jaleelsyed / fx-local


Unsecured on PUT:/api/v1/primary-transaction #288

Open jaleelsyed opened 1 year ago

jaleelsyed commented 1 year ago

Title: Unsecured Vulnerability on PUT:/api/v1/primary-transaction
Project: NB latest API
Description: The endpoint accepts requests without credentials, giving an attacker full access to the vulnerable endpoint.

Assertion

Name: Broken Authentication ( 1 )

Overview: The "Broken Authentication" scan identifies vulnerabilities that result from the server either skipping authentication or relying on cached results for expired or invalid tokens/Authorization header values.

Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently. Compromising the system's ability to identify the client/user compromises API security overall.

Severity: The difficulty of achieving API security has increased sharply, and unprotected APIs are one of the top web application security risks organizations face. OWASP included "Underprotected APIs" in its proposal for the 2017 Top 10 list ( 2 ).

Vulnerability Impact: Every exposed API endpoint performs some action through the appropriate HTTP method, and not all methods are valid for every single endpoint. Left unchecked and open to everyone, the following are some of the consequences ( 3 ).


Exploitation: Almost all kinds of authentication, injection, encryption, configuration, access control, and other issues are possible in RESTful APIs, just as in traditional applications. Because APIs involve complex data structures and protocols, security testing can be cumbersome for an attacker, but it is quite possible to analyze APIs, discover vulnerabilities, and exploit them ( 4 ).

Remediation: The following techniques may be used to secure endpoints ( 3 ) ( 5 ) ( 6 ).
References:
  1. Representational State Transfer (REST) - https://en.wikipedia.org/wiki/Representational_state_transfer
  2. OWASP 2017 Top 10 Proposal - Underprotected APIs - https://www.owasp.org/index.php?title=Top_10_2017-A10-Underprotected_APIs&oldid=228947
  3. RESTful API Security - https://dzone.com/articles/restful-api-security
  4. REST API Security Guidelines - https://dzone.com/articles/top-5-rest-api-security-guidelines
  5. OWASP REST Security Cheat Sheet - https://www.owasp.org/index.php/REST_Security_Cheat_Sheet


* If this endpoint intentionally does not have any authentication requirements, you can disable scanning on it at a playbook level where the category is applied to the endpoint.

Risk: Unsecured
Severity: Critical
API Endpoint: http://netbanking.apisec.ai:8080/api/v1/primary-transaction
Environment: Master
Playbook: ApiV1PrimaryTransactionPutAnonymousInvalid
Researcher: [apisec Bot]

QUICK TIPS
Suggestion: Make sure the endpoint is secured as part of the authentication framework.
Effort Estimate: 4.0 Hrs

Wire Logs:
05:15:55 [D] [AVPTPAInvalid] : Endpoint [http://netbanking.apisec.ai:8080/api/v1/primary-transaction]
05:15:55 [D] [AVPTPAInvalid] : Method [PUT]
05:15:55 [D] [AVPTPAInvalid] : Authorization []
05:15:55 [D] [AVPTPAInvalid] : Request headers [[Accept:"application/json", Content-Type:"application/json"]]
05:15:55 [D] [AVPTPAInvalid] : Request [{ "amount" : 197.0, "availableBalance" : 1466529589, "createdBy" : "", "createdDate" : "", "description" : "1zz8P5s3", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "status" : "1zz8P5s3", "type" : "1zz8P5s3", "user" : { "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : "1zz8P5s3", "version" : "" }, "version" : "" }]
05:15:55 [D] [AVPTPAInvalid] : Status code [200]
05:15:55 [D] [AVPTPAInvalid] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 19 Jan 2023 05:15:55 GMT"]]
05:15:55 [D] [AVPTPAInvalid] : Response [Hidden]. //To view the response set 'showResponse: true' under policies
05:15:55 [D] [AVPTPAInvalid] : Response time [33]
05:15:55 [D] [AVPTPAInvalid] : Response size [252]
05:15:55 [E] [AVPTPAInvalid] : Assertion [@StatusCode == 401 OR @StatusCode == 403 OR @StatusCode == 404] resolved-to [200 == 401 OR 200 == 403 OR 200 == 404] result [Failed]

IMPORTANT LINKS
Vulnerability Details: https://cloud.apisec.ai/#/app/vulnerabilities/projects/8adc81a88538ca6e01853ab1f1a31dc5/dashboard/8adc81e585bef95e0185c8747ecd28fb/details
Project: https://cloud.apisec.ai/#/app/projects/8adc81a88538ca6e01853ab1f1a31dc5/dashboard
Environment: https://cloud.apisec.ai/#/app/config-environments/projects/8adc81a88538ca6e01853ab1f1a31dc5/environmentList
Scan Dashboard: https://cloud.apisec.ai/#/app/projects/8adc81a88538ca6e01853ab1f1a31dc5/profiles/8adc80b08538cdab01853ab21b0a05a2/runs/8adc800d85bef5300185c87453df4bc4
Playbook: https://cloud.apisec.ai/#/app/projects/8adc81a88538ca6e01853ab1f1a31dc5/playbooks/ApiV1PrimaryTransactionPutAnonymousInvalid
Coverage: https://cloud.apisec.ai/#/app/config-categories/projects/8adc81a88538ca6e01853ab1f1a31dc5/categories
Code Sample: https://cloud.apisec.ai/#/app/vulnerabilities/projects/8adc81a88538ca6e01853ab1f1a31dc5/dashboard/8adc81e585bef95e0185c8747ecd28fb/codesamples

PS: Please contact support@apisec.ai for apisec access and login issues.

--- apisec Bot ---
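The wire log above is the whole finding: a PUT with an empty Authorization header and the scanner's fuzzed body came back 200, so the assertion `@StatusCode == 401 OR @StatusCode == 403 OR @StatusCode == 404` failed. The script below replays that check so it can be re-run after the fix. It is an added example, not the apisec scanner's code and not the netbanking project's code. It assumes, beyond what the report states, that the target is simulated with a local `http.server` (the host in the report is not contacted) and that the hardened variant rejects a missing Authorization header with 401; the request body and header set are copied from the wire log.

```python
"""Replay apisec's anonymous-access check against a simulated PUT /api/v1/primary-transaction.

Added example: not the apisec scanner's code and not the netbanking project's code.
Assumptions beyond the report: the endpoint is simulated locally with http.server,
and the hardened variant answers a missing Authorization header with 401.
"""
import json
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

PATH = "/api/v1/primary-transaction"

# Request body copied from the report's wire log (values are the scanner's fuzz data).
REQUEST_BODY = {
    "amount": 197.0, "availableBalance": 1466529589, "createdBy": "",
    "createdDate": "", "description": "1zz8P5s3", "id": "", "inactive": False,
    "modifiedBy": "", "modifiedDate": "", "status": "1zz8P5s3", "type": "1zz8P5s3",
    "user": {"createdBy": "", "createdDate": "", "id": "", "inactive": False,
             "modifiedBy": "", "modifiedDate": "", "name": "1zz8P5s3", "version": ""},
    "version": "",
}

# The report's assertion: @StatusCode == 401 OR @StatusCode == 403 OR @StatusCode == 404
REJECTING_STATUSES = {401, 403, 404}


def assertion_passes(status: int) -> bool:
    """An anonymous request must be refused; any other status means the endpoint is unsecured."""
    return status in REJECTING_STATUSES


def send_anonymous_put(host: str, port: int, path: str, body: dict) -> int:
    """Send the PUT exactly as the scanner did: JSON body, Accept/Content-Type only, no Authorization."""
    conn = HTTPConnection(host, port, timeout=5)
    conn.request("PUT", path, body=json.dumps(body),
                 headers={"Accept": "application/json", "Content-Type": "application/json"})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


class _TransactionHandler(BaseHTTPRequestHandler):
    """Simulated endpoint. require_auth=False reproduces the finding; True is the fixed behaviour."""
    require_auth = False

    def do_PUT(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path != PATH:
            self.send_response(404)
        elif self.require_auth and not self.headers.get("Authorization"):
            # Hardened variant (assumed): reject before touching the transaction.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Bearer realm="api"')
        else:
            self.send_response(200)  # Vulnerable variant: anonymous PUT is accepted.
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b"{}")

    def log_message(self, *args):  # keep the example quiet
        pass


def run_check(require_auth: bool) -> dict:
    """Start a simulated endpoint, replay the anonymous PUT, and evaluate the scanner's assertion."""
    handler = type("Handler", (_TransactionHandler,), {"require_auth": require_auth})
    server = HTTPServer(("127.0.0.1", 0), handler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        status = send_anonymous_put("127.0.0.1", server.server_address[1], PATH, REQUEST_BODY)
    finally:
        server.shutdown()
        server.server_close()
    return {"status": status, "result": "Passed" if assertion_passes(status) else "Failed"}


if __name__ == "__main__":
    print("vulnerable endpoint:", run_check(require_auth=False))
    print("hardened endpoint:  ", run_check(require_auth=True))
```

To retest the real service, point `send_anonymous_put` at the host and port from the report instead of the simulated server; the assertion is deliberately the same three statuses the scanner uses, so a 200 (or any 2xx) from an unauthenticated PUT still reads as "Failed" after the change is deployed.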