About Me
• PhD in Cyber Security + Machine Learning
• Security researcher
• Ethical hacker with a specialism in Mobile APIs
• YouTuber and educator in web and API security @InsiderPhD
About this talk
• Designed for developers
• I’m going to assume you are familiar with RESTful APIs
• How to hack your own APIs to test for security flaws
• Common API security flaws to watch out for
• Tools you can use to test your security
Hacking
The cycle
Try exploit → Doesn't work → Work out why → Change exploit → (repeat)
Interesting => Vulnerable
• Try to perform a test for the bug I’m looking for
• IDOR = change ID
• XSS = simple XSS payload
• Did it work?
• Write a full exploit to show as a PoC
• Did it fail?
• Why did it fail? Eg filtered
• Retest with a change
I’ve got a good feeling about this XSS Watson
The Cycle
Try exploit → Doesn't work → Work out why → Change exploit → (repeat until it works) → Exploit it
RESTful reminder
• RESTful APIs are really easy to spot
• They have a defined structure which relates to CRUD functionality
• You can easily predict new endpoints simply by knowing an application
• Eg: If YouTube’s API has something like GET /video/1
• You can assume DELETE /video/1 also exists
• And that if YouTube has videos maybe GET /comment/1 exists for comments
• They are widely used, however some of the endpoints may be more custom
• Eg DELETE /posts/1 vs POST /posts/1/delete
• They usually return JSON
We need to see requests
Hacking is about fiddling with things
• We make small changes to a request and see if that changes the response
• Asking ourselves ‘what could an attacker do with this?’
• The hard part is knowing what change to make!
• For that info we need to look at specific vulnerabilities
OWASP API Security top 10
• API1:2019 Broken Object Level Authorization
• API2:2019 Broken User Authentication
• API3:2019 Excessive Data Exposure
• API4:2019 Lack of Resources & Rate Limiting
• API5:2019 Broken Function Level Authorization
• API6:2019 Mass Assignment
• API7:2019 Security Misconfiguration
• API8:2019 Injection
• API9:2019 Improper Assets Management
• API10:2019 Insufficient Logging & Monitoring
Excessive Data Exposure
What is it?
• When an API returns too much information
• For example if you are booking a hotel room, should the API be returning the names of all other guests at the hotel? Or just the number of rooms
• Extreme example but this happens
The recipe for an information disclosure
• Call the API
• Look at the response
• Is it disclosing too much info?
• Bonus points:
• Enumerating through the API to find hidden endpoints
• Enumerating through the parameters to find hidden parameters
Clues
• For information disclosure we are looking for an API that returns back too much info
• Sometimes an API might return a ton of info but never display it
• Or only display some of it
• Or has a lot of parameters – suggests some querying is being done that we can change
• These are clues that an API might be vulnerable
Skills you need
• Keep an eye out
• Think about the security risk of what information is returned
• Make a judgement call
• Is it a security risk?
• Could it be used to help a larger attack?
• Does the target really want this public?
• Does it return a large amount of data?
• Just because it’s working as intended doesn’t mean that there are no security risks
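The hotel example above, worked through in code. This is an added example, not code from the talk: a constructed hotel record, the "return the whole backend object" serializer that leaks other guests' details, an allow-list serializer that returns only what the booking screen needs, and two small checks that turn the talk's recipe and clues into something you can run against your own responses: an audit that walks a JSON body for sensitive-looking keys, and a diff of returned fields against the fields the UI actually renders. The hotel data, the `SENSITIVE_KEYS` list and the `AVAILABILITY_FIELDS` allow-list are all assumptions for the example.

```python
# Added example (not from the talk): excessive data exposure (API3:2019)
# in a hotel-booking availability endpoint, the fixed version, and two
# response checks a developer can run in tests.
from typing import Any

# Constructed sample data: everything the backend holds about one hotel.
HOTEL = {
    "id": 17,
    "name": "Example Hotel",  # constructed
    "rooms_total": 40,
    "guests": [  # other people's bookings: sensitive, never needed by a booking screen
        {"name": "A. Guest", "room": 101, "email": "a@example.test", "card_last4": "4242"},
        {"name": "B. Guest", "room": 102, "email": "b@example.test", "card_last4": "1111"},
    ],
}


def availability_unsafe(hotel: dict) -> dict:
    """Vulnerable: serialises the whole backend record, guests included."""
    return dict(hotel)


# Explicit allow-list: the only top-level fields the booking screen needs.
AVAILABILITY_FIELDS = ("id", "name", "rooms_total")


def availability_safe(hotel: dict) -> dict:
    """Fixed: build the response from an allow-list and return derived values
    (a count) instead of the records they were derived from."""
    out = {k: hotel[k] for k in AVAILABILITY_FIELDS}
    out["rooms_free"] = hotel["rooms_total"] - len(hotel["guests"])
    return out


# Keys that should make a reviewer stop and ask why they are in a response.
# Constructed starting list; extend it for your own domain.
SENSITIVE_KEYS = {
    "email", "password", "password_hash", "card_last4", "ssn",
    "phone", "address", "token", "api_key",
}


def audit_response(body: Any, path: str = "$") -> list[str]:
    """Walk a JSON-like body and return JSONPath-style locations of keys that
    look sensitive. Run it over every endpoint's response in your test suite."""
    findings: list[str] = []
    if isinstance(body, dict):
        for key, value in body.items():
            if key.lower() in SENSITIVE_KEYS:
                findings.append(f"{path}.{key}")
            findings.extend(audit_response(value, f"{path}.{key}"))
    elif isinstance(body, list):
        for i, value in enumerate(body):
            findings.extend(audit_response(value, f"{path}[{i}]"))
    return findings


def unused_fields(body: dict, fields_rendered: set[str]) -> set[str]:
    """The 'returns a ton of info but never displays it' clue from the talk:
    top-level fields in the response that the client never renders."""
    return set(body) - fields_rendered


if __name__ == "__main__":
    leaky = availability_unsafe(HOTEL)
    print("unsafe, sensitive keys:", audit_response(leaky))
    print("unsafe, never rendered:", unused_fields(leaky, {"name", "rooms_total"}))
    print("safe, sensitive keys:", audit_response(availability_safe(HOTEL)))
```

`audit_response` is deliberately key-based rather than value-based: it is cheap, runs on any recorded response, and a false positive just means someone has to justify the field, which is exactly the judgement call the "Skills you need" slide asks for.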
Broken Object Level Authorisation
Broken Function Level Authorisation
AKA IDORs
What’s an IDOR?
• IDOR stands for Insecure Direct Object Reference
• Fancy term which means it doesn’t check if you can actually access or modify something
• Example: your account is ID 4
• Delete account ID 4 – Should work, it’s your account
• Delete account ID 3 – Shouldn’t work, it’s not your account
• Another example: You are a guest
• View post ID 4 – Should work, you only have view permissions
• Edit post ID 4 – Shouldn’t work, you don’t have permission
The types of IDORs
Admin functionality
The recipe for an IDOR
• Find endpoints with IDs in the request
• Change the ID (to another account you own – don’t test on accounts you don’t own)
• If it works it’s an IDOR
• Find endpoints that require admin permissions
• Login to an account that has guest permissions
• Repeat the requests to the admin endpoints, changing the cookies
• If it works it’s an IDOR
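Both halves of the IDOR recipe, as an added example that is not code from the talk. It models a task API in plain Python (no web framework) so it runs offline: `delete_task_unsafe` is the classic object-level bug (the caller is authenticated but ownership is never checked) and `list_all_tasks_unsafe` is the function-level one (an admin endpoint that only checks for a session). The fixed handlers add the ownership and role checks, and `idor_check` is the recipe itself written as a regression test: delete a task belonging to a second account you control, and replay the admin endpoint with a guest session. The task store, the user ids and the roles are all constructed for the example.

```python
# Added example (not from the talk): BOLA (API1:2019) and BFLA (API5:2019)
# handlers, their fixes, and the talk's IDOR recipe as a test you can keep
# in your own test suite.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "guest", "user" or "admin" (constructed role names)


# Constructed in-memory store: task id -> owner's user id.
TASKS = {1: 4, 2: 3, 3: 4}


class Forbidden(Exception):
    """Maps to HTTP 403 in a real API."""


class NotFound(Exception):
    """Maps to HTTP 404 in a real API."""


# --- vulnerable handlers --------------------------------------------------
def delete_task_unsafe(tasks: dict, caller: User, task_id: int) -> None:
    """Authenticated, but never asks whether `caller` owns `task_id`."""
    if task_id not in tasks:
        raise NotFound(task_id)
    del tasks[task_id]  # any logged-in user can delete anyone's task


def list_all_tasks_unsafe(tasks: dict, caller: User) -> dict:
    """Meant to be admin-only, but only 'is there a session?' is ever checked."""
    return dict(tasks)


# --- fixed handlers -------------------------------------------------------
def require_owner(tasks: dict, caller: User, task_id: int) -> None:
    """Object-level authorization: the referenced object must belong to the caller.
    Return NotFound instead of Forbidden here if you prefer not to confirm that
    someone else's id exists."""
    if task_id not in tasks:
        raise NotFound(task_id)
    if tasks[task_id] != caller.id:
        raise Forbidden(f"user {caller.id} does not own task {task_id}")


def delete_task(tasks: dict, caller: User, task_id: int) -> None:
    require_owner(tasks, caller, task_id)
    del tasks[task_id]


def list_all_tasks(tasks: dict, caller: User) -> dict:
    """Function-level authorization: the role is checked, not just the session."""
    if caller.role != "admin":
        raise Forbidden("admin only")
    return dict(tasks)


# --- the talk's recipe as a test ------------------------------------------
def idor_check(delete_fn, list_fn) -> dict:
    """Run the two recipe steps against a pair of handlers.
    True in the result means the step 'worked', i.e. the handler is vulnerable."""
    alice = User(id=4, role="user")   # two accounts we own, constructed
    bob = User(id=3, role="user")
    guest = User(id=9, role="guest")
    results = {}

    # Step 1: change the ID to an object owned by our second account.
    tasks = dict(TASKS)
    try:
        delete_fn(tasks, alice, 2)        # task 2 belongs to bob, not alice
        results["bola_delete"] = True
    except Forbidden:
        results["bola_delete"] = False

    # Step 2: replay the admin endpoint with a guest session.
    try:
        list_fn(dict(TASKS), guest)
        results["bfla_admin_list"] = True
    except Forbidden:
        results["bfla_admin_list"] = False

    # Sanity check so the fix is not 'deny everything': the owner still succeeds.
    tasks = dict(TASKS)
    try:
        delete_fn(tasks, bob, 2)
        results["owner_can_delete"] = 2 not in tasks
    except Forbidden:
        results["owner_can_delete"] = False
    return results


if __name__ == "__main__":
    print("unsafe:", idor_check(delete_task_unsafe, list_all_tasks_unsafe))
    print("fixed: ", idor_check(delete_task, list_all_tasks))
```

The point of `idor_check` is that the recipe is mechanical enough to automate: every handler that takes an object id gets a "second account" case, and every privileged handler gets a "guest session" case, so a regression shows up in CI rather than in a bug bounty report.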
[IDOR] Deleting other people's tasks
IDOR bug to See hidden slowvote of any user even when you don't have access right
Bypass of my three other reports #267636 + #255894 + #271861 - (IDOR) Ability to see full name associated with other New Relic accounts
A story of a vuln
Impact, impact, impact
• Giggle Drama: https://research.digitalinterruption.com/2020/09/10/giggle-laughable-security/
• Technically simple IDOR
• BUT
• Had consequences due to the nature of some of the categories on the app
• Eg partners fleeing abuse could have been located
2022 APIsecure_Go Hack Yourself: API Hacking for Beginners