apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society December 8, 9 & 10, 2020 Protecting financial grade API: adopting the right security stack Isabelle Mauny, Co-founder & Field CTO at 42Crunch

1. Protecting Financial
Grade APIs
Getting the right security stack
ISABELLEMAUNY
ISABELLE@42CRUNCH.COM

2. © COPYRIGHT 42CRUNCH | CONFIDENTIAL
API Breaches are on the rise!
• 300+ breaches reported on apisecurity.io since
Oct. 2018
• And those are just the public ones!
• Most recurrent causes (combination of):
• Lack of Input validation
• Lack of Rate Limiting
• Data/Exception leakage
• BOLA/IDOR (Authorization)

3. Applications Architecture has changed!
Source: https://apisecurity.io/encyclopedia/content/owasp/owasp-api-security-top-10.htm

4. TITLE TEXT
Complex deployments
✓
4
FROM PROTECTING THE PERIMETER…

5. 5
…TO PROTECTING THE DATA

6. 6
Hypervisor, VMs
Intra-services communication (auth, azn, TLS)
App level security (auth, azn, libs, code, images, data)
OS / Network / Physical Access
API Security Applies at Multiple Levels

7. © COPYRIGHT 42CRUNCH | CONFIDENTIAL
OWASP API Security
Top 10
• API1 : Broken Object Level Authorisation
• API2 : Broken Authentication
• API3 : Excessive Data Exposure
• API4 : Lack of Resources & Rate Limiting
• API5 : Missing Function/Resource Level Access Control
• API6 : Mass Assignment
• API7 : Security Misconfiguration
• API8 : Injection
• API9 : Improper Assets Management
• API10 : Insufficient Logging & Monitoring
•
DOWNLOAD

8. UBER (SEPT 2019)
The Attack
✓ Account takeover for any Uber account from a phone number
The Breach
✓ None. This was a bug bounty.
Core Issues
✓ First Data leakage : driver internal UUID exposed through error message!
✓ Hacker can access any driver, user, partner profile if they know the UUID
✓ Second Data leakage via the getConsentScreenDetails operation: full account
information is returned, when only a few fields are used by the UI. This includes the
mobile token used to login onto the account
8
A2
A3
A4
A5
A6
A10
A9
A8
A7
A1
https://hackernoon.com/how-i-could-have-hacked-all-uber-accounts-rtzl3z72

9. © COPYRIGHT 42CRUNCH | CONFIDENTIAL
Leaking Mobile Token
• {“data":{“language":"en","userUuid":"xxxxxx1e"},"getUser":{“uuid":"cxxxxxc5f7371e",
{"firstname":"Maxxxx","lastname":"XXXX","role":"PARTNER","languageId":1,"countryId":77,"mo
bile":null,"mobileToken":1234,"mobileCountryId":77,"mobileCountryCode":"+91","hasAmbig
uousMobileCountry":false,"lastConfirmedMobileCountryId":77,"email":"xxxx@gmail.com","em
ailToken":"xxxxxxxx","hasConfirmedMobile":"no","hasOptedInSmsMarketing":false,"hasConfir
medEmail":true,"gratuity":0.3,"nickname":"abc@gmail.c","location":"00000","banned":false,"car
dio":false,"token":"b8038ec4143bb4xxxxxx72d","fraudScore":0,"inviterUuid":null,"pictureU
rl":"xxxxx.jpeg","recentFareSplitterUuids":
[“xxx"],"lastSelectedPaymentProfileUuid":"xxxxxx","lastSelectedPaymentProfileGoogleWalletU
uid":null,"inviteCode":
{“promotionCodeId":xxxxx,"promotionCodeUuid":"xxxx","promotionCode":"manishas105","cre
atedAt":{“type":"Buffer","data":[0,0,1,76,2,21,215,101]},"updatedAt":{“type":"Buffer","data":
[0,0,1,76,65,211,61,9]}},"driverInfo":
{“contactinfo":"999999999xx","contactinfoCountryCode":"+91","driverLicense":"None","firstDri
verTripUuid":null,"iphone":null,"partnerUserUuid":"xxxxxxx"

10. API1 (BOLA) MITIGATION
Fine-grained authorisation in every controller layer
Do not use IDs from API request, use ID from session instead (implement
session management in controller layer)
Additionally:
✓ Avoid guessable IDs (123, 124, 125…)
✓ Avoid exposing internal IDs via the API
✓ Alternative: GET https://myapis.com/resources/me
Prevent data scrapping by putting rate limiting in place (by token, not by IP!)
10

