Issue 143: GraphQL API leaking credit cards, SQLi in JWT, XML attacks mind map 🗺️

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #143
This week, we have a detailed write-up on finding credit card numbers leaking from a GraphQL API, a lab walkthrough on hacking JSON Web Tokens (JWT) through SQL injection, and HackerOne's new Capture The Flag (CTF) API security challenge. On the resource side, we have another good mind map, this time on XML attack vectors against APIs.
Case study: Cracking encrypted credit card numbers exposed by an API

Craig Hays has published a fascinating write-up from his recent pentesting in a private bug bounty program.

The company allowed its customers to store their credit cards for ease of use. Hays managed to retrieve and decode the credit card numbers that the system stored for all of its customers.

The application used a GraphQL API under the hood. Hays found an ‘about me’ call that was susceptible to Broken Object-Level Authorization (BOLA): by calling that endpoint he could enumerate every user in the system and retrieve their profile information.

He found that the API exposed far too much data on each user and even returned the stored credit cards on file. The card numbers were encrypted. However, Hays noticed that the encryption was two-way and unsalted, meaning that the same credit card number would always encrypt to the same ciphertext.

Since credit card numbers are not random but conform to an international standard, he could write a script to enumerate all possible card numbers and build a rainbow table of their encrypted counterparts in the system. With such a table, recovering the cleartext of any card number returned by the API was a simple lookup.

As Hays notes in his write-up, the main lesson learned here is again to tightly lock down your API responses and avoid exposing any more data than strictly necessary. Other things to consider:

  • As always with cases of BOLA, make sure that on top of authentication, the authorization checks are in place and enforced, so that users can only access data they are supposed to.
  • Rate limiting can help prevent easy enumeration with a flood of calls. We discussed in our last week’s newsletter the quirks of rate-limiting with GraphQL APIs.
  • If you use encryption, follow modern best practices: add a salt or random nonce so that identical inputs do not produce identical ciphertexts, and so on.
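An added example (not code from the write-up or the affected system) contrasting the deterministic, unsalted scheme Hays found with a nonce-randomized one, plus an audit probe that flags the weak property. The HMAC-counter keystream and KEY are constructed stand-ins for a real library cipher such as AES-GCM; the Luhn check shows why the space of valid card numbers is structured rather than random.

```python
import hashlib, hmac, os

KEY = b"constructed-demo-key-not-for-production"  # assumption: a server-side secret

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode. A stand-in for a library cipher
    # such as AES-GCM so that the demo runs on the standard library alone.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_deterministic(pan: str) -> bytes:
    # No salt or nonce: the same card number always yields the same ciphertext,
    # the property that made the case study's lookup-table attack possible.
    data = pan.encode()
    return _xor(data, _keystream(KEY, b"", len(data)))

def encrypt_randomized(pan: str) -> bytes:
    # A fresh 16-byte nonce per call, stored with the ciphertext, so two
    # encryptions of the same number are unrelated byte strings.
    nonce, data = os.urandom(16), pan.encode()
    return nonce + _xor(data, _keystream(KEY, nonce, len(data)))

def decrypt_randomized(blob: bytes) -> str:
    nonce, ct = blob[:16], blob[16:]
    return _xor(ct, _keystream(KEY, nonce, len(ct))).decode()

def leaks_equality(encrypt) -> bool:
    # Audit probe: encrypt one value twice. Identical output means ciphertexts
    # can be matched against a precomputed table of all valid card numbers.
    sample = "4111111111111111"  # constructed test PAN, not a real card
    return encrypt(sample) == encrypt(sample)

def luhn_valid(pan: str) -> bool:
    # The Luhn check every card number must pass; it is why the space an
    # attacker has to enumerate is small and structured rather than random.
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0
```

The probe is the kind of check worth running against any "encrypted at rest" field that an API returns to callers: if it reports True, the field is only as secret as the size of its input space.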
Lab walkthrough: Hacking JWTs with Blind SQLi

JWTs are one of the most frequently used ways to pass caller information in the authentication tokens of REST API calls. When the API looks up the signing key in a database using the JWT's key ID (kid) header, that lookup itself can become a SQL injection vector.

If the API implementation blindly uses kid to retrieve the key from a database, an attacker can pass a SQL injection payload such as “non-existent-index' UNION SELECT 'ATTACKER'; --”. An unsanitized query built from this input returns “ATTACKER” as the retrieved key. The API would then verify the JWT signature with the value the attacker supplied, making it possible for the attacker to forge any tokens they like.
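An added example (not from the lab or any real project) of the kid lookup just described, with the vulnerable string-built query beside a parameterised one, and a minimal HS256 verifier that trusts whichever key the lookup returns. The key store, table layout and kid format allow-list are assumptions; the token forged with the newsletter's payload is the regression case a hardened verifier must reject.

```python
import base64, hashlib, hmac, json, sqlite3

# Constructed in-memory key store: one legitimate signing key, looked up by kid.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE keys (kid TEXT PRIMARY KEY, secret TEXT)")
db.execute("INSERT INTO keys VALUES ('key-2021', 'server-only-secret')")

def lookup_key_vulnerable(kid):
    # kid is spliced straight into the SQL text, so a UNION SELECT in the
    # header makes the query return whatever string the caller chose.
    row = db.execute(f"SELECT secret FROM keys WHERE kid = '{kid}'").fetchone()
    return row[0] if row else None

def lookup_key_safe(kid):
    # Parameterised query: kid is only ever data. The format allow-list
    # (assumption: letters, digits and '-') rejects anything else up front.
    if not kid or not all(c.isalnum() or c == "-" for c in kid):
        return None
    row = db.execute("SELECT secret FROM keys WHERE kid = ?", (kid,)).fetchone()
    return row[0] if row else None

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(payload: dict, kid: str, secret: str) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_hs256(token: str, lookup) -> bool:
    # The verifier trusts whatever key the lookup returns for the token's kid.
    header, body, sig = token.split(".")
    kid = json.loads(b64url_decode(header)).get("kid")
    secret = lookup(kid)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

# The newsletter's payload as a kid value, signed with the key it injects.
INJECTED_KID = "non-existent-index' UNION SELECT 'ATTACKER'; --"
forged = sign_hs256({"sub": "admin"}, INJECTED_KID, "ATTACKER")
```

With the vulnerable lookup the forged token verifies; with the parameterised lookup and kid allow-list it is rejected before any query runs, while a token signed under the real key-2021 key still verifies under both.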

Shivam Bathla from Pentester Academy has put together a great lab, “Hacking JWT Tokens: Blind SQLi”, for hands-on experience.

For those too busy to try it themselves, there is a step-by-step walkthrough of how the lab and the attack progress; you can also just read the intro for the task description and try to figure it out yourself in the lab.

If you need an overview of JWT and possible JWT attacks, see the recording from my JWT security talk at AppSec California 2020. Isabelle Mauny and I also did a webinar on the approach to externalize JWT security checks.

Capture the Flag: API security

CTF challenges are fun security quests and a great way to test your penetration testing skills in action.

HackerOne has just released a new “RTFM”-level CTF by Adam Langley, specifically dedicated to API security. If you are looking for a fun way to hone your skills, check it out.

Mind map: XML attacks

APIs that accept XML payloads can be exposed to a variety of XML-related attacks if they do not properly define and validate those payloads.

Harsh Bothra has put together a mind map of possible XML attack vectors, both as an XMind map and a PDF. Many of the attack vectors also provide reference links to further reading.

Dmitry Sotnikov

APIsecurity.io

Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.