muqeetkhan20 / SanityJuly2


InvalidAuthEmpty on DELETE:/api/v1/primary-transaction/{id} #394

Closed qauser21 closed 3 years ago

qauser21 commented 3 years ago

Title: InvalidAuthEmpty Vulnerability on DELETE:/api/v1/primary-transaction/{id}
Project: Sanity 19th Aug
Description: The Invalid-Authentication exploit gives an attacker full access to the vulnerable endpoint without valid credentials.

Assertion Name: Authentication Exploit (Empty) ( 1 )

Overview: A RESTful API is an application program interface (API) that uses HTTP requests to GET, PUT, POST, and DELETE data. A RESTful API, also referred to as a RESTful web service, is based on representational state transfer (REST) technology, an architectural style and approach to communications often used in web services development. These exposed endpoints should not be open to all and should be protected. A top priority for organizations is to have secured endpoints.

The 'Authentication Exploit (Empty)' scanning identifies vulnerabilities resulting from either skipping or using cached results for expired or invalid tokens/authorization header values.

Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently. Compromising the system's ability to identify the client/user compromises API security overall.

Severity: The difficulty of achieving API security has increased exponentially, and unprotected APIs are one of the top web application security risks organizations face. OWASP included “Unprotected APIs” in its proposal for the 2017 Top 10 list. ( 2 )

Vulnerability Impact: Every exposed API endpoint will have some action to be performed through the appropriate HTTP method, and not all methods are valid for every single endpoint. Left unchecked and open to all, the following are some of the consequences ( 3 ).


Exploitation: Almost all kinds of authentication, injection, encryption, configuration, access control, and other issues are possible in RESTful APIs, just as in traditional applications. Since APIs include complex data structures and protocols, security testing may become cumbersome for an attacker. But it is quite possible to analyze APIs, discover vulnerabilities and exploit them ( 4 ).

Remediation: The following techniques may be used to secure endpoints ( 3 ) ( 5 ) ( 6 ).
References:
  1. Representational State Transfer (REST) - https://en.wikipedia.org/wiki/Representational_state_transfer
  2. OWASP 2017 Top 10 Proposal - A10 Underprotected APIs - https://www.owasp.org/index.php?title=Top_10_2017-A10-Underprotected_APIs&oldid=228947
  3. RESTful API Security - https://dzone.com/articles/restful-api-security
  4. API Exploits - https://www.hack2secure.com/blogs/what-are-api-exploits
  5. REST API Security Guidelines - https://dzone.com/articles/top-5-rest-api-security-guidelines
  6. OWASP REST Security Cheat Sheet - https://www.owasp.org/index.php/REST_Security_Cheat_Sheet

Risk: InvalidAuthEmpty
Severity: Critical
API Endpoint: http://95.217.118.53:8080/api/v1/primary-transaction/12345
Environment: Master
Playbook: ApiV1PrimaryTransactionIdDeleteAuthInvalidEmpty
Researcher: [apisec Bot]

QUICK TIPS

Suggestion: Make sure the endpoint is secured as part of the authentication framework.
Effort Estimate: 1.5 Hrs
Wire Logs:

IMPORTANT LINKS

Vulnerability Details: https://cloud.fxlabs.io/#/app/projects/8a80932a7b4f1826017b5bdbca935785/dashboard/8a8094a07b731c32017b77638a6b1465/details

Project: https://cloud.fxlabs.io/#/app/projects/8a80932a7b4f1826017b5bdbca935785/allScans

Environment: https://cloud.fxlabs.io/#/app/projects/8a80932a7b4f1826017b5bdbca935785/environments/8a80932a7b4f1826017b5bdbcadf5788/edit

Scan Dashboard: https://cloud.fxlabs.io/#/app/projects/8a80932a7b4f1826017b5bdbca935785/profiles/8a80932a7b4f1826017b5bdc023259a8/runs/8a8094a07b731c32017b776341671340

Playbook: https://cloud.fxlabs.io/#/app/projects/8a80932a7b4f1826017b5bdbca935785/playbooks/ApiV1PrimaryTransactionIdDeleteAuthInvalidEmpty

Coverage: https://cloud.fxlabs.io/#/app/projects/8a80932a7b4f1826017b5bdbca935785/categories

Code Sample: https://cloud.fxlabs.io/#/app/projects/8a80932a7b4f1826017b5bdbca935785/dashboard/8a8094a07b731c32017b77638a6b1465/codesamples

PS: Please contact support@apisec.ai for apisec access and login issues.

--- apisec Bot ---
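The check the report describes, as an added example that is not part of the apisec report or the SanityJuly2 project: an in-memory model of DELETE /api/v1/primary-transaction/{id} behind two dispatchers, one with the flaw this finding names (the token is only verified when an Authorization header is present, so a missing or empty value falls straight through to the delete) and one that fails closed, plus the probe set a scanner replays to tell them apart. SIGNING_KEY, the bearer token format, the request dict shape and the function names are assumptions made for this example.

```python
# Added example (not the apisec report's or the SanityJuly2 project's code).
# Models DELETE /api/v1/primary-transaction/{id} over an in-memory store, with
# the flawed dispatcher the finding describes (the auth check is skipped when the
# Authorization header is absent or empty) next to a fail-closed one, and replays
# the scanner's probe set against both. SIGNING_KEY, the token format and the
# request dict shape are assumptions made for this example.
import hashlib
import hmac
from http import HTTPStatus
from typing import Callable, Dict, Optional, Tuple

SIGNING_KEY = b"example-only-signing-key"          # constructed, not a real key
PATH = "/api/v1/primary-transaction/12345"         # the endpoint the scan hit

Request = Dict[str, str]                           # method, path, authorization
Response = Tuple[int, str]                         # (status, body)
Handler = Callable[[Request], Response]


def issue_token(user: str) -> str:
    """Mint 'Bearer <user>.<hmac>'; stands in for the real token issuer."""
    mac = hmac.new(SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"Bearer {user}.{mac}"


def verify_token(header: str) -> Optional[str]:
    """Return the user a valid bearer token names, else None."""
    scheme, _, credential = header.partition(" ")
    if scheme != "Bearer" or "." not in credential:
        return None
    user, _, mac = credential.rpartition(".")
    expected = hmac.new(SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


def make_store() -> Dict[str, dict]:
    """Fresh transaction table; id 12345 matches the scanned URL."""
    return {"12345": {"owner": "alice", "amount": 100}}


def delete_transaction(store: Dict[str, dict], req: Request) -> Response:
    """The resource handler itself: no auth logic, it trusts the dispatcher."""
    if req["method"] != "DELETE":
        return HTTPStatus.METHOD_NOT_ALLOWED, "DELETE only"
    tx_id = req["path"].rsplit("/", 1)[-1]
    if store.pop(tx_id, None) is None:
        return HTTPStatus.NOT_FOUND, "no such transaction"
    return HTTPStatus.NO_CONTENT, ""


def vulnerable_dispatch(store: Dict[str, dict]) -> Handler:
    """Flawed: the token is verified only when a header is present, so a missing
    or empty Authorization value falls straight through to the delete."""
    def handle(req: Request) -> Response:
        header = req.get("authorization", "")
        if header and verify_token(header) is None:
            return HTTPStatus.UNAUTHORIZED, "bad token"
        return delete_transaction(store, req)
    return handle


def hardened_dispatch(store: Dict[str, dict]) -> Handler:
    """Fixed: credentials are mandatory; absent, blank and invalid all fail closed."""
    def handle(req: Request) -> Response:
        header = req.get("authorization", "").strip()
        if not header or verify_token(header) is None:
            return HTTPStatus.UNAUTHORIZED, "authentication required"
        return delete_transaction(store, req)
    return handle


def empty_auth_probe(make_handler: Callable[[Dict[str, dict]], Handler]) -> Dict[str, int]:
    """Replay the 'Authentication Exploit (Empty)' probes, each against a fresh
    store so one accepted delete cannot mask the next one as a 404."""
    probes = {
        "missing": {},
        "empty": {"authorization": ""},
        "blank": {"authorization": "   "},
        "scheme_only": {"authorization": "Bearer "},
        "garbage": {"authorization": "Bearer alice.not-a-real-mac"},
    }
    results = {}
    for name, headers in probes.items():
        status, _ = make_handler(make_store())({"method": "DELETE", "path": PATH, **headers})
        results[name] = int(status)
    return results


def is_vulnerable(make_handler: Callable[[Dict[str, dict]], Handler]) -> bool:
    """The scanner's assertion: an uncredentialed DELETE not answered 401/403 is a finding."""
    return any(code not in (401, 403) for code in empty_auth_probe(make_handler).values())


if __name__ == "__main__":
    print("vulnerable:", empty_auth_probe(vulnerable_dispatch), is_vulnerable(vulnerable_dispatch))
    print("hardened:  ", empty_auth_probe(hardened_dispatch), is_vulnerable(hardened_dispatch))
```

Against the flawed dispatcher the "missing" and "empty" probes come back 204 and the row is gone; the blank, scheme-only and garbage probes are refused only because a truthy header happens to reach the verifier, which is why a scan that sends just one bad token can miss this class. The fix is the shape of the check, not the verifier: treat absence and emptiness the same as an invalid token, run that check before routing so every method on the path gets it, and keep the resource handler free of any "if no credentials, continue" branch.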

qauser21 commented 3 years ago

Message : This issue is manually closed from FX control plane.

Title: InvalidAuthEmpty Vulnerability on DELETE:/api/v1/primary-transaction/{id}
Project: Sanity 19th Aug
Description:

Assertion Name: Authentication Exploit (Empty) ( 1 )

Overview: A RESTful API is an application program interface (API) that uses HTTP requests to GET, PUT, POST, and DELETE data. A RESTful API, also referred to as a RESTful web service, is based on representational state transfer (REST) technology, an architectural style and approach to communications often used in web services development. These exposed endpoints should not be open to all and should be protected. A top priority for organizations is to have secured endpoints.

The 'Authentication Exploit (Empty)' scanning identifies vulnerabilities resulting from either skipping or using cached results for expired or invalid tokens/authorization header values.

Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently. Compromising the system's ability to identify the client/user compromises API security overall.

Severity: The difficulty of achieving API security has increased exponentially, and unprotected APIs are one of the top web application security risks organizations face. OWASP included “Unprotected APIs” in its proposal for the 2017 Top 10 list. ( 2 )

Vulnerability Impact: Every exposed API endpoint will have some action to be performed through the appropriate HTTP method, and not all methods are valid for every single endpoint. Left unchecked and open to all, the following are some of the consequences ( 3 ).


Exploitation: Almost all kinds of authentication, injection, encryption, configuration, access control, and other issues are possible in RESTful APIs, just as in traditional applications. Since APIs include complex data structures and protocols, security testing may become cumbersome for an attacker. But it is quite possible to analyze APIs, discover vulnerabilities and exploit them ( 4 ).

Remediation: The following techniques may be used to secure endpoints ( 3 ) ( 5 ) ( 6 ).
References:
  1. Representational State Transfer (REST) - https://en.wikipedia.org/wiki/Representational_state_transfer
  2. OWASP 2017 Top 10 Proposal - A10 Underprotected APIs - https://www.owasp.org/index.php?title=Top_10_2017-A10-Underprotected_APIs&oldid=228947
  3. RESTful API Security - https://dzone.com/articles/restful-api-security
  4. API Exploits - https://www.hack2secure.com/blogs/what-are-api-exploits
  5. REST API Security Guidelines - https://dzone.com/articles/top-5-rest-api-security-guidelines
  6. OWASP REST Security Cheat Sheet - https://www.owasp.org/index.php/REST_Security_Cheat_Sheet

Risk: InvalidAuthEmpty
Severity: Critical
API Endpoint: http://95.217.118.53:8080/api/v1/primary-transaction/12345
Environment: Master
Playbook: ApiV1PrimaryTransactionIdDeleteAuthInvalidEmpty
Researcher: Invalid_Auth_Empty

QUICK TIPS

Suggestion:
Effort Estimate: null Hrs
Wire Logs:

IMPORTANT LINKS

Vulnerability Details: https://cloud.fxlabs.io/#/app/projects/8a80932a7b4f1826017b5bdbca935785/dashboard/null/details

Project: https://cloud.fxlabs.io/#/app/projects/8a80932a7b4f1826017b5bdbca935785/allScans

Environment: https://cloud.fxlabs.io/#/app/projects/8a80932a7b4f1826017b5bdbca935785/environments/8a80932a7b4f1826017b5bdbcadf5788/edit

Scan Dashboard: https://cloud.fxlabs.io/#/app/projects/8a80932a7b4f1826017b5bdbca935785/profiles/8a80932a7b4f1826017b5bdc023259a8/runs/8a8094a07b731c32017b776341671340

Playbook: https://cloud.fxlabs.io/#/app/projects/8a80932a7b4f1826017b5bdbca935785/playbooks/ApiV1PrimaryTransactionIdDeleteAuthInvalidEmpty

Coverage: https://cloud.fxlabs.io/#/app/projects/8a80932a7b4f1826017b5bdbca935785/categories

Code Sample: https://cloud.fxlabs.io/#/app/projects/8a80932a7b4f1826017b5bdbca935785/dashboard/null/codesamples

PS: Please contact support@apisec.ai for apisec access and login issues.

--- apisec Bot ---
