APIsecure 2023 - Breaking Vulnerable APIs, Tushar Kulkarni

apidays
Mar. 21, 2023
  1. BREAKING VULNERABLE APIS
     Tushar Kulkarni
  2. AGENDA
     • Introduction
     • Modern WebApp Architectures
     • API as an Attack Vector in 2023
     • Fortifying APIs
     • Breaking Vulnerable API (vAPI) Demo
     2023 Breaking Vulnerable APIs 2
  3. GET /INTRODUCTION HTTP/2.0
     • Creator of vAPI
     • Graduate Student, Indiana University Bloomington
     • Presented at BlackHat Arsenal, OWASP, HITB etc.
     • Making and Playing CTFs
     roottusk.com, Tushar Kulkarni
  4. "The total amount of venture capital raised with companies describing themselves as an API security solution was $578 Million according to the Crunchbase database." - API Secure 2023 Report
  5. MODERN WEB APPLICATION ARCHITECTURES
     Source: https://www.mongodb.com/mean-stack
  6. API AS AN ATTACK VECTOR IN WEB APPLICATIONS
     Source: https://outpost24.com/blog/what-is-api-security-and-how-to-protect-them
  7. SOME OF MY FAVORITE VULNERABILITIES ❤️ FROM OWASP API TOP 10 2019
     • Mass Assignment
     • Broken Function Level Authorization
     • Excessive Data Exposure
  8. FORTIFYING APIS
     • Use Random and Unpredictable GUIDs/UUIDs for storing Objects in Database
     • Never rely on Client side to Filter Sensitive Data
     • Enforcing a Limit on How often the Client can Call the API endpoint
     • Make sure all administrative endpoints validate the user's role and privileges before performing the action
     • Avoid functions binding Client-Side data into Code Variables and later into an Object in Database
     • Enforce a Strong CORS Policy with Custom Unguessable Authorization Headers
     • Treat every input like it's DANGEROUS
  9. GUESS WHAT?????
  10. Github.com/roottusk/vapi
      Bug Icon Source: https://www.flaticon.com/free-icon/bug_190835
  11. PROJECT UPDATES
      • New XSS Vulnerability?????
      • Minor Bug Fixes
      • Kubernetes Support (Thanks to @AndyG-0)
  12. TECH STACK
  13. INSTALLATION
      Docker
      - Make sure you have docker and docker-compose
      - Go to the root of the project and run: docker-compose up -d
      Manually
      - Prerequisites include PHP, MySQL
      - Configure the MySQL credentials and Server port in the .env file of the project
      - Run the php artisan serve command to start the Laravel Server
      Kubernetes
      - helm upgrade --install vapi ./vapi-chart --values=./vapi-chart/values.yaml
  14. TOOLS REQUIRED TO TEST
      • Postman
      • Burpsuite / OWASP ZAP
  15. DEMO
  16. REFERENCES AND CONTRIBUTORS
      • https://dsopas.github.io/MindAPI/
      • API Security Weekly: Issue #132, https://APISecurity.io
      • OWASP Vulnerable Web Applications Directory (VWAD)
      • arainho/awesome-api-security: A collection of awesome API Security tools and resources.
      • https://hakin9.org/vapi-vulnerable-adversely-programmed-interface/
      • https://portswigger.net/daily-swig/introducing-vapi-an-open-source-lab-environment-to-learn-about-api-security
      • https://securedelivery.io/articles/api-top-ten-walkthrough/
      • https://university.apisec.ai/api-tools-and-resources
      • https://www.opensourceforu.com/2022/01/open-source-vapi-to-learn-about-api-security-is-now-available/
      • https://tryhackme.com/jr/vulnapi
  17. THANK YOU, Q&A
      Tushar Kulkarni, @vk_tushar, roottusk.com
      Email: root.tusk@gmail.com
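The three vulnerabilities singled out on slide 7 and the server-side controls listed on slide 8 (random UUIDs, server-side filtering, role checks before admin actions, allowlisted binding instead of mass assignment) can be shown together in one small handler set. This is an added example in plain Python and is not code from the deck or from vAPI, which is a Laravel/PHP application; the store, field names and status codes are assumptions.

```python
import uuid

USERS = {}  # constructed in-memory store, keyed by random UUIDs rather than guessable integers
WRITABLE_FIELDS = {"username", "email"}      # the only keys a client may set on its own record
PUBLIC_FIELDS = {"id", "username", "email"}  # the only keys the API ever returns


def create_user(body):
    """Mass assignment defence: bind allowlisted keys only; id and role are set server-side."""
    user = {k: body[k] for k in WRITABLE_FIELDS if k in body}
    user["id"] = str(uuid.uuid4())     # random, unpredictable object id
    user["role"] = "user"              # a client-supplied role or is_admin key is dropped
    user["password_hash"] = "<hash>"   # placeholder; real code stores a password hash here
    USERS[user["id"]] = user
    return user


def public_view(user):
    """Excessive data exposure defence: filter on the server instead of trusting the client."""
    return {k: user[k] for k in PUBLIC_FIELDS}


def get_user(requester_id, target_id):
    """Only the owner or an admin may read a record, and only its public fields."""
    requester = USERS[requester_id]
    if requester_id != target_id and requester["role"] != "admin":
        return 403, None
    target = USERS.get(target_id)
    if target is None:
        return 404, None
    return 200, public_view(target)


def delete_user(requester_id, target_id):
    """Function level authorization: validate the role before performing the admin action."""
    if USERS[requester_id]["role"] != "admin":
        return 403
    if USERS.pop(target_id, None) is None:
        return 404
    return 204
```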