That time I broke into an API and became a billionaire

This included an internal API with a dependency on a third-party banking API. We'll get to the banking API later in this story.
That's all thanks to developers embracing agile development, microservices, and API gateway redirection that exposed something no one considered.
The whole point of API pentesting is to look at the target objectively with a clear and unbiased view.
The API servers were configured for years to only support a Content-Type of 'application/json'.
This makes sense since it was a RESTful API that relied on data models structured in JSON. In fact, we've had automated tests that verify that using any other Content-Type would return an HTTP status code of 415.
It turned out that the developers were working on an internal API to bridge between the main API and a third party that processes currency conversion and transfers.
As that external API required an XML call-back service, a slight tweak was made to the API framework to allow for a Content-Type of 'application/xml' for the new service endpoint.
They assumed the API gateway would protect them as they had yet to publish the new endpoints through it.
Let me sum it up by saying API gateways aren't always the smartest.
The tests were passing because it was the API gateway, not the API server, that rejected the request.
This one little config change to the API server to allow XML let me get a foothold on the API server thanks to XML Entity Injection.
This let me exfiltrate the API artifacts from the server and ultimately reverse engineer the compiled API into source code, allowing me to find out about the external banking API before I should have known.
Some API frameworks will auto-detect the media type based on the payload. This technique has the added benefit that it can sometimes bypass content type filtering in WAF and API gateways.
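The server-side enforcement this story shows was missing, as an added example in Python (not code from the post or from the API it describes); the per-endpoint allow-list and the paths are constructed for illustration. It rejects any Content-Type the endpoint does not allow at the server itself, so a test that bypasses the gateway still sees 415; it never sniffs the body to guess its type; and on the one XML endpoint it refuses any DOCTYPE so entity declarations never reach the parser.

```python
import json
import xml.etree.ElementTree as ET
from email.message import Message

# Hypothetical per-endpoint allow-list (paths are constructed for this example).
# Only the banking call-back endpoint may accept XML; everything else stays JSON-only.
ALLOWED_MEDIA_TYPES = {
    "/v1/accounts": {"application/json"},
    "/internal/bank/callback": {"application/xml"},
}


def media_type(content_type):
    """Return the bare, lower-cased media type, ignoring parameters such as charset.
    A missing or malformed header yields 'text/plain', which no endpoint allows."""
    msg = Message()
    msg["Content-Type"] = content_type or ""
    return msg.get_content_type()


def parse_body(path, content_type, body):
    """Enforce the media type at the API server itself, so a direct request that
    bypasses the gateway still gets 415. Returns (http_status, parsed_payload)."""
    if isinstance(body, str):
        body = body.encode("utf-8")
    allowed = ALLOWED_MEDIA_TYPES.get(path)
    if allowed is None:
        return 404, None
    mt = media_type(content_type)
    if mt not in allowed:
        return 415, None  # the declared type decides; the body is never sniffed
    try:
        if mt == "application/json":
            return 200, json.loads(body)
        # XML path: refuse any DOCTYPE so no entity declarations (the root of XXE)
        # ever reach the parser, the same effect as Java's disallow-doctype-decl.
        if b"<!DOCTYPE" in body:
            return 400, None
        root = ET.fromstring(body)
        return 200, {root.tag: (root.text or "").strip()}
    except (ValueError, ET.ParseError):
        return 400, None
```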
Whenever I conduct a pentest, one of my personal goals is to get access to API artifacts and ultimately the source code.
Since I knew the API was written in Java using a special framework, I had a good idea of where to look for the files I wanted.
First, I needed to know the full path, including the filenames, of the API artifacts I wanted.
In this case, the API server was built upon a base image that included PHP binaries.
We've tainted a request to send the API server something it wasn't expecting, which returned to us the compiled assets of the API we wanted.
From there, I was able to home in on the undocumented API endpoints, the expected models and schema, and the corresponding business logic within the API that used the external banking API. I won't bore you with the gory details, but the developers were right: they weren't ready to release the code to this new functionality.
The post That time I broke into an API and became a billionaire appeared first on Dana Epp's Blog.


This Cyber News was published on securityboulevard.com. Publication date: Tue, 19 Dec 2023 17:43:05 +0000

