Issue 50: Harbor API vulnerability, and the dangers of CRUD APIs


This week, we take a look at Harbor's API vulnerability, the flawed architecture of CRUD-based apps, the effect of PSD2 on API security, and API security tooling.

Vulnerability: Harbor

Harbor is a popular open source container registry. This week, researchers have found about 1,300 Harbor endpoints affected by an API vulnerability.

The vulnerability is a classic case of a mass assignment API flaw. The API represents a data structure in an internal database: it takes the set of submitted properties and applies them to the database object as is. As a result, if attackers can guess the name of an internal property and include it in their request, they can overwrite that data in the database.

In this particular case, the vulnerable call was the POST request used to self-register a new user. It turned out that including "has_admin_role"=True in the API call set that property on the new user object. This made the new users administrators of the registry, allowing them to modify the registry as well as all the containers in the system.

Design flaws: CRUD APIs

One of the popular ways to design a modern application is:

  1. Take a database, such as MongoDB.
  2. Wrap the database in a simple CRUD REST API, meaning an API that has Create, Read, Update, and Delete methods for all data in the database.
  3. Create web and mobile clients around the data.

In her piece, Isabelle Mauny explains why this approach is flawed and leads to highly vulnerable systems. In fact, it directly leads to the A1, A3, A5, and A6 flaws from the OWASP API Security Top 10 list.

She also explains how to mitigate the vulnerabilities by adding a controller layer that isolates, formats, and filters data, and enforces authentication and authorization.
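The mass assignment pattern behind the Harbor flaw and the controller-layer mitigation described above, shown side by side as an added Go example (this is not Harbor's or Isabelle Mauny's code; the User struct, its field names and both handler functions are constructed for illustration):

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// User stands in for a registry user record stored in the database.
// The field names are constructed for this example, not Harbor's schema.
type User struct {
	Username     string `json:"username"`
	Email        string `json:"email"`
	HasAdminRole bool   `json:"has_admin_role"`
}

// RegisterVulnerable decodes the request body straight into the database
// object, so any property the client guesses (here has_admin_role) lands
// in the stored record: the mass assignment pattern described above.
func RegisterVulnerable(body []byte) (User, error) {
	var u User
	err := json.Unmarshal(body, &u)
	return u, err
}

// RegisterRequest is the controller-layer view of the self-registration
// call: only the fields a client is allowed to set exist on it.
type RegisterRequest struct {
	Username string `json:"username"`
	Email    string `json:"email"`
}

// RegisterSafe decodes into the allowlisted request type, rejects unknown
// properties outright, and builds the stored object itself, so privileged
// fields can only ever be set by server-side logic.
func RegisterSafe(body []byte) (User, error) {
	var req RegisterRequest
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&req); err != nil {
		return User{}, err
	}
	if req.Username == "" {
		return User{}, fmt.Errorf("username is required")
	}
	return User{Username: req.Username, Email: req.Email}, nil
}
```

Feeding both functions a constructed registration body that carries "has_admin_role": true shows the difference: the first returns a user with the admin flag set, the second returns a decode error naming the unknown field.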

Industry trends: PSD2, Open Banking, FAPI

PSD2 and Open Banking are forcing banks to open up APIs to their highly sensitive data. New research by Trend Micro looks into the API security risks that emerge as a result of this regulation.

On the one hand, regulation replaces the dangerous scraping approach and promotes secure authentication. This standardization helps reduce the issues that stem from ad hoc flawed API designs.

On the other hand, it also significantly expands the attack surface:

  • Proliferation of APIs that can be attacked
  • FinTech companies with potentially low cybersecurity expertise and resources
  • User attacks

Tools

API security tooling keeps on growing. Kristopher Sandoval from NordicAPIs has compiled a list of his favorite 20+ tools and resources for API security.
