Method for exploiting IDOR on mongoDB based API
ARSTAR IT
Who we are?
Arstar IT provides high-profile consulting services and solutions to several verticals like:
• Gaming Industry (casinos)
• Agritech
• Localization
• Tech Startups
Founded in 2011. We deliver value to customers in the USA, Europe and LatAm.
What we will be covering
➔ Attack made on a B2C app serving a country's capital city (500k+ user base)
➔ Black-box mode: an external attacker's perspective
➔ Hunt for an IDOR vulnerability
➔ Citizen personal data exfiltration (PoC) by developing a custom API fuzzer
Scenario: Topology (diagram slide)
IDOR = Insecure Direct Object Reference
According to the OWASP definition:
“IDOR occurs when a user supplied input is unvalidated and direct access to the object requested is provided.”
IDOR is referenced in element A4 of the OWASP Top 10 in the 2013 edition.
IDOR is referenced in element A01 of the OWASP Top 10 in the 2021 edition.
IDOR - Attack flow (diagram slide)
Object ID in relational databases vs MongoDB
SQL: the key is usually an integer, maintained at table level.
MongoDB: the object key looks like a string (12-byte hex), maintained at system level.
MongoDB ObjectID
Looks random, but it is definitely not random (100% deterministic).
12-byte structure, represented as a hex string in JSON, i.e.:
(example ObjectID shown on the slide)
The structure can be parsed as follows:
(parsing diagram shown on the slide)
Note 1: machineID will change when working in a cluster/farm environment.
Note 2: ProcID will change when the farm node gets restarted.
Phases
1 - APK reverse engineering
2 - Object relevance analysis
3 - IDOR validation
4 - Fuzzing attack
Phase 1 - APK reverse engineering
Used a decompiler and found a clean JS file with all the API routes.
Alternative: use an SSL-capable REST sniffer like Fiddler and exercise all the possible use cases in the app.
Decompile APK -> Analyze code -> Find API routes
Phase 2 - Business object relevance analysis
Inspect the data model and try to determine which object type contains:
- Personal info (email, social id, location, salary)
- Org private info (invoice amount, client
- System parameters (system settings singleton)
Candidate object types shown on the slide: Subscriptions, Invoices, User, Payslip
Phase 3 - IDOR existence validation
1 - Created two accounts (like any regular Joe signing up)
2 - Obtained a valid Firebase token for each
3 - Used the token from account A to fetch a business object belonging to account B
Phase 4 - Fuzzer logic - loading initial data
1 - Collect a sample of licit business object IDs (we'll call them SEEDS)
2 - Parse each mongoId to determine machine id, timestamp, etc.
Phase 4 - Fuzzer logic - loading initial data
● Parameters:
  UnixTimeStampMax: sets the range of seconds to be scanned
  CounterMax: sets the range of counter values to be scanned
● Launch one thread for each MachineID value found. MachineID and process ID remain fixed.
● Thread logic: the initial timestamp is read from the seed ObjectID.
● Loop:
  For each timestamp value until UnixTimeStampMax, in steps of 1 s:
    increment the counter until it reaches CounterMax
(flowchart on the slide: load seed -> loop over each timestamp -> loop over each counter value)
Fuzzer in action (demo slide)
Possible fuzzer performance improvements
- Bidirectional fuzzing (increasing and decreasing)
- Recycle object keys to enumerate objects from other classes
- Beaconing: injecting new items to detect the current objectKey, allowing a real-time attack
- Mix faulty requests with licit ones (WAF evasion)
- RPM throttling (WAF evasion)
IDOR root causes - common pitfalls
● IDOR is 100% caused by human mistakes and has nothing to do with vulnerable software, 0-days, or missing patches
● Confusing authentication with authorization
● Lack of a granular access control mechanism in the framework (or skipping the existing one)
● Confusing layers, i.e. “we have SSL in place anyway”, “We are safe because we've implemented Auth0!”
● Product launch frenzy. Features eat the whole sprint.
● Nonexistent access control change management and continuous audit process.
● Thinking that DevSecOps is about scripting stuff for infra provisioning
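As an added illustration (not code from the talk or from the target app), here is the authentication-versus-authorization confusion from the root-causes slide in a Node.js + MongoDB style handler, with the Phase 3 cross-account request written as a check; the collection stand-in, the payslip documents and the user ids are constructed.

```javascript
'use strict';

// Minimal stand-in for a MongoDB collection so the example runs offline:
// findOne() supports the equality filters the handlers below use.
// With the real driver the call is `await collection.findOne(filter)`.
class FakeCollection {
  constructor(docs) { this.docs = docs; }
  findOne(filter) {
    return this.docs.find(d => Object.keys(filter).every(k => d[k] === filter[k])) || null;
  }
}

// Constructed sample data: two citizens, one payslip each (hypothetical ids).
const payslips = new FakeCollection([
  { _id: '60f1a2b3abcdef1234000001', owner: 'user-A', salary: 4200 },
  { _id: '60f1a2b3abcdef1234000002', owner: 'user-B', salary: 5100 },
]);

// req.user is assumed to have been set by token verification (for instance a
// Firebase token check) before the handler runs. That step is authentication
// only; it says who the caller is, not what the caller may read.

// Vulnerable: the object is fetched by id alone, so any authenticated caller
// who knows or guesses a valid id receives someone else's payslip.
function getPayslipVulnerable(req) {
  if (!req.user) return { status: 401 };
  const doc = payslips.findOne({ _id: req.params.id });
  return doc ? { status: 200, body: doc } : { status: 404 };
}

// Hardened: ownership is part of the query. A foreign id is indistinguishable
// from a nonexistent one, so the response does not confirm that it exists.
function getPayslipHardened(req) {
  if (!req.user) return { status: 401 };
  const doc = payslips.findOne({ _id: req.params.id, owner: req.user.id });
  return doc ? { status: 200, body: doc } : { status: 404 };
}

// Phase 3 style check, also usable as a CI/CD step with real tokens:
// caller A requests an object known to belong to B; true means access was denied.
function idorCheck(handler, callerId, foreignId) {
  const res = handler({ user: { id: callerId }, params: { id: foreignId } });
  return res.status !== 200;
}

// Demo: the same cross-account request against both handlers.
function demo() {
  const foreign = '60f1a2b3abcdef1234000002'; // owned by user-B
  return {
    vulnerable: idorCheck(getPayslipVulnerable, 'user-A', foreign), // false: leak
    hardened: idorCheck(getPayslipHardened, 'user-A', foreign),     // true: denied
  };
}
```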
Mitigation - Technical Level
- Monitor changes in your API contract structure (i.e. the Swagger contract). Route additions should never happen unnoticed.
- Implement a simple IDOR testing step in your CI/CD pipelines (you'll have to feed it with fresh valid auth tokens)
- Put access control at the top of your code-review procedure
- Feed your WAF with 500/404 events
- Do not import the whole API routes contract into the client-side files
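Added example, not part of the deck: a parser for the 12-byte ObjectID layout described on the MongoDB ObjectID slide, applied to constructed access-log lines to surface the bursts of 404s on related ids that the “feed your WAF with 500/404 events” bullet is about; the log format, client addresses and ids are assumptions.

```javascript
'use strict';

// Classic 12-byte layout as presented in the talk:
//   bytes 0-3  Unix timestamp (seconds, big-endian)
//   bytes 4-6  machine id
//   bytes 7-8  process id
//   bytes 9-11 counter
// Drivers since MongoDB 3.4 fill bytes 4-8 with one random value per process
// instead of machine id + pid, but those five bytes are still constant for a
// given process, so grouping on them works for both generations of ids.
function parseObjectId(hex) {
  if (typeof hex !== 'string' || !/^[0-9a-fA-F]{24}$/.test(hex)) return null;
  const b = Buffer.from(hex, 'hex');
  const timestamp = b.readUInt32BE(0);
  return {
    timestamp,
    date: new Date(timestamp * 1000).toISOString(),
    machineId: b.toString('hex', 4, 7),
    pid: b.readUInt16BE(7),
    counter: b.readUIntBE(9, 3),
  };
}

// Constructed access-log lines (hypothetical format: client, request, status).
// 203.0.113.7 requests ids that share machine id + pid and step the counter
// and timestamp; 198.51.100.5 is an ordinary user with a single stale-id miss.
const SAMPLE_LOG = [
  '203.0.113.7 "GET /api/invoices/60f1a2b3abcdef1234000001" 404',
  '203.0.113.7 "GET /api/invoices/60f1a2b3abcdef1234000002" 404',
  '203.0.113.7 "GET /api/invoices/60f1a2b3abcdef1234000003" 200',
  '203.0.113.7 "GET /api/invoices/60f1a2b4abcdef1234000001" 404',
  '203.0.113.7 "GET /api/invoices/60f1a2b4abcdef1234000002" 404',
  '198.51.100.5 "GET /api/invoices/5f0c1d2e11223344aa000007" 200',
  '198.51.100.5 "GET /api/invoices/5f0c1d2e11223344aa000008" 404',
  '198.51.100.5 "GET /api/me" 200',
];

// Flags clients whose 404s land on ObjectIds that all share one machine-id:pid
// prefix. The fuzzer in the talk keeps those bytes fixed per thread and walks
// timestamp and counter, so its misses cluster exactly this way; an ordinary
// user's occasional 404 does not reach the threshold.
function detectEnumeration(lines, minMisses = 3) {
  const perClient = new Map();
  const lineRe = /^(\S+) "[A-Z]+ (\S+)" (\d{3})$/;
  const idRe = /\/([0-9a-fA-F]{24})(?=[/?]|$)/;
  for (const line of lines) {
    const m = lineRe.exec(line);
    if (!m) continue;
    const idm = idRe.exec(m[2]);
    const oid = idm && parseObjectId(idm[1]);
    if (!oid) continue;
    if (!perClient.has(m[1])) perClient.set(m[1], []);
    perClient.get(m[1]).push({ status: Number(m[3]), oid });
  }
  const findings = [];
  for (const [client, reqs] of perClient) {
    const misses = reqs.filter(r => r.status === 404);
    if (misses.length < minMisses) continue;
    const prefixes = new Set(misses.map(r => `${r.oid.machineId}:${r.oid.pid}`));
    if (prefixes.size !== 1) continue;
    const stamps = misses.map(r => r.oid.timestamp);
    findings.push({
      client,
      misses: misses.length,
      hits: reqs.filter(r => r.status === 200).length,
      prefix: [...prefixes][0],
      windowSeconds: Math.max(...stamps) - Math.min(...stamps), // spread of probed timestamps
    });
  }
  return findings;
}
```

Each finding is a candidate event to forward to the WAF or SIEM; the hits count shows how many probes already returned data, which is what an incident responder needs first.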
IDOR Mitigation - Product Management Level
- Treat access control as a continuous process. Hire a pentester at the early stages.
- Evangelize about the difference between authentication and authorization
- Understand that a single data leak will kill your business reputation
- Never promote an MVP / prototype to be the real thing (get the funding to do things right!)
- Embrace complexity (because attackers do).
- Accept a small amount of bureaucracy (c'mon, it's not that tedious)
- Classify the information for each API route.
- Do not mix API scopes: B2B, B2C, integrations and internal scope. Keep those isolated. Implement only the strictly required routes on each.
- Get a framework when deciding on architecture. Vanilla code is far more prone to security errors. If you get a framework in place, leverage all its security features.
- Treat security as a product feature!
Ping me
lalvarado@arstar.com.ar
LinkedIn: Luis Alvarado Day

2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
