Issue 262: API incidents in Invoice Ninja, McDonald’s & Truecaller apps, Jetbrains survey, Postman data leaks


This week, we examine three recent API security incidents, uncovering valuable lessons to help you protect your APIs. We also highlight key insights from Jetbrains’ comprehensive developer survey, and explore an article on how teams inadvertently leak API keys and tokens through their Postman workspaces and what you can do about it. 

Breach: Black-listing fails to block SSRF attack

A research team from Pretera has identified a critical server-side request forgery (SSRF) vulnerability in the popular invoicing software, Invoice Ninja. 

The root cause of the issue lies in the use of a blacklisting approach to mitigate such attacks. Specifically, the vulnerable code attempts to identify and strip out malicious strings from user input. For instance, the code aims to block SSRF attempts by detecting patterns like “file://” in user-submitted data.

However, by simply changing the input to use a different case, such as “File://”, researchers successfully bypassed the application’s security measures and executed the attack. This underscores a fundamental weakness of blacklisting: it cannot account for all possible variations of malicious input, making it a flawed and unreliable security mechanism.

I spent some time examining the underlying API traffic behind the Invoice Ninja application, and also found the API documentation online, which includes a schema definition for the API endpoint that processes the vulnerable data. If the API developers tighten the schema to explicitly define and allow only valid and expected data formats, then all other inputs, including this SSRF attack, could be blocked by default.

This alternative method of input validation (white-listing) significantly reduces the API attack surface, making it much harder for attackers to exploit vulnerabilities like SSRF, SQL injections, and path traversal attacks.

Breach: Unauthorized API access to McNuggets

This detailed writeup by a security researcher highlights API authorization vulnerabilities discovered in McDonald’s India’s online delivery system. These vulnerabilities allowed unauthorized users to view and modify the orders of other customers, exposing critical flaws in the API design. 

The underlying vulnerabilities, BOLA (Broken Object Level Authorization) and BOPLA (Broken Object-Property Level Authorization), are included in the OWASP API Security Top 10 list. These vulnerabilities typically arise from poor API security design, where developers fail to verify if a logged-in user has the necessary permissions to access a specific object (e.g. a food order) or to change an object’s properties (e.g. updating the delivery address or price of an order).

To prevent such issues, authorization requirements must be explicitly defined and thoroughly documented early in the API development process. These requirements should also be rigorously tested throughout the API lifecycle to ensure the authorization mechanisms are working as intended.
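The two checks described above, an object-level (BOLA) check and a property-level (BOPLA) check on an order endpoint, as an added example that is not part of this newsletter or of the McDonald’s system. The order store, field names and the customer-writable property set are constructed for illustration.

```python
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when the caller may not read or modify the requested object."""


# Properties a customer may change on their own order. Everything else
# (price, status, ...) is server-controlled. Constructed for this example.
CUSTOMER_WRITABLE = {"delivery_address", "notes"}


@dataclass
class Order:
    order_id: int
    owner_id: int
    items: list
    price_cents: int
    delivery_address: str
    notes: str = ""


# Constructed sample data standing in for the order database.
ORDERS = {
    1001: Order(1001, owner_id=7, items=["nuggets"], price_cents=599, delivery_address="1 Main St"),
    1002: Order(1002, owner_id=8, items=["fries"], price_cents=299, delivery_address="2 High St"),
}


def get_order(caller_id: int, order_id: int) -> Order:
    """Object-level check (BOLA): the caller must own the order it asks for."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != caller_id:
        # Same answer for "missing" and "not yours", so order IDs reveal nothing.
        raise AuthorizationError("order not found")
    return order


def update_order(caller_id: int, order_id: int, changes: dict) -> Order:
    """Property-level check (BOPLA): only documented customer-writable
    fields may be changed, and only after the object-level check passes."""
    order = get_order(caller_id, order_id)
    disallowed = set(changes) - CUSTOMER_WRITABLE
    if disallowed:
        raise AuthorizationError(f"fields not writable by customer: {sorted(disallowed)}")
    for key, value in changes.items():
        setattr(order, key, value)
    return order
```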

Fortunately for McDonald’s, this API vulnerability was ethically reported and fixed before the news got out about the potential for unlimited McNuggets at $0.01 USD!

Vulnerability: URL validation flaw in the Truecaller mobile App

A bug bounty report on HackerOne demonstrates how the Truecaller mobile app was vulnerable to XSS and SSRF attacks due to improper API input validation.

The targeted API was designed to accept a URL as input, making it an attractive target for hackers. By injecting a malicious URL, hackers could manipulate the API to execute unintended actions or expose sensitive data.

In this specific case, a security researcher crafted an input by appending a valid URL to a malicious one. The API’s validation mechanism only checked the valid portion of the input but still processed the malicious segment, leading to the vulnerability.

Similar attack patterns that misuse URL path endings have been observed in other cases. For instance, a reported vulnerability in the Apache Solr platform API allowed attackers to bypass authentication by exploiting poorly validated input.

These incidents underscore the critical need for robust input validation as a cornerstone of API security best practices. 
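The contrast drawn in the Invoice Ninja and Truecaller items above, a deny-list filter and a partial check on one side and full allow-list validation of the parsed URL on the other, as an added example that is not code from either application or advisory. The allowed hosts and the sample inputs are constructed for illustration.

```python
from urllib.parse import urlparse

# What the endpoint is documented to accept (constructed example values).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def blacklist_filter(url: str) -> str:
    """Deny-list style as described for Invoice Ninja: strip a known-bad
    substring and pass on whatever remains. It is case-sensitive, so a
    variant such as 'File://' goes through untouched."""
    return url.replace("file://", "")


def substring_check(url: str) -> bool:
    """Partial check of the kind the Truecaller report describes: the input
    is accepted if a valid-looking URL appears anywhere inside it."""
    return any(f"https://{host}" in url for host in ALLOWED_HOSTS)


def allowlist_validate(url: str) -> bool:
    """Positive validation: parse the whole input and require every
    component to match the schema. urlparse lowercases the scheme, so
    case variants are handled; anything unexpected is rejected by default."""
    parts = urlparse(url.strip())
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    if parts.hostname is None or parts.hostname.lower() not in ALLOWED_HOSTS:
        return False
    if parts.username or parts.password:  # reject user@host forms
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a case variant and a valid URL tacked onto an
    # unexpected scheme and host.
    for sample in ("File:///some/path",
                   "ftp://internal.example/path?next=https://api.example.com/v1",
                   "https://api.example.com/v1/invoices"):
        print(f"{sample!r}: after deny-list={blacklist_filter(sample)!r} "
              f"substring={substring_check(sample)} allowlist={allowlist_validate(sample)}")
```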

The collaboration between the Truecaller team and the security researcher who reported the vulnerability highlights the value of open communication in identifying and resolving API security issues. Even if you don’t have a formal bug bounty program, it’s essential to provide a clear and accessible channel, such as a dedicated contact page, for ethical reporting of discovered API vulnerabilities. 

Industry report: APIs matter to software developers

JetBrains recently released their “State of Developer Ecosystem” report, providing a comprehensive look at what mattered most to developers in 2024. The survey gathered insights from over 23,000 developers worldwide.

The report highlights interesting statistics on developers’ preferred programming languages, the testing methodologies they use, and the growing adoption of AI tools to streamline development tasks.

From an API perspective, the findings reveal that 49% of developers focus on writing code to integrate with APIs and services (API consumers), while 41% develop code to provide APIs and services (API producers). This data underscores the central role APIs play in modern software development.

A notable implication of this trend is the expanding attack surface as developers create and integrate more APIs. Each API serves as a potential entry point for attackers, so developers must take ownership of API security by incorporating best practices during the design and development phases to safeguard their systems.

For those seeking more insights, the raw data from this research is available for download and further analysis.

Vulnerability: Improper use of Postman Workspaces

A research team recently spent a year analyzing publicly accessible Postman workspaces and uncovered over 30,000 instances of leaked sensitive data, including API keys, credentials and access tokens. 

We’ve previously covered similar incidents in this newsletter where teams inadvertently leaked private API keys and access tokens on other platforms like DockerHub, GitLab and Dropbox. So the issue isn’t so much the platform, but rather the development teams’ insecure practices for handling sensitive API information.

The report provides some practical recommendations to secure your Postman workspaces which should help API teams to improve their security posture and avoid exposing APIs and services to unauthorized access. 

Given the prevalence of leaked API data, it’s also recommended for teams to carefully evaluate the security implications of their chosen API access control methods. API keys and access tokens come with different trade-offs between ease of implementation and the level of security provided.

For example, API keys are often simpler for developers to implement but typically lack expiration dates, leaving APIs more vulnerable to persistent attacks if compromised. In contrast, JWT-based access tokens usually expire automatically, reducing the risk from leaked tokens.  

For more information on token management best practices you can read this article.
