Issue 115: Vulnerabilities in SolarWinds, Ledger, Outlook, new plugin for JetBrains IDEs 🛠️

The now-infamous SolarWinds breach that hit multiple US government agencies last month was a supply chain attack. However, it has turned out that, as a cherry on top, SolarWinds Orion API also had an authentication bypass vulnerability.

Some extra parameters in the URI of the request caused Orion to set the SkipAuthorization flag, allowing attacking requests to proceed without authentication. Quoting from the vulnerability note:

The SolarWinds Orion API is embedded into the Orion Core and is used to interface with all SolarWinds Orion Platform products. API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a PathInfo parameter of WebResource.adx, ScriptResource.adx, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication.

In your own APIs, make sure to:

• Fully document all parameters and their acceptable values.
• Test APIs from the security perspective.
• Make sure that anything outside of the expected values gets rejected.

Ledger, a digital wallet service, was breached in July, and now the attacker has dumped a database with 270,000 personal account details of Ledger users.

The sensitive information got breached in the first place because an API key was hard-coded in the source code of the client application. This allowed the attacker to access Ledger’s e-commerce database.

Lessons learned:

• Let’s repeat together: Never hard-code API keys!
• Do not trust client applications; they might get breached.
• Do not provide direct database service access; use multi-tier system design.
• Ensure that APIs invoked on behalf of a user only have access to the data of that particular user.

Ron Chan has posted a quick video on how he found an API vulnerability in Microsoft’s Office 365 Outlook.

This was an issue with unsigned JWT tokens. Although the algorithm in use was supposed to be RS256, in reality, JWTs were missing the signature section altogether, allowing attackers to change tokens.

Check out Chan’s video for more details:

API security needs to start with API design, development, and testing.

We have already covered the OpenAPI plugin for Microsoft Visual Studio Code that provides security testing for your API definitions right from the design phase. Now there is a similar plugin for the family of IDEs (Integrated Developer Environments) by JetBrains, including IntelliJ, PyCharm, and PhpStorm.

The plugin makes OpenAPI development easier by providing:

• OpenAPI HTML preview
• Navigation
• Go to Definition
• IntelliSense
• Code snippets

And there’s a built-in static security testing of API contracts, API Contract Security Audit from 42Crunch that runs 200+ different security checks shows found security issues and their possible exploit scenarios, and provides advice on remediation: