API Security Tips for Developers Isabelle Mauny, CTO at 42Crunch

1. Securing an API World
API SECURITY TIPS
FOR DEVELOPERS
ISABELLEMAUNY
ISABELLE@42CRUNCH.COM

2. WHAT IS API SECURITY?
API Threat Protection API Access Control
➡ Content validation
➡ Token validation
➡ Traffic management
➡ Payload security
(encrypt/sign)
➡ Threat detection
➡Access tokens management
➡Authentication
➡Authorization
➡Identity management
API Security

3. GUIDING
PRINCIPLES…
3

4. 4
GUIDING PRINCIPLE:
ZERO TRUST ARCHITECTURE
1

5. 5
GUIDING PRINCIPLE:
ALL APIS ARE OPEN APIS
2
“Dance like no one is watching, encrypt like everyone is!”
Werner Vogels, Amazon CTO

6. …TO PROTECT
NEW APPLICATION
ARCHITECTURES…
6

7. TITLE TEXT
Complex deployments
✓
7
FROM ESTABLISHED PERIMETER…

8. 8
…TO BLURRY PERIMETER

9. MODERN DEPLOYMENT ARCHITECTURES
9
App icon made by https://www.flaticon.com/authors/pixel-buddha
Front Process/Controller Data
North
South
North
South
East
West
Service Mesh
Service Mesh

10. …FROM
SPECIFIC API
THREATS!
10

11. APIS ARE THE NEW ATTACKS VECTOR…
Data breaches via APIs are on the rise
✓ 200+ breaches reported on
apisecurity.io since Oct. 2018
✓ And those are just the public ones!
Most recurrent causes:
✓ Lack of Input validation
✓ Bad security configuration
✓ Broken authentication
✓ Broken authorization
11
By 2022 APIs will become the most common attack vector - Gartner*
*https://www.gartner.com/en/documents/3834704/how-to-build-an-effective-api-security-strategy

12. OWASP API SECURITY TOP 10
12
• API1 : Broken Object Level Authorisation
• API2 : Broken Authentication
• API3 : Excessive Data Exposure
• API4 : Lack of Resources & Rate Limiting
• API5 : Missing Function/Resource Level Access Control
• API6 : Mass Assignment
• API7 : Security Misconfiguration
• API8 : Injection
• API9 : Improper Assets Management
• API10 : Insufficient Logging & Monitoring
DOWNLOAD

13. T-MOBILE (JULY 2017)
The attack
✓ https:/wsg-t-mobile.com/…..?access_token=validtoken&misdn=+1xxxyyyzzzz
✓ Any user with a valid token can get the full profile of any phone number
The breach
✓ 76 million users’ records at risk
✓ Public exploit on YouTube!
✓ Went un-noticed for months until a white hat hacker raised the issue.
Core issues
✓ No fine-grained authorisation
✓ No rate limiting by token
✓ No logging/monitoring/alerting 13
A2
A3
A4
A5
A6
A10
A9
A8
A7
A1
https://www.vice.com/en_us/article/wjx3e4/t-mobile-website-allowed-hackers-to-access-your-account-data-with-just-your-phone-number

14. MITIGATION
Fine-grained authorisation in every controller layer
Do not use IDs from API request, use ID from session instead
(implement session management in controller layer)
Additionally:
✓ Avoid guessable IDs (123, 124, 125…)
✓ Avoid exposing internal IDs via the API
✓ Alternative: https://t-mobile.com/phonemanagement/mine
Prevent data scrapping by putting rate limiting in place
Log all API activity, so that this activity can be pushed to
security platforms such as SIEMs for Threat detection.
14

15. FACEBOOK (FEB 2018)
The Attack
✓ Account takeover via password reset at https://www.facebook.com/login/
identify?ctx=recover&lwv=110.
✓ facebook.com has rate limiting, beta.facebook.com does not!
The Breach
✓ None. This was a bug bounty.
Core Issues
✓ Rate limiting missing on beta APIs, which allows brute force guessing on
password reset code
✓ Misconfigured security on beta endpoints
15
A2
A3
A4
A5
A6
A10
A9
A8
A7
A1
https://appsecure.security/blog/we-figured-out-a-way-to-hack-any-of-facebook-s-2-billion-accounts-and-they-paid-us-a-15-000-bounty-for-it

16. MITIGATION
Protect authentication endpoints from abuse (this includes
password reset!)
✓ Smart rate limiting : by token/user identity
✓ Short time span
✓ Counter example: Instagram, 200 attempts/min/IP for password reset
Enforce 2FA, captcha, use secure storage for credentials
Use short-lived access tokens and limit their scope
Govern all endpoints and protect all APIs independently from
their development stage ( dev, QA, staging, etc.)
Separate non-production from production data
16

17. UBER (SEPT 2019)
The Attack
✓ Account takeover for any Uber account from a phone number
The Breach
✓ None. This was a bug bounty.
Core Issues
✓ First Data leakage : driver internal UUID exposed through error message!
✓ Second Data leakage via the getConsentScreenDetails operation: full account information is
returned, when only a few fields are used by the UI. This includes the mobile token used to
login onto the account 17
A2
A3
A4
A5
A6
A10
A9
A8
A7
A1

18. MITIGATION
Take control of your JSON schemas !
✓ Describe the data thoroughly and enforce the format at runtime (outbound)
✓ Review and approve data returned by APIs
Never expose tokens/sensitive/exploitable data in API
responses
Never rely on client apps to filter data : instead, create various
APIs depending on consumer
18

19. EQUIFAX AND MANY MORE (2017)
The Attack
✓ Remote command injection attack: server executes commands written in ONGL language when a Content-Type validation error is raised.
✓ Example:
✓
The Breach
✓ One of the most important in history: 147 millions people worldwide, very sensitive data
✓ Equifax got fined $700 million in Sept 2019
Core Issue
✓ Unpatched Apache Struts library, with remote command injection vulnerability, widely exploited during months.
19
A2
A3
A4
A5
A6
A10
A9
A8
A7
A1
https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

20. MITIGATION
Keep systems and software at latest level
Limit your external dependencies
Control those dependencies in-house (enterprise
repository)
Continuously test for vulnerabilities and leaking secrets
(OS, libraries, docker images, kubernetes deployment
files, etc.)
To limit injections effect:
✓ Validate user input, including headers like Content-Type
✓ Check Content-Type behaviour of your dev frameworks 20

21. HARBOUR REGISTRY
The Attack
✓ Privilege escalation: become registry administrator
The Breach
✓ 1300+ registries with default security settings
Core Issue
✓ Mass Assignment vulnerability allows any normal user to become an admin
POST /api/users
{“username”:”test”,”email”:”test123@gmail.com”,”realname
”:”noname”,”password”:”Password1u0021″,”comment”:null,
“has_admin_role” = True}
21
A2
A3
A4
A5
A6
A10
A9
A8
A7
A1
https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/

22. MITIGATION
Do not blindly update data from input structure
Validate Input
✓ Only accept information specified in JSON schema (contract-based, whitelist
approach) - Reject all others.
✓ Beware of GraphQL queries!
Change default settings on any system (ports, credentials)
22

25. WHAT NOW ?
Pick your battles
✓ What are your most sensitive APIs , bringing the highest risk ?
✓ Establish a Threat model
Start worrying about API Security at design time
✓ A vulnerability discovered at production time costs 30x more to solve
Hack yourselves!
✓ For each functional test, create 10 negative tests
✓ Hammer your APIs with bad data, bad tokens, bad users
Automate Security
✓ DevSecOps anyone ?
25

26. GREAT LEARNING EXAMPLE: N26
Major list of issues discovered by PHD student late 2016
Many issues from Top10
✓ No certificate pinning
✓ No rate limiting on Siri (less controlled transactions)
✓ Leaks mastercardID in every transaction
✓ No protection against brute force for passwords
✓ No monitoring
Two years later, N26 has:
✓ A major security program and security focus
✓ Rooted security deep into the development cycle
✓ https://medium.com/insiden26/n26-security-3-0-81a4e85c5fe8
26

27. CONTACT US:
INFO@42CRUNCH.COM
Securing an API World
Start testing your APIs today on apisecurity.io!

28. © COPYRIGHT 42CRUNCH | CONFIDENTIAL
42CRUNCH RESOURCES
• 42Crunch Website
• Free OAS Security Audit
• OpenAPI VS Code Extension
• OpenAPI Spec Encyclopedia
• OWASP API Security Top 10
• APIsecurity.io

29. COMMUNITY RESOURCES
SSL Setup Scan
✓ https://securityheaders.io
✓ https://www.ssllabs.com/ssltest/
Threat Modelling
✓ https://www.owasp.org/index.php/Application_Threat_Modeling
Pixi / DevSlop
✓ https://github.com/DevSlop/Pixi
✓ https://devslop.co
JWT as session data
✓ https://dzone.com/articles/stop-using-jwts-as-session-tokens
Node JS Security recommendations
✓ https://medium.com/@nodepractices/were-under-attack-23-node-js-security-
best-practices-e33c146cb87d
29

30. RESOURCES
Chaos Engineering
✓ http://principlesofchaos.org
✓ https://github.com/dastergon/awesome-chaos-engineering
OWASP ZAP
✓ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Source Code Analysis
✓ https://www.owasp.org/index.php/Source_Code_Analysis_Tools
Code Security reviews
✓ https://www.owasp.org/index.php/Code_Review_Introduction
Systems Scans
✓ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
Security Methodology
✓ https://developer.rackspace.com/blog/fanatical-security-delivered-by-quality-
engineering-security-team/
30