Technical data

Salt Security Discovers Widespread Elastic Stack API Security Vulnerability Exposing Client and System Data


PALO ALTO, California September 29, 2021 Salt Security, the leading API security company, today released new API threat research from Salt Labs detailing elastic injection attacks. The research highlights a widespread API vulnerability that results from the poor implementation of Elastic Stack, a group of open source products that use APIs for critical data aggregation, search, and analytics capabilities. Salt Labs has discovered that almost all organizations using Elastic Stack are affected by this vulnerability, which leaves users vulnerable to injection attacks. Bad actors can use injection attacks to exfiltrate data and initiate denial of service (DoS) events.

“Our latest API security research highlights just how widespread and potentially dangerous API vulnerabilities are. Elastic Stack is widely used and secure, but Salt Labs has observed the same architectural design errors in almost any environment that uses it, ”said Roey Eliyahu, Co-Founder and CEO of Salt Security. “The vulnerability of the Elastic Stack API can lead to the exposure of sensitive data that can be used to perpetuate serious fraud and abuse, creating substantial business risk. “

According to the Salt Security State of API Security Report, Q3 2021, API attacks have increased by 348% in the past six months. The emergence of exploitable vulnerabilities as well as the proliferation of business-critical APIs expose the significant security gaps that arise from the integration of third-party applications and services. Exploitation of the Elastic Suite vulnerability allows any user to extract sensitive client and system data or create a DoS condition that could render a system unavailable. Salt Labs first identified exploitable flaws in a large business-to-consumer (B2C) online platform that delivers mobile apps and API-based software as a service to millions of users in the world. world. Exploits that take advantage of this design weakness can create a cascade of API threats that correspond to common API security issues described in OWASP API Security Top 10, including:

  • excessive data exposure
  • lack of resources and speed limits
  • poor security configuration
  • susceptibility to injection attacks due to lack of input filtering

Salt Labs researchers were able to show how the impact of implementation flaws in the Elastic Suite design worsens dramatically when an attacker strings together multiple exploits. To exfiltrate sensitive user and system data, attackers can abuse the lack of authorization between front-end and back-end services to gain a working user account with basic authorization levels, and then make educated guesses about the schema of the stores. back-end data and query for data they are not authorized to access. Salt Labs was also able to show how lack of limited resources can make an organization’s integrated back-end services vulnerable to a DoS attack that could render a service completely unavailable or distract from malicious activity against other applications.

“While not a vulnerability with Elastic Stack itself, the design implementation flaws observed by Salt Labs introduce just as much risk. The specific queries made to the Elastic back-end services used to exploit this vulnerability are difficult to test, ”said Michael Isbitski, Technical Evangelist, Salt Security. “This case shows why architecture is important to any API security solution you put in place: you need to be able to grasp substantial context about API usage over time. It also shows how critical it is to properly design application environments. Every organization should assess API integrations between its systems and applications, as they have a direct impact on the security posture of the business.

In its research efforts, Salt Labs was able to access a lot of sensitive data, including account numbers and transaction confirmation numbers. Some of the sensitive data was also private and subject to regulation as defined by the GDPR. Attackers could use this data to exercise other functionality available through APIs, including the ability to book new services or cancel existing services. This information could also be used to perpetuate other types of fraud, including extortion, identity theft, account takeover fraud (ATO) and nefarious acts that can lead to loss of income. in addition to significant regulatory penalties and fines.

For more information, the report from Salt Labs, API Threat Research: Elastic Injection, provides full details on the elastic injection attack model, attack propagation steps, and suggested mitigation techniques.

To learn more about Salt Security or to request a demo, please visit

About Salt Labs

Salt Labs continues Salt Security’s broader mission to enable innovation through APIs. A public forum for publishing API vulnerability research, Salt Labs is dedicated to educating the market about the latest API security threats and incidents. The Salt Labs security research team is focused on uncovering API vulnerabilities in the wild, documenting threat actor tactics, and helping organizations avoid or correct the risk. For more information, please visit:

About Salt Security

Salt Security protects the APIs that are the heart of every modern application. Its API Protection Platform is the industry’s first patented solution to prevent the next generation of API attacks, using machine learning and AI to automatically and continuously identify and protect APIs. Deployed in minutes, the Salt Security platform learns the granular behavior of an organization’s APIs and requires no configuration or customization to identify and block API attackers. Salt Security was founded in 2016 by Israel Defense Forces (IDF) alumni and executives of serial cybersecurity entrepreneurs and is based in Silicon Valley and Israel. For more information, please visit:


Leave a Reply

Your email address will not be published.