an administrative interface, most likely from web clients in a browser. It is possible the designers were relying on the Cross-Origin Resource Sharing (CORS) protection of the browser. However, by executing a command instead of a request, the researcher demonstrated a proof-of-concept that bypassed this CORS protection. This proves the important security adage: always use a layered approach built on a defense-in-depth approach. Even a simple key or token could have prevented this attack vector.

Article: API fuzzing and why you should use it

One of the most effective approaches to API testing (including security) is to use an extensive fuzzing approach to detect deviations from intended behavior or failures with edge case data. Our next article from The New Stack features this topic in-depth and covers how the Schemathesis tool can be used for API fuzzing.

Fuzzing is a long-established approach in software testing that involves providing synthetic and random data to a system under test. In the case of web applications, it is perhaps somewhat ineffective as a test method, but against APIs with well-defined contracts and behaviors, it can be invaluable in detecting deviations from expected behavior.

The article describes the following benefits of API fuzzing for API testing:

  • Error handling and resilience: Rather than letting your users discover how well your API handles malformed or unexpected data input, use a fuzzing engine to exhaustively test with a large, varied payload. By identifying weaknesses in handling unexpected data, the API developer can greatly improve the resilience of their API.
  • Compliance and standards: Various regulations require a thorough testing regime and fuzzing is a good way to prove you meet these requirements.
  • Third-party integration: If you are integrating with a third-party API, then apply fuzz testing to that API to see how it behaves before integrating with it.
  • Cost-effectiveness: Fuzz testing can be fully automated at a massive scale and run within modern pipelines, eliminating the need for almost any human interaction.
  • Security assessment: Most important, though, is the value of API fuzzing as a means of security testing. Fuzzing can identify various input validation vulnerabilities, including buffer overflow and injection attacks. It can also detect where the API has responded incorrectly to deliberately malformed input, such as invalid data formats or schema.

The article concludes with a showcase of the Schemathesis tool. This tool appears to offer a highly configurable and scalable approach to fuzzing both OpenAPI (REST) and GraphQL APIs. Some of the benefits include positive and negative tests, stateful testing, session replay, and various integrations with Python and CI/CD platforms. The tool can be run locally at the CLI or in Docker, or via a SaaS platform.

It’s always good to see new API security testing tools; this looks like a good one to add to the inventory.

Guide: Using Keycloak for RBAC in microservices

Next up is an article of interest primarily for Java developers wanting to integrate Single Sign-On into their applications. Keyclock joined the Cloud Native Computing Foundation in April 2023 as an incubator project and is a favorite as a cloud-native SSO server focusing on role-based access control (RBAC) across various complex landscapes from on-premises to full cloud-native cloud environments.

The article describes using the Keycloak server to implement an OpenID Connect authorization code flow using the Quarkus Java framework, which has its own OIDC connector. The tutorial shows the mechanics of setting up an application and getting it working with Keycloak for OIDC, and then gets on to the interesting topic of how to add RBAC security to REST APIs.

Keycloak seems to be an increasingly popular choice for SSO solutions, and this article shows how easily it can be integrated into an API.

Article: Exploiting APIs with prototype pollution

Next up is a real mind-bender of an article from Dana Epp on the topic of prototype pollution on Node.js, and how this can be exploited to create remote code execution (RCE) attacks. I’d recommend that the reader invest the time to work through the article as it’s definitely worth the effort; it took me a few reads before I understood what was possible.

Prototype pollution is a particular issue affecting JavaScript and results when a user can modify the prototype (a construct that allows JavaScript to manage inheritance) of an object. Essentially, if an attacker can modify the prototype of an object, they can change the underlying data object to something of their choosing. It’s not exactly like this, but it’s a fair approximation.

Dana describes how to test Node.js servers running the Express framework for susceptibility to a server-side prototype pollution attack (if you want to learn more, then Port Swigger have you covered). He then describes how to inject a dangerous payload (a script to open a reverse shell) and then inject that into an object’s prototype to get a reverse shell.

I’ve not had the time to try this myself, but I am quite fascinated by the mechanics of a prototype pollution attack (and why such a mechanism would exist at all ?) and will work through this and the PortSwigger labs in due course.


Guide: Using AI for API testing in Postman

The final article this week comes from Dana Epp again and covers the recent testing he did with the new Postbot features within Postman. Tl;dr: he found it to be a really useful tool in writing API test code in Postman. My own tests concluded that it’s likely to be quicker than I am.

API developers are used to using Postman to perform basic acceptance testing of their APIs while they’re coding them, but many are unaware of the powerful test automation features incorporated in Postman via the integrated scripting engine. Using this feature, creating custom scripts and checking the API responses for custom conditions and response codes is easy.

Recently, Postman got the AI buzz and added the ability to generate test scripts courtesy of an AI prompt familiar with the scripting framework. Simply describe your test requirement to the prompt (“check if the response contains a field called ‘CVV'”), and it does a pretty good job of writing the test code, certainly quicker than it would take me to read the manual.

Dana takes it to the next level with some of the scenarios he gave to Postman, such as:

“write a test that loops through an array of common command injection payloads and inserts them into the "query" parameter of this request. For each item in the array send one request URL encoded, and one that is not.”

Postbot really did a surprisingly good job of writing a test for this – as Dana concludes: “I’ll be damned. Postbot is a thing.”

API World Event, Santa Clara – Complimentary Tickets

Join 42Crunch this month at API World, Santa Clara, Oct 24-26 where 42Crunch will be revealing some new platform capabilities and running several workshops. Booth#115-117.

We have a limited number of free passes, so if you would like to attend please follow this link to register for your free OPEN Pass.

Isabelle Mauny, Field CTO & Co-Founder at 42Crunch will be talking on the following topics:

  • API Workshop: Common API Security Pitfalls
  • Why so many API Security Solutions have failed to Deliver
  • How to Protect your APIs from the new OWASP API Top 10 Security Risks

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy