APIsecure - April 6 & 7, 2022 APIsecure is the world’s first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security. Exploiting multi-step business logic vulnerabilities in APIs Inon Shkedy, API Security Project Lead at OWASP

1. Multistep Business Logic
Vulnerabilities In APIs
Inon Shkedy
Security Researcher

2. ▪ Head of Security Research @ Traceable.ai
▪ Co-author of OWASP Top 10 for APIs
▪ 9+ Years in AppSec; 200+ Pen Tests
▪ I’ve grown up with APIs
Whoami?
INON SHKEDY
Security Researcher
Government, Military, Financial
Multi Page Apps, On Prem, Waterfall, Less APIs
Startups, Tier 1 Companies
Single Page Apps, Cloud, CI/CD, Mostly APIs

3. Working as a
security researcher
for a small startup
▪ Harder to show value when you protect
▪ Need to find something as fast a possible (POCs are time-limited)
▪ Customers already have security teams & programs
▪ Finding Critical Vulns in minimum time
▪ Many B2B APIs

4. What are business
logic vulnerabilities?
▪ No strict definitions
▪ App Business Logic:
▪ Defines the users and their roles
▪ Defines how different features can manipulate different types of data
▪ How each user should use each feature (legitimately)
▪ BL Vulns:
▪ Leverage innocent features to harm the app
▪ Often related to Authorization

5. BL Vulns & APIs
▪ It’s much easier to understand the full context of the
application through APIs App Business Logic:
▪ Predictable
▪ Documentation
▪ Self explanatory
▪ Pentesters should always be curious about the API and
all the features
▪ They often exist in the most niche features of the API

6. ▪ Abuse of the following features:
▪ Import Users from CSV file
▪ File Upload
▪ Async background jobs
▪ Leveraging the nature of REST APIs to bypass
security mechanisms
Exposing plain text
passwords of users

7. Fleet App
Fleet Management
▪ Routes
▪ Trucks
▪ Sensors
▪ Drivers
▪ Settings

8. User Menu - Always a Good
Place to Begin With
Fleet Management
▪ Routes
▪ Trucks
▪ Sensors
▪ Drivers
▪ Settings
▪ Profile
▪ Organization
▪ Privacy
▪ Help
Hey Piney

9. “Tenants” in B2B
SaaS APIs
SHOPIFY’S TENANTS
▪ Users
▪ Roles
▪ Products
POKEMON STORE
▪ Users
▪ Roles
▪ Products
DBZ STORE
▪ Users
▪ Roles
▪ Products
TECH STORE
SHOPIFY

10. Fleet App
Manage Org
▪ USERS
▪ Roles
▪ Contacts
▪ Org Settings
ORG Name:
Super Duper Deliveries
Users:
NAME ROLE PHONE EMAIL
Hugo Admin 1234 Some@name
Bugo User 3456 Some@name
Import Users From EXCEL/CSV File Download CSV sample file

11. Download Sample
& Upload to S3

12. ▪ The uploaded list contains plain-text passwords!
Import Users from
CSV file

13. Create a File
Object on API
Evidence that the CSV file is stored on the server!

14. Initiate Import Process
using file ID
Async background job is created!

15. Browser Checks On Job
Behind The Scenes
Async job is checked by the browser

16. Job is Complete
Async Jobs are very common in B2B APIs
Look for the heaviest operations

17. Async Jobs in B2B APIs
SHOPIFY’S BACKGROUND JOBS
Import Catalog
From Magento
SHOPIFY
Upload Large
Video
Upload Large
Video
▪ Used to prevent the annoying “Loading…” User Experience
▪ Implemented over REST
▪ JS Application keeps checking when job is done behind the scenes

18. ▪ Access jobs of other users
▪ Access files of other jobs
Let’s Get
Malicious

19. Access All Jobs
▪ Returned jobs of other users 😈
▪ Returned too many irrelevant jobs 😔
▪ Need to find a way to search in results
Leverage The Predictable nature of REST APIs

20. Leverage the Predictable
nature of REST APIs
GET /users/1122 → GET /users Extract all users
GET /api/v3/users → GET /api/v2/users Find old versions
GET /users/1122 → DELETE /users/1122 Find Admin Endpoints

21. Leverage Filters
REST API EPs often share the same behaviors and patterns
▪ API EPs often support Filters by default. Leverage
them 😈

22. Summary Of Phase #1
▪ API stores files based on file_id
▪ There’s a BFLA on “GET /api/rpc/async/jobs” that exposes jobs of other
users, including the job’s:
▪ Job_id
▪ File_id
▪ Org_id
▪ Challenge: How can we download a file based on its ID??
▪ (Unfortunately, not part of the natural process of importing users)

23. Expand your test -
look for more features!
Manage Org
▪ Users
▪ Roles
▪ Contacts
▪ ORG SETTINGS
ORG Name:
Super Duper Deliveries
Upload Logo
▪ Look for other features allowing file upload!
▪ They might share the underlying file storage mechanism

24. Logo Upload API Call
Looks familiar?
It’s also based On file ID

25. CSV upload
vs. Image Upload
Let’s take a look at the Image download process!
CSV upload Image Upload
Based on file ID
Downloadable

26. View Logo
▪ We found a way to download a file based on an ID 😈
▪ EP receives a URL from which to download the Image
EP Receives a file path, and extracts the
Image content from it

27. Direct Access to
File Path
Just to make our lives easier

28. Access The CSV File
Instead Of Image
▪ Upload logo feature & upload uses features share the same
underlying mechanism == great news! 😈
▪ I can access my own file
▪ Let’s try to access a file from a different job

29. Access The CSV File
Instead Of Image
Previous gap leaks file_id of a CSV file from other users.
Let’s try to download it
//from previous step

30. We Received An ERROR :(
Why can we access our own file, but not a file of someone else?

31. Mapping Between ORG →
Unique Folder
Org Host header Org ID Folder
superduper.fleet.com aab1da6e-092f-49af-9aa0-260131482c94 var/media/969f601c91d946cca3b
e6ef7ed5a1f29c03abf5deaac438
2a3ba008d3ead5f86/documents
▪ Mapping is done based on the org name in host header 🤔
▪ BFLA provides us only the org_id of the victim 😔
▪ How can we find the org name based on an org ID?

32. Feature To Find Org
Name Based On ID 😈
//from previous step
Job of the victim includes org_id

33. 500 ERROR
Changing the hostname solved the problem ==
Plain text passwords are leaked 😈

34. Questions?
DM
@InonShkedy

35. THANK YOU

36. Multistep Business Logic
Vulnerabilities in APIs
Some Text Goes Here