A Python script has been used to recover more than 10,000 API (Application Programming Interface) keys from the Wayback Machine, a project that archives the content of internet sites.
While conducting a security assessment on a website, security researcher Abdulrahman-Kamel created a Python script that searched through archived requests in the Wayback Machine.
Using this script, the researcher extracted API keys from the archived requests and filtered out those that had expired or been revoked, leaving more than 10,000 API keys.
In this case, the impacted sites committed the worst form of offense: they relied on API keys submitted as parameters within a URL (i.e., in a GET request), says Michael Isbitski, Technical Evangelist at Salt Security. “This implementation approach goes against security best practice, where no sensitive data should be submitted in a URL. Sensitive data in URLs is often logged, and such data can often be harvested later by an insider threat or external attacker. API keys fit the definition of sensitive data, and they can provide access to poorly designed and protected API endpoints. This sensitive data is also sometimes inadvertently and automatically archived by the Wayback Machine project,” Isbitski adds.
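The logging problem Isbitski describes is easy to check for on the defending side. The following added example (not the researcher's script, and not Salt Security code) scans constructed access-log lines for query parameters whose name or value looks like a credential, reports the offending parameter names, and produces a redacted URL that is safe to write to logs or hand to an archiver. The parameter-name list, the entropy threshold and the sample log lines are assumptions; the key strings are made-up placeholders.

```python
"""Find and redact API keys carried in URL query strings.

Added example, not the page's script. Scans constructed sample
access-log lines for query parameters whose name or value looks like
a credential and emits a redacted URL safe for logging.
"""
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that conventionally carry credentials (assumption: a
# starting list; extend it for your own APIs).
SENSITIVE_PARAM_NAMES = {
    "api_key", "apikey", "api-key", "key", "token", "access_token",
    "auth", "secret", "client_secret", "password", "sig", "signature",
}


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random keys score high, words low."""
    if not value:
        return 0.0
    counts = Counter(value)
    length = len(value)
    return -sum(c / length * math.log2(c / length) for c in counts.values())


def looks_like_secret(name: str, value: str) -> bool:
    """Flag a parameter by its name, or by a long high-entropy value.

    The 3.5-bit threshold is an assumption; tune it against your own traffic.
    """
    if name.lower() in SENSITIVE_PARAM_NAMES:
        return True
    return len(value) >= 20 and shannon_entropy(value) > 3.5


def scan_url(url: str):
    """Return (finding_names, redacted_url) for one URL or request path."""
    parts = urlsplit(url)
    findings = []
    kept = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if looks_like_secret(name, value):
            findings.append(name)
            kept.append((name, "REDACTED"))
        else:
            kept.append((name, value))
    redacted = urlunsplit(parts._replace(query=urlencode(kept)))
    return findings, redacted


# Constructed sample access-log lines (common log format). The key values
# are placeholder strings, not real credentials.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:12:00:01 +0000] "GET /v1/weather?city=Oslo&api_key=AKIA0000EXAMPLEKEY1234 HTTP/1.1" 200 512
203.0.113.6 - - [10/Mar/2021:12:00:02 +0000] "GET /v1/search?q=python+tutorial&page=2 HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2021:12:00:03 +0000] "GET /v1/export?format=csv&sig=9f3kQm2ZxL7vR8pW4tYb6nHc1dJe5sAa HTTP/1.1" 200 99
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def scan_log(text: str):
    """Return [(line_no, finding_names, redacted_line)] for lines carrying secrets."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings, redacted_path = scan_url(m.group("path"))
        if findings:
            redacted_line = line[:m.start("path")] + redacted_path + line[m.end("path"):]
            results.append((line_no, findings, redacted_line))
    return results


if __name__ == "__main__":
    for line_no, findings, redacted in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: credential in query parameter(s) {findings}")
        print(f"  safe to log: {redacted}")
```

Run the same `scan_url` check in the request-logging layer of the API itself, so a key that arrives in a GET query string is redacted before it reaches access logs, proxies or any archiver; the name-based rule catches conventional parameters and the entropy rule catches the ones with unusual names.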
The Python script created by the researcher also tested for the validity of a given API key as an access credential to a given API endpoint, Isbitski says. “Knowing that many organizations fail to rotate API keys though, the API keys in question still gave access to many API endpoints.”
As an API security best practice, no API keys or secrets should be embedded in applications or code because attackers can easily harvest them. API keys alone are not intended as a means of authentication — they must be paired with other authentication and authorization material to provide robust access control, Isbitski says. Salt Security, for example, speaks to this in the recently published API Security Best Practices at https://content.salt.security/wp-api-security-best-practices.html.
Because attackers regularly steal credentials or hijack authenticated sessions through various techniques, including social engineering, phishing, person-in-the-middle attacks, and reverse engineering code, Isbitski says organizations need runtime behavior analysis to detect and stop events when authentication material is compromised and in turn used to abuse APIs. “Strong access control is only one aspect of API security.”
Ryan Kennedy, Application Security Consultant at nVisium, says API security is becoming increasingly important in modern applications, with OWASP having released the first version of the API Security Top Ten in 2019. “Developers should be proactive in ensuring that API tokens can be properly rotated in the case of accidental exposure. Users may accidentally expose tokens in various ways, such as being submitted to an archiving service or included in a public GitHub repository,” he adds. “Developers can also mitigate the potential impact of API token leakage. For instance, sensitive operations should require a tightly scoped token which can only be sent in requests using a subset of permitted methods, such as POST requests to the relevant API endpoints.”
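Kennedy's two mitigations, rotation and tight scoping, can be shown in a small authorization check. The following added example (not nVisium's or OWASP's code) accepts a token only from the `Authorization` header, rejects any request that carries a credential-looking query parameter, limits each token to an explicit set of (method, path prefix) grants, and rotates a token by issuing a replacement with the same grants and revoking the old one. The `Token` class, the grant format, the in-memory token store and the placeholder token strings are all assumptions.

```python
"""Scoped, rotatable API tokens.

Added example, not the page's code. Tokens are accepted only as a
bearer header, each token is limited to explicit (method, path prefix)
grants, and rotation revokes the old token so a leaked copy stops working.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Token:
    value: str          # the bearer string (constructed placeholder)
    grants: frozenset   # set of (method, path_prefix) this token may use


# Constructed token store: a read-only search token and a narrowly scoped
# one that may only POST to the export endpoint. Assumption: an in-memory
# dict stands in for whatever database the real service would use.
TOKENS = {
    "tok_read_0001": Token("tok_read_0001", frozenset({("GET", "/v1/search")})),
    "tok_export_0002": Token("tok_export_0002", frozenset({("POST", "/v1/export")})),
}
REVOKED = set()  # bearer strings rotated out after a suspected leak

# Query-parameter names that are never accepted as a credential carrier;
# a request using one is refused even if a valid header is also present.
FORBIDDEN_QUERY_NAMES = {"token", "access_token", "api_key", "apikey", "key"}


def rotate(old_value: str, new_value: str) -> None:
    """Issue a replacement token with the same grants and revoke the old one."""
    old = TOKENS[old_value]
    TOKENS[new_value] = Token(new_value, old.grants)
    REVOKED.add(old_value)


def authorize(method: str, url: str, headers: dict) -> tuple:
    """Return (allowed, reason). Only 'Authorization: Bearer <token>' is accepted."""
    parts = urlsplit(url)
    query_names = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    if query_names & FORBIDDEN_QUERY_NAMES:
        return False, "credential in query string is not accepted"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    value = auth[len("Bearer "):]
    if value in REVOKED:
        return False, "token revoked"
    token = TOKENS.get(value)
    if token is None:
        return False, "unknown token"
    for allowed_method, prefix in token.grants:
        if method == allowed_method and parts.path.startswith(prefix):
            return True, "ok"
    return False, f"token not permitted for {method} {parts.path}"


if __name__ == "__main__":
    hdr = {"Authorization": "Bearer tok_export_0002"}
    print(authorize("GET", "/v1/export?format=csv", hdr))   # refused: wrong method
    print(authorize("POST", "/v1/export", hdr))             # allowed
    rotate("tok_export_0002", "tok_export_0003")
    print(authorize("POST", "/v1/export", hdr))             # refused: revoked
```

Because the export token is bound to `POST /v1/export`, a copy of it recovered from a logged or archived GET URL is useless for that endpoint, and after `rotate` even the correct method is refused for the old value; the query-string rule keeps clients from drifting back into the pattern the article describes.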
Securing APIs and understanding how they’re being used or abused is crucial for keeping data safe in cloud-based apps and infrastructure, explains Hank Schless, Senior Manager, Security Solutions at Lookout.
“Just like any other integrated or connected technology, IT and Security teams need to have visibility into how data flows through APIs, whether they’re properly configured, and how they behave. Advanced cloud access security broker (CASB) solutions can help mitigate the risk of misconfigured or abused APIs. Cloud security posture management (CSPM) and SaaS security posture management (SSPM) are aspects of many CASB solutions that help admins understand whether a SaaS or IaaS app’s APIs are configured correctly. This is often done according to known best practices and industry benchmarks such as those from the CIS. It’s just as important to understand the behavior of the API and the data it helps move, which user and entity behavior analytics (UEBA) can help grant visibility into,” Schless notes. “Understanding the risks posed by APIs in your infrastructure is key in the journey to minimizing your risk surface by implementing zero trust across your infrastructure. While there’s no silver bullet to solving the challenges of zero trust, which is a constantly evolving battle, this type of visibility is a small but very important part of that journey that organizations need to be sure they’re solving for.”