
Hello. This is the first time that I'm giving this talk, so expect some kind of inconsistencies. The talk is named "IDOR Myself In", and for those of you who don't know what IDOR means, it means insecure direct object reference, or, as everyone else is saying it, plus-one-ing your parameters, and other tales from API crypts.

First of all, an introduction. I'm Greek, as you can tell from my speech. I'm currently CTO at a French startup which is called Tremau; it has nothing to do with security, it's a compliance and regulation tech, regtech, startup. My research interests are mainly the APIs of IoT devices and industrial IoT devices, and web application security in general. I'm developing a machine learning tool to find API flaws; that's part of my 11-year PhD that I'm just not going to finish at any time soon, and, like my younger one said, I'm not even trying anymore. You can find me as @evstykas on Twitter.

I'm gonna start with a really good explanation of what API stands for. This is from MuleSoft, as you can see down there: API is the acronym for application programming interface, which is a software intermediary that allows two applications to talk to each other. In fewer words, it means that whenever you're talking to a backend over the internet, you are talking to an API.
Where are APIs used? They are used on IoT devices, they're used in web applications, they're used in mobile applications, they're used in industrial IoT, they're used in vehicles, they're used in chargers, they're used in pretty much everything. Whenever you're opening up a mobile application and you're interacting with a device, you are using a two-way API: you are doing a call to the API, and the API is also doing a call, either via MQTT or HTTP, to the device.

The vulnerabilities. Back when I started pen testing, seven or eight years ago, we were always saying "it's just an API, you can't do anything really bad with that". Well, you can gain full functionality of all the IoT devices, you can make them do really, really unintended things, you can pass through firewalls. So keep in mind that if you have your IoT devices in your same network and someone compromises your IoT device, via an API or any other way, he can pivot into internal networks, and he could reflash and potentially break the IoT device. The other attacks that we are going to see are SMS attacks: if the IoT device has a SIM in there, it could be used for phishing, or to win Eurovision, as I usually say, so you can send a thousand or a million SMSs if you are good enough. You can also do a distributed denial of service attack, as Mirai did back in the day. You can do ransomware attacks on the same IoT device, and when you're using an API you don't need Shodan, you don't need to search for anything; you're just accessing the API, and when you are moving laterally you can find all the devices that you want. In the last couple of years we have seen a lot of people using third-party backends, which means that, as you can see from there, we are hacking an IoT thing and we end up on a third-party backend which has access to a lot of other IoT things. The last example that I have is a charger hack: we're going to treat a car charger hack, and I ended up with a couple of million devices which were not only chargers but also PVs and a lot of other IoT devices.

The special devices that I always like attacking are industrial IoT. Why is that? Because historically they're isolated, so if you get access to an industrial IoT device you are respected and accepted as authenticated. They have a really long lifespan, so you will be able to see things in that field that are older than me, and I'm close to 40 right now. They're rarely updated, so you will see a lot of TLS issues, a lot of issues that you never ever would expect to see in 2022. They're safety critical, they have a high uptime, they have unencrypted protocols, which means that once you're in you can sniff everything, and usually when they want to make it smart they end up with IP to RS-232 or other kinds of monstrosities; yeah, they're just putting serial onto the internet. And as Mikko Hyppönen said, when it is smart, it's vulnerable.

So what's the plan, how are we going to approach the talk from here on? I'm going to present you with some vulnerabilities. It's mostly a reworded OWASP API Top 10; you have to read it, you have to understand it, it's pretty easy to replicate. The exploitability ranges from really, really easy to just easy.
There's nothing which is really like kernel hacking or anything really extreme; I always like the easy way. And the severity is from bad to, I don't know, nuclear bad.

I have to say that before I start presenting, API research 101: it's quite tricky when you're doing API research. In the UK there is a law which is called the CMA, the Computer Misuse Act; in the EU we also have one, I don't remember its name. It's quite easy to break it and become a criminal just by doing some API testing. Never ever interact with a device that you don't own. If by mistake, which is quite easy to do, you do interact with a device, or you get platform admin, that would be breaking the CMA; notify the vendor immediately and hope that, in good faith, you're not going to be under the law. Whatever is in red on my talk is breaking the CMA; don't do it.

So we're starting with classic IDOR. IDOR stands for insecure direct object reference. You have to learn that when you're authenticated you are not authorized; if you don't learn it, API Jesus will be after you. So what is the classic IDOR? It's the classic plus one: when you see a parameter and it has a number, and if you go up one or down one and this device is not yours and you can interact with it, you have a classic IDOR. It's a typical symptom of missing authorization. The UUID is not the solution: the fact that I cannot plus one or minus one, but I do have access if I have a way to leak, get from a leak, or somehow guess the UUID, means that this is not solved; this is just another hurdle that I will have to pass, and it could lead to leaking everything and breaking everything.

The first example is Viper SmartStart; that's a car alarm. You can see it in here, right? So you are updating your own: you can see on the top the number 861772, and you were updating 861771 with your email. Also, if you are a developer and you have seen something like that, email at millionaire.com, I'm sorry, I have tested your system, sorry; it's not bad. So what's the IDOR? That's how anyone could update their own profile, so you would just change the ID in there and you would update someone else's profile, which means you could update the email, the password of anyone else, then go to his vehicle; actually you could geolocate his vehicle. So you could start moving around, changing passwords, see, find the Porsche, I don't know, you're a Tesla guy, go to a Tesla, unlock the car, start it, because it also had start/stop, and then drive away with it, just with the plus one.

The second one is even funnier. It's a Chinese car charger, Project EV. It's probably one of the worst APIs I have ever seen, and I have seen a lot of APIs. That's the whole request; every request is that. You can see that it has a charger ID, and it's missing something quite like the most important stuff: it doesn't even have authentication or authorization. So it was checking for a login; it was saying yeah, this is your login, this is your charger, and then every request was done anonymously. So you could just do all the chargers and do full functionality on all the devices: you could lock it, unlock it, you could do firmware updates, because yeah, who needs signatures on their update, you could backdoor it, pivot into the internal network (that should also be red, sorry), PII leak, you could break it, and you could also take platform admin on the server, again just with the plus one. The solution is you have to learn that authentication doesn't mean authorization; if someone is authenticating, it doesn't mean that he should have access to all the devices of your platform.

The second issue is the lazy REST implementation; that's called mass assignment on the OWASP Top 10.
Usually what we do, what the automated tools do, and what my tool, my AI tool, tries to do, is it gets the request, it gets the response, and it tries to find if something that is in the response is not in the request. This means that someone might be using an ORM, object-relational mapping, lazily, and it could just pass the full object; that means that you could change things that you shouldn't. Another charger, a really, really good API; that's one of the best APIs that I have ever seen, but yeah, unfortunately they were passing your own roles on your profile. So when I passed a role which was a test, it said no, this is not an accepted role. You could also pass user, account owner, admin, and then admin. So, looks really nice, right? So what was that? Total compromise of everything, PII leaks, I had all admin functionality, I had platform admin, I had server admin, I could literally just delete everything. Don't do that; that's also in red. What should we do to fix that? "You should always need to check response and requests"; no, no, that's not what it should say in there. So what you should do is never use an ORM lazily. Always whitelist what you are accepting, never blacklist, always use the whitelist. So if in your profile you are accepting only username and password, you should accept only those and not the roles. There is no way anyone should be able to self-upgrade themselves to anything else.

Another lazy REST implementation: it's the Troy Hunt story, as you can see in here. This was a kids' watch which had one-press phone call, and if you were a helicopter parent you could see where your kid was. This is an open API; you can see the filter that says family identifier equals 2034, so if you just remove the filter you would get all the users. Why not? If you change that family identifier you would get some other family, and the even worse thing is that you could do that and change the location of somebody else. So they set it up with me: this is Troy Hunt's daughter, and I'm in Greece, she's in Australia. You're not going to hear it; the watch is ringing, she's responding, she's seeing that her dad is calling her, but it's somebody else's dad, that's the story, and she responds to me and I respond to her. So that's a really, really lazy implementation. What I could do: total compromise of everything, PII leakage, all admin functionality, platform admin, again a really bad API. If possible, avoid using functions that automatically bind the client's input into code variables or, in general, objects; that's an OWASP recommendation. Whitelist, as I said; if applicable, explicitly define and enforce schemas for input data payloads. As I said, try to whitelist, try to use models that have only the data that you accept, that you should accept, and process them.

User group juggling. This is my favorite vulnerability; a lot of people don't look after it. So what you're doing is, when a web application or an API is giving you user groups, you try to trick it into adding your user into another group, into changing your group into someone else's, or adding your group into another company, because that's what you do. Multiple potential ways of user group juggling; I just told you a lot, you have to be creative. The developers should cover everything, but they usually don't. If create is not vulnerable, also use edit group, because more often than not the edit is more insecure than the create, and it could leak the platform admin account, account takeover and a lot of things, because if you could add the group, or an admin, on the initial company group, you practically have platform admin. You know SonicWall; SonicWall is one of the, I think, fifth biggest firewall providers. Can you see the issue in here? They're providing the party group ID, and I just added somewhere another party group ID. So if I went to party group ID 1, which was SonicWall, and added myself as an admin, I could have done all those; SonicWall accepted that. That said, about that, I didn't do that, I'm not a criminal. So I could have had access to routers, firewalls, VPNs, security reports, traffic analytics, all those things, and it was really, really bad: we were looking at 50 million devices and, I think, 55,000 internal networks behind the firewall that I had access to, full access. Mimosa is another antenna provider slash firewall; it is being used by some military. You can see it again, right? You're adding on 1234, but the organization is 1, so I just got admin on organization 1, which was the Mimosa root account: all users' PII, access to all internal networks, full organization access. Mimosa just said thank you, and that was it. Really, both of them were really cool; they fixed it in less than a work day, which is really, really nice. Bugs are going to happen, issues are going to arise; it's how the providers treat the whole security issue that makes them look good or bad. Yeah, you should never be lazy; actually, be lazy, but when you go live don't be lazy, and always check for correct authorization. Check create and edit groups, especially on user access functions: when you have user access, when you're creating a user, when you're editing a user, check your ACL code meticulously so that you know that everything went well.

Second-level IDOR, which means when there is an IDOR, there's an ID which is OK, but there is a second level in there that is not checked and you can manipulate it. Check every combination where an attacker could leak into info leak and account takeover; check everything. There are not a lot of cases where everything is vulnerable; one parameter is enough to be vulnerable so that you can do an account takeover. Wallbox, another car charger that doesn't shoot. So in here the access config, which is who could access it: the 101612 was not vulnerable, but you could pass any charger that you want, so I could give my user access to all the chargers and end up with total control of all the chargers: lock and unlock, and it's harder, PII leakage. I didn't go to platform admin, so I guess it was not that bad.

Now that one is really nice, but REST verb juggling: you have to read and understand the REST principles. When you're getting a user or getting a device, usually when you POST or PUT it will update, edit or delete it, but developers are being lazy and again they are using what they're calling a full controller mapping, so they are also exposing a POST or PUT without having the implementation in there, so you could trick the server into doing something that the developer would not expect. It could lead to platform admin, account takeover, and I don't know, everything. Now, that's a bad thing: I had a really cool vulnerability in here which is still not fixed, and yeah, I'm not going to put this here today, sorry. I was 50/50 into dropping it because it's already three months, but as this is IIoT I'm not going to drop it every day, sorry. So never use the full controller URL mapping unless you know you will need everything. So if you don't want to update your charger, don't have the PUT verb. Always check for proper authorization and be extra careful on what you do with the URL mapping.

Hidden endpoints. So when you're an attacker, you should read JavaScript, you should get the Android source, you should get the iOS source, and get all the endpoints from there. If you don't see anything in your interactions when you are doing your tests with the mobile application or the web application, this means that this endpoint is either obsolete or for a user with privileges that you don't have, so this is an interesting endpoint. Use automatic tools; Burp has a really good extractor for all endpoints. Try to think where the developers would potentially cut corners and go there, and it could lead to really, really interesting stuff, as you're going to see later on. First is Pandora. Again, if you're a developer, never ever say you're unhackable. No one is unhackable; if they say it's unhackable, it attracts a lot of people that you don't want to attract. So in their JavaScript I could see that there was an API Sputnik workers ID; this was an internal workflow that Pandora had so that it could update the user to change their email to a Sputnik Pandora email and then update it. What we could do is change the ID, change the email, then reset the password, and boom. That also had a really nice internal microphone that you could snoop into users with, and profit. SETracker, I don't know if you know it; it's probably the biggest Chinese GPS kid locator. It had a JavaScript file that was named backup.js. When you see backup.js, you should look in there. It was referenced in the map; it had an older backup procedure in there: it was tarring all the source code and putting it in the web root with a really strange file name, but I had the file name, so I downloaded all the source code. This is red, don't do it. The source code had static keys, SSH passwords, database passwords; it had everything. You could get full RCE on 40 servers, you could do anything on 50 million devices, you could geolocate any device, you could use it to send any text, SMS, call any phone, use it to win Eurovision, so, I don't know, 30 million devices in Europe, I could make Greece, I don't know, Norway win Eurovision, and you could also listen to someone through the microphone. Hidden endpoints; that's also a really nice one. ChargePoint is one of the biggest public chargers; it had a public GraphQL with no authentication, just on the open internet. It was not used, but it was there in their Android application, and it was leaking their full schema. You could charge anything for free, you could stop a car charger, you could, I don't know, PII leak. The schema also had some credit card tokens; I didn't access them, because yeah, I want to go back to the US at some point in my life. When you're developing, keep in mind that people will look and they could buy your application, so don't hide in plain sight, don't be obscure; security through obscurity doesn't work. Always verify that proper authentication is being done on your admin endpoints. Test for broken workflows: the thing with Pandora, it should have been done only from admin; a broken workflow test, automated code testing, should have gotten it.

So back to recommendations: it's critical to authorize your requests. Authentication is nothing if you don't authorize, as I previously said. It's usually one or two requests that have been forgotten that you can use to get platform admin; once you get account admin it's usually easy to go to platform admin. Check that every request is authorized. Never ever trust user input. Thank you.
Any questions? Anybody? You have some more time. All right, guys in the back.

Audience: So what does your normal workflow look like? Do you do a lot of automation or is it mostly manual work?

Speaker: For pen testing, I'm mostly focusing on the logic flaws. So, as you have seen, obviously I also found a lot of SQL injections, XSS, all of that stuff that can be automatically tested, but that can be easily automated. For the logic flaws I have built an AI tool that is trying to find a lot of stuff, but it's usually just trying to understand what the developer wanted to do and trying to move around it to do something else.

Was there another? In the back row here.

Audience: More or less the same question, but any particular tooling aside from the obvious, like Burp Suite or grepping through source code or something like that?

Speaker: Usually I use Burp and then export everything to my AI tool, and actually any proxy could be OK to look at the requests.

Anybody else? OK, all from the same row; very curious people sitting here.

Audience: I noticed a lot of that is from mobile applications. Do you have any custom tooling for proxying mobile applications and decompiling, or are you just doing it manually as well?

Speaker: Well, you just put your proxy, then use Frida with a multiple-unpinning script to unpin it, and from there on it's just typical API calls for me. I'm not focusing on mobile applications, so if it has root detection and everything else, I usually try the normal stuff, and if that doesn't work I talk to someone who speaks mobile, because I'm not an expert in this kind of thing.

Anyone else? Thank you guys, thank you very much. [Applause]
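Editor's added example, not part of the talk and not code from any vendor it names: a small in-memory Python model of the three authorization bugs the speaker walks through (the classic plus-one IDOR on a profile update, mass assignment of a role through a lazy ORM-style binder, and user-group juggling across organisations), each beside the check that closes it, plus the request-versus-response heuristic the speaker says his tool uses to spot mass-assignment candidates. All user IDs, e-mail addresses, org and group numbers and role names are constructed for the example.

```python
"""Added illustration (editor's example, not code from the talk or from any
vendor it names). A toy in-memory API shows the three authorization bugs the
talk walks through and the checks that close them. User IDs, org IDs, group
IDs, e-mail addresses and role names are all constructed."""

from dataclasses import dataclass


class Forbidden(Exception):
    """Raised where a real API would return HTTP 403."""


@dataclass
class User:
    id: int
    org_id: int
    email: str
    role: str = "user"   # constructed roles: user | account_admin | platform_admin


def fresh_state():
    """Constructed sample tenancy: org 1 owns group 1, org 2 owns group 4."""
    users = {
        861771: User(861771, org_id=1, email="alice@example.com"),
        861772: User(861772, org_id=2, email="bob@example.com", role="account_admin"),
        1: User(1, org_id=1, email="root@example.com", role="platform_admin"),
    }
    groups = {1: {"org_id": 1, "members": {1}}, 4: {"org_id": 2, "members": {861772}}}
    return users, groups


def denied(fn, *args):
    """True if the call is refused with Forbidden; used to check the hardened paths."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


# 1. Classic IDOR: PUT /user/<id> trusts the id in the URL.
def update_email_vulnerable(users, caller_id, target_id, payload):
    users[target_id].email = payload["email"]   # authenticated, never authorized
    return users[target_id]


def update_email_fixed(users, caller_id, target_id, payload):
    caller = users[caller_id]
    if target_id != caller_id and caller.role != "platform_admin":
        raise Forbidden("object-level authorization failed")
    users[target_id].email = payload["email"]
    return users[target_id]


# 2. Mass assignment: a lazy ORM-style controller binds every body key.
ALLOWED_PROFILE_FIELDS = {"email"}


def patch_profile_vulnerable(users, caller_id, payload):
    user = users[caller_id]
    for key, value in payload.items():          # "role": "platform_admin" lands here too
        setattr(user, key, value)
    return user


def patch_profile_fixed(users, caller_id, payload):
    unexpected = set(payload) - ALLOWED_PROFILE_FIELDS
    if unexpected:                               # allow-list, never deny-list
        raise Forbidden(f"unexpected fields: {sorted(unexpected)}")
    for key in ALLOWED_PROFILE_FIELDS & set(payload):
        setattr(users[caller_id], key, payload[key])
    return users[caller_id]


def mass_assignment_candidates(request_body, response_body):
    """The talk's heuristic: fields echoed in the response that the request never
    sent are the ones worth replaying in the request body."""
    return sorted(set(response_body) - set(request_body))


# 3. Group juggling: POST /group/<gid>/members checks the role, not the tenancy.
def add_member_vulnerable(users, groups, caller_id, target_id, group_id):
    if users[caller_id].role not in ("account_admin", "platform_admin"):
        raise Forbidden("admin role required")
    groups[group_id]["members"].add(target_id)  # group_id may belong to another org
    return groups[group_id]["members"]


def add_member_fixed(users, groups, caller_id, target_id, group_id):
    caller, target, group = users[caller_id], users[target_id], groups[group_id]
    same_tenant = caller.org_id == target.org_id == group["org_id"]
    if caller.role == "platform_admin" or (caller.role == "account_admin" and same_tenant):
        groups[group_id]["members"].add(target_id)
        return groups[group_id]["members"]
    raise Forbidden("group is outside the caller's organisation")
```

The fixed variants make the same decision the talk asks for: authentication identifies the caller, and every object touched (the target user, the group, the group's organisation) is then checked against that caller before the write happens. The allow-list in the mass-assignment fix is the "whitelist, never blacklist" rule applied to the body.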
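A second added example (editor's code, not from the talk): the hidden-endpoints step, extracting path templates from a client bundle and diffing them against the endpoints seen in proxied traffic, which the speaker says leaves either dead code or a privilege level you do not have. The JavaScript bundle, every path in it and the list of observed endpoints are constructed for this example; Burp's extractor, which the speaker mentions, is not reproduced here.

```python
"""Added example (editor's, not code from the talk): pull API paths out of a
client bundle and flag the ones that never showed up in proxied traffic."""

import re
from urllib.parse import urlparse

# Constructed stand-in for a minified web or mobile bundle. Every path in it
# is invented for this example.
SAMPLE_JS = r'''
var api = "/api/v2";
fetch(api + "/user/" + uid + "/profile");
$.post("https://example.invalid/api/v2/chargers/" + id + "/lock", body);
fetch("/api/v2/vehicles/861772/unlock");
if (isAdmin) { axios.get(`/api/v2/admin/workers/${wid}`); }
// legacy, left in the bundle:
include("/static/backup.js");
'''

# Constructed list of what a proxy saw while clicking through the app.
OBSERVED = {"/api/v2/user/{param}/profile", "/api/v2/chargers/{param}/lock",
            "/api/v2/vehicles/{param}/unlock"}


def _quoted(q):
    # one quoted-string alternative per quote character, no capture groups
    return q + r'(?:[^' + q + r'\\]|\\.)*' + q


STR = '|'.join(_quoted(q) for q in ('"', "'", '`'))
IDENT = r'[A-Za-z_$][\w$]*'
TOKEN = '(?:' + STR + '|' + IDENT + ')'
CHAIN_RE = re.compile(TOKEN + r'(?:\s*\+\s*' + TOKEN + ')*')   # "a" + b + "c"
TOKEN_RE = re.compile(TOKEN)
CONST_RE = re.compile(r'\b(?:var|let|const)\s+(' + IDENT + r')\s*=\s*(' + STR + ')')
TEMPLATE_RE = re.compile(r'\$\{[^}]*\}')        # ${wid} inside template literals
NUMERIC_SEG_RE = re.compile(r'/\d+(?=/|$)')     # /861772/ -> /{param}/, the plus-one spot


def extract_endpoints(js):
    """Return the set of path templates referenced by the bundle."""
    consts = {m.group(1): m.group(2)[1:-1] for m in CONST_RE.finditer(js)}
    found = set()
    for chain in CHAIN_RE.finditer(js):
        parts = []
        for tok in TOKEN_RE.findall(chain.group(0)):
            if tok[0] in '"\'`':
                parts.append(tok[1:-1])
            else:                               # identifier: resolve a constant or treat as a parameter
                parts.append(consts.get(tok, '{param}'))
        path = ''.join(parts)
        if path.startswith(('http://', 'https://')):
            path = urlparse(path).path
        if not path.startswith('/'):
            continue
        path = TEMPLATE_RE.sub('{param}', path)
        path = NUMERIC_SEG_RE.sub('/{param}', path)
        found.add(path)
    # drop bare prefixes such as the "/api/v2" base constant
    return {p for p in found if not any(q != p and q.startswith(p) for q in found)}


def unobserved(js, observed):
    """Endpoints in the bundle that never appeared in traffic: per the talk, either
    dead code or a privilege level you do not have, so test those first."""
    return sorted(extract_endpoints(js) - set(observed))
```

Run against the constructed bundle, the two endpoints left over are the admin workers path and the stray backup.js, which is the kind of result the speaker describes for Pandora and SETracker. Concatenations are resolved through the bundle's own string constants, so a path split across `api + "/user/"` still comes out as one template, and numeric segments are collapsed so that the observed list matches regardless of which ID the proxy happened to see.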