Even today, we continue to see abuse of tainted data taking out the apps and infrastructure we use daily.
While input validation is improving in frontend web apps, it's not uncommon to bypass this altogether and go straight to attacking the APIs.
When structured data is being relied on, such as within API contracts, Structured Format Injection becomes a thing.
SFI allows an attacker to manipulate the structure of the data being transferred between systems in order to exploit vulnerabilities and gain unauthorized access.
To exploit an API with SFI, you first need to identify the data format being used.
Even better, the API spec docs should showcase what object models it may be expecting.
Of course, if you don't have access to detailed documentation, you can generate your own rogue docs from the traffic you record while using the API. Once the data format is identified, you can manipulate its structure to carry out your attack.
You could add additional fields or values to bypass authentication checks, inject malicious code, or modify existing data to change the behavior of the application.
In this article, I want to focus on injecting malicious input that may cause the API on the server to behave differently by polluting parameters.
It isn't uncommon to find API endpoints that are used to do partial updates to a data record.
You may be able to manipulate parameters to exploit vulnerabilities in the server's structured data processing.
To test for this, inject unexpected structured data into user inputs and see how the server responds.
Now imagine that the server processes this data to call the backend server API that you don't have direct access to.
While we could not directly update the user, we still exploited a Broken Object Property Level Authorization vulnerability to give ourselves the admin role by using SFI. When software frameworks automatically bind request parameters to fields on an internal object, it can lead to hidden parameters in an API that developers didn't even intend to allow to be read or written.
You already know I am a big fan of tainting data in weird places.
One great place is to manipulate the Content-Type and see if the API might act differently.
Depending on how the server processes the request and creates the JSON object going to the backend API, it may inject the role property and ultimately give you admin access.
YMMV. Every API is going to act differently but you get the general approach now.
Through Server Side Parameter Pollution, it may be possible to abuse an API and find Broken Object Property Level Authorization vulnerabilities.
The post Exploiting an API with Structured Format Injection appeared first on Dana Epp's Blog.
This Cyber News was published on securityboulevard.com. Publication date: Tue, 02 Jan 2024 18:13:04 +0000