Issue 93: API authentication flaw in Chingari, a guide to OAuth Authorization Code grant


This week, we have a report of a vulnerability in Google Sign In in a popular Indian video-sharing app, a new guide on typical OAuth implementation flaws, a tool for importing OpenAPI definitions into Burp, and a virtual training on API security.

Vulnerability: Chingari

Chingari is a popular Indian video-sharing app. With the latest steps by the Indian government to block TikTok and other Chinese apps, Chingari has gathered more than 10 million users.

Girish Kumar found that the app had a flaw in its API authorization. A user signs in with a Google ID but can then call the APIs to fetch the profile information of any other user in the system, simply by supplying that user's internal system ID:

https://youtu.be/GuGCfGSNmMQ

This is a classic API1:2019 Broken Object Level Authorization (BOLA/IDOR) vulnerability from the OWASP API Security Top 10.
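To make the pattern concrete, here is an added example (not Chingari's code, and with constructed users, tokens and field names) of a profile endpoint with the BOLA flaw next to a hardened version. The vulnerable handler only checks that the caller is signed in and then trusts the user ID in the request; the fixed handler checks that the caller owns the requested object and otherwise returns only a public projection of the profile:

```python
"""Added example, not Chingari's code: a minimal profile API showing the
broken object level authorization (BOLA/IDOR) pattern and its fix."""
from dataclasses import dataclass, field

# Constructed sample data: internal numeric IDs, profiles, and sessions
# that map a bearer token to the authenticated user's internal ID.
PROFILES = {
    1001: {"name": "alice", "email": "alice@example.invalid", "phone": "+91-0000000001"},
    1002: {"name": "bob", "email": "bob@example.invalid", "phone": "+91-0000000002"},
}
SESSIONS = {"token-alice": 1001, "token-bob": 1002}
PUBLIC_FIELDS = {"name"}  # fields any signed-in user may see about another user


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def authenticate(headers):
    """Return the caller's internal user ID from the bearer token, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):].strip())


def get_profile_vulnerable(headers, user_id):
    """BOLA: authentication is checked, but the object ID is trusted as-is."""
    if authenticate(headers) is None:
        return Response(401)
    profile = PROFILES.get(user_id)
    if profile is None:
        return Response(404)
    return Response(200, profile)  # full profile of ANY user


def get_profile_fixed(headers, user_id):
    """Object-level authorization: compare the caller to the object's owner."""
    caller = authenticate(headers)
    if caller is None:
        return Response(401)
    profile = PROFILES.get(user_id)
    if profile is None:
        return Response(404)
    if caller == user_id:
        return Response(200, profile)  # owner sees everything
    # Someone else's object: return only the public projection, never PII.
    return Response(200, {k: v for k, v in profile.items() if k in PUBLIC_FIELDS})
```

The key design point is that the authorization decision is made per object, inside the handler, using the identity from the session rather than anything the client sent in the path or body. Hiding internal sequential IDs behind opaque identifiers makes enumeration harder but is not a substitute for this check.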

Resources: An offensive guide to the Authorization Code grant

NCC Group has released a guide that, rather than offending you, provides a useful resource for the OAuth 2.0 Authorization Code flow.

“An offensive guide to the Authorization Code grant” by Rami McCarthy provides details of the possible vulnerabilities and how to locate them. The guide includes OAuth vulnerabilities in the different aspects of the flow, such as:

  • state
  • code
  • redirect_url
  • client_secret
  • Access token
  • Clickjacking

For each of these, McCarthy describes the typical usage scenario, how attackers (or pen testers) can exploit the vulnerability, and how to detect whether the vulnerability is present.
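As an added illustration of the state, code and redirect_uri checks the guide covers (this is example code, not NCC Group's or McCarthy's, and the client, authorization server, client ID, secret and redirect URI are all hypothetical), the following simulates both sides of the Authorization Code grant in one process. The client binds a fresh state value to the user's session and verifies it on the callback; the authorization server matches redirect_uri exactly against the registration, binds each code to the client and redirect_uri it was issued for, and accepts a code only once and only within its lifetime:

```python
"""Added example, not from the NCC Group guide: client- and server-side
checks in the OAuth 2.0 Authorization Code grant. All names are hypothetical
and the user agent's redirects are simulated by direct calls."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_TTL = 60  # seconds an authorization code stays valid (assumption)


class AuthorizationServer:
    def __init__(self):
        # Constructed client registration: exact redirect URIs and a secret.
        self.clients = {
            "demo-client": {
                "secret": "demo-secret",
                "redirect_uris": {"https://app.example/callback"},
            }
        }
        self.codes = {}  # code -> binding data; entry is removed on first use

    def authorize(self, client_id, redirect_uri, state):
        """Simulate user consent: return the redirect back to the client."""
        client = self.clients.get(client_id)
        # Exact match against the registered URI: no prefix/substring matching.
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("invalid client_id or redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "issued": time.time()}
        # state is echoed back unchanged so the client can verify it.
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(
                client["secret"].encode(), client_secret.encode()):
            raise PermissionError("bad client credentials")
        binding = self.codes.pop(code, None)  # single use: gone after this call
        if binding is None:
            raise PermissionError("unknown or already used code")
        if binding["client_id"] != client_id or binding["redirect_uri"] != redirect_uri:
            raise PermissionError("code not bound to this client and redirect_uri")
        if time.time() - binding["issued"] > CODE_TTL:
            raise PermissionError("code expired")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


class Client:
    CLIENT_ID = "demo-client"
    CLIENT_SECRET = "demo-secret"
    REDIRECT_URI = "https://app.example/callback"

    def __init__(self, server):
        self.server = server

    def start_login(self, session):
        """Generate an unguessable per-attempt state, tied to this session."""
        session["oauth_state"] = secrets.token_urlsafe(32)
        return self.server.authorize(self.CLIENT_ID, self.REDIRECT_URI,
                                     session["oauth_state"])

    def handle_callback(self, session, callback_url):
        params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        expected = session.pop("oauth_state", None)  # consumed on first callback
        received = params.get("state", "")
        if expected is None or not hmac.compare_digest(expected.encode(),
                                                       received.encode()):
            raise PermissionError("state mismatch: callback not tied to this session")
        return self.server.token(self.CLIENT_ID, self.CLIENT_SECRET,
                                 params.get("code", ""), self.REDIRECT_URI)
```

Each check maps to one item in the guide's list: a missing or unchecked state lets an attacker's callback be completed in a victim's session, a code that is reusable or not bound to its redirect_uri can be exchanged from the wrong place, and loose redirect_uri matching lets the code be delivered to an attacker-controlled URL. PKCE is omitted here for brevity; with a confidential client it is an additional binding, not a replacement for these checks.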

This is a nice addition to the “Penetration Tester’s Guide to Evaluating OAuth 2.0 – Authorization Code Grants” by Maxfield Chen that we covered in our issue 85.

Tools: Swagger-EZ

Swagger-EZ is a tool by Rhino Security Labs that lets you import OpenAPI REST API definitions into Burp.

This is not a Burp plugin, but rather a request generator. You proxy the API requests that the tool generates through your browser into Burp. Then, in Burp, you can modify the requests to actually simulate attacks.

Training: API Attacks Beyond the OWASP API Top 10

Like so many other events, OWASP AppSec Days are going virtual this year.

OWASP AppSec Days – Summer of Security – virtual training courses (July 28-29, 2020) start next week, with several courses running at the same time over the two days. For API security enthusiasts, we would recommend Jason Kent’s course “API Attacks Beyond the OWASP API Top 10”.
