Notes from Salt Labs’ Analysis of LEGO APIs

Here is the report that I’m taking notes on

1. APIs are at the heart of most modern businesses, but since software is being released so quickly, it's difficult for security to keep up.
2. Shiran Yodev decided to test some APIs and choose a business that is not necessarily ‘technology’ focused, so they decided to investigate the APIs of LEGO.
3. He found that the issues with the LEGO API would have allowed for the following:

• Manipulate service users to gain complete control over their accounts.
• Leak PII and other sensitive data stored internally by the service.
• Gain access to internal production data, which could lead to full compromise of the company’s internal servers.

4. He analyzed bricklink.com; an online trading marketplace for second-hand legos.

5. He was able to find an input field that allowed for input to be rendered as HTML, which led to an XSS attack ability.

6. He was able to find a sessionID embedded in the page’s code, even though he was not able to directly read the cookie value from document.cookie (it was HTTP only).

7. He then crafted some code to read the page's code and send it to his server. Because he was able to apprehend the sessionID, he was able to achieve a full account takeover.

8. In the ‘wanted list’ section a user can input a wanted item in XML format. BUT XML brings with it ‘XML External Entities’ To test for a vulnerable condition, headded an XML External Entity that refers to /etc/passwd/ and entered its content in the Item ID field.

When he clicked ‘proceed’, he got some contents of /etc/passwd back.

9. By later using the <remarks> field, in which any text can be inputted, he issued an XML request that returned the entire contents of etc/passwd

heyooooo!

In conclusion, here are some key takeaways from the author’s perspective:

1. XSS is sometimes unjustly underestimated because it is not a direct threat to the server. However, as users are compromised, the effect and damage can escalate quickly. The most important rule of thumb with XSS is to never trust user input. Input should be properly sanitized and escaped. For more information and specific ways to prevent XSS vulnerabilities, refer to the XSS Prevention Cheat Sheet by OWASP.
2. The session ID is a common target for attackers because it can often be used for session hijacking and account takeover. It is important to be very careful when handling it and not expose or misuse it for other purposes.
3. The easiest and most effective way to stop XXE injection attacks is to completely disable External Entities in your XML parser’s configuration. For more details on preventing these exposures, refer to the XXE Prevention Cheat Sheet by OWASP.