Issue 109: API token best practices, Dredd, IDOR hunting tips 🔬

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #109
API token best practices, Dredd, IDOR hunting tips
This week, another API has been leaking voter data in the US, we take a look at Dynatrace’s API token best practices as well as Dredd, an open-source OpenAPI verification tool, and there is a video with tips on locating broken object-level authorization vulnerabilities in APIs.
Vulnerability: Trump campaign’s post-election site

Although the campaigns are finally over, the US elections still feature in our newsletter. This time the dubious star of the week is the website that the Trump campaign launched to collect anecdotal evidence of voting issues. Unsurprisingly, researchers found that the APIs behind the site were poorly protected and leaking voter information.

The first issue was that an API behind the site allowed bulk retrieval of voter registration data. Secondly, the API key and application ID required for the API calls could easily be found and reused. This way, attackers could programmatically crawl through the data set and scrape the personal details to build a nice asset for further attacks.

The API in question has since been removed from the page.

In addition to this, there have been allegations of SQL injection that would allow retrieving a lot more data from the underlying database, as well as allegations of the site leaking the last 4 digits of social security numbers (SSNs) and dates of birth on top of voter names and addresses.

We covered in our issue 102 how both campaigns’ mobile apps also had API vulnerabilities.

Best practices: API tokens

API tokens (API keys) can be pretty much anything, so it is always good when companies share their design decisions and the rationale behind them. Barbara Schachner from Dynatrace has written a blog post on the new API token format that they have adopted.

All API tokens there now consist of 3 sections, separated by dots:

  1. The dt0c01 prefix, to clearly separate Dynatrace tokens from others.
  2. A 24-character public alphanumeric string that is both unique as well as safe to display on the UI and write to logs for troubleshooting and account identification.
  3. A 64-character secret alphanumeric string that acts as the password, never to be shared or made visible anywhere.

Dynatrace have also shared a regular expression for token detection and are working with GitHub to get the GitHub secret scanning service to automatically detect their tokens in committed source code.
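As an added illustration of why the three-section layout is useful (this is not Dynatrace's code, and the detection regex below is an assumption modelled on the layout described above, not the one Dynatrace published), here is how a service can log only the public section, store just a hash of the secret, and scan text for leaked tokens:

```python
import hashlib
import hmac
import re
import secrets
import string

PREFIX = "dt0c01"  # section 1: fixed prefix identifying the token family
ALPHABET = string.ascii_letters + string.digits
PUBLIC_LEN, SECRET_LEN = 24, 64

# Assumed detection pattern modelled on the three-section layout; not the
# regular expression Dynatrace published.
TOKEN_RE = re.compile(r"\bdt0c01\.[A-Za-z0-9]{24}\.[A-Za-z0-9]{64}\b")


def generate_token() -> str:
    """Build prefix.public.secret, drawing both random sections from a CSPRNG."""
    public = "".join(secrets.choice(ALPHABET) for _ in range(PUBLIC_LEN))
    secret = "".join(secrets.choice(ALPHABET) for _ in range(SECRET_LEN))
    return f"{PREFIX}.{public}.{secret}"


def parse_token(token: str):
    """Split a token into its three sections, rejecting anything off-format."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("not a well-formed token")
    prefix, public, secret = token.split(".")
    return prefix, public, secret


def log_safe(token: str) -> str:
    """The form that is safe to write to logs or show in a UI: secret redacted."""
    prefix, public, _ = parse_token(token)
    return f"{prefix}.{public}.<redacted>"


def fingerprint(secret: str) -> str:
    """The server keeps only a hash of the secret, keyed by the public section."""
    return hashlib.sha256(secret.encode()).hexdigest()


def verify(token: str, store: dict) -> bool:
    """Look up the record by public section, then compare hashes in constant time."""
    try:
        _, public, secret = parse_token(token)
    except ValueError:
        return False
    expected = store.get(public)
    return expected is not None and hmac.compare_digest(fingerprint(secret), expected)


def find_leaked_tokens(text: str) -> list:
    """What a secret scanner does: locate complete tokens inside committed text."""
    return TOKEN_RE.findall(text)
```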

Tools: Dredd

If left unchecked, API responses may leak data (see OWASP API3:2019 — Excessive data exposure) and lead to further attacks and breaches. Thus, it is important to ensure that your APIs only return the data they are supposed to return, and that new versions of the API don’t accidentally change that.

Dredd is an open-source tool that can help with that. It is a response verifier that takes examples from the OpenAPI definition of the API, invokes the API, and then compares the received responses to what is declared in the OpenAPI specification.

A handy way to keep on top of your API responses, and you can integrate it into your test suite.

(Dredd is kind of an open-source alternative to a subset of the 42Crunch Conformance Scan. The difference is that Dredd only looks at API responses while 42Crunch also ensures that the calls outside the contract – different paths, verbs, parameters, payloads, patterns, etc. – also get rejected.)
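To make the response-versus-contract check concrete, here is an added, minimal verifier written for this newsletter as an illustration (it is not Dredd's code and does not reproduce Dredd's full algorithm). It reads the declared 200 response schema from a constructed OpenAPI fragment and flags undeclared fields, missing required fields and type mismatches in a received body:

```python
import json

# Constructed OpenAPI fragment for this example: what GET /voters/{id} may return.
# additionalProperties: false is what lets a verifier treat any extra field as
# excessive data exposure.
OPENAPI = {"paths": {"/voters/{id}": {"get": {"responses": {"200": {
    "content": {"application/json": {"schema": {
        "type": "object",
        "required": ["id", "name"],
        "additionalProperties": False,
        "properties": {"id": {"type": "integer"},
                       "name": {"type": "string"},
                       "county": {"type": "string"}},
    }}}}}}}}}

PY_TYPES = {"integer": int, "number": (int, float), "string": str,
            "boolean": bool, "object": dict, "array": list}


def check_body(schema, body, path="$"):
    """Return a list of violations of `schema` by `body`; empty means conforming."""
    kind = schema.get("type")
    wrong_type = kind in PY_TYPES and (not isinstance(body, PY_TYPES[kind])
                                       or (kind in ("integer", "number") and isinstance(body, bool)))
    if wrong_type:
        return [f"{path}: expected {kind}, got {type(body).__name__}"]
    if kind != "object":
        return []
    problems, props = [], schema.get("properties", {})
    for name in schema.get("required", []):
        if name not in body:
            problems.append(f"{path}.{name}: required field missing")
    for name, value in body.items():
        if name in props:
            problems.extend(check_body(props[name], value, f"{path}.{name}"))
        elif schema.get("additionalProperties", True) is False:
            problems.append(f"{path}.{name}: undeclared field returned (excessive data exposure)")
    return problems


def verify_response(spec, path, method, status, raw_body):
    """Compare a received JSON body with the schema the spec declares for that response."""
    op = spec["paths"][path][method]
    schema = op["responses"][status]["content"]["application/json"]["schema"]
    return check_body(schema, json.loads(raw_body))


# Constructed sample responses: one conforming, one leaking undeclared fields.
GOOD = '{"id": 17, "name": "A. Voter", "county": "Kent"}'
LEAKY = '{"id": 17, "name": "A. Voter", "ssn_last4": "1234", "dob": "1970-01-01"}'
```

Running this against a new API build in CI turns a schema drift or an accidentally widened response into a failing test rather than a production leak.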

Video: IDOR Hunting Tips

Katie Paxton-Fear has posted a new getting started video in which she covers the basics of Broken object level authorization (BOLA/IDOR), with a little bit of broken authentication, broken function level authorization, undocumented CRUD, tools, and tricks on the side. As always, worth checking out.


Dmitry Sotnikov

APIsecurity.io

Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.
