API-first projects are commonly compromised because of leaked API tokens.
Token leaks happen mainly because of hardcoded tokens, which can be found in:
- Mobile app packages (App Store and Google Play packages)
- GitHub
- Public API collections such as Postman
The best way to find such leaks is to search by the API domain name you know, combined with keywords such as:
- Bearer
- Token
- Secret
- Access
- Password
- OAuth
- Authorization
Look at this GitHub dork for Salesforce APIs: https://github.com/search?p=2&q=%22my.salesforce.com%22+bearer&type=Code
OK, we found leaked tokens; what's next?
The best approach is to invalidate all of them at the IDM/auth level. However, that is not an easy task if you have many auth services and/or don't have session/token invalidation controls in place.
In that case, you can block such tokens as strings inside incoming API requests. For unmanaged APIs, you can install the open-source API Firewall proxy https://github.com/wallarm/api-firewall
and simply list the leaked API keys in a deny list: https://docs.wallarm.com/api-firewall/installation-guides/docker-container/#blocking-requests-with-compromised-authentication-tokens
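As an added illustration of the deny-list approach described above (this is not code from the post or from Wallarm's API Firewall), the following small request-gate checks every incoming request for known-compromised tokens before it reaches the API. The deny list holds only SHA-256 fingerprints, so the list itself is not a second copy of the secrets; the header and query-parameter names it inspects, and the token values, are constructed assumptions.

```python
import hashlib
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlsplit

# Header and query-parameter names commonly used to carry credentials (assumed set).
TOKEN_HEADERS = ("x-api-key", "x-access-token")
TOKEN_QUERY_PARAMS = ("access_token", "api_key", "token")


def fingerprint(token: str) -> str:
    """Hash a token so the deny list never stores compromised secrets in clear."""
    return hashlib.sha256(token.strip().encode("utf-8")).hexdigest()


def extract_tokens(headers: dict, url: str) -> list:
    """Collect every credential-looking value from a request (headers keyed lowercase)."""
    found = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("bearer "):
        found.append(auth[len("bearer "):].strip())
    for name in TOKEN_HEADERS:
        if headers.get(name):
            found.append(headers[name].strip())
    query = parse_qs(urlsplit(url).query)
    for name in TOKEN_QUERY_PARAMS:
        found.extend(query.get(name, []))
    return found


class TokenDenylist:
    """Rejects requests that present any token from a leaked-token list."""

    def __init__(self, leaked_tokens: Iterable[str]):
        self._hashes = {fingerprint(t) for t in leaked_tokens}

    def check(self, method: str, url: str, headers: dict):
        """Return (status, log_line): 401 with an audit line if a leaked token is seen."""
        lowered = {k.lower(): v for k, v in headers.items()}
        for token in extract_tokens(lowered, url):
            fp = fingerprint(token)
            if fp in self._hashes:
                return 401, f"denied {method} {url}: compromised token sha256={fp[:12]}"
        return 200, None


# Constructed sample: a token pretended to have been found hardcoded in a public repo.
LEAKED = ["sk_live_EXAMPLE_LEAKED_TOKEN"]
GATE = TokenDenylist(LEAKED)
```

Place the gate in front of the API (as middleware or in the reverse proxy) and ship the audit line to the SIEM, since a hit means someone is actively using a credential you already know was exposed.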
Posted in "hacking: security in practice": https://ift.tt/fdSK0v5