API Security Weekly: Issue #128 | DevsDay.ru


DZone Security, April 8, 2021, Dmitry Sotnikov


This week, we check out the recent API vulnerabilities at VMware and GitLab, how URL parameters can lead to server-side request forgery (SSRF) vulnerabilities, and the upcoming webinar on some of the recent real-life API security flaws.

Vulnerability: VMware vRealize Operations API

VMware has just patched two critical security issues in their vRealize Operations API. The patched vulnerabilities are CVE-2021-21975 and CVE-2021-21983, and affect the products Cloud Foundation and vRealize Suite Lifecycle Manager.

As often happens with vendor patch announcements, details are scant. Hopefully, once the embargo period is over, the researcher who reported the issues (Egor Dimitrenko from Positive Technologies) will publish a detailed write-up on how he found them.

For now, all we have are these quotes from the VMware patch announcement:

  • The vRealize Operations Manager API contains a Server Side Request Forgery. A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.
  • The vRealize Operations Manager API contains an arbitrary file write vulnerability. An authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying photon operating system.

Neither sounds very palatable, so if you are affected by these vulnerabilities, do go and install the patch as soon as possible.

And if you are on the API provider side, make sure to define and enforce strict patterns for URL parameters and enforce paths for all REST API calls.

Vulnerability: GitLab

Muthu Prakash found a vulnerability related to user permissions in GitLab. In private GitLab projects, users demoted to the Guest role lost their access to merge requests in the GitLab UI (as expected). However, they could still get to the merge requests through the APIs. GitLab has since fixed the issue.

This is an example of what happens when access to data and functionality is controlled by the UI. If (when) attackers go directly against the APIs behind the UI, they can simply bypass the UI limitations. They can find the required endpoints and parameters simply by proxying the calls while using a more powerful user account.
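The fix for this class of bug is to make the API handler evaluate the same authorization policy the UI does, rather than relying on hidden menu items. The following is an added example, not GitLab's code: the roles, the "Reporter or above in a private project" rule, the project and the user names are a model constructed for illustration. It puts the defective shape (an API endpoint that only checks membership) next to the corrected one, which shares a single policy function with the UI.

```python
"""Authorization decided by one policy that both the UI and the API call.

Added example; the roles and the rule are a model constructed for this
illustration, not GitLab's code. Rule assumed: merge requests of a public
project are readable by anyone; in a private project the caller must be a
member with at least the Reporter role, so a Guest sees none.
"""
from dataclasses import dataclass
from enum import IntEnum


class Role(IntEnum):
    GUEST = 10
    REPORTER = 20
    DEVELOPER = 30
    MAINTAINER = 40


@dataclass
class Project:
    name: str
    private: bool
    members: dict         # username -> Role
    merge_requests: dict  # merge request id -> title


class Forbidden(Exception):
    """The caller may not perform the action; an HTTP handler would map this to 403."""


def can_read_merge_requests(project: Project, user: str) -> bool:
    """Single source of truth for the policy; every surface must call this."""
    if not project.private:
        return True
    role = project.members.get(user)
    return role is not None and role >= Role.REPORTER


def ui_list_merge_requests(project: Project, user: str) -> dict:
    """The web UI: hides the merge request page when the policy says no."""
    if not can_read_merge_requests(project, user):
        return {}
    return dict(project.merge_requests)


def api_list_merge_requests_unsafe(project: Project, user: str) -> dict:
    """Shape of the defect the newsletter describes (constructed, not GitLab's
    code): the endpoint only checks that the caller is some member, so a
    demoted Guest still receives what the UI hides."""
    if user not in project.members:
        raise Forbidden(user)
    return dict(project.merge_requests)


def api_list_merge_requests(project: Project, user: str) -> dict:
    """Fixed endpoint: the same policy function as the UI, evaluated server-side."""
    if not can_read_merge_requests(project, user):
        raise Forbidden(user)
    return dict(project.merge_requests)


# Constructed sample data: a private project with a maintainer and a guest.
PROJECT = Project(
    name="internal-billing",
    private=True,
    members={"alice": Role.MAINTAINER, "bob": Role.GUEST},
    merge_requests={1: "Rotate payment API keys", 2: "Fix invoice rounding"},
)


def _count_or_403(handler, project: Project, user: str):
    try:
        return len(handler(project, user))
    except Forbidden:
        return "403"


def demo(project: Project = PROJECT) -> dict:
    """For each caller, how many merge requests each surface returns (or 403).
    alice (Maintainer) sees 2 everywhere; bob (Guest) sees 0 in the UI but 2
    through the unsafe API and 403 through the fixed one; carol (non-member)
    is refused by both API variants."""
    return {
        user: {
            "ui": len(ui_list_merge_requests(project, user)),
            "api_unsafe": _count_or_403(api_list_merge_requests_unsafe, project, user),
            "api_fixed": _count_or_403(api_list_merge_requests, project, user),
        }
        for user in ("alice", "bob", "carol")
    }


if __name__ == "__main__":
    for user, outcome in demo().items():
        print(user, outcome)
```

The point of the shape is that `can_read_merge_requests` is the only place the rule lives; a test that calls every endpoint with a Guest account (the "proxy the calls with a weaker account" check the paragraph describes, run by the defender) then fails the moment any endpoint stops going through it.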

API URL Parameters and SSRF

SSRF vulnerabilities (which already made their entrance in the VMware case a few paragraphs up!) happen when attackers get an API or web app server to issue HTTP requests to destinations that the attacker supplied.

SSRF attacks can be very dangerous because the servers are within the API provider’s infrastructure and often run under powerful accounts. Calls from the server may be considered internal and could bypass a lot of security checks.

A researcher called secureITmania has written a nice case study on an SSRF vulnerability found in an undisclosed API for PDF generation. A quick recap:

  1. The API accepted a URL as a parameter. Such APIs are often vulnerable to SSRF:
    https://www.example.com/api/v03/create_pdf?url=http://testsite.com&cookies=a&server=web
  2. Replacing the URL with a Burp Collaborator link allowed the researcher to observe how the API backend interacted with the `url` parameter:
    https://www.example.com/api/v03/create_pdf?url=http://<burp-collaborator-link>&cookies=a&server=web
  3. Adding the command `whoami` to the `url` parameter returned output showing that the command was indeed executed, indicating the vulnerability.
  4. The researcher then managed to send in a `cat /etc/passwd` request, thus extracting sensitive account information and proving the vulnerability.

This shows how dangerous URL parameters can be. Make sure you provide strict pattern definitions for them in your API definition and enforce the defined patterns before the value ends up in the backend for processing.
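The advice in the VMware section (strict patterns for URL parameters, enforced paths for every REST call) and the advice just above amount to a positive security model: only declared operations, only declared parameters, every value fully matched against its pattern, and the URL parameter additionally restricted to an allowlist of hosts before the backend ever sees it. The block below is an added example, not the newsletter's or any vendor's code. The operation path and the `url`, `cookies` and `server` parameter names, plus `server=web`, come from the case study recapped above; the patterns, the allowed hosts, the `print` value and the https-only rule are assumptions made for the example (the case study's own calls used plain http, which this validator would refuse).

```python
"""Positive-model validation of REST API calls: known operations only, known
parameters only, each value matched against a strict pattern, plus host
allowlisting for the URL parameter before anything reaches the backend.

Added example, not the newsletter's or any vendor's code. Patterns, allowed
hosts, the `print` value and the https-only rule are assumptions.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Hosts the PDF renderer is allowed to fetch from (constructed allowlist).
ALLOWED_HOSTS = {"testsite.com", "docs.example-customer.net"}

# DNS hostname: dot-separated labels of letters, digits and hyphens, two or more labels.
HOSTNAME = (
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+"
)
# https only, optional port, optional path. The path class is deliberately
# narrower than RFC 3986: no spaces, quotes, `;`, `$`, parentheses or backticks,
# so nothing that is not a plain URL can travel onward to the renderer.
URL_PATTERN = re.compile(r"https://" + HOSTNAME + r"(?::\d{1,5})?(?:/[A-Za-z0-9._~%/-]*)?")

# The API's positive model: each operation with every parameter it accepts and
# the pattern the value must fully match (what an OpenAPI `pattern` would declare).
API_SCHEMA = {
    ("GET", "/api/v03/create_pdf"): {
        "url": URL_PATTERN,
        "cookies": re.compile(r"[A-Za-z0-9_-]{1,64}"),
        "server": re.compile(r"web|print"),
    },
}


class RequestRejected(ValueError):
    """The request does not fit the declared API; an HTTP layer would answer 400."""


def check_url_parameter(value: str) -> str:
    """Semantic checks on top of the pattern: no IP literals, allowlisted hosts
    only, https port only. Returns the value unchanged when it passes."""
    parts = urlsplit(value)
    host = parts.hostname or ""  # urlsplit lowercases the host for us
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise RequestRejected("url: literal IP addresses are not accepted")
    if host not in ALLOWED_HOSTS:
        raise RequestRejected(f"url: host {host!r} is not in the allowlist")
    try:
        port = parts.port
    except ValueError as exc:  # e.g. a port number out of range
        raise RequestRejected("url: invalid port") from exc
    if port not in (None, 443):
        raise RequestRejected("url: only port 443 is accepted")
    return value


def validate_request(method: str, path: str, query: str) -> dict:
    """Validate one incoming call against the schema; return the accepted
    parameters as a dict or raise RequestRejected."""
    schema = API_SCHEMA.get((method.upper(), path))
    if schema is None:
        raise RequestRejected(f"unknown operation {method} {path}")
    try:
        pairs = parse_qsl(query, keep_blank_values=True, strict_parsing=True)
    except ValueError as exc:
        raise RequestRejected("malformed query string") from exc
    accepted = {}
    for name, value in pairs:
        pattern = schema.get(name)
        if pattern is None:
            raise RequestRejected(f"unexpected parameter {name!r}")
        if name in accepted:
            raise RequestRejected(f"duplicate parameter {name!r}")
        if not pattern.fullmatch(value):
            raise RequestRejected(f"parameter {name!r} does not match its declared pattern")
        accepted[name] = value
    missing = sorted(set(schema) - set(accepted))
    if missing:
        raise RequestRejected(f"missing parameters: {missing}")
    if "url" in accepted:
        check_url_parameter(accepted["url"])
    return accepted


def is_rejected(method: str, path: str, query: str) -> bool:
    """True when validate_request refuses the call."""
    try:
        validate_request(method, path, query)
    except RequestRejected:
        return True
    return False


if __name__ == "__main__":
    print(validate_request("GET", "/api/v03/create_pdf",
                           "url=https://testsite.com/report&cookies=a&server=web"))
    print(is_rejected("GET", "/api/v03/create_pdf", "url=https://127.0.0.1/&cookies=a&server=web"))
```

Because the hosts are allowlisted by name, the validator needs no DNS lookups. An API that must accept arbitrary hosts cannot stop at this point: the component that performs the fetch then has to resolve the name, refuse loopback, link-local and private ranges at connection time, and apply the same rule again on every redirect.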

Webinar: Dissecting the Biggest API Breaches From Q1 2021

In this newsletter, we typically have a couple of API vulnerabilities every week, give a quick overview, and link it to the original story.

Next week, we will be trying out a new format: a webinar that goes into the details of a few of such vulnerabilities.

Next Thursday, April 15, at 8 am PST, yours truly (Dmitry Sotnikov) will be presenting a webinar: “Dissecting the Biggest API Breaches from Q1 2021”.

I will take a few of the illustrative API vulnerabilities from the first quarter of the current year and dig deeper into the details of them:

  • The story behind the attack or vulnerability
  • Potential or actual business impact
  • What went wrong?
  • The OWASP API Security classification
  • What could have been done to prevent the attack?
  • Relevant technology that could have helped
  • Answers to questions from the audience

If this format proves successful, we plan to start hosting similar webinars regularly. Register here to reserve your spot, join the webinar, and do provide us feedback.

You can subscribe to this newsletter at APIsecurity.io.

Source: DZone Security

api apis api security newsletter cybersecurity ssrf
