APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023
Closing Keynote: API First Hacking
Corey Ball, Chief Hacking Officer APIsec University| Author of Hacking APIs
API First Hacking
#whoami
Corey Ball
@hAPI_hacker
• 13+ years in IT & Cyber
• Senior Manager Pentest Consulting, Moss Adams
• Author of Hacking APIs (No Starch Press, 2022)
• Founder and Chief Hacking Officer, APIsec University
- APIsecU (https://apisecu.com/)
• OWASP API Security Project Contributor
Free API Penetration Testing Course + Book Giveaway
Overview
Today I will explain why the following are true.
• APIs are a leading attack vector
• Organizations are confident in their insecure APIs
• Web app scanning tools are insufficient for API testing
• Specific testing is required to earn confidence in API Security
Classic Hacking Process
1. Call me lazy, but the classic kill chain is a lot of work
2. Gain access
3. Pivot through the network to find data
4. Exfiltrate data
The Hacking Process with APIs
1. Use Vulnerable API
2. Find Weakness
3. Exploit
4. The path of least resistance
Thanks Dan Barahona, APIsec University
APIs are a leading Attack Vector
• Examples!
Optus Quotes
• "Some experts say [Optus] may be the worst data breach in Australia's history"
• "Optus chief executive ... called it a 'sophisticated attack', saying the company has very strong cybersecurity."
• The Australian Cyber Security Minister ...
• Optus chief executive responded, "We have multiple layers of protection. So it is not the case of having some sort of completely exposed APIs [software interfaces] sitting out there".
Source: https://www.bbc.com/news/world-australia-63056838
Noname 2022 Survey Results
• 71% of respondents report confidence in their API protection
• 67% of respondents are confident that their DAST and SAST tools are capable of testing APIs
Meanwhile...
• 76% experienced an API security incident in the last 12 months
Credit: https://nonamesecurity.com/press/new-research-reveals-disconnect-between-api-protection-and-api-security-incidents
Common Web App Tools Techniques are Ineffective Against APIs
1. Definition of False-Negative
Test the Gaps!
Authorized API Testing
- Create resources as UserA and attempt to Create, Read, Update, Delete as UserB
- Create resources as GroupA and attempt to Create, Read, Update, Delete as GroupB
- Make sure that users are only able to alter object properties that belong to them
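The UserA/UserB object-level check above, as an added example that is not from the talk or its author: a constructed in-memory notes API is built twice, once without an ownership check (the gap the test is meant to find) and once with it, and a probe creates a note as UserA and reports whether UserB can read, update or delete it. The handler interface and the route names are assumptions for this example only.

```python
from typing import Callable, Dict, Tuple

# Constructed handler interface for this example: (method, path, user, body) -> (status, body).
Response = Tuple[int, dict]
Handler = Callable[[str, str, str, dict], Response]


def make_notes_api(enforce_owner: bool) -> Handler:
    """Tiny in-memory notes API; enforce_owner=False reproduces the missing object-level check."""
    notes: Dict[int, dict] = {}
    counter = {"next": 1}

    def handler(method: str, path: str, user: str, body: dict) -> Response:
        if method == "POST" and path == "/notes":
            note_id, counter["next"] = counter["next"], counter["next"] + 1
            notes[note_id] = {"id": note_id, "owner": user, "text": body.get("text", "")}
            return 201, notes[note_id]
        note = notes.get(int(path.rsplit("/", 1)[1])) if path.startswith("/notes/") else None
        if note is None:
            return 404, {}
        # Hardened build: ownership is verified on every object-level operation.
        if enforce_owner and note["owner"] != user:
            return 403, {"error": "forbidden"}
        if method == "GET":
            return 200, note
        if method == "PUT":
            note["text"] = body.get("text", note["text"])
            return 200, note
        if method == "DELETE":
            del notes[note["id"]]
            return 204, {}
        return 405, {}

    return handler


def cross_user_access(api: Handler) -> Dict[str, bool]:
    """Create a note as UserA, then try read/update/delete as UserB; True = UserB got a 2xx."""
    status, note = api("POST", "/notes", "UserA", {"text": "A's private note"})
    assert status == 201
    path = f"/notes/{note['id']}"
    probes = (("read", "GET", {}), ("update", "PUT", {"text": "tampered"}), ("delete", "DELETE", {}))
    return {op: api(method, path, "UserB", body)[0] < 400 for op, method, body in probes}


if __name__ == "__main__":
    print("vulnerable:", cross_user_access(make_notes_api(enforce_owner=False)))
    print("hardened:  ", cross_user_access(make_notes_api(enforce_owner=True)))
```

Any True in the result is a finding; a passing API returns False for every operation, and the same probe can be run with GroupA/GroupB identities for the group-level variant.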
Test API Authentication
- Weak Passwords
- Authentication Bypass or Missing Auth Altogether
- Authentication Attempt Lockout
- Rate Limiting
Test API Tokens
- Are the tokens predictable?
- Does the JWT Payload leak sensitive information?
- Can the JWT Algorithm be altered or the secret guessed?
Excessive Data Exposure
- Use the API as it was intended and analyze the response
- Does the API return too much information?
- Can that information be used in additional attacks?
Improper Assets Management
- What version is the API? ( /v1, /v2, /v3 )
- How is that version designated? (Path, Header, POST body)
- Can you request unsupported versions?
- Is the unsupported version vulnerable to additional attacks? Do all of the supported versions support a business purpose?
Fuzz Everything!
- Inputs = POST Body, query parameters, and headers
- Test inputs for Injection
- Test inputs for Mass Assignment
- Test for SSRF
Test File Upload Functionality
- Can malicious files be uploaded?
- Can arbitrary filetypes be manipulated?
- Can uploaded files be executed with web app functionality?
API-First Security Testing
• API requests make up over 80% of all web traffic
• APIs are the path of least resistance for adversaries
• The data that APIs interact with are often the most valuable to attackers
• "API Traffic increased 681% in 2022"
• "US companies faced $12-23 billion in losses as a result of compromises linked to web APIs"
Source: Bill Doerrfeld https://blog.treblle.com/why-api-security-is-a-top-concern/
Earn Confidence in Your API Security
1. Use baseline scanning tools for security misconfiguration
2. Cover the gaps with penetration testing, bug bounty hunting, and by using tools and techniques that are designed for APIs.
3. Remediate and Retest
hAPI Hacking!
APIsec University (Free Course)
• Completely free course that teaches hands-on API security testing
• Course is 12 CPEs
• Certification Exam Q1 2023