11. API3 MITIGATION
Take control of your JSON schemas !
✓ Describe the data thoroughly and enforce the format at runtime (outbound)
✓ Review and approve data returned by APIs
Never expose tokens/sensitive/exploitable data in API responses
Never rely on client apps to filter data : instead, create various APIs
depending on consumer, with just the data they need
Beware of GraphQL queries!
✓ Validate fields accessed via query
11

12. © COPYRIGHT 42CRUNCH | CONFIDENTIAL
Another API3 vector: JWTs!
Recommended best
practice:
Use opaque tokens
for external
consumption
Use JWTs for internal
consumption

13. FACEBOOK (FEB 2018)
The Attack
✓ Account takeover via password reset at https://www.facebook.com/login/
identify?ctx=recover&lwv=110.
✓ facebook.com has rate limiting, beta.facebook.com does not!
The Breach
✓ None. This was a bug bounty.
Core Issues
✓ Rate limiting missing on beta APIs, which allows brute force guessing on
password reset code
✓ Misconfigured security on beta endpoints
13
A2
A3
A4
A5
A6
A10
A9
A8
A7
A1
https://appsecure.security/blog/we-figured-out-a-way-to-hack-any-of-facebook-s-2-billion-accounts-and-they-paid-us-a-15-000-bounty-for-it

14. API2 (BROKEN AUTH) MITIGATION
Choose the right authentication depending on data/operation sensitivity !
Enforce 2FA, captcha
Use secure storage for credentials
Use short-lived access tokens and limit their scope
Use MutualTLS when applicable (known/controlled partners)
Use OAuth properly (most likely authorization_code with PKCE)
✓ Financial API Grade profiles as reference (https://openid.net/wg/fapi/)
Make sure you validate JWTs according to Best Practices (RFC 8725) - https://
www.rfc-editor.org/rfc/rfc8725.txt
14

15. © COPYRIGHT 42CRUNCH | CONFIDENTIAL
Beware of URLs
https://www.trendmicro.com/en_us/research/19/i/when-psd2-opens-more-doors-the-risks-of-open-banking.html

16. API4 (RATE LIMITING) MITIGATION
Protect all authentication endpoints from abuse (login, password reset,
OAuth endpoints)
✓ Smart rate limiting : by API Key/access token/user identity/fingerprint
✓ Short timespan
✓ Counter example: Instagram, 200 attempts/min/IP for password reset
16
“In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big but that’s actua
easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to
perform the complete attack of one million codes”

17. APACHE STRUTS : EQUIFAX AND MANY MORE (2017)
The Attack
✓ Remote command injection attack: server executes commands written in ONGL language when a
Content-Type validation error is raised.
✓ Example:
✓
Core Issue
✓ Unpatched Apache Struts library, with remote command injection vulnerability, widely exploited
during months.
17
A2
A3
A4
A5
A6
A10
A9
A8
A7
A1
https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

18. API 7 MITIGATION
Reject requests with unknown path/verbs
TLS is on by default
✓ TLS 1.2 minimum with strong cipher suites
✓ Test your API endpoints with SSLLabs.com
Change default credentials/ports
Automatically inject security headers
18

19. API 7 MITIGATION
Keep systems and software at
latest level
Limit your external
dependencies
Control those dependencies in-
house (enterprise repository)
No Trust !! Continuously test for
vulnerabilities and leaking
secrets (OS, libraries, docker
images, kubernetes deployment
files, etc.)
19

20. API 7 MITIGATION
20

21. API 8 MITIGATION
No Trust! (even for internal APIs and for East-West traffic)
Validate user input, including headers like Content-Type or
Accept
Check behaviour of your dev frameworks when wrong
Content-Type is used
✓ Many default to sending an exception back but experience varies
21

22. A10 : LOGS, LOGS, LOGS!
Log all API activity
Pushed to security platforms such as SIEMs for automated Threat
detection.
22

23. FINAL THOUGHTS!
Start worrying about API Security at design time
✓ A vulnerability discovered at production time costs up to 30x more to solve
Hack yourselves!
✓ For each functional test, create 10 negative tests
✓ Hammer your APIs with bad data, bad tokens, bad users
Automate Security
✓ Inject Security into DevOps practices and don’t rely on manual testing of APIs.
23

24. Thank you!
Contact us | info@42crunch.com | 42crunch.com
Free security tools from 42Crunch
https://42crunch.com/resources-free-tools/

25. News and tools for better API Security
SUBSCRIBE TODAY!