2. curl -X GET https://127.0.0.1/info
https://www.linkedin.com/in/jieliau
https://github.com/jieliau
https://www.facebook.com/jie.liau
https://twitter.com/0xJieLiau
https://jieliau.medium.com/
{
"Name": "Jie Liau",
"Experiences": [
"How You API Be My API. - Session speaker in iThome CYBERSEC 2023",
"Building Your Container Botnet in 1 Minute. - Session speaker in iThome CYBERSEC 2021",
"Container Security. - Session speaker in InfoSec 2020",
"Protecting Your Internet Route Integrity. - Session speaker in iThome CYBERSEC 2020",
"The Dark Side. - Seminar speaker in CSE, Yuan Ze University 2018",
"The Tor Network. - Session speaker in TDOH Conference 2017",
"What Does Network Operation Looks Like. - Seminar speaker in CSE, Yuan Ze University 2016"
],
"Certifications": [
"CCIE",
"OSCP",
"CEH"
]
}
3. According to Akamai, 83% of web traffic is API traffic, while HTML traffic has fallen to just 17%
https://www.akamai.com/newsroom/press-release/state-of-the-internet-security-retail-attacks-and-api-traffic
4. According to Gartner, by 2022 APIs would become the most frequent attack vector
https://www.infosecurity-magazine.com/next-gen-infosec/api-attacks-threat-vector-2022/
https://www.gartner.com/en/webinars/4002323/api-security-protect-your-apis-from-attacks-and-data-breaches
5. OWASP API Security Project
The unique vulnerabilities and security risks of APIs
First release of API Security Top 10 in 2019
https://owasp.org/www-project-api-security/
https://github.com/OWASP/API-Security
6. 2019 OWASP API Security Top 10
API1 Broken Object Level Authorization
API2 Broken User Authentication
API3 Excessive Data Exposure
API4 Lack of Resources & Rate Limiting
API5 Broken Function Level Authorization
API6 Mass Assignment
API7 Security Misconfiguration
API8 Injection
API9 Improper Assets Management
API10 Insufficient Logging & Monitoring
7. 2023 OWASP API Security Top 10
API1 Broken Object Level Authorisation
API2 Broken Authentication
API3 Broken Object Property Level Authorisation
API4 Unrestricted Resource Consumption
API5 Broken Function Level Authorisation
API6 Unrestricted Access to Sensitive Business Flows
API7 Server Side Request Forgery
API8 Security Misconfiguration
API9 Improper Inventory Management
API10 Unsafe Consumption Of APIs
9. Application Programming Interface
Public API, Private API, Partner API…
REST API, SOAP API, RPC API
RESTful API
Web Services
URIs
HTTP protocol/method
Problems
Direct access to sensitive data
Over-permissioned
Vulnerable to logic flaws
(Diagram: API, Web App, Mobile App, Micro Services)
14. Broken Object Level Authorisation
User A is able to request User B’s resources, and vice versa
A-B testing
Broken Function Level Authorisation
Perform unauthorized actions such as PUT or DELETE that the caller's role should not be allowed to invoke
Escalated action
A-B-A testing
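Added example for the BOLA / BFLA slide above; this is not code from the original deck. It models a toy in-memory order API with each handler in a vulnerable and a hardened form, then codes the A-B and A-B-A checks the slide names as functions that report whether the endpoint is broken. The users, the role names ("user", "admin") and the orders are constructed sample data.

```python
# Added example for the BOLA / BFLA slide; not taken from the original deck.
# A toy in-memory order API with each handler in a vulnerable and a hardened
# form, plus the A-B and A-B-A checks as functions. Users, roles ("user",
# "admin") and orders are constructed sample data.
from dataclasses import dataclass


@dataclass
class Order:
    id: int
    owner: str
    total: float


@dataclass
class User:
    name: str
    role: str  # "user" or "admin" (assumed role names)


ORDERS = {101: Order(101, "alice", 19.99), 202: Order(202, "bob", 250.00)}
USERS = {
    "alice": User("alice", "user"),
    "bob": User("bob", "user"),
    "root": User("root", "admin"),
}


class Forbidden(Exception):
    pass


def _authenticate(caller: str) -> User:
    if caller not in USERS:
        raise Forbidden("unauthenticated")
    return USERS[caller]


# --- Vulnerable: the API checks WHO you are but never WHAT you may touch ----
def get_order_vuln(caller: str, order_id: int) -> Order:
    _authenticate(caller)
    return ORDERS[order_id]  # BOLA: any logged-in user reads any order


def delete_order_vuln(caller: str, order_id: int, orders: dict) -> None:
    _authenticate(caller)
    del orders[order_id]  # BFLA: DELETE is not limited to admins


# --- Hardened -----------------------------------------------------------------
def get_order_safe(caller: str, order_id: int) -> Order:
    user = _authenticate(caller)
    order = ORDERS[order_id]
    if order.owner != user.name and user.role != "admin":
        raise Forbidden("object belongs to another user")  # object-level check
    return order


def delete_order_safe(caller: str, order_id: int, orders: dict) -> None:
    user = _authenticate(caller)
    if user.role != "admin":
        raise Forbidden("function not permitted for role")  # function-level check
    del orders[order_id]


# --- The two tests named on the slide -----------------------------------------
def ab_test(read_handler, user_a: str, user_b_object: int) -> bool:
    """A-B test: as User A, request an object that belongs to User B.
    Returns True when the read succeeds, i.e. the endpoint has BOLA."""
    try:
        read_handler(user_a, user_b_object)
        return True
    except Forbidden:
        return False


def aba_test(delete_handler, admin: str, low_priv: str, order_id: int) -> bool:
    """A-B-A test: confirm a privileged user (A) can perform the action,
    replay the same call as a low-privileged user (B), then check the
    resulting state as A. Returns True when B's replay changed state,
    i.e. the endpoint has BFLA."""
    orders = dict(ORDERS)
    delete_handler(admin, order_id, orders)  # A: the action is legitimate for admin
    assert order_id not in orders
    orders = dict(ORDERS)
    try:
        delete_handler(low_priv, order_id, orders)  # B: replay as low-priv user
    except Forbidden:
        return False
    return order_id not in orders  # A: verify state from the privileged side


if __name__ == "__main__":
    print("BOLA vuln :", ab_test(get_order_vuln, "alice", 202))
    print("BOLA fixed:", ab_test(get_order_safe, "alice", 202))
    print("BFLA vuln :", aba_test(delete_order_vuln, "root", "alice", 101))
    print("BFLA fixed:", aba_test(delete_order_safe, "root", "alice", 101))
```

The point of the split is that authentication alone (the `_authenticate` call) is what both vulnerable handlers already do; the fix is the extra ownership check for reads and the role check for state-changing functions, and the two tests are the quickest way to tell one case from the other against a live API.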
18. SSRF Types
In-Band SSRF (the response of the server-side request is returned to the attacker)
Blind SSRF (no response is returned; confirm with an out-of-band callback)
Look for any user-supplied URL in:
POST body
Parameter
Header, for example Referer
Any user input
Tools
https://webhook.site
https://pingb.in
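Added example for the SSRF slide; this is not code from the original deck. It is the target check a server-side fetcher would run before following a user-supplied URL, exercised against the in-band payloads a tester tries from the inputs listed above: loopback and cloud-metadata addresses, legacy IP shorthands, an IPv4-mapped IPv6 literal, userinfo confusion and a hostname that resolves to an internal address. The hostnames, the FAKE_DNS table and the IP addresses are constructed so the example runs offline; a real deployment would pass a resolver built on socket.getaddrinfo.

```python
# Added example for the SSRF slide; not from the original deck. A target
# check that a server-side fetcher would run before following a user-
# supplied URL, exercised against the in-band payloads a tester tries.
# The hostnames, the FAKE_DNS table and the IPs are constructed so the
# example runs offline; production code would resolve via socket.getaddrinfo.
import ipaddress
import socket
from typing import Callable
from urllib.parse import urlsplit

FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],                   # constructed public IP
    "internal.corp": ["10.0.0.5"],                              # RFC 1918
    "rebind.attacker.example": ["93.184.216.34", "127.0.0.1"],  # one answer is internal
}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host.lower(), [])


def _literal_ip(host: str):
    """Return an address object if host is an IP literal. Besides the usual
    forms this catches the shorthands inet_aton accepts (127.1, 2130706433,
    0x7f000001), which a plain string compare against '127.0.0.1' misses."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def _is_internal(ip) -> bool:
    if ip.version == 6 and ip.ipv4_mapped is not None:  # [::ffff:127.0.0.1]
        ip = ip.ipv4_mapped
    # is_global is False for loopback, link-local (169.254.169.254), RFC 1918,
    # shared address space, unspecified and documentation ranges.
    return (not ip.is_global) or ip.is_multicast


def check_target(url: str, resolver: Callable[[str], list[str]] = fake_resolver):
    """Return (allowed, reason, pinned_ips). A caller that passes should
    connect to one of pinned_ips (setting the Host header itself) instead of
    resolving again, so a changed DNS answer cannot redirect the request."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname
    if not host:
        return False, "no host in URL", []
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL", []  # http://api.trusted@127.0.0.1/
    ip = _literal_ip(host)
    if ip is not None:
        if _is_internal(ip):
            return False, f"internal address {ip}", []
        return True, "ok", [str(ip)]
    resolved = [ipaddress.ip_address(a) for a in resolver(host)]
    if not resolved:
        return False, f"{host} does not resolve", []
    internal = [str(a) for a in resolved if _is_internal(a)]
    if internal:
        return False, f"{host} resolves to internal {internal}", []
    return True, "ok", [str(a) for a in resolved]


if __name__ == "__main__":
    PAYLOADS = [  # constructed test inputs
        "https://api.partner.example/v1/orders",
        "http://127.0.0.1/info",
        "http://2130706433/",
        "http://127.1/",
        "http://0x7f000001/",
        "http://[::ffff:127.0.0.1]/",
        "http://169.254.169.254/latest/meta-data/",
        "http://api.partner.example@127.0.0.1/",
        "file:///etc/passwd",
        "gopher://127.0.0.1:6379/_",
        "http://internal.corp/",
        "http://rebind.attacker.example/",
    ]
    for p in PAYLOADS:
        ok, why, ips = check_target(p)
        print(f"{'ALLOW' if ok else 'BLOCK':5} {p:45} {why} {ips}")
```

Two design points matter more than the list of ranges: the check resolves the hostname itself and hands back the vetted addresses so the fetcher can pin them, and it rejects the whole name if any answer is internal, because a round-robin or rebinding name only needs one internal answer to land the request. For blind SSRF the same input points are probed with a callback host (the tools listed above) rather than with an internal address.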