Azure API Management flaws highlight server-side request forgery risks in API development

Microsoft recently patched three vulnerabilities in its Azure API Management service, two of which allowed server-side request forgery (SSRF) attacks that could have let hackers access internal Azure assets. The proof-of-concept exploits highlight common mistakes that developers make when trying to implement blacklist-based restrictions for their own APIs and services.

Web APIs have become an integral part of modern application development, especially in the cloud. They allow services to communicate and exchange data, let non-browser clients such as mobile apps and IoT devices securely access data and perform operations on behalf of users, and let businesses abstract backends from older servers and quickly interconnect them with modern applications and services. APIs are standardized and easy to interact with, instead of relying on custom legacy protocols that weren’t built for the web.

With companies pushing APIs into production at a rapid pace in recent years, the number of attacks targeting them has increased as attackers increasingly realize that insecure APIs can provide a backdoor to databases and internal infrastructure. According to global content delivery network provider Akamai, the number of attacks targeting APIs and web applications grew 2.5 times in 2022 compared to 2021. One of the emerging attack vectors in the past two years has been SSRF. The ProxyLogon, ProxyNotShell, and OWASSRF flaws in Microsoft Exchange servers are notable examples that have seen massive exploitation.

“Over the past two years, Akamai has seen a steady increase in both attack attempts and authorized vulnerability scan traffic looking for SSRF vulnerabilities in software other than Microsoft Exchange,” Akamai said in a recent report. “Also, we saw an average of 14 million SSRF attempts to probe the web applications and APIs of our App & API Protector customers, suggesting the growing prevalence of this vector. This growth and the potential impact that exploiting SSRF has on organizations is worth noting.”

SSRF via Azure API Management proxies

Microsoft’s Azure API Management is a service that allows companies to expose and monitor services hosted in Azure or within their private networks as APIs. It is aimed at API developers and consists of an API gateway, a management plane and a developer portal.

In an SSRF attack, the attacker must find a way to use the application’s proxy functionality to access internal resources, taking advantage of the server’s privileged position on the internal network. In other words, if an application or API allows users to provide a URL, then fetches that URL and returns the response, an SSRF attack is possible unless additional security measures are taken.
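The following is an added example, not code from the article, from Microsoft or from the Azure API Management service: it contrasts the string-matching deny-list the article warns about with a gate that validates the address a URL's host actually resolves to before a proxy is allowed to fetch it. All hostnames, addresses and the stub DNS table are constructed for the demonstration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed deny-list of the string-matching kind the article warns against.
NAIVE_DENYLIST = {"localhost", "127.0.0.1", "169.254.169.254"}
# Constructed stand-in for DNS so the example runs offline (hypothetical names).
STUB_DNS = {"internal.example": ["10.0.0.5"], "public.example": ["93.184.216.34"]}

def naive_is_allowed(url: str) -> bool:
    """Deny-list on the literal host text: it cannot see what the name resolves to."""
    host = (urlparse(url).hostname or "").lower()
    return host not in NAIVE_DENYLIST

def system_resolver(host: str) -> list:
    """Real resolver: every address (v4 and v6) the name maps to; OSError on failure."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def stub_resolver(host: str) -> list:
    """Constructed resolver: STUB_DNS names, literal addresses, else ValueError."""
    if host in STUB_DNS:
        return STUB_DNS[host]
    ipaddress.ip_address(host)  # a literal address resolves to itself
    return [host]

def hardened_target(url: str, resolver=system_resolver):
    """Return (host, ip) to connect to, or None. Every resolved address must be global
    (no loopback, RFC 1918, link-local incl. 169.254.169.254, multicast, reserved).
    Connect to the returned ip and set the Host header yourself instead of resolving
    again: a second lookup could answer differently from the one just validated.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    try:
        addrs = resolver(parsed.hostname)
    except (OSError, ValueError):  # NXDOMAIN, timeout, unparseable literal
        return None
    for text in addrs:
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            return None
        # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 rules apply to it.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        if not ip.is_global:
            return None
    return (parsed.hostname, addrs[0]) if addrs else None
```

The deny-list passes any hostname it has never heard of, while the resolved-address check refuses it as soon as the name maps to an internal range; in production, pair the check with an allow-list of expected destinations where the API's purpose permits it.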

Copyright © 2023 IDG Communications, Inc.

Azure API Management is a cloud-based service that provides a layer of security and management around Azure Application Programming Interfaces (APIs). However, a recent security flaw has exposed server-side request forgery (SSRF) risks in developing APIs on Azure.

To understand what the flaw is and its impact, it is important to understand the fundamentals of request forgery. Web requests sent from clients to a web application follow a round-trip process: the request is sent from the client to the server, and the response is sent back from the server. If a malicious user is able to intercept the request and fabricate a malicious request before it reaches the server, the server can unwittingly carry it out as if it had originated from a legitimate request.

The SSRF flaw, detailed by security researcher Benoit Ancel, means malicious users can access critical infrastructure within a company’s network, such as databases, cloud service accounts and other internal networks.

Azure API Management, specifically, allows the developer to secure an API operation by specifying which caller IP addresses are allowed or not allowed. However, malicious users are able to bypass these filters by providing an IP address that the server interprets as a request to exfiltrate data via an SSRF attack.

At Ikaroa, we provide a holistic approach to endpoint security, including auditing for potential vulnerabilities related to request forgery, as well as other security risks. We strongly recommend that businesses using Azure API Management double-check their security settings and patch their systems if necessary. As request forgery, if not properly prevented, can have a damaging effect on the availability of a company’s data, it is paramount that vulnerabilities are addressed sooner rather than later.

Working with a team of experienced specialists can help companies identify and patch such vulnerabilities, ensuring that their data remains secure. As an experienced cloud security provider, we are committed to helping our customers stay safe and secure in an ever-changing landscape.

