This week, we take a look at the recent API vulnerabilities found in SoundCloud and in the electric scooter service Lime. In addition, we have a set of tips for API penetration testing and a NIST whitepaper on microservices security.
Vulnerability: SoundCloud
Paulo Silva has published a very systematic and thorough report on API vulnerabilities that the Checkmarx Security Research team found in SoundCloud. (SoundCloud has promptly acknowledged and fixed the issues.)
The team discovered multiple API vulnerabilities, such as:
The /sign-in/password endpoint of api-v2.soundcloud.com did not implement proper account lockout based on failed authentication attempts. It relied solely on rate limiting, which could be evaded by using several combinations of user_agent, device_id, and signature.
Combined with the ability to enumerate accounts, this allowed attackers to locate valid user records and then brute force access using credential stuffing.
The /sign-in/identifier and /users/password_reset endpoints returned different responses when the login existed in the system compared to when no such user existed.
The /tracks endpoint did not implement proper resource limiting. It had no validation on the number of track IDs in the ids list, so it was possible to manipulate the list to retrieve an arbitrary number of tracks in a single request. Researchers could use these parameters to get back up to 689 tracks in a single request.
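As an added illustration (not code from the Checkmarx report or from SoundCloud), the snippet below sketches the server-side controls that close the three gaps listed above: lockout keyed on the account rather than on client-supplied headers, identical responses for known and unknown identifiers, and a hard cap on the ids list. The policy values, sample users and function names are assumptions, and the SHA-256 stand-in only keeps the example dependency-free.

```python
import hashlib
import hmac
import time

MAX_FAILED_ATTEMPTS = 5          # assumed policy values, not SoundCloud's
LOCKOUT_SECONDS = 900
MAX_IDS_PER_REQUEST = 50
GENERIC_AUTH_ERROR = "invalid identifier or password"
# Compared against when the identifier is unknown, so both paths do the same work.
DUMMY_HASH = hashlib.sha256(b"placeholder").hexdigest()

def password_hash(password: str) -> str:
    # SHA-256 keeps the example dependency-free; real code uses argon2/bcrypt/scrypt.
    return hashlib.sha256(password.encode()).hexdigest()

class AuthService:
    def __init__(self, users: dict, now=time.time):
        self.users = users            # identifier -> password_hash()
        self.failed = {}              # identifier -> (count, last_failure_ts)
        self.now = now

    def _locked(self, key: str) -> bool:
        count, last = self.failed.get(key, (0, 0.0))
        return count >= MAX_FAILED_ATTEMPTS and self.now() - last < LOCKOUT_SECONDS

    def sign_in(self, identifier: str, password: str, client: dict) -> dict:
        # `client` (user_agent, device_id, signature) may be logged but never feeds the
        # lockout decision: the caller controls those values and can simply rotate them.
        key = identifier.strip().lower()
        if self._locked(key):
            return {"status": 429, "error": GENERIC_AUTH_ERROR}
        stored = self.users.get(key, DUMMY_HASH)
        ok = hmac.compare_digest(stored, password_hash(password)) and key in self.users
        if ok:
            self.failed.pop(key, None)
            return {"status": 200, "user": key}
        # Unknown identifiers are counted too, so the 401...401...429 sequence is the
        # same whether or not the account exists (no enumeration via lockout).
        count, _ = self.failed.get(key, (0, 0.0))
        self.failed[key] = (count + 1, self.now())
        return {"status": 401, "error": GENERIC_AUTH_ERROR}

def parse_track_ids(raw_ids: str) -> list:
    # Reject oversized or malformed `ids` lists before any database work is done.
    ids = [s.strip() for s in raw_ids.split(",") if s.strip()]
    if len(ids) > MAX_IDS_PER_REQUEST:
        raise ValueError(f"too many ids: {len(ids)} > {MAX_IDS_PER_REQUEST}")
    if not all(s.isdigit() for s in ids):
        raise ValueError("ids must be positive integers")
    return sorted({int(s) for s in ids})
```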
Th ..