Issue 145: APIs and electric car charging stations, The Nuts and Bolts of OAuth 2.0 🔩

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #145
APIs and electric car charging stations, The Nuts and Bolts of OAuth 2.0
This week, we take a look at the recently discovered (and fixed) API vulnerabilities in electric car charging stations, a Udemy course on OAuth 2.0, the recently released Gartner Hype Cycle on APIs, and how APIs in microservices architectures can be exploited if they construct backend calls without properly validating inputs.
Vulnerability: Electric vehicle charging stations

Researchers at Pen Test Partners looked into the security of several popular smart charging stations for electric vehicles.

The chargers are typically controlled through a cloud platform and a mobile app, and hence have APIs that can be accessed remotely and can be vulnerable.

The potential exploits that Pen Test Partners found were threefold:

  • Attackers might be able to retrieve users’ personal details.
  • Attackers might be able to control the charging process for an individual car.
  • Attackers might be able to mass-control all charging stations in a country or region and use them to cause massive spikes of power consumption, affecting the national power grid.

Here are some API vulnerabilities that they found:

  • Project EV / ATESS / Shenzen Growatt (the largest platform that they looked at with over 2.9 million devices):
    • The API call for login (POST on /ocpp/user) did not actually need a password and would let anyone in if they simply supplied the username or the serial number of the charger!
    • The serial numbers were predictable and easy to enumerate (TTD0xxxxx).
    • Starting or stopping a charger was a matter of sending the corresponding lock/unlock command to the /ocpp/api endpoint:
      POST /ocpp/api/ HTTP/1.1
      Content-Type: application/json;charset=UTF-8
      Content-Length: 64
      User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Redmi 8A MIUI/V11.0.3.0.PCPMIXM)
      Host: charge[.]growatt[.]com
      Connection: close
      Accept-Encoding: gzip, deflate

  • Wallbox had Broken Object-Level Authorization (BOLA/IDOR) issues, meaning that the attacker could log in with their account but then use device IDs belonging to other customers to take over their chargers:
  • EVBox had an API flaw that allowed unprivileged accounts to be escalated as administrators through what seems to have been a mass assignment vulnerability. In a profile update call, a user could add additional roles (possible values discoverable through error messages) as the roles array, and the backend just applied the requested change. By adding the tenant admin role to their user, attackers could take over  all charging stations in that tenant:
    PATCH /api/users/profiles/00uascl0k2XXZXT8w416 HTTP/1.1
    Host: api[.]everon[.]io
    Accept: application/json, text/plain, */*

    "roles":["ADMIN","ACCOUNT_OWNER", "tenantadmin"]
  • Chargepoint, a charging infrastructure provider with about 150,000 stations globally, had a GraphQL endpoint that allowed introspection, thus exposing customer database details. The researchers didn’t retrieve or manipulate any data as they assumed this was a production system with real customer information.

All vendors have since fixed the vulnerabilities, but the magnitude of what could potentially have been achieved through them is quite chilling here.

Lessons learned:

  • In the world of the Internet of Things (IoT), API security — or the lack of it — can have significant privacy, personal, and even national security consequences.
  • Authentication, authorization, and data validation are all extremely important and serve as the foundation of API security.
  • If using GraphQL, learn more about its security and don’t just go with the defaults.
Training: The Nuts and Bolts of OAuth 2.0

Learn OAuth from one of its creators! Aaron Parecki has released his “The Nuts and Bolts of OAuth 2.0” class on Udemy that covers:

  • OAuth 2.0
  • OpenID
  • PKCE
  • Deprecated flows
  • JSON web tokens (JWTs)
  • API gateways
  • Scopes

No programming knowledge is needed. Here’s a 5-minute intro video:



Analysts: Gartner Hype Cycle on APIs

Gartner Hype Cycles offer nice visual representations of where the technologies are in terms of their hype, maturity, and adoption.

Mark O’Neill and John Santoro have just released their “Hype Cycle for APIs and Business Ecosystems, 2021” report. As the chart below shows, API security testing is sharply on the rise (as are Graph APIs), API threat protection is still near the top but further along the maturity route.

See the full report (behind a paywall) for more details on the technologies mentioned.



Video: Traversing My Way in the Internal Network

A huge number of APIs these days are APIs exposed by microservice-based applications. This means that the APIs exposed by an app are implemented as microservices that receive your call and likely make their own API calls to other, more back-end microservices in the system.

For example, a call to api/v1/user?id=1337 might mean that this microservice is making its call to some_internal_domain/users/1337.

That backend likely blindly trusts the frontend microservice, and if there is no data validation in place, an attacker may be able to get to other parts of the system by manipulating the parameters in the API call. For example, calling api/v1/user?id=1337/../../ might get translated to some_internal_domain/users/1337/../../ and thus normalized to some_internal_domain/, getting to the root of the backend.

