This week, we look at API security vulnerabilities discovered in Versa Director and in dating app Feeld. We share insights from ethical API hackers on how they find API vulnerabilities and bugs in mobile apps. We have two separate reports on industry trends and priorities for API security in 2024, and a how-to article on API discovery.
Vulnerability: Networks exposed to Versa Director API flaw
According to a report by The Cyber Express, a vulnerability was recently discovered in Versa Director, a platform used by service providers to manage network configurations. The vulnerability is caused by improper input validation in a REST API exposed by the platform.
APIs must be developed with secure coding practices that properly validate all user input. Without this basic security check, an attacker can carefully craft input that the API does not expect, leading to unintended consequences.
In this case, an attacker could inject an invalid property into a GET request to the vulnerable API, which would cause an unintentional leak of authentication tokens of other users logged into the system. Armed with the valid tokens of other users, the attacker could then send additional API requests with the permissions and privileges of those other users.
A recommended workaround is to use a WAF or API gateway to block all traffic to vulnerable API endpoints. However, a more granular API firewall would only block API requests that include invalid properties, to protect the system from malicious requests without impacting all users.
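As an added illustration (not Versa's code; the endpoint, schema and request values are constructed), the snippet below allow-lists the properties a request may carry and contrasts the two blocking options mentioned above: the coarse WAF workaround that blocks the endpoint outright, and the granular filter that rejects only requests carrying an unexpected or invalid property.

```python
# Added example, not Versa Director code: allow-listing request properties
# and comparing a coarse block with a granular one. Schema is constructed.
from typing import Callable, Dict, List

# Constructed schema: for each endpoint, the query properties it accepts and
# a validator for each value. Any property not listed here is rejected.
ALLOWED: Dict[str, Dict[str, Callable[[str], bool]]] = {
    "/api/devices": {
        "limit": lambda v: v.isdigit() and 1 <= int(v) <= 100,
        "status": lambda v: v in {"up", "down"},
    },
}


def validate_request(path: str, query: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the request is clean."""
    schema = ALLOWED.get(path)
    if schema is None:
        return [f"unknown endpoint {path}"]
    problems = []
    for name, value in query.items():
        check = schema.get(name)
        if check is None:
            # The case from the text: a property the API was never designed for.
            problems.append(f"unexpected property '{name}'")
        elif not check(value):
            problems.append(f"invalid value for '{name}'")
    return problems


def coarse_filter(path: str, query: Dict[str, str]) -> str:
    """WAF-style workaround: block every request to the affected endpoint."""
    return "blocked" if path == "/api/devices" else "allowed"


def granular_filter(path: str, query: Dict[str, str]) -> str:
    """API-firewall approach: block only requests that fail validation."""
    return "blocked" if validate_request(path, query) else "allowed"
```

With the coarse filter, legitimate users of the endpoint lose service while the fix is pending; with the granular filter, the well-formed request still gets through and only the request carrying the stray property is dropped.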
Vulnerability: BOLA undermines privacy in Feeld dating app
The Fortbridge research team has discovered a series of API vulnerabilities in the dating app Feeld, demonstrating the real-world consequences of broken object-level authorization (BOLA).
BOLA tops the OWASP Top 10 ranking for API security. It is an extremely common vulnerability in API development and it is also easy to exploit.
These BOLA vulnerabilities allow a malicious user to access other users’ private photos and chat groups. In one example, the team demonstrated how they were even able to modify other users’ chat messages.
To find these vulnerabilities, the research team monitored the API traffic sent by the mobile dating app. They noticed that the app sends unique IDs to the API server whenever the user accesses a resource such as a photo or chat message.
By manipulating the ID sent to the API server, the team was able to gain unauthorized access to other users’ photos and chat messages. This showed that the API was not checking whether the logged-in user was authorized to access the particular resource requested. In other words, the API’s authorization is broken at the resource or object level.
Mobile apps are particularly vulnerable to BOLA attacks if frontend and backend development teams are not clued in to the risks. For hackers who know how to look inside a mobile app to monitor and manipulate API traffic, BOLA is often a very effective method of attack.
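As an added example (not Feeld's code; the users, photos and chat group are constructed), the toy store below shows the BOLA pattern described above: the vulnerable handlers trust the client-supplied ID and return or modify whatever object it points to, while the fixed handlers follow the lookup with an object-level authorization check against the calling user.

```python
# Added example (not Feeld's code): a toy photo/chat store showing the BOLA
# pattern described above. All users, photos and groups are constructed.
from dataclasses import dataclass

@dataclass
class Photo:
    photo_id: int
    owner: str
    private: bool

@dataclass
class Message:
    msg_id: int
    group: str
    author: str
    text: str

class Forbidden(Exception):
    pass

# Constructed sample data: two private photos and one chat group.
PHOTOS = {1: Photo(1, "alice", True), 2: Photo(2, "bob", True)}
GROUPS = {"g1": {"alice", "carol"}}
MESSAGES = {10: Message(10, "g1", "alice", "hi")}

# Vulnerable: trusts the client-supplied ID and never asks who is calling.
def get_photo_vulnerable(caller: str, photo_id: int) -> Photo:
    return PHOTOS[photo_id]

# Fixed: the object lookup is followed by an object-level authorization check.
def get_photo(caller: str, photo_id: int) -> Photo:
    photo = PHOTOS[photo_id]
    if photo.private and photo.owner != caller:
        raise Forbidden(f"{caller} may not view photo {photo_id}")
    return photo

# Vulnerable: any logged-in user can rewrite any message by changing the ID.
def edit_message_vulnerable(caller: str, msg_id: int, text: str) -> Message:
    MESSAGES[msg_id].text = text
    return MESSAGES[msg_id]

# Fixed: the caller must be in the group and must be the message's author.
def edit_message(caller: str, msg_id: int, text: str) -> Message:
    msg = MESSAGES[msg_id]
    if caller not in GROUPS[msg.group] or msg.author != caller:
        raise Forbidden(f"{caller} may not edit message {msg_id}")
    msg.text = text
    return msg
```

The check belongs in the API handler itself, keyed on the authenticated caller, not on anything the mobile client sends, because the client-side ID is exactly the value an intercepting proxy can rewrite.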
Article: How hackers access the APIs behind your mobile app
I recently read an interesting article by Dana Epp on how to hack mobile apps and APIs. It’s basically a step-by-step technical guide on how to connect the Burp Suite tool with an Android device in order to access and manipulate a mobile app’s API traffic. It also explains how to circumvent the latest Android security features as part of the setup.
The guide is technically detailed and well illustrated, making it easy to follow and set up your own mobile hacking environment. So it’s a great share for the benefit of other API enthusiasts.
One thing that stood out to me while reading this guide is that even though security is continually improving in mobile devices, software and hardware, hackers (ethical or otherwise) will always find a way to gain access.
What does this mean for mobile app development and security teams?
Teams must assume the app’s API traffic will be exposed and manipulated by hackers to probe and test for vulnerabilities. For that reason, API developers should follow secure API coding practices to remove or mitigate common risks, and consistently authorize all user requests to return only data that the user is specifically authorized to access.
Also, API testers will need to be just as creative and diligent as hackers to find ways to uncover API vulnerabilities, before mobile apps go into production and become prime targets.
Article: API Discovery – How to Achieve a complete API Inventory
In a recent article, Axel Grosse of 42Crunch discusses the challenges enterprise security teams face in establishing a comprehensive inventory of their API estate. As the article explains, API discovery is often mistaken for API security itself, rather than understood as just one facet of a bigger picture.
In the rush to find quick fixes, teams often overlook the fact that existing API knowledge and records are already available within the organization. It’s just a matter of knowing where to look and who to contact for directions.
Luckily, Axel has you covered! The article provides guidance for security teams on how and where exactly to begin API discovery. And, most importantly for API security, it asks the question, “now what?”
If you’re starting on the API discovery journey, or if you’re struggling with the “now what?” question, this article will give you some food for thought.
Report: API vulnerabilities costing companies up to $87 billion
An industry analysis of over 161,000 cybersecurity incidents reveals some interesting statistics about the risks and potential costs associated with API vulnerabilities.
The report published by Imperva estimates the average annual cost of API-related incidents worldwide is between $35 billion and $87 billion.
These losses associated with API incidents somewhat offset the benefits of API adoption, such as reduced operational costs and increased revenue. And as organizations expand their adoption of APIs, the cost and risks of API incidents also increase.
“On average, organizations have 613 API endpoints, providing many potential entry points for attackers.”
Some of the top API vulnerabilities identified in the report include BOLA, broken authentication, undocumented APIs, and automated bot attacks.
Organizations are advised to invest in comprehensive API security strategies to address these API vulnerabilities and their associated costs.
Article: How small mistakes create big API risks
In this article, Katie Paxton-Fear describes three different API security incidents she has encountered in her role as an ethical hacker.
One of the incidents involves broken authentication that could have led to a plane crash. Katie describes how her role often involves learning about the logic of an API and the functionality it’s supposed to provide in order to uncover vulnerabilities. Understanding how a relatively simple development mistake can lead to potentially serious real-world consequences is part of the role of an experienced ethical API hacker.
An important takeaway from the article is the importance of involving developers in finding and fixing API security issues, despite an already heavy workload. I completely agree that for teams to be successful in securing APIs, developers need to be invested and enthusiastic about the security of their API code, and organizations need to foster a culture of security.
I also recommend watching the full video presentation for more detail on API vulnerabilities.
By the way, I think the images in the article of vulnerable and not-vulnerable code may be accidentally reversed.
Report: API security a top priority for digital businesses in Asia
A survey of over 200 technology leaders at digital native businesses (DNB) across Asia highlights the top security concerns in 2024. API security tops the list of cybersecurity investment priorities, surpassing web application and anti-phishing security.
The report links the need for DNBs to deliver more services to customers, faster and at scale, to the growing adoption of APIs to build systems that can meet these needs. This increased reliance on APIs is driving technology leaders’ urgency to improve their API security posture.
The survey highlights why the need for API security is more acute for DNBs that are heavily invested in cloud-based technologies. APIs are widely used to support interconnected microservices running in the cloud, and also to support integration of cloud and on-premise systems and applications.
The report concludes that API security must be integrated into every step of the development process to protect against the various threats and methods used by hackers, including:
- API path parameter fuzzing
- malicious JSON payloads
- unauthorized API access
Secure API design, rigorous API testing, and a robust governance process for API lifecycle management are some of the essential and recommended steps to help mitigate the risk of API vulnerabilities.