/api/v3/invoices /api/v3/invoices/123 … /api/v2/messages /api/v2/messages/123 … CORS-requests to different apps: SPA + a lot of JS invoice.example.com conversation.example.com api.example.com
/api/v3 /api/v3/invoices* /api/v3/accounts* … Save to path-lists: /api/v3/invoices /api/v3/invoices/1234 /api/v3/accounts /api/v3/accounts/1234 The * tells us it supports direct requests or additional paths for IDs or similar: /invoices/123
available endpoints: • Also separate prefixes: /api /api/v3 /api/v2 /api/v1 … /conversations* /invoices* /users* … • And all subdomains used: invoice.example.com api.example.com business.example.com …
{ "attributes": { "user": { "email": "[email protected]", "phone": "004324235342" … } "New version of JSON-API for message boards leaked emails + phone numbers for all users"
endpoints not in use Might leak more data than the current one • That the micro-services might connect server-side: SSRF, path-traversal, bypass query-strings used…
endpoints not in use Might leak more data than the current one • That the micro-services might connect server-side: SSRF, path-traversal, bypass query-strings used… Example of this happening IRL!
call to a different service: route('/api/v3/invoices/{id}', () => { return api.call( `http://internal-api/api/v1/invoices/${id}? token=${userToken}` ) })
call to a different service: route('/api/v3/invoices/{id}', () => { return api.call( `http://internal-api/api/v1/invoices/${id}? token=${userToken}` ) })
with the SSO-key: { "iat": 123, "jti": "uuid", "name" "x", "email": "[email protected]", "external_id": "UUID" } unix timestamp random unique ID name for user, will be updated email for user, will be updated
with the SSO-key: { "iat": 123, "jti": "uuid", "name" "x", "email": "[email protected]", "external_id": "UUID" } unix timestamp random unique ID name for user, will be updated email for user, will be updated UserID to hijack account
want to hijack: https://example.zendesk.com/access/jwt? eYAAA.eYBBB.XXX • Zendesk will reply with a session as the UserID: https://example.zendesk.com/hc/en-us? flash_digest=0cbfae0bec0bfea08cbfec0
disclosed Zendesk SSO-key" • Send JWT for UserID you want to hijack: https://example.zendesk.com/access/jwt? eYAAA.eYBBB.XXX • Zendesk will reply with a session as the UserID: https://example.zendesk.com/hc/en-us? flash_digest=0cbfae0bec0bfea08cbfec0
to sensitive data in public AlgoliaDB" HTTP/1.1 200 OK {"result": [ {"id": 123, "user": "x", "email": "[email protected]", "phone": "003234234.."}, … ]}
expected to be secrets Third party apps with unclear docs if tokens should be secrets. • Secret ENV variables dumped in CI-minification If any minifications or Example of this happening IRL!