APIsecurity.io - APISecurity.io Newsletter: Issue 152

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #152
Exposed API keys and tokens, SAST/DAST for API security testing, the value of API specifications
This week, we have a breach involving exposed API keys for payment integration, leaked API tokens on Travis CI, the shortcomings of static and dynamic application security testing (SAST/DAST) for API security, and the value that API specification frameworks bring.
Breach: Exposed payment integration API keys

The big news story this week was the leakage of API keys for payment integrations that potentially exposed transaction details and personally identifiable information (PII) of millions of users.

CloudSEK, the maker of artificial intelligence-enabled digital threat protection, revealed that many mobile applications have API keys hard-coded into the application packages. This is security by obscurity, because an attacker can easily recover such tokens using only basic reverse engineering skills.

Indeed, the researchers at CloudSEK discovered that of the 13 000 applications currently uploaded to their BeVigil site, approximately 250 used the Razorpay API to enable financial transactions — the most critical information since it pertains directly to users’ financial details and PII.

Most worryingly, CloudSEK found that ten applications using the Razorpay API appeared to be exposing their integration key ID and secret. With both values in hand, a rogue actor could do the following:

  • Query payment information
  • Revoke unauthorized transactions
  • Access PII details (like phone numbers and email addresses), transaction details, order and refund details

The researchers suggest that such key exposure could allow attackers to issue high-value refunds for items purchased, or sell the details on the dark web.

Lessons learned here include:

  • Being reliant on security by obscurity (here “hiding” API keys in an application package) is no substitute for robust security controls. In this case, it is the equivalent of locking a house door and leaving the key under the doormat.
  • Application developers should anticipate that sensitive API keys and tokens may be exposed during an application’s lifecycle and should have robust, repeatable mechanisms in place for revoking and recycling exposed credentials.
  • Sensitive credentials should never be committed into version control systems — we discuss this below in more detail.
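To make the last two lessons concrete, here is an added example (not code from the original newsletter or from CloudSEK) of a small secret scanner that can run as a pre-commit check or over strings recovered from an app package. The Razorpay key-ID prefix pattern is an assumed format for illustration, and the sample strings are constructed.

```python
import math
import re

# Credential shapes to catch before they reach a repository or an app package.
# The Razorpay key-ID prefix (rzp_live_/rzp_test_) is an assumed format used
# for illustration; add your own providers' patterns alongside it.
KEY_ID_RE = re.compile(r"\brzp_(?:live|test)_[A-Za-z0-9]{10,}\b")
ASSIGN_RE = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\w*\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
)
PLACEHOLDER_RE = re.compile(r"(?i)replace|changeme|your[_-]|example|xxxx")

def shannon_entropy(s: str) -> float:
    """Bits per character; random secrets score well above readable text."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_text(text: str, entropy_threshold: float = 3.5) -> list:
    """Return one finding per line that looks like a hard-coded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = KEY_ID_RE.search(line)
        if m:
            findings.append({"line": lineno, "kind": "razorpay_key_id"})
            continue
        m = ASSIGN_RE.search(line)
        if not m:
            continue
        value = m.group(2)
        # Ignore obvious placeholders and low-entropy literals; flag the rest.
        if PLACEHOLDER_RE.search(value) or shannon_entropy(value) < entropy_threshold:
            continue
        findings.append({"line": lineno, "kind": "hardcoded_" + m.group(1).lower()})
    return findings

# Constructed sample resembling strings recovered from a mobile app's resources.
SAMPLE = """\
BASE_URL = "https://api.example.invalid/v1"
RAZORPAY_KEY_ID = "rzp_live_Ab3dEf9GhIjKlM"
RAZORPAY_SECRET = "q7Zp2mX9vL4bN8cR1tY6wK3s"
api_key = "your-api-key-here"
password = "changeme"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['kind']}")
```

Wire scan_text over staged files in a pre-commit hook so a hit blocks the commit, and treat any hit on already-pushed history as a credential to revoke and reissue, not merely delete.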
Breach: Leaked API tokens on Travis CI

The other big news this week was the breach at the popular CI SaaS platform, Travis CI. They have acknowledged the breach, but sought to downplay its significance in a post on their community forum.

The breach was significant in terms of both the scope and the potential impact: by forking a public repository and then issuing a pull request, attackers could gain access to the entire environment of the upstream repository, including all secret values like API keys and tokens. Such credentials would typically be used for access to downstream infrastructure environments, such as cloud hosting and binary repositories. A compromise of such API tokens could quite easily poison entire software supply chains. We all still remember SolarWinds, right?

Travis CI stated that they had resolved the underlying problem with a series of security patches, and suggested that users change passwords and rotate tokens and keys. As further mitigation, they noted that this vulnerability applied only to public repositories, although in practice these are simply the ones most likely to be forked at scale.

The security industry was somewhat critical of this response. Péter Szilágyi, a member of the Ethereum security research team, criticized Travis CI's incident response in particular, stating:

“No analysis, no security report, no post-mortem, not warning any of their users that their secrets might have been stolen.”

Furthermore, the renowned malware researcher Jake Williams concluded that they were “guilty of an abysmal failure in handling an extremely serious vulnerability”.

The key lesson here for users and API consumers is that API tokens and keys are valuable assets, particularly when they govern access to your downstream supply chain. Unfortunately, as this Travis CI incident reveals, the token or key owner is at the mercy of third-party platforms for the secure storage and use of those tokens. Best practice is to assume that a total disclosure of all API tokens and keys is possible and to put in place a well-rehearsed procedure for revoking and re-issuing them.

Opinion: SAST/DAST shortcomings for API security testing

I was pleased to be featured in the NewStack this week, discussing the pros and cons of the stalwarts of Application Security (AppSec) testing — namely SAST and DAST — for the security testing of APIs.

My view is that most organizations will be running some form of AppSec program, nearly always deploying SAST and in most cases some form of DAST too. As organizations increasingly adopt APIs, the discerning AppSec manager is faced with the question of whether the existing tools are adequate for the task of API security testing, or whether they should be supplemented with more specialist tools. My conclusion is that the best approach is to complement your existing test regime with specialist tools that give more insight and context into API-specific security issues.

Based on over a decade’s experience using and developing SAST/DAST tools, my view is that fundamentally these tools lack the context required to accurately detect many API security issues. In the case of SAST, these tools were designed to work with web pages built, for example, on JavaServer Pages or .NET ASP pages. Such tools may not be able to adequately recognize API ingress points — like function decorators in a Python Flask API application — and as such are unable to construct a sufficiently accurate model for analysis.
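As an added illustration of the missing context (this is example code, not part of the original article or any SAST product), the following pass over Python source uses the standard ast module to recover exactly the Flask ingress points described above: decorated handlers, their paths and their HTTP methods. The Flask application text is constructed and its route names are made up.

```python
import ast

# Constructed sample of a Flask application; the routes and handlers are made up.
FLASK_SOURCE = '''
from flask import Blueprint, Flask, jsonify, request

app = Flask(__name__)
api = Blueprint("api", __name__)

@app.route("/users/<int:user_id>", methods=["GET", "DELETE"])
def user(user_id):
    return jsonify({"id": user_id})

@api.route("/orders", methods=["POST"])
def create_order():
    return jsonify(request.get_json())

@app.get("/health")
def health():
    return "ok"

def helper():
    return None
'''

# Decorator attribute names that register a handler with Flask or a Blueprint.
ROUTE_ATTRS = {"route", "get", "post", "put", "patch", "delete"}

def enumerate_routes(source: str) -> list:
    """Return (path, methods, handler) for every decorated Flask ingress point."""
    routes = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.FunctionDef):
            continue
        for dec in node.decorator_list:
            # Only calls of the form @app.route(...) or @bp.get(...) are ingress points.
            if not (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)):
                continue
            if dec.func.attr not in ROUTE_ATTRS or not dec.args:
                continue
            path = ast.literal_eval(dec.args[0])
            # @app.route defaults to GET; the shorthand decorators name the method.
            methods = ["GET"] if dec.func.attr == "route" else [dec.func.attr.upper()]
            for kw in dec.keywords:
                if kw.arg == "methods":
                    methods = ast.literal_eval(kw.value)
            routes.append((path, sorted(methods), node.name))
    return routes

if __name__ == "__main__":
    for path, methods, handler in enumerate_routes(FLASK_SOURCE):
        print(f"{','.join(methods):12} {path:28} -> {handler}")
```

The resulting inventory is the endpoint model a SAST tool needs for taint tracking from request input, and the list a DAST tool needs in place of spidering, so gaps in either tool's coverage become visible.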

DAST also lacks context when analyzing APIs, because the technology typically expects a website and will “spider” the site to find entry points, such as forms that can be attacked or fuzzed. Many DAST tools lack the ability to enumerate REST API endpoints, meaning that large gaps may exist in their coverage. Additionally, DAST is typically performed later in the development lifecycle because it requires a largely functional application to assess, whereas API-specific test tools can be deployed in parallel to the initial development activity, thus allowing a hard “shift-left” approach. The differences are summarised below:

[Table image: summary of the differences between SAST, DAST and API-specific testing tools]

My conclusion is that SAST/DAST tools provide significant efficacy in reducing application vulnerabilities and that the addition of API-centric test tools into an existing AppSec program ensures that API coverage is even further improved. It’s a case of defense in depth.

Article: The value of API specification frameworks

Finally, this week we have an article on the value of API specification frameworks, such as the OpenAPI Specification (OAS), which allow organizations to drive both the quality and security aspects of their API development.

By using a central repository of APIs and a well-specified and open standard like the OAS, it is possible to define APIs in a language-agnostic and machine-consumable format that allows for the following:

  • Automatically generate API “stub” functions for development activity
  • Automatically generate mocking frameworks for integration and unit testing
  • Test the conformance and performance of API implementations against the specified contract
  • Automatically audit the security and quality of API definitions as they are developed and committed to version control
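To show what the last point looks like in practice, here is an added example (not code from the original article, from the OpenAPI project or from any vendor's audit tool) of a small audit over an OpenAPI 3 document. The document is a constructed minimal spec with made-up paths; the three checks (operations that opt out of security, unbounded string parameters, undocumented error responses) are typical contract weaknesses rather than an exhaustive rule set.

```python
# Constructed minimal OpenAPI 3 document; the paths and scheme are made up.
SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearerAuth": []}],  # global requirement: every operation needs a bearer token
    "paths": {
        "/orders/{orderId}": {
            "get": {
                "parameters": [{"name": "orderId", "in": "path", "required": True,
                                "schema": {"type": "string", "pattern": "^[0-9]{6}$"}}],
                "responses": {"200": {"description": "ok"}, "401": {"description": "unauthorized"}},
            }
        },
        "/refunds": {
            "post": {
                "security": [],  # an empty list opts this operation out of the global requirement
                "parameters": [{"name": "note", "in": "query", "schema": {"type": "string"}}],
                "responses": {"200": {"description": "ok"}},
            }
        },
    },
}

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

def audit_spec(spec: dict) -> list:
    """Return (path, method, message) findings for common contract weaknesses."""
    findings = []
    global_security = bool(spec.get("security"))
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            security = op.get("security")
            # No security applies when the operation clears it or nothing is set anywhere.
            if security == [] or (security is None and not global_security):
                findings.append((path, method, "operation has no security requirement"))
            for p in item.get("parameters", []) + op.get("parameters", []):
                schema = p.get("schema", {})
                bounded = any(k in schema for k in ("maxLength", "pattern", "enum"))
                if schema.get("type") == "string" and not bounded:
                    findings.append((path, method, f"string parameter '{p['name']}' is unbounded"))
            if not any(code.startswith("4") for code in op.get("responses", {})):
                findings.append((path, method, "no 4xx response documented"))
    return findings

if __name__ == "__main__":
    for path, method, message in audit_spec(SPEC):
        print(f"{method.upper()} {path}: {message}")
```

Run as a CI step over the committed spec, a non-empty findings list fails the build before any implementation exists, which is the shift-left the article describes.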

The author, Shreyans Mehta, concludes that although an API development approach centered on API specifications requires a commitment in time and effort, this is rewarded in the long run: “The reality is that shift left IS working, it IS catching flaws earlier.”

Colin Domoney

ApiSecurity.io

Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

 
42Crunch, Inc.   95 Third Street  2nd Floor  San Francisco  CA   94103   United States