Salt Security released new API threat research from Salt Labs detailing Elastic Injection attacks. The research highlights a widespread API vulnerability that results from the misimplementation of Elastic Stack, a group of open source products that use APIs for critical data aggregation, search and analytics capabilities. Salt Labs found that nearly every organization using Elastic Stack is affected by this vulnerability, which makes users susceptible to injection attacks. Bad actors can use injection attacks to exfiltrate data and launch denial of service (DoS) events. 

According to the Salt Security State of API Security Report, Q3 2021, API attacks have surged 348% in the last six months. The emergence of exploitable vulnerabilities alongside the proliferation of business-critical APIs exposes the significant security gaps that arise from integrating third-party applications and services. Exploiting the Elastic Stack vulnerability enables users to extract sensitive customer and system data or create a DoS condition that could render a system unavailable. Salt Labs first identified the exploitable flaws in a large online business-to-consumer (B2C) platform that provides API-based mobile applications and software as a service to millions of global users. Exploits that take advantage of this design weakness can create a cascade of API threats that correspond to common API security problems described in the OWASP API Security Top 10, including: 

  • excessive data exposure
  • lack of resources and rate limits
  • security misconfiguration
  • susceptibility to injection attacks due to lack of input filtering

Salt Labs researchers were able to show how the impact of the Elastic Stack design implementation flaws worsens significantly when an attacker chains together multiple exploits. To exfiltrate sensitive user and system data, attackers can abuse the lack of authorization between front-end and back-end services to obtain a working user account with basic permission levels, then make educated guesses about the schema of back-end data stores and query for data they aren’t authorized to access. Salt Labs was also able to show how lack of resource limitations can leave an organizations’ integrated back-end services vulnerable to a DoS attack that could render a service entirely unavailable or divert attention away from the malicious activity against other applications. 

“While not a vulnerability with Elastic Stack itself, the design implementation flaws that Salt Labs observed introduce just as much risk. The specific queries submitted to the Elastic back-end services used to exploit this vulnerability are difficult to test for,” said Michael Isbitski, Technical Evangelist, Salt Security. “This case shows why architecture matters for any API security solution you put in place – you need the ability to capture substantial context about API usage over time. It also shows how critical it is to architect application environments correctly. Every organization should evaluate the API integrations between its systems and applications, since they directly impact the company’s security posture.”

In its research efforts, Salt Labs could access extensive sensitive data, including account numbers and transaction confirmation numbers. Some of the sensitive data were also private and subject to regulation as defined by GDPR. Attackers could use this data to exercise other functionality available via APIs, including booking new services or canceling existing ones. This information could also be used to perpetrate other types of fraud, including the extortion of funds, identity theft, account takeover (ATO) fraud, and nefarious acts that could result in revenue loss in addition to substantial regulatory penalties and fines.

Jon Gaines, Senior Application Security Consultant at nVisium, a Falls Church, Va.-based application security provider, explains, “The Elastic Stack is notorious for excessive data exposure. A few years ago — and by default — data was exposed publicly. Since then, as mentioned by Salt Security, the defaults have changed. Keep in mind, this doesn’t mean that older versions aren’t grandfathered in or that minor configuration changes can’t lead to both of these newly unearthed vulnerabilities. There are — and have been — multiple open source tools that lead to the discovery of these vulnerabilities that I’ve used previously and continue to use. Unfortunately, the technical barrier of these vulnerabilities is extremely low. As a result, the risk of a bad guy discovering and exploiting these vulnerabilities is high. The severity depends on what the organizations themselves have exposed or allow in terms of permissions. From the outside looking in, these vulnerabilities are common sense for security professionals, authorization, rate limitations, invalidation, parameterized queries, and so forth. However, as a data custodian, administrator, or even developer, oftentimes you aren’t taught to develop or maintain with security in mind.”

Securing APIs and understanding how they’re being used, or abused, is a key part of keeping data safe in cloud-based apps and infrastructure, says Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based endpoint-to-cloud security company. “Just like any other integrated or connected technology, IT and Security teams need to have visibility into how data flows through APIs, whether they’re properly configured, and how they behave. Advanced cloud access security broker (CASB) solutions can help mitigate the risk of misconfigured or abused APIs. Cloud security posture management (CSPM) and SaaS security posture management (SSPM) are aspects of many CASB solutions that help admins understand whether a SaaS or IaaS app’s APIs are configured correctly. This is often done according to known best practices and industry benchmarks such as those from the CIS. It’s just as important to understand the behavior of the API and the data it helps move, which user and entity behavior analytics (UEBA) can help grant visibility into. 

“Understanding the risks posed by APIs in your infrastructure is key in the journey to minimizing your risk surface by implementing zero trust across your infrastructure. While there’s no silver bullet to solving the challenges of zero trust, which is a constantly evolving battle, this type of visibility is a small but very important part of that journey that organizations need to be sure they’re solving for.”

For more information, the Salt Labs report, API Threat Research: Elastic Injection, provides complete details of the Elastic Injection attack pattern, steps to propagate the attack, and suggested mitigation techniques.