This week, we have news of a recent API token breach affecting the popular Hugging Face AI portal and a vulnerability in the SonicWall firewall affecting 178,000 instances. We also have a comprehensive API security checklist and a guide on selecting the most suitable API gateway for Kubernetes environments. Finally, we have a practical guide on securing APIs using the Express framework and a pair of blogs from Dana Epp.
Breach: Hugging Face AI platform exposes API tokens
This week’s main news is recent research indicating large-scale leakage of API tokens on the popular Hugging Face AI portal.
Hugging Face hosts over 500,000 AI models and 250,000 datasets for developers working on LLMs and Generative AI projects and can be thought of as the GitHub for AI developers. The platform provides an API and Python library to enable developers to access their models and data. Security researchers at Lasso Security discovered that this API opened three potential AI security vulnerabilities (see the newly released OWASP Top 10 for LLM Applications), namely:
- Supply Chain Vulnerabilities: the large-language model (LLM) application lifecycle can be compromised by vulnerable components or services in the same way applications are vulnerable to supply chain attacks.
- Training Data Poisoning: training data can be tampered with, resulting in vulnerabilities or biases that compromise security, behavior, or biases.
- Model Theft: Models represent potentially valuable intellectual property and can be the target of theft via exfiltration.
The researchers used fairly basic methods to exfiltrate API keys from both GitHub and the Hugging Face platform. Both offer a search capability and by using a suitable regular expression term, they could identify API keys in public repositories. In their research, they discovered a total of 1,681 valid tokens, including high-value organizations such as Meta, Microsoft, Google, and Vmware. The keys had sufficient access rights to access Meta-Llama, Bloom, Pythia, and HuggingFace repositories fully.
The following recommendations will minimize the likelihood of similar vulnerabilities in the future:
- Do not store login information in public repositories
- Use multiple API keys and rotate them
- Be aware of third-party API usage
- AI tools need to handle data securely
- AI providers need to create trust in APIs and more
The other obvious recommendation is to ensure regular scans are run against repositories such as GitHub and Hugging Face to detect accidentally exposed tokens as early as possible, ideally before any adversary finds them.
Vulnerability: SonicWall firewall RCE vulnerability
The second vulnerability this week comes courtesy of research from Bishop Fox, who discovered a pair of vulnerabilities in the API of SonicWall’s next-generation firewall 6 and 7 families of devices. The first, tracked as CVE-2022-22274, was disclosed in March 2022, while the second, CVE-2023-0656, was revealed in March 2023.
For the technically minded, the research report from Bishop Fox makes an interesting read. It covers the initial vulnerability analysis, the development of a proof-of-concept exploit, and live scans to identify affected systems. The root cause was – as is so often the case – a buffer overflow vulnerability relating to their use of the __snprintf_chk() function. Their proof of concept exploit shows how an attacker could use this vulnerability to execute code capable of crashing the device – perfect for a denial of service attack against a firewall.
The researchers did note that the likelihood of an exploit in the real world was likely to be low since very specific combinations of hardware and firmware versions were necessary as preconditions for the exploit. The researchers also published a script on GitHub that allowed firewall users to determine if they were vulnerable to the exploit.
Their advice was to ensure that the web management interface (hosting the vulnerable endpoint) was either disabled or removed from the public network. Simultaneously, users of SonicWall firewalls are urged to upgrade to the latest firmware.
Article: API security checklist
API security best practices and checklists are always popular with readers, and this week, we have a good checklist courtesy of pentest provider Astra. Their list of nine items includes the following:
- Use API keys and/or common authentication: Avoid username/password authentication on APIs under all circumstances since these are easily bypassed and are difficult to change.
- Enforce transport layer security: Ensure that API data is encrypted in transit, both internally and externally, using TLS.
- Add rate limits to APIs: Prevent abuse and misuse of your APIs by enforcing rate limiting on all endpoints, including those involving an account reset process.
- Mitigate any exposure of data: Avoid exfiltrating excessive data. Instead, limit data to the minimum data required for the business function of the API.
- Implement zero-trust security: Assume all APIs will be accessible regardless of perimeter and explicitly enforce authentication and authorization for all APIs.
- Validate all user input for APIs: Never trust user-supplied input since this can be manipulated to leverage injection attacks or mass assignment vulnerabilities.
