Solarwinds api

This week, we revisit the API aspects of the SolarWinds breach and check out how APIs featured in the recent Ledger breach. There is also an API vulnerability found in Microsoft's Office 365 Outlook and a new API development and security plugin for JetBrains IDEs.

The now-infamous SolarWinds breach that hit multiple US government agencies last month was a supply chain attack. However, it has turned out that, as a cherry on top, the SolarWinds Orion API also had an authentication bypass vulnerability. Some extra parameters in the URI of the request caused Orion to set the SkipAuthorization flag, allowing the attacker's requests to proceed without authentication.

The SolarWinds Orion API is embedded into the Orion Core and is used to interface with all SolarWinds Orion Platform products. API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a PathInfo parameter of WebResource.adx, ScriptResource.adx, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication.

  • Fully document all parameters and their acceptable values.
  • Test APIs from the security perspective.
  • Make sure that anything outside of the expected values gets rejected.

Ledger, a digital wallet service, was breached in July, and now the attacker has dumped a database with 270,000 personal account details of Ledger users. The sensitive information got breached in the first place because an API key was hard-coded in the source code of the client application. This allowed the attacker to access Ledger's e-commerce database.

Let's repeat together: never hard-code API keys!

  • Do not trust client applications: they might get breached.
  • Do not provide direct database service access; use a multi-tier system design.
  • Ensure that APIs invoked on behalf of a user only have access to the data of that particular user.

Ron Chan has posted a quick video on how he found an API vulnerability in Microsoft's Office 365 Outlook. This was an issue with unsigned JWT tokens. Although the algorithm in use was supposed to be RS256, in reality the JWTs were missing the signature section altogether, allowing attackers to change tokens.
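As an added example (not code from this page, from Ron Chan's report, or from Microsoft), the gate below implements the check that was missing in the Outlook case described here: a token whose header declares RS256 but which carries no signature segment, or which declares alg none, is rejected before any claim is read. The sample claims and the placeholder signature bytes are constructed, and the actual RS256 signature verification is assumed to be done afterwards by a proper JWT library.

```python
import base64
import binascii
import json

# Pin to the algorithm the issuer is supposed to use; "none" is never acceptable.
ALLOWED_ALGS = {"RS256"}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def naive_claims(token: str) -> dict:
    # The failure mode on this page: claims are read straight from the payload
    # segment, so a token with no signature at all is still trusted.
    return json.loads(b64url_decode(token.split(".")[1]))

def precheck_jwt(token: str) -> dict:
    """Structural gate run before any RS256 check; returns the header or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWS compact serialization needs exactly 3 segments")
    header_b64, _payload_b64, sig_b64 = parts
    if not sig_b64:
        raise ValueError("signature segment is empty")
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("alg is missing or not in the allow-list")
    return header

def is_acceptable(token: str) -> bool:
    try:
        precheck_jwt(token)
        return True
    except (ValueError, binascii.Error):  # JSONDecodeError is a ValueError
        return False

def make_token(header: dict, payload: dict, signature: bytes) -> str:
    # Constructed sample tokens; the signature bytes are a stand-in, not a real RS256 signature.
    segs = [b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
            b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
            b64url_encode(signature)]  # b"" yields a trailing empty segment
    return ".".join(segs)

HEADER = {"alg": "RS256", "typ": "JWT"}
SIGNED_SHAPE = make_token(HEADER, {"sub": "alice", "role": "user"}, b"\x01\x02\x03")
UNSIGNED = make_token(HEADER, {"sub": "alice", "role": "admin"}, b"")  # "hdr.payload."
TWO_SEGMENTS = UNSIGNED.rstrip(".")                                    # "hdr.payload"
ALG_NONE = make_token({"alg": "none"}, {"sub": "alice", "role": "admin"}, b"")
```

`naive_claims(UNSIGNED)` happily returns the tampered admin role, while `is_acceptable` rejects all three malformed tokens and only lets the correctly shaped RS256 token through to real signature verification.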