This week, we check out the recent API vulnerabilities at VMware and GitLab, how URL parameters can lead to server-side request forgery (SSRF) vulnerabilities, and the upcoming webinar on some of the recent real-life API security flaws.
VMware has just patched two critical security issues in their vRealize Operations API. The patched vulnerabilities are CVE-2021-21975 and CVE-2021-21983, and affect the products Cloud Foundation and vRealize Suite Lifecycle Manager.
As it often happens with vendor patch announcements, details are scant. Hopefully, after the embargo period is over, the researcher who reported the issues (Egor Dimitrenko from Positive Technologies) will publish a detailed write-up on how he came upon them.
For now, all we have are these quotes from the VMware patch announcement:
Neither sounds very palatable, so if you are affected by these vulnerabilities, do go and install the patch as soon as possible.
And if you are on the API provider side, make sure to define and enforce strict patterns for URL parameters and enforce paths for all REST API calls.
Muthu Prakash found a vulnerability related to user permissions in GitLab. In private GitLab projects, users demoted to the Guest role lost their access to merge requests on the GitLab UI (as expected.) However, they could still get to the merge requests through APIs. GitLab has since fixed the issue.
This is an example of what happens when access to data and functionality is controlled by the UI. If (when) attackers go directly against the APIs behind the UI, they can simply bypass the UI limitations. They can find the required endpoints and parameters simply by proxying the calls while using a more powerful user account.
SSRF vulnerabilities (that already made their entrance here in the VMware case a few paragraphs up!) happen when attackers make API or web app servers invoke malicious HTTP requests that they supplied.
SSRF attacks can be very dangerous because the servers are within the API provider’s infrastructure and often run under powerful accounts. Calls from the server may be considered internal and could bypass a lot of security checks.
A researcher called secureITmania has written a nice case study on an SSRF vulnerability found in an undisclosed API for PDF generation. A quick recap:
urlparameter provided results showing that the command was indeed executed, indicating the vulnerability:
cat /etc/passwdrequest, thus extracting sensitive account information and proving the vulnerability:
This shows well how dangerous URL parameters are. Make sure you provide strict pattern definitions for them in your API definition and enforce the defined patterns before the value ends up in the backend for processing.
In this newsletter, we typically have a couple of API vulnerabilities every week, give a quick overview, and link it to the original story.
Next week, we will be trying out a new format: a webinar that goes into the details of a few of such vulnerabilities.
Next Thursday, April 15, at 8 am PST, yours truly (Dmitry Sotnikov) will be presenting a webinar: “Dissecting the Biggest API Breaches from Q1 2021“.
I will take a few of the illustrative API vulnerabilities from the first quarter of the current year and dig deeper into the details of them:
If this format proves successful, we plan to start hosting similar webinars regularly. Register here to reserve your spot, join the webinar, and do provide us feedback.
You can subscribe to this newsletter at APIsecurity.io.
Источник: DZone Securityapi apis api security newsletter cybersecuity ssrf
What Is GitOps and Why Is It Such a Big Deal? According to Weaveworks, the company who coined the term "GitOps," defining the term is two-fold. First, it is "an operating model for Kubernetes and other cloud-native technologies, providing a set of be...... читать далееcloud devops kubernetes interview podcast gitops coding over cocktails
When connecting an iOS or Android app built using Expo to your data endpoints hosted on your localhost, you might hit a couple of roadblocks in terms of connectivity. This article covers ways to fix that issue in the subsections below. SAME Wi-Fi Tal...... читать далееtutorial android web development mobile app development ios expo
This is a two-part series to help you get started with Rust and Kafka. We will be using the rust-rdkafka crate which itself is based on librdkafka (C library). In this post, we will cover the Kafka Producer API.... читать далееtutorial big data web dev kafka rust
В кодовую базу XWayland, DDX-компонента (Device-Dependent X), обеспечивающего запуск X.Org Server для выполнения X11-приложений в окружениях на базе Wayland, приняты изменения, позволяющие задействовать аппаратное ускорение отрисовки на системах с...... читать далее