- Encode all output from the API: If the API output is being rendered directly (such as to a web page), ensure that output is encoded appropriately to prevent cross-site scripting attacks.
- Conduct regular API vulnerability scans: Run automated scans against API endpoints to identify common vulnerabilities.
- Carry out API penetration testing: Use API penetration testing providers who have the specialist skills necessary to identify API vulnerabilities.
This is a useful checklist to run against your APIs; thanks to the team at Astra for contributing.
Article: Choosing an API gateway for Kubernetes
Next, we have a guide from The New Stack on selecting the most suitable API gateway for your Kubernetes installations. Although focused on the capabilities of Ambassador’s Edge Stack, the guide gives useful selection criteria and guidance for selecting a solution.
If you are selecting a Kubernetes API gateway, you should look for Kubernetes-centric integrations; security and scalability; and operational ease, monitoring, and high performance. Whilst more conventional standalone gateways can be utilized in a Kubernetes environment, tighter integrations provide a better experience and greater functionality.
Deeper Kubernetes integration covers the following:
- Service discovery and dynamic routing: the gateway should automatically identify and interact with Kubernetes services.
- Native Kubernetes resource utilization: Leverage pods and ingress to achieve tight integration.
- Real-time responsiveness: Dynamically scale to cluster changes and adapt to changing environments.
For scalability and enhanced security, consider the following aspects:
- Elastic scalability: the gateway should be able to respond dynamically to traffic spikes and low-traffic periods.
- Load distribution: distribute workload across multiple environments and regions.
- Advanced security controls: leverage powerful authentication methods, SSL/TLS management, and rate limiting.
- DDoS mitigation.
Finally, for operational ease and performance, consider the following aspects:
- Intuitive user interface.
- Declarative configuration: since Kubernetes is typically configured declaratively, it makes sense that the gateway should support the same.
- Traffic insights: Provide granular traffic data and logs.
- Performance: Low latency is required for optimal user experience and scalable access.
There are some specific requirements for APIs, including:
- Diverse protocol handling: it may be advantageous to have a gateway that can convert between protocols such as REST, WebSockets, and gRPC.
- SSL termination and encryption management: centrally manage certificates for ease of use.
- API publishing and documentation: provide a central location for API documentation and available API inventory.
- Service mesh integration.
- Automation and CI/CD integration: Improves integration into existing DevOps processes.
An API gateway is an essential element in your API security armory; keep this guide in mind if you use Kubernetes.
Guide: Securing APIs built with Express
For readers with a development perspective, this guide on how to build secure APIs with the Express framework. Express is the most common web framework for Node.js based applications.
The guide covers a broad spectrum of topics, including:
- Input validation
- Output encoding
- CSRF protection
- SQL injection prevention
- Role-based access control (RBAC) using middleware
- Multi-factor authentication
- Password encryption and hashing
- Secure token-based authentication
- Secure password reset process
- Activity logging and monitoring
- Rate-limiting
This is a good guide to hands-on security using Express – worth bookmarking if you are an Express developer.
Guide: Dana Epp on rate limiting and NoSQL injection
Finally, we feature two more guides from Dana Epp. The first covers API rate limit testing, and the second covers bypassing API authentication using NoSQL injection.
The guide on bypassing API authentication bypassing using NoSQL injection was a fascinating read for me – like many; I perhaps had not fully appreciated the risks of injection attacks against NoSQL databases. As Dana’s guide shows, a skilled attacker can easily bypass authentication, shown here in meme form:
We have seen several mentions of rate limiting in this week’s edition, and the article from Dana gives an attacker’s perspective on how to test rate-limiting implementations to prevent outages to services. Be sure to test your rate limits to ensure they behave as you expect.
Event: 42Crunch at API Summit in Austin
The Austin API Summit 2024 is approaching fast! Don’t miss your chance to join us on March 12-13th in Austin, TX – to meet industry colleagues, get inspired, and gather knowledge about the technology, trends and best practices shaping today’s API economy.
The event includes a fantastic lineup of speakers who will discuss many different aspects and best practices of API design, security, documentation, management, and more.
To get a 15% discount please use the following coupon code “sponsor15”.
Get API Security news directly in your Inbox.
By clicking Subscribe you agree to our Data Policy