Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoine Carossio, Escape

Transcript

1. /56 API Secret Tokens Exposed in Frontends Insights from Analyzing

   1 Million Domains Reveal Critical Risks of the Modern Web 1
2. None

3. /56 Why looking for API Secrets in the wild? Detecting

   hard-coded secrets in frontends Critical findings… and millions of $ Recommendations for mitigating risks On today’s agenda 2 1. 2. 3. 4.

4. /56 3 Tristan Kalos linkedin.com/in/tkalos • Co-founder & CEO of

   Escape • Graduate from UC Berkeley • Ex-Researcher in Artificial Intelligence applied to Cybersecurity • Got hacked, built a cybersecurity startup Antoine Carossio linkedin.com/in/acarossio • Co-founder & CTO of Escape • Graduate from UC Berkeley • Passionate open-source contributor, co-author of GraphQL Armor • Huge Apple fan

5. /56 4

6. /56 Escape - the API Security Platform We help security

   teams discover and secure all their exposed APIs using AI, without an agent

7. /56 Past research 6 escape.tech/resources/

8. /56 7 Past research escape.tech/resources/

9. /56 8 https://escape.tech/the-api-secret-sprawl-2024

10. /56 9 Why is an API Secret leak a problem?

    1

11. /56 The significant rise of secret sprawl 10 • Tech

    is booming: every company has resources on the web • DevOps teams struggle to deploy assets effectively and security

12. /56 The significant rise of secret sprawl 11 • Tech

    is booming: every company has resources on the web • DevOps teams struggle to deploy assets effectively and security • Companies of all sizes are affected > Attack vector: Exposed APIs and exposed secrets

13. /56 12 SAST DAST RASP Why does this still happen?

    Threat Modeling SCA

14. /56 13 What about secrets?

15. /56 14 What about secrets in… repos?

16. /56 15 What about secrets in… APIs?

17. /56 What about secrets in… frontends??? 16 ?

18. /56 Detecting Hard-Coded Secrets in Frontends The algorithmic "Tour de

    Force" 17 2

19. /56 Frontend architecture 18

20. /56 Frontend architecture 19

21. /56 Frontend architecture 20

22. /56 Zoom on Javascript assets 21

23. /56 How to detect hard-coded secrets in frontends? 22 Documented

    Secrets

24. /56 How to detect hard-coded secrets in frontends? 23 Documented

    Secrets ⇒ use the good old regex!

25. /56 Filtering scoped tokens and public keys 24 Does not

    Protect Assets Filtered Out

26. /56 What about proprietary & undocumented secrets? 25 Proprietary &

    undocumented secrets?

27. /56 What about proprietary & undocumented secrets? 26 Entropy! Proprietary

    & undocumented secrets?

28. /56 What about proprietary & undocumented secrets? 27 Entropy! Javascript

    bundle randomness Proprietary & undocumented secrets? 💀 False positives

29. /56 28 Only true positive counts as we cannot emit

    confidence Unauthorized to test the tokens Entropy! Proprietary & undocumented secrets? 💀 False positives What about proprietary & undocumented secrets? Javascript bundle randomness

30. /56 29 Only true positive counts as we cannot emit

    confidence Unauthorized to test the tokens Entropy! Javascript bundle randomness Proprietary & undocumented secrets? 💀 False positives What about proprietary & undocumented secrets? Leveraging AST for high confidence signal

31. /56 Secret Sauce: Leveraging Abstract Syntax Tree (AST) 30 Goal:

    Restructure the code to understand the context where variables are declared and used

32. /56 Dead-simple and scalable architecture 31 150 Concurrent Pods

33. /56 32 956K Input Domains

34. /56 33 4 Domain per second 956K Input Domains

35. /56 34 4 Domain per second 69 hours Total scanning

    time 956K Input Domains

36. /56 Millions of requests later … 189.5M URLs scanned 35

    4 Domain per second 69 hours Total scanning time 956K Input Domains

37. /56 Millions of requests later … 189.5M URLs scanned 36

    4 Domain per second 69 hours Total scanning time 956K Input Domains 💰 $100 Computing cost

38. /56 Analyzing 1 Million Domains or how we traded $100

    for $ 20M… 37 3

39. /56 Nature of the findings 38 18,458 Total secrets found

40. /56 World-Wide exposure 39 #1 󰎙 with 6.26% of total

    exposed domains #1 EU 󰐗 with 5.89% of total exposed domains

41. /56 When it rains…💧 40

42. /56 When it rains, it pours… 🌧 41 28 biggest

    number of secrets exposed per domain 1.7 average exposed secrets per “vulnerable“ domain

43. /56 Frontend development bad practices are still prevalent 42

44. /56 Some development trends: Javascript Single Build 43 CI/CD tokens

    and environment secrets leaks in Javascript assets + .env

45. /56 Critical findings 44 1/3 could lead to an entire

    business shutdown

46. /56 Hard-coded private Keys, including Private RSA Keys (25%) 45

47. /56 Million $$ findings 46

48. /56 20 Million $$ findings (0.9%) 47 $17M on a

    single token

49. /56 How to secure API Secrets from being exposed? Our

    recommendations 48 4

50. /56 The secrets should not be accessed by the frontend…

    49 Frontend OpenAI Key ❌

51. /56 The secrets should not be accessed by the frontend…

    but the backend 50 Frontend OpenAI Key Frontend Backend OpenAI Key ❌ ✅

52. /56 Leveraging Type Prefixes 51 jetpack-io/typeid

53. /56 Leveraging Type Prefixes 52 jetpack-io/typeid The Perfect Example: Stripe

54. /56 Store your Secrets in Vaults, not .env files! 53

    Hashicorp Vault AWS Secret Manager

55. /56 Automation as a Service: Rotating and Scoped Tokens 54

    Vault Key Rotation Vault Dynamic Secret

56. /56 55 API Discovery & API Security 55 Thank you!

    Any questions? Antoine Carossio linkedin.com/in/acarossio Tristan Kalos linkedin.com/in/tkalos Try it yourself in 1 minute! app.escape.tech