APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023
Workshop: Detect OWASP vulnerabilities in your APIs with Postman
Rahul Dhawan, Senior Security Engineer at Postman
3. Agenda
1. API Security Top 10 Vulnerabilities
2. Detection
3. Practical Demo
4. Mitigation
5. Real World Implications
4. Authentication and Authorization
“Authentication is the process of verifying the identity of a user, typically through the use of login credentials such as usernames and passwords.”
“Authorization, on the other hand, is the process of determining what actions a user is allowed to perform based on their identity and privileges.”
6. A1: Broken Object Level Authorization (BOLA or IDOR)
● The lack of proper authorization checks allows attackers to access the specified resource.
● A BOLA vulnerability can lead to attacks such as unauthorized access to sensitive resources, a form of privilege escalation.
9. Detection
● Identify all objects and resources.
● Focus on user_id and Object_id in the API.
● Use automation to examine user access to an API with diverse combinations of user credentials.
● Manually test for authorisation bypass.
10. Prevention
● Implement a proper authorization mechanism that relies on the user policies and hierarchy.
● Implement Role-Based Access Control (RBAC).
● Apply the Principle of Least Privilege.
● Prefer random and unpredictable values, such as UUIDs, for object IDs.
● Add access control checks to your unit test coverage.
11. A2: Broken User Authentication
● Poor implementation of authentication methods
● Sensitive details like auth tokens, API keys or passwords in the request parameters
● Misconfigured JWT: {"alg":"none"}
13. Detection
● Look for missing or ineffective authentication controls
● Check for user or password enumeration
● Test for broken session management
● Check for weak password policies
14. Prevention
● Protect all authentication endpoints with a strict rate-limit policy, and implement an account lockout mechanism.
● Implement MFA wherever possible.
● Implement a CAPTCHA mechanism on your authentication endpoints.
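The lockout mechanism from the first prevention bullet, as an added example that is not code from the workshop or from Postman: a guard that counts failed logins per account inside a sliding window and locks the account for a fixed period once the window fills. The thresholds, the scripted clock, the single demo account and its password are all constructed for this example; a real deployment would keep the counters in shared storage rather than in process memory.

```javascript
// Added example, not code from the workshop or from Postman: per-account lockout
// with a sliding failure window in front of a login handler. Thresholds, the
// scripted clock and the demo account are constructed for this example.
class LoginGuard {
  constructor({ maxFailures = 5, windowMs = 60000, lockoutMs = 15 * 60000, now = Date.now } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.lockoutMs = lockoutMs;
    this.now = now;                 // injectable clock so tests are deterministic
    this.failures = new Map();      // account -> timestamps of recent failures
    this.lockedUntil = new Map();   // account -> time the lockout ends
  }

  // Ask before checking the password. Returns {allowed:true} or {allowed:false, retryAfterMs}.
  check(account) {
    const t = this.now();
    const until = this.lockedUntil.get(account);
    if (until !== undefined) {
      if (t < until) return { allowed: false, retryAfterMs: until - t };
      this.lockedUntil.delete(account);   // lockout expired: start clean
      this.failures.delete(account);
    }
    return { allowed: true };
  }

  // Record a failed password check; lock the account when the window fills up.
  recordFailure(account) {
    const t = this.now();
    const recent = (this.failures.get(account) || []).filter((ts) => t - ts < this.windowMs);
    recent.push(t);
    this.failures.set(account, recent);
    if (recent.length >= this.maxFailures) this.lockedUntil.set(account, t + this.lockoutMs);
  }

  recordSuccess(account) {
    this.failures.delete(account);
  }
}

// Constructed demo: one account, a scripted clock, and a login endpoint that
// answers 429 while locked so a well-behaved client can back off. Unknown
// accounts and wrong passwords both get the same 401, which avoids
// user enumeration through the error response.
const DEMO_USERS = { alice: "constructed-demo-password" };
function makeDemoLogin() {
  let clock = 0;
  const guard = new LoginGuard({ maxFailures: 3, windowMs: 60000, lockoutMs: 300000, now: () => clock });
  return {
    advance(ms) { clock += ms; },
    login(account, password) {
      const gate = guard.check(account);
      if (!gate.allowed) return { status: 429, retryAfterMs: gate.retryAfterMs };
      if (DEMO_USERS[account] === password) {
        guard.recordSuccess(account);
        return { status: 200 };
      }
      guard.recordFailure(account);
      return { status: 401 };
    },
  };
}
```

Note that the guard is consulted before the password is checked, so a locked account returns 429 even for the correct password; that is the point of a lockout, and it is why the lockout period should be short enough that a legitimate user is not denied service for long, with MFA or CAPTCHA layered on top as the slide suggests.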
15. A5: Broken Function Level Authorisation
● Allows unprivileged users to access other, privileged users' resources and functions
● Different access control policies for different user personas
● Incorrect implementation of Role-Based Access Control (RBAC)
● APIs relying on the client to do the permission checks for different user roles
17. Detection
● Use manual testing to find misconfigurations in the RBAC implementation.
● Write an automated script to cover every possible permutation of role-based access to a function.
● Test for common attack techniques.
18. Prevention
● Use the Principle of Least Privilege while designing the access control policy.
● Use a centralized authorization mechanism.
● Validate and sanitize user input.
● Perform regular tests on different groups of APIs.
● Cover every access control check in your unit tests.
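The detection and prevention slides for A1 (object-level) and A5 (function-level) authorization describe the same two artefacts: a centralized authorization check that every handler goes through, and an automated script that tries every permutation of caller and function and flags any success the policy does not grant. The following is an added example written for this summary, not code from the workshop or from Postman. It models a tiny in-memory API; the roles, users, orders, policy and request list are all constructed, and the "vulnerable" router exists only to show what the permutation test reports when ownership is not checked.

```javascript
// Added example, not code from the workshop or from Postman: an in-memory API
// with one centralized authorize() that enforces both function-level permissions
// (A5) and object ownership (A1), a deliberately vulnerable router for contrast,
// and a harness that tries every (caller, request) permutation.
// All roles, users, orders and the policy are constructed for this demo.

// Function-level policy: which roles may call which operation.
const POLICY = {
  "GET /orders/:id": ["user", "admin"],
  "DELETE /orders/:id": ["admin"],
  "GET /admin/users": ["admin"],
};

// Constructed data: two orders owned by two different users.
const ORDERS = { "101": { owner: "alice" }, "102": { owner: "bob" } };

// Centralized check. Returns {ok:true} or {ok:false, code}.
function authorize(principal, operation, object) {
  const allowedRoles = POLICY[operation];
  if (!allowedRoles) return { ok: false, code: 404 };                          // unknown operation
  if (!principal) return { ok: false, code: 401 };                             // not authenticated
  if (!allowedRoles.includes(principal.role)) return { ok: false, code: 403 }; // BFLA guard
  // BOLA guard: a non-admin may only touch objects they own.
  if (object && object.owner !== principal.id && principal.role !== "admin") {
    return { ok: false, code: 403 };
  }
  return { ok: true };
}

// Hardened router: every handler passes the object it touches to authorize().
function handle(principal, method, path) {
  const m = path.match(/^\/orders\/(\d+)$/);
  if (m) {
    const order = ORDERS[m[1]];
    if (!order) return 404;
    const r = authorize(principal, `${method} /orders/:id`, order);
    return r.ok ? 200 : r.code;
  }
  if (path === "/admin/users") {
    const r = authorize(principal, `${method} /admin/users`);
    return r.ok ? 200 : r.code;
  }
  return 404;
}

// Vulnerable variant for contrast: GET /orders/:id only checks that the caller
// is logged in and never compares the order's owner with the caller.
function handleVulnerable(principal, method, path) {
  const m = path.match(/^\/orders\/(\d+)$/);
  if (m && method === "GET") {
    if (!principal) return 401;
    return ORDERS[m[1]] ? 200 : 404;
  }
  return handle(principal, method, path);
}

// Detection harness: the callers and requests a tester would script, with the
// expected outcome for each. Any 200 not listed in allowedFor is a finding.
const CALLERS = [
  { label: "anonymous", principal: null },
  { label: "alice", principal: { id: "alice", role: "user" } },
  { label: "bob", principal: { id: "bob", role: "user" } },
  { label: "admin", principal: { id: "root", role: "admin" } },
];
const REQUESTS = [
  { method: "GET", path: "/orders/101", allowedFor: ["alice", "admin"] },
  { method: "GET", path: "/orders/102", allowedFor: ["bob", "admin"] },
  { method: "DELETE", path: "/orders/101", allowedFor: ["admin"] },
  { method: "GET", path: "/admin/users", allowedFor: ["admin"] },
];

function permutationTest(router) {
  const findings = [];
  for (const { label, principal } of CALLERS) {
    for (const req of REQUESTS) {
      const status = router(principal, req.method, req.path);
      if (status === 200 && !req.allowedFor.includes(label)) {
        findings.push(`${label} ${req.method} ${req.path} -> ${status}`);
      }
    }
  }
  return findings;
}

console.log("hardened:", permutationTest(handle));            // []
console.log("vulnerable:", permutationTest(handleVulnerable)); // alice reads 102, bob reads 101
```

Against a real API the same harness becomes a Postman collection run with one environment per user credential set, where the allowedFor table is the expected-result matrix and each test asserts that the status code matches it; the value of writing the expectation down per (caller, request) pair is that both leaks (unexpected 200) and broken functionality (unexpected 403) become visible in one run.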
19. A7: Security misconfigurations
● Poor configuration of the API servers allows attackers to exploit them.
● Issues involved are:
○ Missing CORS policy
○ Misconfigured CSP policy
○ Leaving debug mode enabled
○ Misconfigured TLS
○ Using default or weak passwords
21. Detection using Postman
● CORS Misconfiguration Template
● Security Header Template
● Directory Traversal Template
● CSP Evaluator Template
● TLS Version Monitor
● Open Redirect Checks
22. Prevention
● Correctly configure CORS, CSP and security headers.
● Apply the Principle of Least Privilege; avoid using wildcards.
● Use the latest version of TLS.
● Add security tests to your unit tests to catch misconfigurations in the pre-production environment.
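The CORS, CSP and security-header checks that the Postman templates on the detection slide perform can be written as one pure function over a response's header map. The following is an added example, not code from the workshop's templates or from Postman; the audit rules are the ones a practitioner would start with (wildcard or reflected CORS origins, missing CSP or HSTS, 'unsafe-inline', missing nosniff, banner headers), the probe origin is an assumed value the tester would send in the request's Origin header, and the weak and hardened sample responses are constructed.

```javascript
// Added example, not code from the workshop or from Postman: audit response
// headers for the misconfigurations named on the A7 slide. Pure function over a
// header map, so it runs stand-alone or from a Postman test script fed with the
// response headers; the two sample responses are constructed.

function auditHeaders(headers, { probeOrigin = "https://not-on-the-allowlist.example" } = {}) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const findings = [];

  // CORS: wildcard or reflected origins defeat the allowlist, worse with credentials.
  const acao = h["access-control-allow-origin"];
  const withCredentials = h["access-control-allow-credentials"] === "true";
  if (acao === "*" && withCredentials) findings.push("CORS: wildcard origin combined with credentials");
  else if (acao === "*") findings.push("CORS: wildcard origin");
  else if (acao !== undefined && acao === probeOrigin) findings.push("CORS: request Origin is reflected");

  // CSP: must be present, without 'unsafe-inline' or a wildcard default-src.
  const csp = h["content-security-policy"];
  if (csp === undefined) findings.push("CSP: header missing");
  else {
    if (/'unsafe-inline'/.test(csp)) findings.push("CSP: allows 'unsafe-inline'");
    if (/(?:^|;)\s*default-src[^;]*\*/.test(csp)) findings.push("CSP: wildcard in default-src");
  }

  // Transport and content-type hardening.
  if (h["strict-transport-security"] === undefined) findings.push("HSTS: header missing");
  if (h["x-content-type-options"] !== "nosniff") findings.push("X-Content-Type-Options: nosniff missing");

  // Banner headers reveal the stack; they belong off in production.
  for (const name of ["server", "x-powered-by"]) {
    if (h[name] !== undefined) findings.push(`Info leak: ${name} header present (${h[name]})`);
  }
  return findings;
}

// Constructed sample responses.
const WEAK_RESPONSE = {
  "Content-Type": "application/json",
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Credentials": "true",
  "X-Powered-By": "Express",
};
const HARDENED_RESPONSE = {
  "Content-Type": "application/json",
  "Access-Control-Allow-Origin": "https://app.example",
  "Vary": "Origin",
  "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
};

console.log(auditHeaders(WEAK_RESPONSE));     // five findings
console.log(auditHeaders(HARDENED_RESPONSE)); // []
```

The reflected-origin rule only works if the request carried an Origin value that is not on the server's allowlist, which is why the probe origin is a parameter: in a Postman collection the same value is set on the request and passed to the audit, and a response that echoes it back is treated as an allowlist bypass even though no wildcard appears anywhere.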
23. A8: Injection
● Occurs when untrusted data is used directly to query the database.
● The issue is easy to detect, but crafting a payload that queries the database can be tricky.
25. Detection using Postman
● SQL Injection Template
● Employ scanners or fuzzers to evaluate the validation of user input
26. Prevention
● Sanitise every untrusted input.
● Special characters should be escaped.
● Prefer a safe API that provides a parameterized interface.
● Validate the response.
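The prevention slide's central advice, prefer a parameterized interface over building query text from input, is easiest to see by putting the two side by side. The following is an added example, not code from the workshop or from Postman. There is no real database: the two builders return what would be handed to a driver (the string-built query, and a {text, values} pair in the shape node-postgres accepts), which is enough to check whether user input can alter the query's structure. The allowlist validator and the skeleton comparison are added here as the kind of input-validation check a fuzzer run would automate; the sample inputs are constructed.

```javascript
// Added example, not code from the workshop or from Postman: string-built SQL
// beside a parameterized query, an allowlist validator, and a fuzzer-style check
// that asks whether an input changes the shape of the query text. No database is
// involved; the builders only return what would be sent to a driver.

// Vulnerable: untrusted input becomes part of the SQL text.
function findUserUnsafe(username) {
  return `SELECT id, email FROM users WHERE username = '${username}'`;
}

// Safe: the SQL text is constant; the input travels separately as a bound value
// (the {text, values} shape accepted by node-postgres client.query()).
function findUserSafe(username) {
  return { text: "SELECT id, email FROM users WHERE username = $1", values: [username] };
}

// Validation in front of the query: an allowlist is simpler and stricter than
// trying to escape every special character after the fact.
function isValidUsername(s) {
  return typeof s === "string" && /^[a-z0-9_]{3,32}$/i.test(s);
}

// Reduce a query to its structure by replacing every quoted literal with '?',
// so two queries that differ only in literal values get the same skeleton.
function querySkeleton(sql) {
  return sql.replace(/'(?:[^']|'')*'/g, "'?'");
}

// Fuzzer-style probe: does this input change the query's skeleton compared
// with a benign input? For a parameterized builder the answer is always no.
function inputChangesQuery(builder, benign, probe) {
  const a = builder(benign);
  const b = builder(probe);
  const textA = typeof a === "string" ? a : a.text;
  const textB = typeof b === "string" ? b : b.text;
  return querySkeleton(textA) !== querySkeleton(textB);
}

// Constructed inputs: a plain name and a legitimate name that contains a quote.
const BENIGN = "alice";
const PROBE = "O'Brien";

console.log(inputChangesQuery(findUserUnsafe, BENIGN, PROBE)); // true: the quote breaks the literal
console.log(inputChangesQuery(findUserSafe, BENIGN, PROBE));   // false: text is constant
console.log(isValidUsername(PROBE));                           // false
```

The probe is deliberately an ordinary value rather than an attack string: a single quote in a real surname is enough to show that the string-built query's structure depends on its input, which is the whole defect, while the parameterized query's text never changes and the value reaches the database intact. The allowlist then rejects the quote at the API boundary, which is the "sanitise every untrusted input" bullet in practice.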
27. Wrapping Up
● OWASP API Security Top 10
● API Security Testing in Postman
● Automation using Postman
Visit the Postman Security Workspace
postman.com @getpostman
28. Reference
● OWASP API Security Top 10
● OWASP Juice Shop
● Postman Interceptor
● Postman Security Workspace
● OWASP API Security top 10 Workspace
● Postman Flows