Issue 136: OAuth 2.0 security checklist and pentesting ✔️

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #136
OAuth 2.0 security checklist and pentesting
This week, we check out how API attacks can be used to squash political dissent, a handy OAuth 2.0 security checklist as well as some common OAuth vulnerabilities and the ways to detect and mitigate them, and a case study of API penetration testing.

Vulnerability: Russian opposition email list breach

Companies typically avoid providing details on their data breaches. Today we have a rare exception: the staff of Russian opposition leader Alexey Navalny have posted a detailed report on both the breach they suffered earlier this year and their investigation into it. The report is in Russian, so you might need Google Translate or the auto-generated English subtitles on the video version they posted on YouTube.

When Navalny was imprisoned earlier this year, his supporters set up a website to campaign for his release. The site collected supporters' email addresses and approximate postal addresses, to be used to coordinate public protests across the country.

Right before the protests, attackers believed to be connected to the Russian government leaked the list of email addresses. They then combined the addresses with data from government sources (names, registration addresses, dates of birth, employer information) to intimidate the supporters and their employers. The consequences have been very real, with multiple reports of people losing their jobs as a result.

According to the investigation, the attackers got in through the API of Mailgun, the mass-email service the campaign used:

  1. One of the former administrators of the system (fired years before the breach) had retained an API key that Mailgun had issued to the campaign.
  2. The ex-admin used the API key in a scraping script to extract the email addresses from Mailgun. The script had built-in delays to avoid being throttled or causing suspicious traffic spikes, so it never raised an alarm.
  3. There appear to have been reports as early as January this year that the ex-admin possessed at least some of the email addresses, but those reports were ignored at the time.

The investigators managed to correlate Mailgun logs and the leaked data to prove that this was indeed the system that was breached and that no other system or data got compromised.

Quite a few lessons learned here:

  • Personally identifiable information (PII) can be extremely sensitive, and even just breached email addresses can lead to very tangible real-life consequences.
  • We live in a world in which breached PII can be augmented with data from other sources and thus further weaponized.
  • Long-lived API keys are extremely dangerous and must be avoided. Prefer short-lived OAuth tokens whenever possible, and rotate API keys frequently if you must use them.
  • Limit what each API key can access: issue keys with minimal permissions, control which employees can access them, and deprovision keys when anyone who may have had access leaves the company.
  • Use IP allowlisting and check the IP addresses in your logs to ensure that only the expected clients call your APIs.
  • Monitor API logs.
  • Take any reports on data leaks seriously and investigate and treat them promptly.
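The scraping in this case stayed under every per-minute throttle, which is why "monitor API logs" has to mean more than rate limiting. As an added example (not part of the newsletter or of the Navalny team's report), the Python below runs detection logic over constructed API log lines: it totals successful list-member reads per (key, source IP) over a sliding 24-hour window, reports what a naive per-minute throttle would have seen for the same traffic, and notes whether the source address is on the allowlist. The log format, path layout, key names, IP ranges and thresholds are all assumptions for the example, not Mailgun's real values.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# All of the following are assumptions for the example, not Mailgun's real values.
LIST_READ_PREFIX = "/v3/lists/"                    # list-member reads live under this path
ALLOWED_SOURCES = [ip_network("203.0.113.0/24")]   # the campaign's own servers
WINDOW = timedelta(hours=24)
MAX_LIST_PAGES_PER_WINDOW = 20                     # legitimate automation never pages a whole list
PER_MINUTE_LIMIT = 5                               # what a naive throttle-based alarm enforces


def build_sample_log():
    """Constructed log lines: '<ISO ts> <key id> <source ip> <method> <path> <status>'."""
    t0 = datetime(2021, 1, 20, 9, 0, tzinfo=timezone.utc)
    lines = []
    # Benign, bursty sending traffic from the campaign's own server.
    for i in range(30):
        ts = t0 + timedelta(seconds=2 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} key_ops 203.0.113.10 "
                     f"POST /v3/example.org/messages 200")
    # A retained key paging through the member list: one page every 3 minutes for 3 hours.
    for page in range(1, 61):
        ts = t0 + timedelta(minutes=3 * page)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} key_old 198.51.100.7 "
                     f"GET /v3/lists/supporters@example.org/members?page={page} 200")
    return lines


def parse_line(line):
    ts, key_id, src_ip, method, path, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "key": key_id,
        "ip": ip_address(src_ip),
        "method": method,
        "path": path,
        "status": int(status),
    }


def find_slow_scrapes(lines):
    """One finding per (key, source ip) whose successful list reads in any 24 h window
    exceed MAX_LIST_PAGES_PER_WINDOW, with what a per-minute throttle would have seen."""
    reads = defaultdict(list)
    for ev in map(parse_line, lines):
        if ev["method"] == "GET" and ev["path"].startswith(LIST_READ_PREFIX) and ev["status"] == 200:
            reads[(ev["key"], ev["ip"])].append(ev["ts"])

    findings = []
    for (key, ip), times in reads.items():
        times.sort()
        # Largest number of reads inside any sliding 24 h window.
        lo, peak_window = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > WINDOW:
                lo += 1
            peak_window = max(peak_window, hi - lo + 1)
        # Busiest single minute: the only thing a throttle-based alarm looks at.
        per_minute = defaultdict(int)
        for t in times:
            per_minute[t.replace(second=0, microsecond=0)] += 1
        peak_minute = max(per_minute.values())

        if peak_window > MAX_LIST_PAGES_PER_WINDOW:
            findings.append({
                "key": key,
                "ip": str(ip),
                "pages_in_24h": peak_window,
                "peak_per_minute": peak_minute,
                "throttle_would_fire": peak_minute > PER_MINUTE_LIMIT,
                "source_allowlisted": any(ip in net for net in ALLOWED_SOURCES),
            })
    return findings


if __name__ == "__main__":
    for finding in find_slow_scrapes(build_sample_log()):
        print(finding)
```

On the constructed log the retained key reads 60 pages in three hours at one request every three minutes: the per-minute peak is 1, so a throttle never fires, while the 24-hour total and the off-allowlist source both stand out. In production the same idea is usually expressed as a scheduled query over the log store rather than a script, and the window and threshold should be tuned to what your own automation legitimately does.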

OAuth2: Security checklist

Researchers from Binary Brotherhood have taken the IETF OAuth 2.0 Security Best Current Practice document and combined it with other common OAuth 2.0 vulnerability lists found online to compile a well-rounded OAuth 2.0 Pentest Checklist.

Check out their page for the detailed checklist and links to additional resources.

OAuth2: Common vulnerabilities and mitigation

Nishith K has posted both an introduction to OAuth 2.0 and details on the following common vulnerabilities:

  • Improper implementation of the implicit grant type
  • Flawed cross-site request forgery (CSRF) protection
  • Leaking authorization codes and access tokens
  • Flawed scope validation
  • Unverified user registration
  • Host header injection
  • Reusable OAuth access tokens
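Three of the items above (implicit grant, missing CSRF protection, leaked authorization codes) share one fix: use the authorization code grant with PKCE, bind every callback to a `state` value the client generated, and compare `redirect_uri` against the registered value by exact string match. As an added example that is not from Nishith K's post or from any real OAuth library, the Python below models both sides of that exchange in memory: an authorization server that issues single-use codes bound to the client, the `redirect_uri` and the PKCE challenge, and a client that keeps `state` and the code verifier per pending login. The flawed prefix check is included beside the strict one to show the difference. The client id, URIs and the use of opaque random strings as tokens are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption for the example: one registered client with exactly one allowed redirect URI.
REGISTERED_REDIRECTS = {"client-app": {"https://app.example.com/callback"}}


def s256(verifier):
    """PKCE S256 code_challenge: base64url(SHA-256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def redirect_uri_allowed_weak(client_id, uri):
    """The flawed check: a prefix match lets any path under the registered URI through, so a
    path-traversal or open-redirect endpoint on the client's own host can receive the code."""
    return any(uri.startswith(r) for r in REGISTERED_REDIRECTS.get(client_id, ()))


def redirect_uri_allowed(client_id, uri):
    """Exact string comparison against the registered set, as the OAuth 2.0 BCP requires."""
    return uri in REGISTERED_REDIRECTS.get(client_id, ())


class AuthorizationServer:
    def __init__(self):
        self._codes = {}   # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge):
        """Authorization endpoint: refuse unregistered redirect URIs before issuing anything."""
        if not redirect_uri_allowed(client_id, redirect_uri):
            raise ValueError("unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        """Token endpoint: codes are single use and bound to client, redirect_uri and PKCE."""
        entry = self._codes.pop(code, None)
        if entry is None:
            raise ValueError("unknown or already used code")
        bound_client, bound_redirect, challenge = entry
        if bound_client != client_id or bound_redirect != redirect_uri:
            raise ValueError("code is bound to a different client or redirect_uri")
        if not hmac.compare_digest(s256(code_verifier), challenge):
            raise ValueError("PKCE verification failed")
        return secrets.token_urlsafe(32)   # stand-in for a real access token


class ClientApp:
    """The relying party: keeps state and the PKCE verifier for each pending login."""
    client_id = "client-app"
    redirect_uri = "https://app.example.com/callback"

    def __init__(self):
        self._pending = {}   # state -> code_verifier

    def start_login(self):
        state = secrets.token_urlsafe(32)
        verifier = secrets.token_urlsafe(48)   # 64 chars, inside the 43..128 PKCE range
        self._pending[state] = verifier
        return state, s256(verifier)

    def finish_login(self, server, state, code):
        """Callback handler: an unknown state means a forged or replayed callback."""
        verifier = self._pending.pop(state, None)
        if verifier is None:
            raise ValueError("unknown state: rejecting callback (CSRF / code injection)")
        return server.token(self.client_id, self.redirect_uri, code, verifier)


def run_flow():
    """Happy path through both sides; returns the access token."""
    server, app = AuthorizationServer(), ClientApp()
    state, challenge = app.start_login()
    code = server.authorize(app.client_id, app.redirect_uri, challenge)
    return app.finish_login(server, state, code)


def is_rejected(action):
    """True when the server or client refuses the request; used for the negative cases."""
    try:
        action()
    except ValueError:
        return True
    return False
```

A real token endpoint would also authenticate confidential clients and issue a signed or introspectable token; the example deliberately leaves those out so that the three checks stay visible. Note that the weak check accepts `https://app.example.com/callback/../../redirect?to=https://attacker.example` while the strict one does not.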

Best practices: Penetration testing case study

A researcher going by the name of Bend Theory has posted details on his API penetration testing process:

  • Google Dorking, or using Google search operators to locate JavaScript and other files that reference API endpoints
  • Using the web apps in a browser while proxying the calls through Burp
  • Analyzing JavaScript files and endpoints, including with the BurpJSLinkFinder plugin and Python scripts
  • Wordlists
  • CLI recon tools, such as gau, qsreplace, httpx, LinkFinder, dirsearch, ffuf, kiterunner, urlscan.io
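The JavaScript analysis step is the one that turns a pile of bundles into a list of API paths to test. As an added example of that step, written for this issue and not taken from Bend Theory's post or from LinkFinder itself, the Python below pulls quoted absolute URLs and root-relative paths out of a constructed JavaScript snippet, normalises template placeholders, drops static assets, and turns the result into a wordlist of path segments for a brute-forcer such as ffuf. The sample JavaScript, the hostnames and the paths are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed JavaScript standing in for a bundle captured through Burp or fetched with httpx.
SAMPLE_JS = r'''
const API = "https://api.example.com/v2";
fetch(API + "/users/me/profile", {headers: {Authorization: "Bearer " + token}});
axios.get(`/api/v2/users/${userId}/orders?limit=50`);
$.ajax({url: '/api/v1/admin/users', type: 'GET'});
const ws = new WebSocket("wss://api.example.com/v2/stream");
img.src = "/static/img/logo.png";   // static asset, should be dropped
log("not/a/path", '/');             // neither is an endpoint
'''

# A quoted absolute URL, or a quoted root-relative path; template placeholders ${...} are kept.
ENDPOINT_RE = re.compile(
    r"""["'`]
        ((?:https?|wss?)://[^"'`\s]+            # absolute http(s)/ws(s) URL
         |/[A-Za-z0-9_.:${}/?=&-]*[A-Za-z0-9_}] # or a path that is more than a bare slash
        )
        ["'`]""",
    re.VERBOSE,
)
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".css", ".ico", ".woff", ".woff2")


def extract_endpoints(js):
    """Unique, normalised API paths found in a JavaScript source string."""
    found = set()
    for m in ENDPOINT_RE.finditer(js):
        raw = m.group(1)
        # Keep only the path: strip scheme/host from absolute URLs and the query from all.
        path = urlsplit(raw).path if "://" in raw else raw.split("?", 1)[0]
        path = re.sub(r"\$\{[^}]*\}", "{param}", path)   # `${userId}` -> `{param}`
        if path == "/" or path.lower().endswith(STATIC_EXT):
            continue
        found.add(path)
    return sorted(found)


def path_wordlist(paths):
    """Path segments to feed a brute-forcer such as ffuf, minus templated placeholders."""
    words = {seg for p in paths for seg in p.strip("/").split("/") if seg and seg != "{param}"}
    return sorted(words)


if __name__ == "__main__":
    endpoints = extract_endpoints(SAMPLE_JS)
    print("\n".join(endpoints))
    print("\n".join(path_wordlist(endpoints)))
```

The output shows the limitation that makes manual review necessary: `API + "/users/me/profile"` is a concatenation, so the extractor yields `/v2` and `/users/me/profile` as separate entries and the tester has to join them by reading the code. Anything the regex misses (paths built from variables, paths in JSON config) is exactly what the Burp proxy history and tools such as kiterunner are there to recover.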

He then gives examples of the approach he used to discover a couple of recent real-life vulnerabilities:

  • A profile access API call leaking user profile data due to BOLA/IDOR
  • API information disclosure and privilege escalation to administrative access
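The profile-access finding is the textbook BOLA/IDOR shape: the endpoint authenticates the caller and then fetches whatever id is in the request. As an added example, not code from Bend Theory's write-up or from the affected service, the Python below shows that handler beside the corrected one, plus the probe a tester runs to confirm the bug: call the endpoint as one user across a range of ids and record every object that belongs to someone else but still comes back with a 200. The profile data, ids and admin set are constructed for the example.

```python
# Constructed in-memory data; a real service would look these up in a database.
PROFILES = {
    101: {"email": "alice@example.org", "phone": "+1-555-0101"},
    102: {"email": "bob@example.org", "phone": "+1-555-0102"},
    103: {"email": "carol@example.org", "phone": "+1-555-0103"},
}
ADMINS = {900}


def get_profile_vulnerable(caller_id, profile_id):
    """The BOLA/IDOR bug: the caller is authenticated, but the object it asks for is
    never checked against what that caller is authorised to see."""
    profile = PROFILES.get(profile_id)
    return (404, None) if profile is None else (200, profile)


def get_profile_fixed(caller_id, profile_id):
    """Authorisation decided before the lookup: only the owner or an admin may read.
    Returning 404 rather than 403 avoids confirming which ids exist."""
    if caller_id != profile_id and caller_id not in ADMINS:
        return 404, None
    profile = PROFILES.get(profile_id)
    return (404, None) if profile is None else (200, profile)


def probe_bola(handler, caller_id, candidate_ids):
    """The tester's check: as one user, walk a range of ids and collect every
    object belonging to someone else that the handler returns with a 200."""
    leaked = []
    for pid in candidate_ids:
        status, _body = handler(caller_id, pid)
        if status == 200 and pid != caller_id:
            leaked.append(pid)
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", probe_bola(get_profile_vulnerable, 101, range(100, 110)))
    print("fixed leaks:     ", probe_bola(get_profile_fixed, 101, range(100, 110)))
```

In a real engagement the probe is the same loop run through Burp Intruder or a short script with two sessions, one per test account, and the evidence is the set of ids readable from the wrong session. The fix belongs in the handler or a shared authorisation layer, never in the client.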
 
 
Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

 
42Crunch, Inc.   95 Third Street  2nd Floor  San Francisco  CA   94103   United States