This week, we check out the recent OAuth bypass at SEMrush, common JWT implementation mistakes and the Semgrep tool, regular expression denial of service (DoS) attacks, and a new online course on OAuth2 and OpenID Connect.
OAuth2 implementation can be tricky. SEMrush has fixed an OAuth
redirect_uri bypass reported by Yassine Aboukir.
The problem was in how SEMrush handled international domain names (IDN). IDNs can include non-Latin characters that might look similar or even identical to Latin ones. For example, the Cyrillic
е looks exactly like the English
e, but it is actually a completely different character.
In the case of SEMrush, the vulnerability was that their code did not differentiate non-Latin characters from Latin ones. Instead, homographs, such as
šemrush, were considered to be identical to
Thus, attackers could register a domain like
oauth.xn--emrush-9jb.com) and make an OAuth call where the
redirect_uri parameter was set to their domain. The system accepted this just fine and the redirect took the user to the attackers’ domain (
oauth.šemrush.com), not the vendor one (
Be careful when you implement OAuth2: use well-established and trusted solutions, and make sure that your validation for strings is strict.
Tooling: Common JWT mistakes and the Semgrep tool
JSON Web Token (JWT) security has been a recurring theme in this newsletter. For example, see the JWT security videos in issue 72, or check out the JWT toolkit in issue 88. Not to abandon a good theme, this week we have a recent summary of the recurring issues with JWT.
Vasilii Ermilov from R2C has analyzed 2,000 node package manager (npm) modules for different JWT security implementation flaws. The following is the list he compiled on the JWT mistakes that cropped up most often:
- Hardcoded secrets
- Allowing the
nonealgorithm for signing
- Incorrectly verified tokens (or no verification at all)
- Sensitive data exposure
Ermilov provides code examples for each of these mistakes, as well as rules to catch these issues with his company’s tool, Semgrep.
Cheat sheet: Preventing regex DoS
Regular expressions (regex) are a common way to define string parameter patterns for API inputs. However, the regex language is extremely flexible, and can easily be abused to create expressions that require enormous amounts of memory and compute power to evaluate. Such attacks are known as Regular Expressions Denial of Service (ReDoS).
James Davis has put together a cheat-sheet for ReDos attacks and how to mitigate them. A good resource to check out!
Training: OAuth2 and OpenID Connect
OAuth2 and OpenID Connect (OIDC) continue to be misunderstood and misimplemented, which leads to API vulnerabilities.
Philippe De Ryck has made his course “Introduction to OAuth 2.0 and OpenID Connect” available online for free (registration required).
The curriculum of the course includes:
- OAuth2.0 and OIDC concepts
- Using OAuth 2.0 with backend web clients
- Introduction to OIDC
- Mobile and native clients
- Frontend web clients
- Additional flows
Get API Security news directly in your Inbox.
By clicking Subscribe you agree to our Data Policy