Using & Abusing APIs: An Examination of the API Attack Surface

Web APIs offer organizations new channels to reach customers and extend their businesses, but they also offer new opportunities for abuse. In this presentation we identify the identities, attack surfaces and threats (both new and old) that security professionals need to be aware of in the new world of Web APIs.

Speaker Notes

  • By our definition, a Web API includes SOAP, REST, HTTP, CSV… just about any type of interface deployed over the web.
  • Hypermedia is like building a browser-based web for computer programs. You can follow links. You can provide input based on templates. Rather than mapping to a resource + operations, you can follow tasks.
  • Make a slide with an example
  • In many ways the web API space has become synonymous with a culture of modernity and hipness.
  • Often times when speaking about APIs to architects who’ve “been around the block” you get a response that there is nothing new in this web API stuff. Maybe you felt that way? I know that in the early days, when I first heard the term, I dismissed it as an attempt at rebranding existing technologies.
  • The developer is the new king. The rise of the developer: the importance of the developer has grown. Good devs have the power to build the applications that will drive popularity of a service. Influential devs have the power to drive adoption of your service. Attracting talented developers has become a design goal.
  • Different identities
  • A major form of attack is the injection attack.
  • Just like websites, APIs expose parameters and fields that can be manipulated. As long as there is an SQL based database somewhere in the integration chain you need to mitigate this risk.
  • Similar to the SQL injection attack, this attack allows an attacker to execute malicious code on the target system. In this example an exposed redirect parameter has been used to force the server’s PHP interpreter to retrieve and execute the attacker’s code.
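The hardening the note above implies, as an added example that is not code from the presentation or from Layer 7 / API Academy: the request parameter only selects a page from an allowlist and is never used to build a file path or a URL that the server fetches and executes, and a companion check keeps a redirect parameter on the site's own host. The template directory, the page names and the host name host.com are constructed for the example.

```python
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Constructed: a throw-away template directory standing in for the server's page directory.
BASE = Path(tempfile.mkdtemp()).resolve()
(BASE / "home.html").write_text("<h1>home</h1>")
(BASE / "help.html").write_text("<h1>help</h1>")

# The parameter may only *select* a page; it never names a file or a URL to retrieve.
ALLOWED_PAGES = {"home", "help"}
OWN_HOST = "host.com"   # hypothetical API host, as used on the slides


def load_page(param):
    """Allowlist lookup first, then a containment check on the resolved path as defence in depth.
    A value such as '../etc/passwd' or 'http://attacker.example/shell.txt' never reaches the
    filesystem or the network: it simply is not one of the allowed names."""
    if param not in ALLOWED_PAGES:
        return None
    target = (BASE / f"{param}.html").resolve()
    if BASE not in target.parents:
        return None
    return target.read_text()


def safe_redirect(param):
    """Accept only same-site targets: a site-relative path or an absolute URL on our own host."""
    if param.startswith("//") or "\\" in param:
        return None          # protocol-relative and backslash forms that browsers read as '//host'
    parts = urlsplit(param)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return None          # javascript:, data:, ftp:, ...
    if parts.netloc:
        if parts.netloc.lower() != OWN_HOST:
            return None      # also rejects 'host.com@other.example' style netlocs
        return param
    return param if param.startswith("/") else None


if __name__ == "__main__":
    for value in ("home", "../etc/passwd", "http://attacker.example/shell.txt"):
        print(f"load_page({value!r}) ->", load_page(value))
    for value in ("/account", "https://host.com/done", "//evil.example/x", "javascript:alert(1)"):
        print(f"safe_redirect({value!r}) ->", safe_redirect(value))
```

The allowlist is the control that matters; the path-containment check and the URL parsing are there so that a later change to how the parameter is used cannot silently reopen the hole.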
  • Different identities

Presentation Transcript

  • Using and Abusing APIs: An Examination of the API Attack Surface. Ronnie Mitra, Principal API Architect - Europe, Layer 7 API Academy
  • API Management: virtual, cloud, on-premise
  • API Academy: Mike Amundsen, Ronnie Mitra
  • Web APIs
  • Web APIs: HTTP
  • Architectural Styles
  • Tunnel Style, URI Style, Hypermedia Style, Event Driven Style
  • Tunnel Style. Example: SOAP. Transport agnostic; operation based; binding documents (WSDL)
  • Tunnel Style: <RetrieveStudentRecords><StudentId>1213</StudentId></RetrieveStudentRecords>
  • URI Style: GET, PUT, POST, DELETE + URI
  • URI Style: GET /students/1232
  • Hypermedia Style
  • Hypermedia Style: links; templated input (forms); task based
  • {links: [{href: '…', rel: 'list'}, {href: '…', rel: 'add'}], collection: [{link: {rel: 'complete', href: '…'}, id: 42, text: 'Record 42'}]}
  • Event Driven Style. Example: WebSockets. Event based communication; server initiated events; full-duplex (websocket)
  • Private or Closed APIs
  • (diagram) Acme Corp. App → Acme Corp. API
  • Public or Open APIs
  • (diagram) Third Party App → Acme Corp. API
  • Priority: Lower Cost / Priority: Increased Adoption
  • (matrix) Tunnel / URI / Hypermedia / Event-Driven × Private / Public
  • Web APIs: New and Exciting! http://www.flickr.com/photos/every1knows/4191971139
  • “Web APIs? I’ve been doing that for years.” Image courtesy of http://www.flickr.com/photos/en321/3902138429/
  • Web APIs offer us a new perspective. http://www.flickr.com/photos/mugley/4407790613
  • The Modern Philosophy of the Web API: self service; lower barriers and lower costs; developer-centric
  • All hail the developer king
  • Controlled versus Organic
  • Primary Challenge: How do we control usage without impacting usability?
  • Attack Surfaces
  • (diagram) Portal, API, Developer, End User, Administrator
  • (diagram) API, End User
  • Injection Attacks: Utilizing input parameters to inject data that compromises the security of the targeted system. Examples: SQL Injection, Command Injection, Code Injection, Argument Injection
  • API Attack Example: SQL Injection Attacks: APIs
    GET http://host.com/aresource?token=%27or%20%271%3D1
    GET http://host.com/aresource?token=' or '1=1
    select * from tokens where token = '' or '1=1';
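An added example, not code from the slides or from Layer 7 / API Academy, that replays the slide's request against a constructed in-memory SQLite table: the concatenated query from the slide returns every token, the bound-parameter form returns none. The slide's smart quotes are written as straight quotes (%27 when encoded); the token table, its rows and the SLIDE_URL constant are constructed for the example.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

# Constructed: the request from the slide, with the smart quotes written as '%27'.
SLIDE_URL = "http://host.com/aresource?token=%27or%20%271%3D1"


def token_from_url(url):
    """Decode the token query parameter exactly as a web framework hands it to the handler."""
    return parse_qs(urlparse(url).query)["token"][0]


def make_db():
    """Constructed in-memory token table standing in for the API's backing database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tokens (token text, owner text)")
    conn.executemany("insert into tokens values (?, ?)",
                     [("tok-alice", "alice"), ("tok-bob", "bob")])
    return conn


def rows_for_token_concat(conn, token):
    """Vulnerable form: the slide's query built by string concatenation.
    A token of  'or '1=1  turns the WHERE clause into  token = '' or '1=1'  (always true)."""
    sql = "select * from tokens where token = '" + token + "'"
    return conn.execute(sql).fetchall()


def rows_for_token_param(conn, token):
    """Hardened form: the token is bound as a parameter, so quote characters stay data."""
    return conn.execute("select * from tokens where token = ?", (token,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tok = token_from_url(SLIDE_URL)
    print("decoded token:", repr(tok))
    print("concatenated query returns", len(rows_for_token_concat(db, tok)), "rows")
    print("parameterised query returns", len(rows_for_token_param(db, tok)), "rows")
```

Note that the percent-decoding happens in the framework before the handler sees the value, which is why an API parameter is no safer than a web form field: what reaches the database is the decoded quote, not the encoded bytes.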
  • APIs May Be A Direct Conduit: HTTP Server → App Server → Database / App Objects. Often: self-documenting; closely mapped to object space
  • Denial Of Service Attacks: An attack which has the objective of making a service unavailable to all users. Examples: XML/JSON parser attacks; jumbo messages; server overload
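An added example (not from the slides or from Layer 7 / API Academy) of the cheap checks an API front end can run before handing a body to its JSON parser, covering the two slide examples of jumbo messages and parser attacks: a size cap and a nesting-depth cap computed in one linear pass. The limits and the sample bodies are constructed for the example; in a real deployment the Content-Length header is checked before the body is even read.

```python
import json

MAX_BODY_BYTES = 64 * 1024   # assumed limit for this API's payloads
MAX_DEPTH = 20               # assumed nesting limit; real documents rarely need more than a handful


class RejectedRequest(Exception):
    """Raised before the parser runs, so the client pays for the rejection, not the server."""


def nesting_depth(text):
    """Deepest [ or { nesting in one linear pass, ignoring brackets inside string literals."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest


def parse_json_guarded(body):
    """Cheap checks first (size, encoding, depth), then the real parser."""
    if len(body) > MAX_BODY_BYTES:
        raise RejectedRequest("body too large")
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        raise RejectedRequest("body is not valid UTF-8")
    if nesting_depth(text) > MAX_DEPTH:
        raise RejectedRequest("nesting too deep")
    return json.loads(text)


def try_parse(body):
    """Returns ('ok', document) or ('rejected', reason); handy for logging the rejections."""
    try:
        return "ok", parse_json_guarded(body)
    except RejectedRequest as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # Constructed sample bodies: a normal request, a deeply nested one, an oversized one.
    print(try_parse(b'{"a": [1, 2]}'))
    print(try_parse(b"[" * 500 + b"]" * 500))
    print(try_parse(b'"' + b"x" * (70 * 1024) + b'"'))
```

The same idea applies to XML, where the parser must additionally be configured not to expand external entities or unbounded entity chains; that configuration is parser-specific and is not shown here.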
  • Overflow Attack: Intentionally sending too much data in order to exploit a target system by exceeding expected boundaries. Examples: Buffer Overflow, Cash Overflow
  • Cross Site Scripting (XSS) Attack: Embedding code within a server that will be transmitted to users.
  • XSS API Example (diagram): Attacker → Web App Server (browser + APIs) → Victim: Web Browser Client. 1. API injects script in (<SCRIPT …>). 2. Server fails to perform FIEO: Filter Input, Escape Output. 3. Browser loads content with embedded script.
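The FIEO step the diagram says the server skipped, as an added example that is not code from the presentation or from Layer 7 / API Academy. It shows the filter on the way in, the two escapes on the way out (one for an HTML body, one for JSON that a page inlines in a script block), and the headers an API should send so a browser never renders its JSON as HTML. The stored comment and the field rules are constructed for the example.

```python
import html
import json
import re

# Constructed: a comment an attacker stored through the API (the diagram's step 1).
STORED_TEXT = "hello <SCRIPT>alert(document.cookie)</SCRIPT>"

# Filter Input: characters a plain-text comment field has no business containing.
DISALLOWED = re.compile(r"[^\w\s.,!?'-]")


def filter_input(text, max_len=280):
    """Strip markup characters from a free-text field and cap its length.
    Filtering alone is not enough (it mangles legitimate text and knows nothing about the
    output context), so it is always paired with escaping on the way out."""
    return DISALLOWED.sub("", text)[:max_len]


def escape_for_html(text):
    """Escape Output for an HTML body: the browser shows the tags instead of running them."""
    return html.escape(text, quote=True)


def escape_for_script_embed(obj):
    """Escape Output for JSON that a page inlines inside a <script> block: a stored
    '</script>' must not be able to close the block early."""
    return (json.dumps(obj)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def script_embed_roundtrips(obj):
    """The escaped form must still decode to the same document."""
    return json.loads(escape_for_script_embed(obj)) == obj


def api_json_response(obj):
    """Headers the API itself sends so a browser never sniffs its output as HTML."""
    headers = {"Content-Type": "application/json; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}
    return headers, json.dumps(obj)


if __name__ == "__main__":
    print("filtered:", filter_input(STORED_TEXT))
    print("html body:", escape_for_html(STORED_TEXT))
    print("script embed:", escape_for_script_embed({"text": "</script><script>x()</script>"}))
    print("headers:", api_json_response({"text": STORED_TEXT})[0])
```

The point of the two separate escape functions is that "escape output" is context-dependent: HTML-escaping is wrong inside a script block and JSON-escaping is wrong inside an HTML body, so the escape is chosen where the value is rendered, not where it is stored.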
  • Man in the Middle Attack: Interception of communication between two systems.
  • TLS, OAuth 2, OpenID Connect
  • App Spoofing: Impersonating a registered application in order to access an API resource. Examples: guessing application ID by brute force; retrieving application ID by sniffing traffic; cracking application to retrieve application ID
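An added detection example for the first app-spoofing case on the slide (guessing application IDs by brute force); it is not code from the presentation or from Layer 7 / API Academy. It runs over a constructed gateway log and flags a source that fails application authentication with many different application IDs, which separates guessing from a legitimate client that keeps retrying one mistyped credential. The log format, addresses and threshold are constructed for the example; the sniffing case on the slide is addressed by TLS rather than by detection.

```python
import re
from collections import defaultdict

# Constructed sample API gateway log: one line per request, status 401 = application credential rejected.
SAMPLE_LOG = """\
2013-05-01T10:00:01Z src=203.0.113.5 app_id=app-0001 status=401
2013-05-01T10:00:01Z src=203.0.113.5 app_id=app-0002 status=401
2013-05-01T10:00:02Z src=203.0.113.5 app_id=app-0003 status=401
2013-05-01T10:00:02Z src=203.0.113.5 app_id=app-0004 status=401
2013-05-01T10:00:03Z src=203.0.113.5 app_id=app-0005 status=401
2013-05-01T10:00:03Z src=203.0.113.5 app_id=app-0006 status=401
2013-05-01T10:00:04Z src=198.51.100.7 app_id=app-7f3a status=200
2013-05-01T10:00:05Z src=198.51.100.7 app_id=app-7f3b status=401
2013-05-01T10:00:06Z src=198.51.100.7 app_id=app-7f3a status=200
"""

LINE = re.compile(r"src=(?P<src>\S+) app_id=(?P<app>\S+) status=(?P<status>\d+)")


def parse_lines(text):
    """Yield (source, app_id, status) for every log line that matches the constructed format."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            yield m["src"], m["app"], int(m["status"])


def flag_app_id_guessing(text, threshold=5):
    """Flag sources with at least `threshold` failed application logins spread over at least
    `threshold` distinct application IDs. Returns {source: {"failures": n, "distinct_ids": k}}."""
    failures = defaultdict(int)
    ids = defaultdict(set)
    for src, app, status in parse_lines(text):
        if status == 401:
            failures[src] += 1
            ids[src].add(app)
    return {src: {"failures": failures[src], "distinct_ids": len(ids[src])}
            for src in failures
            if failures[src] >= threshold and len(ids[src]) >= threshold}


if __name__ == "__main__":
    for src, stats in flag_app_id_guessing(SAMPLE_LOG).items():
        print(f"{src}: {stats['failures']} failures across {stats['distinct_ids']} application IDs")
```

In a live gateway the same counts would be kept per time window and fed into rate limiting, so that an ID space small enough to enumerate cannot be walked at line speed.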
  • New platforms, new languages: Ruby on Rails; Node.js; Scala; Nginx; Squid/Varnish/Traffic Manager
  • Portal
  • Who is using the API? How are they using it?
  • What would happen if the portal was exploited?
  • (diagram) Portal, API, Developer, End User, API
  • (diagram) Portal, API, Administrator
  • Where are the components deployed? Who owns the identity store?
  • (diagram) Portal, API
  • The Hypermedia Surface
  • (diagram) API → API → API
  • Summary: Challenge: Balancing Usability and Security. Old Threats Still Exist. New Styles and Access Models create new surfaces.
  • www.apiacademy.co