Issue 263: Trellix & Aviatrix API exploits, API risks in education, API configuration bugs & secure coding practices


This week, we have an interesting article on the dangers of API integrations in the education sector, and we cover recent incidents involving API vulnerabilities in two popular security platforms from Trellix and Aviatrix. We highlight a recent article by NordicAPIs on API misconfiguration vulnerabilities, and we share a useful list of recommended coding practices to remove common API vulnerabilities.

Article: Universities are vulnerable to API attacks

APIs are the backbone of integrations between diverse systems and applications, providing a standardized framework for data sharing.

This article explores the risks associated with API integrations in the education sector. It describes how APIs consolidate data from multiple sources into a single unified experience that benefits students' productivity. However, poorly implemented integrations can introduce vulnerabilities.

The education sector has increasingly become a target for cyberattacks. A 2023 Malwarebytes report revealed a 70% rise in attacks on educational institutions, underscoring the growing need for robust cybersecurity measures.

One of the key vulnerabilities discussed in the article is a common oversight in API design. When APIs are intended for direct consumption by external users, such as third-party developers, the need for strong security controls is often apparent. However, when APIs are designed for consumption by trusted, authorized users, developers often make the mistake of omitting those essential security controls, because they assume, incorrectly, that all incoming requests are valid.

Our research at APISecurity.io frequently highlights this issue, particularly with mobile applications. Developers often assume that requests come only from trusted clients. However, attackers can easily bypass client-side security controls and directly exploit vulnerable APIs.

The article emphasizes that secure APIs must be inherently self-protective. All user input should undergo rigorous inspection and validation within the API itself. API security should never be offloaded to the client.

Vulnerability: API bugs in Trellix Enterprise Security Manager

A recent disclosure on the HackerOne platform highlights two API vulnerabilities in the Trellix Enterprise Security Manager (ESM). These vulnerabilities were ethically reported by a researcher and addressed by Trellix in a November software update.

The first vulnerability involves a path traversal flaw, enabling attackers to manipulate the API path to access internal APIs on the server without authorization. By inserting a directory traversal pattern such as ..; into the URL, attackers can redirect the API to an unintended endpoint, exposing sensitive functionality.

The second vulnerability stems from improper input validation in JSON requests. The API accepts malicious commands injected into a name property, allowing attackers to create a reverse shell to their machine and gain full control of the API server.

These API vulnerabilities could be exploited to fully compromise the Trellix security platform. To mitigate such risks, API developers should strictly define and enforce precise API input paths and property values, reducing the attack surface for these types of exploits.

Breach: Hackers deliver malware via insecure Aviatrix API

The Aviatrix Controller, a widely used platform for managing security and encryption policies across multiple cloud environments, is another platform with reported API vulnerabilities. According to one report, attackers are already exploiting these vulnerabilities.

Researchers analyzing the platform's code discovered that while many API input parameters were sanitized using PHP's escapeshellarg function, some were not, leaving certain APIs exposed. This oversight enabled attackers to inject malicious input into the Aviatrix platform.

In their proof-of-concept, the researchers exploited the unsanitized parameter to send a curl request to the API server. The server processed the unsafe input and inadvertently executed the attacker’s curl request, establishing a callback to the attacker’s server. This test confirmed that an unauthenticated malicious user could execute arbitrary commands on the Aviatrix Controller through the vulnerable API.

This type of API vulnerability is very similar to the Trellix API vulnerability described earlier. A lack of validation of all input paths and parameters creates opportunities for attackers to exploit APIs.

To mitigate these risks, developers should follow best practices for input validation. The OWASP Input Validation Cheat Sheet provides valuable guidance to prevent such vulnerabilities in API code.
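The following Python validation layer is an added example, not code from Trellix, Aviatrix or the researchers, and it serves both incidents above: exact route allowlisting that refuses traversal patterns such as ..; before routing, a strict pattern for the JSON name property, and argv-based command construction so that no parameter ever reaches a shell unescaped (the route set, the name format and the helper tool path are assumptions for the demo).

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed validation layer (not Trellix's or Aviatrix's code) applying the
# lessons above: exact route allowlisting, strict property validation, and
# never handing user input to a shell.

# Only the routes the API is meant to expose; internal endpoints that a
# traversal pattern could otherwise reach are simply not in this set.
ALLOWED_ROUTES = {"/api/v1/reports", "/api/v1/users"}

# Strict allowlist for the JSON "name" property (assumed format for the demo).
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_path(raw_path: str) -> str:
    """Return the route if it is an exact allowlisted path, else raise ValueError."""
    path = unquote(raw_path.split("?", 1)[0])  # decode %2e%2e-style encodings first
    if "\\" in path or ";" in path:            # refuses the '..;' pattern outright
        raise ValueError("forbidden characters in path")
    if normpath(path) != path or ".." in path.split("/"):
        raise ValueError("path traversal rejected")
    if path not in ALLOWED_ROUTES:
        raise ValueError("unknown route")
    return path


def validate_name(body: dict) -> str:
    """Accept the 'name' property only when it matches the strict pattern."""
    name = body.get("name")
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        raise ValueError("invalid name property")
    return name


def build_command(name: str) -> list:
    """Argv list for a helper tool (hypothetical path), to be run with shell=False.

    Each list element is exactly one argument, so shell metacharacters in
    `name` are never interpreted. This is the job escapeshellarg does in PHP
    code that must build a shell string, and why every parameter needs it.
    """
    return ["/usr/local/bin/report-tool", "--name", name]


def run_report(body: dict) -> list:
    """Validate, then build the argv; returned rather than executed for inspection."""
    argv = build_command(validate_name(body))
    # Real code would call subprocess.run(argv, check=True); never shell=True.
    return argv
```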

Article: Lessons learned from API misconfigurations

A recent article on the Nordic APIs website highlights the risks associated with API misconfiguration vulnerabilities, which can lead to serious security breaches.

The article provides a list of common misconfigurations that often arise during the API development lifecycle. It also delves into a recent incident involving Microsoft Power Pages, where default roles and access rights created a security vulnerability. This case study underscores the critical importance of addressing misconfiguration bugs.

The OWASP framework also identifies how APIs can be vulnerable to security misconfigurations, such as missing or disabled security controls, exposing sensitive information in error stack trace messages, or forgetting to apply software patches and updates.

Some of the recommended prevention strategies include:

  • Ensuring all APIs are secured with HTTPS
  • Whitelisting only the HTTP methods that the API is intended to accept and process
  • Restricting error response messages to avoid exposing sensitive information

These measures can significantly reduce the likelihood of API-related security incidents.
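As an added example (not from the Nordic APIs article or OWASP), the minimal Python dispatcher below enforces the three measures above: plaintext requests are refused, each route carries its own HTTP method allowlist, and failures return only a correlation id while the stack trace stays in the server log. Routes, handlers and the sample data are constructed for the demo.

```python
import logging
import uuid

# Constructed example (not from the Nordic APIs article): a minimal request
# dispatcher enforcing the three prevention measures listed above. Requests
# and responses are plain dicts so it runs without a web framework.

log = logging.getLogger("api")


def _lookup_user(params: dict) -> dict:
    # Stand-in business logic; a missing record raises like a real DB layer might.
    if params.get("id") != "42":
        raise KeyError(f"no user {params.get('id')!r}")
    return {"id": "42", "role": "student"}


def _list_reports(params: dict) -> dict:
    return {"reports": ["grades-2024"]}


# Per-route allowlist of HTTP methods; anything else is answered with 405.
ROUTES = {
    "/api/v1/users": ({"GET"}, _lookup_user),
    "/api/v1/reports": ({"GET", "POST"}, _list_reports),
}


def handle(request: dict) -> dict:
    """Map {scheme, method, path, params} to {status, headers, body}."""
    # 1. HTTPS only: a plaintext request is refused rather than served.
    if request.get("scheme") != "https":
        return {"status": 403, "headers": {}, "body": {"error": "https required"}}
    # 2. Method allowlist per route.
    route = ROUTES.get(request.get("path"))
    if route is None:
        return {"status": 404, "headers": {}, "body": {"error": "not found"}}
    methods, fn = route
    if request.get("method") not in methods:
        return {"status": 405, "headers": {"Allow": ", ".join(sorted(methods))},
                "body": {"error": "method not allowed"}}
    # 3. Generic error responses: the exception and stack trace go to the server
    #    log under a correlation id; the client only gets the id to quote.
    try:
        return {"status": 200, "headers": {}, "body": fn(request.get("params", {}))}
    except Exception:
        ref = uuid.uuid4().hex
        log.exception("request failed ref=%s", ref)
        return {"status": 500, "headers": {},
                "body": {"error": "internal error", "ref": ref}}
```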

Article: Coding practices to remove common API vulnerabilities

Finally, this article provides a straightforward summary of common REST API vulnerabilities, along with practical guidance on mitigating risks in your APIs.

Vulnerabilities like BOLA (Broken Object Level Authorization), broken authentication, and insufficient input validation are often responsible for API exploits, data breaches, and leaks.

By understanding the root cause of these issues, and implementing the appropriate mitigation measures in the earliest stages of API development, you can proactively eliminate entire classes of vulnerabilities from your codebase.

You can use this article as a reference to security-test your own APIs against common threats.