Watch this recording of a talk by Jasmin Landry at a recent OWASP event in which he covers the traversal attacks that can come out of microservices architecture. He discusses various variants of potentially dangerous API inputs (query parameters, path parameters, JSON payloads), as well as his real-life experience in finding and reporting such vulnerabilities:



Lessons learned from this one:

  • Zero trust approach and diligent data validation are really important. Define and enforce all your API inputs (parameters and payloads) as well as outputs in all your API definitions.
  • Validate and enforce all allowed paths and operations.
Dmitry - transparent circle



Dmitry Sotnikov

Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

42Crunch, Inc.   95 Third Street  2nd Floor  San Francisco  CA   94103   United States
You received this email because you are subscribed to API Security News from 42Crunch, Inc..

Update your email preferences to choose the types of emails you receive or Unsubscribe from all future emails  

Older messages

Issue 144: JustDial API vulnerability re-emerges, API key checker, the state of OAuth

Thursday, July 29, 2021

Hi, this week we have great videos on OAuth roadmap and GraphQL attacks and defenses. There's also an API key validator script and a story of The Latest API Security News,

Issue 143: GraphQL API leaking credit cards, SQLi in JWT, XML attacks mind map 🗺️

Thursday, July 22, 2021

Hi, today we have a case study of an API leaking credit card numbers, a lab on SQL injections in JWT, an API Security CTF, and a mind map of The Latest API Security News, Vulnerabilities

Issue 142: API vulnerabilities in Coursera and Huawei, GraphQL rate limiting and discovery 🔎

Friday, July 16, 2021

Hi, this week we look at the recent vulnerabilities in Coursera & Huawei, and discuss rate-limiting best practices for GraphQL as well as new The Latest API Security News,

Issue 141: API vulnerabilities in VeryFitPro and Gettr, AWS Lambda authorizers, AsyncAPI 2.1 🏅

Saturday, July 10, 2021

Hi, today we have a few recent API vulnerability case studies, a research on possible implementation flaws in AWS Lambda Authorizers, and the The Latest API Security News,

Issue 140: API vulnerabilities at LazyPay, Western Digital, and LinkedIn; IDOR mindmap 🗺️

Thursday, July 1, 2021

Hi, today we look at LinkedIn data getting scraped and WD NAS devices wiped, the recent LazyPay API flaw and an IDOR/BOLA pentesting mindmap The Latest API Security News, Vulnerabilities

Remote working jobs row shows how much tech has changed

Monday, September 27, 2021

Ransomware attackers targeted this company. Then defenders discovered something curious ZDNet Facebook Twitter LinkedIn ZDNet Insights September 27, 2021 Remote working jobs row shows how much tech has

Office space capacity

Monday, September 27, 2021

SQL, Database Querying, InterviewQs Office space capacity SQL Database Querying Forward this email to a friend or colleague and challenge them to solve it. Hi, You are given a table of office sites

Already hyping the iPhone 14

Monday, September 27, 2021

Now available on your smart speaker and wherever you get your podcasts Apple Podcasts | Spotify | Google Play | iHeart Radio It's Monday, September 27, 2021. Is this a record? No sooner has the

GCP Newsletter #261

Monday, September 27, 2021

Welcome to issue #261 September 27th, 2021 News Cloud Deploy Official Blog Introducing Google Cloud Deploy: Managed continuous delivery to GKE - The new Google Cloud Deploy managed services makes it

Import AI 267: Tigers VS humans; synthetic voices; agri-robots

Monday, September 27, 2021

What happens when AI assistants become AI directors? How large can a computer get before distances between processors and memory offset scaling gains View this email in your browser Welcome to Import

Amazon haircuts 💇, OpenAI book summarization 📚, AlphaBay founder returns 👨‍💻

Monday, September 27, 2021

Amazon's first hair salon in London opened to the public at the end of May. TLDR Daily Update 2021-09-27 Discover a future without legacy and join the No‑Code revolution at Unqork Create 2021 (

Issue #64 - Busy - New Owners, FSE Themes, Upcoming Projects

Monday, September 27, 2021

Read on Website WP Weekly 64 / Busy It is super busy for the WordPress ecosystem from every direction. Be it the crowded aspect of who acquired who, a slew of new product launches, WordPress themes

[PythonistaCafe] Q&A

Monday, September 27, 2021

Hey there, At this point you should have a pretty good idea of what PythonistaCafe is about and what makes it special. In this email I want to answer some common questions that I get asked about the

SRE Weekly Issue #289

Monday, September 27, 2021

View on A message from our sponsor, StackHawk: Semgrep and StackHawk are showing you what's new with automated security testing on September 30. Grab your spot:

Congratulations, Mini, you made the stupidest turn signals ever — and JSFuck (2012)

Sunday, September 26, 2021

Issue #538 — Top 20 stories of September 27, 2021 Issue #538 — September 27, 2021 You receive this email because you are subscribed to Hacker News Digest. You can open it in the browser if you prefer.