Issue 216: Hacking a .Net application, state of API security report, myths of API security

This week, we have another excellent guide from Dana Epp, this time focusing on hacking .Net applications in the real world. We have coverage on the recent Radware 2022 state of API security report and views from Matthew Reinbold on using ChatGPT for API design.

Article: Real-world guide to hacking a .Net application

Dana Epp has contributed a lot of content to this newsletter over the last year, and he returns with an excellent deep dive on how to hack .Net based APIs and applications. I particularly enjoyed the article since it is written with a different perspective from many hacking guides โ€” Epp’s approach is to understand the host environment and use reverse engineering techniques to attack the hosted APIs and applications. As powerful as many modern environments are, they do have one glaring weakness โ€” they tend to leak a lot of the implementation detail.

During the reconnaissance of an API-based application, Epp discovered that the application was built on the .Net framework. By using Burp Repeater and a wordlist of interesting input, he could exfiltrate multiple files via the endpoint. One of these files was the /etc/passwd local file which indicated that he had unearthed a local file inclusion (LFI) issue. The fact that the path was a Linux path indicated the host was not Windows-based. Epp then determined the exact host OS and the fact that the application was hosted within a container. He then discovered that he could access the /app/appsettings.json and /app/appsettings.Development.json files that determine various application metadata in a .Net application.

With a final piece of luck (via overly verbose logging messages), he determined the full assembly filename (and hence location) for the application DLL in the form <Company>.<Component>.dll. Armed with a local file inclusion vulnerability and the exact path of the DLL, it was a series of simple steps for Epp to reverse engineer the full source code of the API. He then discovered both a command injection and SQL injection vulnerability in the code, which he could use for the rest of this research.

This write-up reveals how easy it is to gain access to the full source code of an application running in a containerized .Net environment. A few key learning points here include:

  • Always harden your application environment. In this case, the Debug artifacts existed in standard locations.
  • Using default settings and locations makes attacks easy โ€” consider using non-standard paths and naming conventions.
  • Remember that your source code is always available in bytecode-based runtimes such as .Net and JVM.
  • Whilst containers offer tremendous convenience to application developers, they are transparent to an attacker.

Beyond the environmental issues detailed above, the API itself had two fundamental issues: command injection and SQL injection. Both of those classes of flaws can be eliminated using Static Code Analysis (SAST) during development.

A great article showing how easily a skilled attacker can achieve total pwnage.

Report: Radware’s 2022 state of API security report

Radware recently released the findings of its sponsored research into the state of API security in 2022. The full report, conducted with Enterprise Management Associates, is worth reading (requires registration), but in brief, the key takeaway is that over half of organizations believe their APIs are not properly protected. Even those who feel protected may be operating with a false sense of security.

Taken directly from the report, the following key figures highlight the report findings:

  • 59% are running most of their applications in the cloud.
  • 92% has seen increases in API use.
  • 62% indicated that over a third of their APIs are undocumented.
  • 74% believe that containers and microservices are more secure by default.
  • 65% believe that open-source code is more secure.
  • 70% believe they have visibility into applications processing sensitive data.
  • 44% reported that their APIs were already well protected.

Article: Dispelling the myths and false beliefs of API security

Next is a deeper dive from Yaron Azerual of Radware into the report’s findings. Azerual draws on the results of the 203 companies from across Europe, Asia, and North America, giving a real-world insight into API security.

The first takeaway is that undocumented APIs pose a substantial and underestimated threat to organizations. This will come as no surprise to readers of this newsletter, where we frequently report the danger of unknown inventory in the form of shadow or zombie APIs. Unfortunately, the report stops short of concrete recommendations on dealing with undocumented APIs at scale.

The second takeaway is the fact that API attacks are largely undetected, with only half of the companies feeling confident that their existing tools were effective at detecting attacks. This gap in detection may result in organizations grossly underestimating the real risk that APIs attacks present to this organization. Certainly, the recent Twitter API vulnerability suggested that the issue had remained undetected for some considerable time before being addressed.

The final takeaway is also unsurprising โ€” one-third of companies report that bot-based attacks are their number one concern. This serves to highlight how more traditional protection defense mechanisms, such as API gateways and traditional WAFs, do not offer sufficient protection against complex, distributed bot attacks.

The author concludes with the following false assumptions pertaining to API security:

  • “A WAF will protect our APIs and applications”
  • “An API gateway will manage and protect our APIs”
  • “The APIs we are using are well-documented, enabling effective protection”

This is a timely and useful report and correlates well with the evidence I am seeing from real-world API breach data over the last year.

Article: Using ChatGPT for API design

Finally, this week we have views from Matthew Reinbold on using ChatGPT for API design. By now, I’m sure we have all had a chance to experiment with ChatGPT in some capacity; certainly, I have been looking at its rather impressive capabilities to generate API server stubs and to explain common API vulnerabilities.

In this article, Reinbold showcases his experiments with using ChatGPT to assist with coding an OpenAPI Pet Store 3.o backend. Starting with the specification, he asked ChatGPT to write a list of jobs-t0-be-done to implement the backend, and in his own words, the result “is much better than I had anticipated”. ย He then used the memory feature of ChatGPT to generate some Node.js code for CRUD endpoints and then asked it to add basic pagination to the list endpoint.

Reinbold concludes:

That said, I’ve gotten more support here from an inanimate language model than I ever did from a senior engineering “mentor” during my career. Thatโ€™s something.

Industry News: 42Crunch recognized as a finalist in the Microsoft Security Excellence Awards

42Crunch announced it is a Security Software Innovator award finalist in the Microsoft Security Excellence Awards. The company was honored among a global field of industry leaders that demonstrated success across the security landscape during the past 12 months.

On April 24, 2023, Microsoft will announce the awards winners, honoring partner trailblazers, solution innovators, customer champions, and changemakers.

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy