DB link security missing in the OWASP API Top 10 (sub-components of API)


abid khan

Sep 20, 2019, 2:34:08 AM
to API Security Project
Hi, as we know, an API is used for integration between two systems, where two different kinds of methodologies are used for the same: SOAP API and REST API. I'm not going to get into those methodologies, but the point I would like to highlight is listed below.

Now, there is a sub-component which is largely used by developers to connect services, called "DB-links" (I myself have seen it in many large financial organizations).

Now, if we miss that area in the OWASP API standard, which is a sub-component (technically speaking), it means there is a security hole we are leaving behind, despite releasing the OWASP API Top 10.

Note: I have personally seen such connectivity using DB-links, and developers usually avoid using APIs to connect their services (I'm talking about internal systems/services hosted on internal networks).

Now please advise so I can share my findings and some core technical details on how these links work and what the countermeasures would be against the risks/vulnerabilities associated with DB-links.

Regards:
ABID

Suresh Thivanka Rupasinghe

Sep 20, 2019, 3:55:05 AM
to abid khan, API Security Project
Hi Abid,
 
Good point.
When it comes to performance, which one is faster: API integration or DB-links?

Regards, 
Suresh Rupasinghe 


--
You received this message because you are subscribed to the Google Groups "API Security Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-security-pro...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/api-security-project/0d64f7a7-5db8-40f8-b45a-50bf4ab74262%40owasp.org.

Paulo Silva

Sep 20, 2019, 5:26:15 AM
to API Security Project
Hi Abid,
The DB-links technology you're introducing is the one that allows connections to
an external/remote database from within another database?

Something like what Oracle [1] and PostgreSQL [2] offer?

Considering the broader concept of API (Application Programming Interface) I
do not doubt that DB-links establish an interface so that two databases can
communicate. Nevertheless, I am not sure DB-links are in OWASP API Security
Project scope: Web APIs [3].

How do you see DB-links in the OWASP API Top 10?
* What weakness would you remove from the actual Top 10?
* What kind of weaknesses do you usually find in DB-link interface?
* How frequent/severe are DB-links issues?

[1]: https://docs.oracle.com/cd/B28359_01/server.111/b28310/ds_concepts002.htm#ADMIN12083
[2]: https://www.postgresql.org/docs/9.3/dblink.html
[3]: https://en.wikipedia.org/wiki/Web_API

Cheers,



--
Paulo Silva

OWASP API Security Project - Project Main Maintainer
OWASP Go Secure Coding Practices Guide - Project Co-Leader

abid khan

Sep 20, 2019, 5:34:46 AM
to API Security Project, abid2...@gmail.com
DB links would be faster than an API, but there are more security concerns pertaining to DB links because they interact directly with the DB.

Regards:
ABID



abid khan

Sep 20, 2019, 6:18:36 AM
to API Security Project
Hi, please find my inline comments below.

On Friday, September 20, 2019 at 2:26:15 PM UTC+5, Paulo Silva wrote:

> Hi Abid,
> The DB-links technology you're introducing is the one that allows connections to
> an external/remote database from within another database?

True, but the point I'm trying to highlight is that the actual concept/objective of an API can be achieved using DB-links as well, so why not include it in OWASP API as a sub-component? I can do title fetch, granting access for any user to any role depending on the allowed functions, also fetching user details, etc. Note: the remediation steps are the same as API controls such as service authentication and authorization; therefore I believe we cannot treat DB-link security separately.

> Something like what Oracle [1] and PostgreSQL [2] offer?
>
> Considering the broader concept of API (Application Programming Interface) I
> do not doubt that DB-links establish an interface so that two databases can
> communicate. Nevertheless, I am not sure DB-links are in OWASP API Security
> Project scope: Web APIs [3].

I'm not sure about the scope of OWASP API, but I'm sure (technically speaking) that whatever the interface, API or DB link, the objective of both is the same, or you could say a little bit different. As of now I can do the same job using DB links, so I guess the topic should be covered with at least a slide to let security professionals/developers know how DB-links work and how harmful they are for organizations.

DB links or Rest API to read Data from 2 different DBs in Application

> How do you see DB-links in the OWASP API Top 10?

I'm sure it can be covered in a single slide (for those who prefer to use DB-links as compared to APIs). So far we (when I say "we" I mean the OWASP community) don't have any suggestions for DB-link users. As everybody knows, the objectives of APIs and DB-links are almost the same (in a few cases), so the suggestion should be something like covering every associated sub-component that is linked with the API objective.

>   * What weakness would you remove from the actual Top 10?

I don't see the OWASP API Top 10 from the weakness aspect; I suggest something as an addition to it: we need to add suggestions for DB-link users, as so far there are no suggestions in the current release of the OWASP API Top 10.

>   * What kind of weaknesses do you usually find in DB-link interface?

I see 3 major security issues (listed below) with DB-links.

  1. If the originating database is insecure and compromised, the database link could be used by an unauthorized user
  2. If the originating database is compromised, the user name and password of the database link connection could be compromised
  3. An adversary who gains access to a database link can execute queries with the privileges of the DBLink account

>   * How frequent/severe are DB-links issues?
>
> [1]: https://docs.oracle.com/cd/B28359_01/server.111/b28310/ds_concepts002.htm#ADMIN12083
> [2]: https://www.postgresql.org/docs/9.3/dblink.html
> [3]: https://en.wikipedia.org/wiki/Web_API
>
> Cheers,
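The three issues listed above, shown as an added example in SQL that is not from this thread or from the OWASP project. It uses the PostgreSQL dblink extension cited in the thread; the host, database, role, server and table names (orders-db, orders, link_reader, report_app, orders_srv) are assumptions. The weak form embeds a privileged account's password in application SQL; the hardened form moves the credential into a foreign server plus user mapping, scopes the remote account to SELECT, and takes the raw-connection-string functions away from PUBLIC.

```sql
-- Added example (not from the thread). PostgreSQL dialect, using the dblink
-- extension cited in the thread. Host, database, role and table names
-- (orders-db, orders, link_reader, report_app, orders_srv) are assumptions.

-- Weak pattern: a privileged account's password embedded in application SQL.
-- Anyone who can read this query text (issue 2) or run dblink() (issue 1)
-- gets a remote session with that account's privileges (issue 3).
SELECT id, total
  FROM dblink('host=orders-db dbname=orders user=postgres password=S3cret!',
              'SELECT id, total FROM orders')
       AS t(id integer, total numeric);

-- Hardened pattern, step 1 (run on the remote orders-db): a dedicated login
-- role that can only read the tables the link needs, so a compromised link
-- account cannot do more than SELECT (limits issue 3).
CREATE ROLE link_reader LOGIN PASSWORD 'rotate-me';
REVOKE ALL ON DATABASE orders FROM PUBLIC;
GRANT CONNECT ON DATABASE orders TO link_reader;
GRANT USAGE ON SCHEMA public TO link_reader;
GRANT SELECT ON orders TO link_reader;

-- Step 2 (run on the originating database): keep the connection definition
-- in a foreign server plus a user mapping instead of in query text. The
-- password then lives in the pg_user_mapping catalog, readable only by
-- superusers (limits issue 2), and only report_app may use the link (issue 1).
CREATE EXTENSION IF NOT EXISTS dblink;
CREATE SERVER orders_srv FOREIGN DATA WRAPPER dblink_fdw
  OPTIONS (host 'orders-db', dbname 'orders');
CREATE USER MAPPING FOR report_app SERVER orders_srv
  OPTIONS (user 'link_reader', password 'rotate-me');
GRANT USAGE ON FOREIGN SERVER orders_srv TO report_app;

-- Step 3: after CREATE EXTENSION the dblink functions that accept a raw
-- connection string are executable by PUBLIC; revoke that and grant it back
-- only to the application role. (dblink_connect_u is already superuser-only
-- by default.)
REVOKE EXECUTE ON FUNCTION dblink(text, text) FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION dblink_connect(text) FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION dblink_connect(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION dblink(text, text) TO report_app;

-- The application query no longer carries credentials: the first argument
-- is the foreign server name, resolved through report_app's user mapping.
SELECT id, total
  FROM dblink('orders_srv', 'SELECT id, total FROM orders')
       AS t(id integer, total numeric);

-- Audit: which links exist and which roles can use them (run as superuser).
SELECT s.srvname, s.srvoptions, um.umuser::regrole AS mapped_role
  FROM pg_foreign_server s
  JOIN pg_user_mapping um ON um.umserver = s.oid;
```

The same inventory on Oracle, the other vendor cited in the thread, is `SELECT owner, db_link, username, host FROM dba_db_links;`; a link whose `username` is a DBA-class account, or whose owner is PUBLIC, is the case issues 1 and 3 describe.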

Keith Casey

Sep 22, 2019, 10:44:45 PM
to API Security Project

I wasn't familiar with the "db link" concept before this thread but I can see how using one database as a proxy for another can simplify/eliminate replication issues. Unfortunately, that feels like an authorization issue waiting to happen.

Based on the description and the compromise pattern, I don't think this is specific or unique to APIs and more unique to a handful of database vendors.

Regardless, how are db link issues mitigated?
Would it be something in the API or the API gateway?
Would it be a matter of not mapping endpoints?
Or would it take arbitrary code/sql execution to have an impact?

keith

abid khan

Sep 23, 2019, 2:39:39 AM
to API Security Project
So am I supposed to see your response as info, or do you want to add or remove something?

Regards:
ABID

Paulo Silva

Sep 23, 2019, 5:14:55 AM
to abid khan, API Security Project
We're asking questions trying to understand why DB-links might be missing in OWASP API Top 10.

As I see it now, DB-links weaknesses are not API specific: any WebApp may have these same problems.

So, my opinion is that DB-links misconfiguration may lead to security problems likewise other misconfigurations.

We don't have statistical data to understand how frequently DB-links issues led to security incidents. Due to this fact I don't think we should change the Top 10 list. Instead, we should check whether DB-links deserve specific bullets on the Security Misconfiguration section.

Cheers,



--
Paulo Silva

OWASP API Security Project - Project Main Maintainer
OWASP Go Secure Coding Practices Guide - Project Co-Leader


abid khan

Sep 23, 2019, 5:55:30 AM
to API Security Project, abid2...@gmail.com
Thank you Paulo Silva for your valuable feedback. As I said above in my inline comments, we cannot separate this or mount it with web apps, as DB-links are used (not frequently, but still used) by developers to do a handshake from DB to DB without proper security configuration, where the API service might be considered more secure compared to DB-links; however, the same objective can be achieved by using an API.

Therefore I request the community of the OWASP API project to look into that matter and try to adjust it into some section like "Security Misconfiguration" to counter the risk associated with DB-links.

As far as the trend related to DB-link security is concerned, please see the link below, which highlights the top risks associated with the same.

Please note I have also highlighted (above) the three major security risks that are linked with misconfigured DB-links.


Regards:
ABID KHAN

Inon Shkedy

Sep 25, 2019, 8:05:08 AM
to API Security Project, abid2...@gmail.com
Hi,

Thanks for your feedback!
Even though it's very tempting to cover every security issue, unfortunately, we can not do it in the boundaries of the OWASP API Project.
I know it's a bit confusing because of the term API ("Application programming interface") is very generic.
But, when people say today "APIs" and the "API economy", they usually talk about web APIs (SOAP / REST) - for more information, please check this link.

If we wanted to cover every possible existing API, we would have to address many different technologies, like Win32 APIs, Linux API, etc.
Those technologies, together with DB Link, deserve their own projects and cheat sheets. 
We can not address all of them as part of the OWASP API project, because it's not the goal of the project.

On top of that, I had a chance to work with DB Links, and I believe that only specific types of companies/organizations use them (big enterprises, financial companies, etc)
On the other hand, APIs are used almost by every company that has developed a client-facing app in the last 5 years (basic comparison)

r00ter

Sep 25, 2019, 11:55:03 AM
to API Security Project, abid2...@gmail.com
Hi all, this is Dyan (having 6 years of experience in development and code review). As per my research and understanding of DB-links, there is no doubt that DB-links could be a subset of API security, but specific to the project (API Top 10) it doesn't deserve to be listed in the Top 10 of the API project (considering many observations, like the trend of compromise using DB-links, etc.). But having no direct link with APIs doesn't mean we should completely discard DB-link security from the API project; it might be harmful for those who still believe in using DB-links instead of APIs. I also agree with Paulo Silva to check how we can add this in the "Security Misconfiguration" area.
regds
dyan

Paulo Silva

Oct 7, 2019, 10:52:35 AM
to r00ter, API Security Project, abid khan
Hi All,
I think this thread should be closed since we agree that DB-Links are
out-of-scope. Moreover, I don't think DB-Links even deserve a special
reference on Security Misconfigurations otherwise, we would also have
to cover other more relevant database security weaknesses.

I was looking at the OWASP Cheat Sheet Series project [1] and I didn't
find any Database Security Cheat Sheet. Since there is, for example, a
Docker Security Cheat Sheet [2], the door is open to other web application
components cheat sheets. To me, it looks to be the right way to cover
database security in general and DB-Links.

Please consider opening an issue there [3].

[1]: https://github.com/OWASP/CheatSheetSeries
[2]: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Docker_Security_Cheat_Sheet.md
[3]: https://github.com/OWASP/CheatSheetSeries/issues

Cheers,

ABID KHAN

Oct 10, 2019, 8:00:22 AM
to API Security Project, umerfar...@gmail.com, abid2...@gmail.com
Thank you everyone for the participation. As suggested by Paulo Silva, please open an issue on the cheat sheet below in [3] so people can contribute more.

Dear Paulo, I would appreciate it if you could open a thread there in [3] (on my behalf) for more evaluation, as I don't have GitHub credentials to do so!

Thanks and regards
ABID KHAN

Paulo Silva

Oct 15, 2019, 7:08:34 AM
to ABID KHAN, API Security Project, r00ter
Hi Abid,

Since you can get a *free* GitHub account, I think it would be better to
open the thread yourself, otherwise you won't be able to follow and
share your ideas on this matter.

1. You can join here: https://github.com/join
2. Then, to open an issue for a new Cheat Sheet proposal, as discussed
earlier in this thread, go here [1].
3. Fill the form answering the questions and press "Submit new Issue"

This way you'll be able to follow the discussion and provide the required
information you may be asked for.

With your brand new GitHub account, you'll also be able to star the API
Security Project [2] ;)

[1]: https://github.com/OWASP/CheatSheetSeries/issues/new?assignees=&labels=ACK_WAITING%2C+HELP_WANTED%2C+NEW_CS&template=new_cheatsheet_proposal.md&title=New+cheat+sheet+proposal
[2]: https://github.com/OWASP/API-Security

Cheers,