Issue 137: Vulnerabilities in VMware vCenter and Apache Pulsar, GraphQL and CSRF attacks

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #137
Vulnerabilities in VMware vCenter and Apache Pulsar, GraphQL and CSRF attacks
This week, we take a look at the recent API vulnerabilities in VMware vCenter and Apache Pulsar, how GraphQL implementations may be vulnerable to cross-site request forgery (CSRF) attacks, an upcoming webinar on API Security and Postman, a DZone webinar with this newsletter’s author next week, and a video on what the API security vendor landscape looks like.
Vulnerability: VMware vCenter

A recently patched vulnerability in VMware vCenter is now being actively exploited.

The vulnerability in question, CVE-2021-21985, is a critical one: it has a severity level of 9.8 out of 10 and it allows remote code execution (RCE). As mentioned, VMware has already released a patch, but attackers are now actively going after unpatched instances of vCenter.

The root cause lies in the lack of validation of JSON payloads in API calls. Attackers have found a sequence of 6 POST calls whose JSON payloads allow them to take control of the system. All they need is network access to the vCenter system (HTTPS, so port 443).

Proof-of-concept exploit code is, unfortunately, also publicly available, which pushes this vulnerability off the criticality charts.

If you are a vCenter customer, make sure this vulnerability is patched as quickly as possible. If you are an API provider, make sure you have strict data validation on all JSON payloads.

We have previously covered vulnerabilities in VMware vCenter in our issue 123.

Vulnerability: Apache Pulsar

JSON Web Token (JWT) is one of the popular formats for API security tokens. It is a Base64-encoded JSON structure that contains arbitrary claims (information about the token and the user) and that is signed to prevent token forgery.

Apache Pulsar has recently fixed a JWT alg:none vulnerability (CVE-2021-22160) that allowed account takeovers. Only systems that were configured to accept JWT (just one of the supported authentication schemes in Apache Pulsar) were vulnerable.

The alg:none attacks work as follows:

  1. Attackers take a valid token and decode it into JSON.
  2. The attackers manipulate the claims in that JSON, for example, to grant themselves an administrative role, or change their ID to that of another user.
  3. The attackers replace the original signing algorithm name in the JWT header with "alg":"none", indicating that no signature algorithm is specified.
  4. The attackers encode the JSON back to a token and include this newly forged token in the bearer header in their API calls.
  5. If the API implementation is vulnerable, it blindly trusts the incoming JWT header values, sees that no signature algorithm is specified, and accepts the unsigned, forged token without signature verification.
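
The following is an added example, not code from the newsletter or from Apache Pulsar: a minimal HS256 JWT verifier built on the Python standard library, written once in the naive form that lets the token's own "alg" header decide whether the signature is checked (the behaviour described in step 5) and once in a hardened form that pins the algorithm and always verifies the signature. The secret key and the claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-key"  # sample key for this example only

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(claims: dict, key: bytes) -> str:
    # What the legitimate issuer does: header.claims, HMAC-SHA256 over both.
    signing_input = encode_part({"alg": "HS256", "typ": "JWT"}) + "." + encode_part(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def none_token(claims: dict) -> str:
    # Test vector for steps 1-4 above: "alg":"none" and an empty signature part.
    return encode_part({"alg": "none", "typ": "JWT"}) + "." + encode_part(claims) + "."

def _hs256_ok(h: str, c: str, s: str, key: bytes) -> bool:
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))

def verify_naive(token: str, key: bytes) -> Optional[dict]:
    # Vulnerable (step 5): the token's own header decides whether the
    # signature is checked at all, so "alg":"none" bypasses verification.
    h, c, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") == "none":
        return json.loads(b64url_decode(c))
    return json.loads(b64url_decode(c)) if _hs256_ok(h, c, s, key) else None

def verify_pinned(token: str, key: bytes) -> Optional[dict]:
    # Hardened: the server pins the algorithm it issues tokens with and
    # always verifies the signature; any other "alg" value is rejected.
    h, c, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256" or not s:
        return None
    return json.loads(b64url_decode(c)) if _hs256_ok(h, c, s, key) else None
```

The same pinning applies to library-based verifiers: pass the expected algorithm explicitly and never derive it from the token being checked.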

We have covered JWT, JWT attacks, and the ways to protect against them in several of our previous issues. For example, see the recent webinar recording on JWT attacks and their remediation that we posted in issue 118.

Attack vectors: GraphQL and CSRF

CSRF attacks occur when malicious sites or apps cause a web browser to perform an unwanted action on behalf of an authenticated user. Browser requests automatically include all cookies — including session cookies — and the site cannot distinguish between legitimate requests and forged requests.

GraphQL developers rarely consider CSRF, but Tomasz Swiadek and Andrea Brancaleoni from Doyensec have found a few scenarios in which such vulnerabilities might exist. They provide details on:

  • POST-based CSRF
  • GET-based CSRF
  • XS-Search attacks (when attackers can determine the existence of objects based on the speed of the response)

Swiadek and Brancaleoni also promote their open-source InQL Burp extension for GraphQL as a tool that can be used to locate such vulnerabilities.

Finally, they give some advice on how to prevent CSRF attacks on GraphQL:

  • Use modern frameworks with built-in CSRF protection.
  • Verify origins.
  • Double-submit cookies.
  • Base the protection on interaction with the user instead of under-the-hood processes.
  • Do not use GET requests for state-changing operations.
  • Make sure GET requests, too, are covered by enhanced CSRF protection.
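
As an added example (not code from the Doyensec article or from InQL), the following request gate applies the origin check, the GET rule, the JSON-only content type and the double-submit cookie from the list above to a GraphQL endpoint. The request shape (a plain dict), the trusted origin in ALLOWED_ORIGINS, the X-CSRF-Token header and the csrf cookie name are assumptions made for the example.

```python
import hmac
from urllib.parse import urlparse

ALLOWED_ORIGINS = {"https://app.example.com"}  # assumed trusted front-end origin

def _origin_of(url: str) -> str:
    # Reduce a Referer URL to its scheme://host[:port] origin.
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else ""

def csrf_gate(req: dict) -> tuple:
    """Return (allowed, reason) for a GraphQL request given as a plain dict."""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    method = req.get("method", "").upper()
    query = req.get("query", "")
    # Verify origins on every request, GET included, falling back to Referer.
    origin = headers.get("origin") or _origin_of(headers.get("referer", ""))
    if origin not in ALLOWED_ORIGINS:
        return False, "untrusted or missing origin"
    # No state-changing operations over GET (GET-based CSRF).
    if method == "GET":
        if query.lstrip().lower().startswith("mutation"):
            return False, "mutation sent over GET"
        return True, "read-only GET from trusted origin"
    if method != "POST":
        return False, "unsupported method"
    # Only JSON bodies: an HTML form can post form-encoded, multipart or
    # text/plain bodies cross-site without a CORS preflight, so refusing
    # them closes the classic POST-based CSRF route.
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, f"content type {ctype or '(none)'} not allowed"
    # Double-submit cookie: the token in the cookie must match the header.
    sent = headers.get("x-csrf-token", "")
    expected = req.get("cookies", {}).get("csrf", "")
    if not sent or not hmac.compare_digest(sent, expected):
        return False, "csrf token missing or mismatched"
    return True, "ok"
```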

Webinar: API Security in Postman

Postman is a popular API testing tool. Next week, on June 16th, Postman’s Kin Lane and Isabelle Mauny from 42Crunch will be doing a webinar on how one can use 42Crunch API Security technology inside Postman.

See details and register here.

DZone meetup: Latest API Security Vulnerabilities and Q&A

Next Tuesday, DZone is hosting a virtual meetup in which we will go through a few of the recent API vulnerabilities and breaches from this newsletter, and answer any questions that you might have.

This will be live on DZone, Facebook, Twitter, Twitch, and LinkedIn. See you there!

Market overview: API security

As the readers of this newsletter know, API security is a hot market. Companies implementing API security programs have to separate the wheat from the chaff: the marketing pitches of prospective vendors versus what the pushed products actually do.

Security researcher Alissa Knight recently dedicated her webcast to exactly that. See the recording of Alissa’s “API Threat Management Buyers Guide” (skip the first 10 minutes to get to the actual start).

Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

 
42Crunch, Inc.   95 Third Street  2nd Floor  San Francisco  CA   94103   United States
You received this email because you are subscribed to API Security News from 42Crunch, Inc..

Update your email preferences to choose the types of emails you receive or Unsubscribe from all future emails  
 
 

Older messages

Issue 136: OAuth 2.0 security checklist and pentesting ✔️

Thursday, June 3, 2021

Hi, today we look at a recent API breach, a couple of pentesting case studies, and OAuth 2.0 security checklist and pentesting APIsecurity.io The Latest API Security News, Vulnerabilities and Best

Issue 135: Millions stolen from cryptoexchanges through APIs 💱

Thursday, May 27, 2021

Hi, today we look at the recent Rocket.Chat API vulnerability, cybercriminals exploiting cryptoexchange API keys, effect of Let's Encrypt root APIsecurity.io The Latest API Security News,

Issue 134: API vulnerabilities at Echelon, Instagram, Facebook Workspace

Thursday, May 20, 2021

Hi, today we look into details of 3 recent API vulnerability reports and have an RSCA interview with Forrester's Sandy Carielli APIsecurity.io The Latest API Security News, Vulnerabilities and Best

Issue 133: Vulnerable Peloton APIs, API contract generation for .NET 💻

Friday, May 14, 2021

Hi, this week we look at Peloton and India's CoWIN, OpenAPI contracts based on .NET annotations, API Security sessions at RSAC AppSec Village APIsecurity.io The Latest API Security News,

Issue 132: Experian API leak, breaches at DigitalOcean and Geico, Burp plugins, vAPI lab

Thursday, May 6, 2021

Hi, this week we look at new API tools & recent Experian, DigitalOcean, Geiko, Facebook APIsecurity.io The Latest API Security News, Vulnerabilities and Best Practices Issue: #132 Experian API leak

You Might Also Like

Help Shape the Future of Laravel News - Quick Survey

Friday, December 27, 2024

Help shape Laravel News - Quick 2-minute survey Hi there, As a valued member of the Laravel News community, we'd love to hear your thoughts to help us make our newsletter even better in 2025. Would

Data Science Weekly - Issue 579

Thursday, December 26, 2024

Curated news, articles and jobs related to Data Science, AI, & Machine Learning ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏

💎 Issue 449 - JRuby with JBang

Thursday, December 26, 2024

This week's Awesome Ruby Newsletter Read this email on the Web The Awesome Ruby Newsletter Issue » 449 Release Date Dec 26, 2024 Your weekly report of the most popular Ruby news, articles and

💻 Issue 449 - JavaScript Benchmarking Is a Mess

Thursday, December 26, 2024

This week's Awesome JavaScript Weekly Read this email on the Web The Awesome JavaScript Weekly Issue » 449 Release Date Dec 26, 2024 Your weekly report of the most popular JavaScript news, articles

📱 Issue 443 - EU asks for views on plan to force Apple to open up iOS

Thursday, December 26, 2024

This week's Awesome iOS Weekly Read this email on the Web The Awesome iOS Weekly Issue » 443 Release Date Dec 26, 2024 Your weekly report of the most popular iOS news, articles and projects Popular

💻 Issue 442 - SOLID: The Liskov Substitution Principle (LSP) in C#

Thursday, December 26, 2024

This week's Awesome .NET Weekly Read this email on the Web The Awesome .NET Weekly Issue » 442 Release Date Dec 26, 2024 Your weekly report of the most popular .NET news, articles and projects

Daily Coding Problem: Problem #1649 [Easy]

Thursday, December 26, 2024

Daily Coding Problem Good morning! Here's your coding interview problem for today. This problem was asked by Dropbox. Spreadsheets often use this alphabetical encoding for its columns: "A

JSK Daily for Dec 26, 2024

Thursday, December 26, 2024

JSK Daily for Dec 26, 2024 View this email in your browser A community curated daily e-mail of JavaScript news Performance Optimization in React Pivot Table with Data Compression The Syncfusion React

📱 Issue 446 - Fatbobman's Swift Weekly #063

Thursday, December 26, 2024

This week's Awesome Swift Weekly Read this email on the Web The Awesome Swift Weekly Issue » 446 Release Date Dec 26, 2024 Your weekly report of the most popular Swift news, articles and projects

💻 Issue 444 - Four limitations of Rust’s borrow checker

Thursday, December 26, 2024

This week's Awesome Rust Weekly Read this email on the Web The Awesome Rust Weekly Issue » 444 Release Date Dec 26, 2024 Your weekly report of the most popular Rust news, articles and projects