Salt Security has released new API threat research from Salt Labs detailing Elastic Injection attacks. The research highlights a widespread API vulnerability that results from the misimplementation of Elastic Stack, a group of open source products that use APIs for critical data aggregation, search, and analytics capabilities. Salt Labs found that nearly every organization using Elastic Stack is affected by this vulnerability, which makes users susceptible to injection attacks. Bad actors can use injection attacks to exfiltrate data and launch denial of service (DoS) events.
“The Elastic Stack API vulnerability can lead to the exposure of sensitive data that can be used to perpetuate serious fraud and abuse, creating substantial business risk,” said Roey Eliyahu, co-founder and CEO, Salt Security.
According to the Salt Security State of API Security Report, Q3 2021, API attacks have surged 348% in the last six months. The emergence of exploitable vulnerabilities alongside the proliferation of business-critical APIs expose the significant security gaps that arise from the integration of third-party applications and services.
Exploiting the Elastic Stack vulnerability enables any user to extract sensitive customer and system data or create a DoS condition that could render a system unavailable. Salt Labs first identified the exploitable flaws in a large online business-to-consumer (B2C) platform that provides API-based mobile applications and software as a service to millions of global users.
Exploits that take advantage of this design weakness can create a cascade of API threats that correspond to common API security problems described in the OWASP API Security Top 10, including: excessive data exposure, lack of resources and rate limits, security misconfiguration and susceptibility to injection attacks due to lack of input filtering.
Salt Labs researchers were able to show how the impact of the Elastic Stack design implementation flaws worsens significantly when an attacker chains together multiple exploits.