
QA Fest 2019. Kateryna Ovechenko. API Security Testing


Security testing of APIs has its own specifics compared with web applications. In this talk I will describe the main vulnerabilities found in APIs and how to find them. I will also show the main tools that let you automate API security testing and give advice on which tool suits which kinds of applications. The talk is aimed at an audience with basic knowledge of security testing and an understanding of the main injection attacks.

Published in: Education

  1. API SECURITY. Kateryna Ovechenko. QA Fest, KYIV 2019, QA CONFERENCE #1 IN UKRAINE.
  2. ABOUT ME. WITH PASSION TO QUALITY. Head of QA Department; co-founder of professional IT conferences; 9+ years in testing, focused on test management of large programs and teams and on security testing; 4+ years in security testing, from building the competence in the company to coordinating projects for external customers; speaker at local and international conferences (QA Fest, SQA Days, Simplicity Day, Czech Test and several in Norway); lecturer at National Aviation University.
  3. REAL EXAMPLES
  4. NISSAN. Remote control over the API of another user's car: climate control; battery charge management; car driving range; historic driving data (when, how far, how efficiently). Full article: https://www.computerworld.com/article/3036964/hackers-can-access-the-nissan-leaf-via-insecure-apis.html
  5. SAMSUNG. An unsecured API allowed an attacker to: change TV channels; turn up the volume; play unwanted YouTube videos; kick the TV off a Wi-Fi connection. It did NOT allow: spying on a TV viewer; stealing private information; monitoring what was being watched. Full article: https://www.consumerreports.org/tvs/samsung-fixes-smart-tv-security-issue/
  6. CANDY CRUSH. By modifying legitimate API calls of the game, the author was able to: play without the lives limitation; make levels easier by changing the number of colours for each level; finish each level automatically with a random score by calling the proper method in the API. Full article: https://www.stavros.io/posts/winning-candy-crush/
  7. APIS IN OUR LIFE. The average number of APIs a company runs is 420; 83% of traffic on a content-delivery network belongs to APIs. Full report: https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/state-of-the-internet-security-retail-attacks-and-api-traffic-report-2019.pdf
  8. OWASP API SECURITY. Top 10 API Security Risks, current draft: 1. Broken Object Level Access Control; 2. Broken Authentication; 3. Improper Data Filtering; 4. Lack of Resources & Rate Limiting; 5. Missing Function/Resource Level Access Control; 6. Mass Assignment; 7. Security Misconfiguration; 8. Injection; 9. Improper Assets Management; 10. Insufficient Logging & Monitoring. (In the list as finally published in 2019, items 3 and 5 were renamed Excessive Data Exposure and Broken Function Level Authorization.) API Security Cheat Sheet from OWASP: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
  9. A1: BROKEN OBJECT LEVEL ACCESS CONTROL. Example request: POST api/v1/documents/download_document with body { document_id: 102 }. Diagram on the slide: the same request is repeated with document_id 102, 101, 103 and 104; only 102 (the caller's own document) returns ok, the others fail. An API that returns ok for the neighbouring ids as well has the A1 problem.
  10. A1: BROKEN OBJECT LEVEL ACCESS CONTROL. Violation of horizontal access control. Where the object id can be tampered with: URL parameters (/api/users/717); query parameters (/download_file?id=111); body parameters (user-id: 717).
  11. A1: BROKEN OBJECT LEVEL ACCESS CONTROL. Tools: traffic analyzers, API testing tool.
  12. A2: BROKEN AUTHENTICATION. Weak authentication (password management, brute-force attacks, etc.) can be tested both manually and with automatic scanners. Checking sessions for APIs: find what actually carries the session in the captured request, e.g.
        GET /api/1.0/Channels/1270 HTTP/1.1
        Host: test-site.azurewebsites.net
        Accept: application/json
        Accept-Encoding: gzip, deflate
        Cookie: auth=60f5f03b-57b8-40b4-aa79-a73e8b6f0814; ARRAffinity=667b68ef9998ba2095eb4fef50e58d958908a44894f5425ed92f2db982a28474
        Connection: keep-alive
      Here the auth cookie is the session token to test (expiry, invalidation on logout, reuse); ARRAffinity is only the Azure App Service load-balancer affinity cookie.
  13. A2: BROKEN AUTHENTICATION. API-to-API communication with a master token or service account: cannot be found automatically, only during architecture and code reviews. Basic authentication vs claim-based authentication and Single Sign-On (SSO).
  14. CLAIM-BASED AUTHENTICATION (diagram only on the slide).
  15. A2: BROKEN AUTHENTICATION. Tools: automatic scanners, API testing tool.
  16. A3: IMPROPER DATA FILTERING. Client-side data filtering: APIs tend to return more data than required; this data is usually not shown to the user but is easily found in the API response. Filters manipulation: the front-end usually maintains the user's state and sends extra filters to the back-end to reflect it; a client can drop or change those filters. Example: the profile page shows only Name: Kate, Role: superuser, Hobby: travelling, sports, while the response is
        200 OK
        { "users": [ { "picture": "profile_kate.jpg", "userid": 220, "name": "Kate", "last_name": "Ovechenko", "role": "superuser", "hobbies": ["travelling", "sports"], "address": "Kyiv, Test str., 35" } ] }
  17. A3: IMPROPER DATA FILTERING. Tools: traffic analyzers, API testing tool.
  18. Example: GitLab API flaw. Full article: https://devclass.com/2018/10/02/gitlab-api-flaw-security-updates/
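An added example for slides 16 and 17 (not part of the talk): the response-versus-UI diff a tester does with a traffic analyzer, scripted, followed by the server-side allow-list that fixes it and a server-enforced scope that cannot be widened by filter manipulation. SAMPLE_USER is the slide's response as valid JSON; the field lists, RECORDS and the department scope are constructed for the example.

```python
# Added example: the three fields the profile page renders versus the full
# object the API returns. SAMPLE_USER is the talk's response, reconstructed
# as valid JSON; the field lists and RECORDS are constructed.
import json

UI_FIELDS = {"name", "role", "hobbies"}
SENSITIVE_FIELDS = {"userid", "last_name", "address", "email", "phone", "password", "token"}

SAMPLE_USER = {
    "picture": "profile_kate.jpg",
    "userid": 220,
    "name": "Kate",
    "last_name": "Ovechenko",
    "role": "superuser",
    "hobbies": ["travelling", "sports"],
    "address": "Kyiv, Test str., 35",
}
CAPTURED_RESPONSE = json.dumps({"users": [SAMPLE_USER]})   # what the proxy shows


def excess_fields(response_text, shown_fields, collection="users"):
    """Diff every object in the response against what the client renders.
    Returns the surplus split into sensitive and merely unnecessary fields."""
    extra = set()
    for obj in json.loads(response_text)[collection]:
        extra |= set(obj) - shown_fields
    return {"sensitive": sorted(extra & SENSITIVE_FIELDS),
            "unnecessary": sorted(extra - SENSITIVE_FIELDS)}


def serialize_user(user, shown_fields=UI_FIELDS):
    """Server-side fix: an explicit allow-list. Whatever the client asks for,
    fields outside the allow-list never leave the back end."""
    return {k: user[k] for k in shown_fields if k in user}


# Filter manipulation: client filters may narrow a result set, but the scope
# (here: the requester's own department) is derived on the server, so dropping
# or editing a filter cannot widen it.
RECORDS = [   # constructed
    {"name": "Kate", "department": "qa", "status": "active"},
    {"name": "John", "department": "qa", "status": "inactive"},
    {"name": "Anna", "department": "finance", "status": "active"},
]


def list_visible(records, requester, client_filters):
    scope = [r for r in records if r["department"] == requester["department"]]
    return [r["name"] for r in scope
            if all(r.get(k) == v for k, v in client_filters.items())]
```

Run excess_fields over every response captured during a session, not just one: the surplus fields are usually the same across endpoints because the same serializer is reused.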
  19. A4: LACK OF RESOURCES & RATE LIMITING. Scenario 1: too many requests are being made to or from a certain API at the same time; the expected protection is status code 429 Too Many Requests and proprietary headers such as X-RateLimit-*. Scenario 2: too heavy requests are being made to an API, e.g. /dashboard/users?page=1&size=100 → size=200000.
  20. A4: LACK OF RESOURCES & RATE LIMITING. Scenario 3: fuzzing. Data that can be used: wrong data format; long arrays of data; special characters; other methods or protocols than those the server expects; special functions.
  21. BURP SUITE: HTTP METHOD FUZZING (screenshot).
  22. A4: LACK OF RESOURCES & RATE LIMITING. Tools: traffic analyzers; fuzzing tools: JBroFuzz, Fuzzapi.
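An added example for scenarios 1 and 2 (not part of the talk): a sliding-window limiter and a page-size cap on a fake GET /dashboard/users endpoint, and the two probes a tester fires at it. The limit, window, dataset size and MAX_PAGE_SIZE are assumptions; the X-RateLimit-* and Retry-After header names follow common convention, not a standard.

```python
# Added example: protections and probes for A4. Limits and dataset size are
# constructed for the example.
import time
from collections import deque

MAX_PAGE_SIZE = 100
DATASET_SIZE = 250_000   # constructed: rows the back end would page through


class RateLimiter:
    """At most `limit` requests per `window` seconds per client key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = {}

    def check(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()                      # forget hits outside the window
        if len(q) >= self.limit:
            retry = int(self.window - (now - q[0])) + 1
            return False, {"X-RateLimit-Limit": self.limit,
                           "X-RateLimit-Remaining": 0, "Retry-After": retry}
        q.append(now)
        return True, {"X-RateLimit-Limit": self.limit,
                      "X-RateLimit-Remaining": self.limit - len(q)}


def make_endpoint(limiter=None, clamp=True):
    """GET /dashboard/users?page=&size= with or without the two protections."""
    def endpoint(client, page=1, size=100, now=0.0):
        headers = {}
        if limiter is not None:
            ok, headers = limiter.check(client, now)
            if not ok:
                return 429, headers, []
        if clamp:
            size = max(1, min(size, MAX_PAGE_SIZE))   # server decides the page size
        start = (page - 1) * size
        items = list(range(start, min(start + size, DATASET_SIZE)))
        return 200, headers, items
    return endpoint


def probe_burst(endpoint, client="burst-tester", requests=20):
    """Scenario 1: fire requests back to back with no pause. Returns how many
    got through before the first 429, or None if the API never pushed back."""
    for i in range(requests):
        status, _, _ = endpoint(client, now=0.0)
        if status == 429:
            return i
    return None


def probe_page_size(endpoint, client="size-tester", size=200_000):
    """Scenario 2: ask for an absurd page; return how many items came back."""
    _, _, items = endpoint(client, page=1, size=size)
    return len(items)
```

Against a real API the same probes are two Burp Intruder or Postman Collection Runner runs; a None from probe_burst and a count far above the documented maximum from probe_page_size are the findings.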
  23. A5: MISSING FUNCTION LEVEL ACCESS CONTROL. Violation of vertical access control: understand the relations between resources; expect complex user policies and roles; the entry points are easier to predict (GET → DELETE, /api/v1/users → /api/v1/admins); compare 2xx OK against 401/403 Unauthorized/Forbidden for each role.
  24. A5: MISSING FUNCTION LEVEL ACCESS CONTROL. Diagram: role hierarchy used for the checks (authenticated user, regular user, manager, admin).
  25. Example: Steam bug that could have given access to all the CD keys of any game. Full article: https://www.zdnet.com/article/steam-bug-could-have-given-you-access-to-all-the-cd-keys-of-any-game/
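An added example serving both A1 (slides 9 to 11, horizontal) and A5 (slides 23 and 24, vertical); it is not code from the talk. A small in-process stand-in for the API holds the handlers, once with the missing checks and once with them, and the two probe functions are what a tester would script after capturing one legitimate request in a traffic analyzer. Users, roles and document ids are constructed.

```python
# Added example: object-level and function-level access-control checks
# against a fake API. All users, roles and document ids are constructed.
from dataclasses import dataclass
from typing import Optional

DOCUMENTS = {101: "alice", 102: "bob", 103: "carol", 104: "alice"}   # id -> owner
ROLES = {"alice": "regular", "bob": "regular", "carol": "manager", "dave": "admin"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


# Vulnerable handlers: both only check that the caller has a session.
def download_document_vulnerable(session_user, document_id):
    if session_user not in ROLES:
        return Response(401)
    if document_id not in DOCUMENTS:
        return Response(404)
    return Response(200, {"document_id": document_id, "owner": DOCUMENTS[document_id]})


def delete_user_vulnerable(session_user, target_user):
    if session_user not in ROLES:
        return Response(401)
    return Response(200, {"deleted": target_user})


# Fixed handlers: ownership check (object level) and role check (function level).
def download_document_fixed(session_user, document_id):
    if session_user not in ROLES:
        return Response(401)
    if DOCUMENTS.get(document_id) != session_user:
        return Response(404)   # same answer for "foreign" and "missing": the probe learns nothing
    return Response(200, {"document_id": document_id, "owner": session_user})


def delete_user_fixed(session_user, target_user):
    if session_user not in ROLES:
        return Response(401)
    if ROLES[session_user] != "admin":
        return Response(403)
    return Response(200, {"deleted": target_user})


# Check 1, horizontal (A1): with one user's session, walk the ids around a
# document we legitimately own and collect every foreign id that returns 200.
def find_bola(handler, session_user, own_id, span=3):
    leaks = []
    for doc_id in range(own_id - span, own_id + span + 1):
        resp = handler(session_user, doc_id)
        if resp.status == 200 and resp.body["owner"] != session_user:
            leaks.append(doc_id)
    return leaks


# Check 2, vertical (A5): call an admin-only function with every role and
# collect the roles that should have been refused but got a 2xx.
def find_vertical(handler, roles=ROLES, allowed=("admin",)):
    return sorted(
        user for user, role in roles.items()
        if role not in allowed and 200 <= handler(user, "victim").status < 300
    )


if __name__ == "__main__":
    print("BOLA, vulnerable:", find_bola(download_document_vulnerable, "bob", 102))
    print("BOLA, fixed:     ", find_bola(download_document_fixed, "bob", 102))
    print("vertical, vulnerable:", find_vertical(delete_user_vulnerable))
    print("vertical, fixed:     ", find_vertical(delete_user_fixed))
```

The two probes need different inputs: find_bola needs one session and a known-good id, find_vertical needs one session per role, which is why the A5 check is harder to automate on real systems with complex role policies.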
  26. A6: MASS ASSIGNMENT. Modern frameworks encourage developers to use mass assignment (a data-transfer object with all properties bound at once). It is easier to exploit in APIs: we can usually find a GET request that returns all the properties of an object, so the attacker knows which names to submit. Vulnerable Rails controller:
        def signup
          @user = User.create(params[:user])
          # => User<email: "john@doe.com", password: "qwerty", is_administrator: false>
        end
  27. A6: MASS ASSIGNMENT. The attacker adds a field the form never had (nested under user so Rails puts it into params[:user]):
        <!-- INJECTED FIELD: -->
        <input type="hidden" name="user[is_administrator]" value="true">
      With the controller above the result is:
        def signup
          @user = User.create(params[:user])
          # => User<email: "john@doe.com", password: "qwerty", is_administrator: true>
        end
      Fix, explicit assignment:
        def signup
          @user = User.create(
            email: params[:user][:email],
            password: params[:user][:password]
          )
        end
      or whitelisting with strong parameters:
        def signup
          @user = User.create(params.require(:user).permit(:email, :password))
        end
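An added example of the testing side of slides 26 and 27 (not code from the talk): take every attribute the GET returns, submit each one the sign-up form does not send, and see which ones the back end accepted. The two sign-up functions stand in for the Rails controllers above; the attribute list, defaults and probe values are constructed.

```python
# Added example: probing for mass assignment. Handlers mimic the Rails
# controllers with and without strong parameters; data is constructed.
FORM_FIELDS = {"email", "password"}
GET_ATTRIBUTES = ("email", "password", "is_administrator", "credit", "userid")   # seen in GET /api/users/<id>


def new_user(params):
    return {"email": params.get("email"), "password": params.get("password"),
            "is_administrator": False, "credit": 0, "userid": 1}


def signup_vulnerable(params):
    """User.create(params[:user]): every submitted key is written to the model."""
    user = new_user(params)
    user.update(params)
    return user


def signup_fixed(params):
    """params.require(:user).permit(:email, :password): unknown keys are dropped."""
    user = new_user(params)
    user.update({k: v for k, v in params.items() if k in FORM_FIELDS})
    return user


def flipped(value):
    """A value that is unmistakably different from the default the API returns."""
    if isinstance(value, bool):
        return not value
    if isinstance(value, int):
        return value + 1000
    return str(value) + "_tampered"


def probe_mass_assignment(create, get_attributes=GET_ATTRIBUTES, form_fields=FORM_FIELDS):
    """Return the attributes that are not on the form but stuck when submitted."""
    base = {"email": "john@doe.com", "password": "qwerty"}
    baseline = create(dict(base))
    hijacked = []
    for attr in get_attributes:
        if attr in form_fields:
            continue
        payload = flipped(baseline[attr])
        created = create({**base, attr: payload})
        if created[attr] == payload:          # the extra field was bound to the model
            hijacked.append(attr)
    return hijacked
```

The baseline call matters: without knowing the default value of each attribute you cannot tell whether your value was accepted or merely echoed.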
  28. A7: SECURITY MISCONFIGURATION. Unnecessary HTTP methods. Improper Cross-Origin Resource Sharing: Access-Control-Allow-Origin, Access-Control-Allow-Credentials, using XSS to make requests to cross-origin sites. Detailed errors: respond with generic error messages and avoid revealing details of the failure unnecessarily; do not pass technical details (e.g. call stacks or other internal hints) to the client. Access to internal files/pages. Security headers: Content-Security-Policy, Content-Type, X-Frame-Options.
  29. READY API: SENSITIVE FILES EXPOSURE (screenshot).
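An added example for slide 28 (not code from the talk): a header audit that checks the CORS, method, security-header and error-detail points above against two constructed responders, one misconfigured and one fixed. The allowed origin, the "evil" origin, the method lists and the stack-trace patterns are assumptions for the example.

```python
# Added example: auditing an API response for the A7 misconfigurations.
# Both responders and the origins are constructed.
import re

ALLOWED_ORIGINS = {"https://app.example.com"}   # assumed legitimate front end
REQUIRED_HEADERS = ("Content-Security-Policy", "X-Frame-Options")
STACK_TRACE = re.compile(
    r"Traceback \(most recent call last\)|\bat [\w$.]+\([\w.]+:\d+\)|SQLSTATE\[|ORA-\d{5}")


def respond_vulnerable(origin):
    """Reflects whatever Origin it is given and still allows credentials."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Allow": "GET, POST, PUT, DELETE, TRACE, OPTIONS",
            "Content-Type": "text/html"}


def respond_fixed(origin):
    headers = {"Content-Type": "application/json; charset=utf-8",
               "Content-Security-Policy": "frame-ancestors 'none'",
               "X-Frame-Options": "DENY",
               "Allow": "GET, POST, PUT, DELETE, OPTIONS"}
    if origin in ALLOWED_ORIGINS:     # CORS is opened only for a known origin
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
        headers["Vary"] = "Origin"
    return headers


def audit(responder, evil_origin="https://attacker.example"):
    """Send a request from an origin that must never be trusted and list
    what a tester would report."""
    h = responder(evil_origin)
    findings = []
    acao = h.get("Access-Control-Allow-Origin")
    creds = h.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao == evil_origin and creds:
        findings.append("CORS: arbitrary origin reflected with credentials "
                        "(any site can read authenticated responses)")
    elif acao in (evil_origin, "*"):
        findings.append("CORS: any origin may read responses")
    methods = {m.strip().upper() for m in h.get("Allow", "").split(",")}
    if methods & {"TRACE", "TRACK"}:
        findings.append("Unnecessary HTTP method enabled: TRACE/TRACK")
    for name in REQUIRED_HEADERS:
        if name not in h:
            findings.append("Missing security header: " + name)
    if not h.get("Content-Type", "").startswith("application/json"):
        findings.append("Content-Type is not application/json: " + h.get("Content-Type", "<none>"))
    return findings


def leaks_internals(body):
    """Detailed-error check: does an error body carry a stack trace or DB error?"""
    return bool(STACK_TRACE.search(body))
```

The reflected-origin-plus-credentials case is the one worth the most attention: it lets any page the victim visits read their authenticated API responses, which is the cross-origin request scenario the slide mentions.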
  30. A8: INJECTIONS. Diagram: hacker → server → users. Injection types: XSS injection, XML injection, JSON injection, SQL injection.
  31. A8: INJECTIONS: HOW TO TEST. Three options, one per tool shown on the next slides:
      Option 1 (ReadyAPI): Secure module; commercial tool; automatic scanners for SQL, XSS, JSON and XML injection.
      Option 2 (Burp Suite): professional security tool; commercial, with a free limited version; automatic scanners for most of the common injections.
      Option 3 (Postman): data-driven testing with the Collection Runner; free to some extent :); you load dictionaries for SQL, XSS or any other injections; manual analysis of results.
  32. READY API: SQL INJECTION SCANNING (screenshot).
  33. BURP SUITE: XSS INJECTION SCANNING (screenshot).
  34. POSTMAN: XSS INJECTION SCANNING (screenshot).
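An added example of option 3 from slide 31 (not code from the talk): a dictionary-driven SQL injection run, done in Python instead of the Postman Collection Runner, against an in-memory SQLite endpoint so it runs offline. The payload dictionary, table and rows are constructed; a real dictionary is far longer.

```python
# Added example: data-driven injection testing with manual classification
# of results. The endpoint, payloads and table are constructed.
import sqlite3

SQLI_PAYLOADS = ["'", "' OR '1'='1", "' OR 1=1--", "1 OR 1=1", '" OR ""="']


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "kate", "superuser"), (2, "john", "user"), (3, "anna", "user")])
    return db


def search_vulnerable(db, name):
    """String-built query: the classic injectable endpoint."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return db.execute(sql).fetchall()


def search_fixed(db, name):
    """Parameterised query: the payload is data, never SQL."""
    return db.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def fuzz_sqli(endpoint, payloads=SQLI_PAYLOADS):
    """Feed each payload, compare with a harmless baseline and classify the
    outcome. Returns {payload: verdict}."""
    db = make_db()
    baseline = endpoint(db, "nobody")      # a name that matches no row
    verdicts = {}
    for p in payloads:
        try:
            rows = endpoint(db, p)
        except sqlite3.Error as e:          # a DB error bubbling up is itself a finding
            verdicts[p] = "error: " + type(e).__name__
            continue
        verdicts[p] = "extra rows" if len(rows) > len(baseline) else "baseline"
    return verdicts


def is_injectable(verdicts):
    return any(v != "baseline" for v in verdicts.values())
```

Two payloads stay at "baseline" even on the vulnerable endpoint because they target a numeric or double-quoted context; that is the manual analysis step: a dictionary mixes contexts, and a tester reads the verdicts rather than counting hits.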
  35. A9: IMPROPER ASSET MANAGEMENT. Secure your CI/CD pipeline configuration: store the secrets your pipelines use safely; keep sensitive files such as code-signing keys out of the repository; add monitoring to the CI/CD pipeline; treat pull requests that come from forks of your repository with care. Code and Git history analysis: check that passwords and accounts are not committed to repositories. Sensitive information in HTTP requests: https://example.com/controller/123/action?apiKey=a53f43564a5 is a finding because the API key is in the URL, and URLs end up in browser history, proxy and server logs and Referer headers. Helpful article: https://circleci.com/blog/security-best-practices-for-ci-cd/
  36. Example: Samsung private GitLab tokens exposed, including source code, credentials and secret keys. Full article: https://www.scmagazineuk.com/samsung-private-gitlab-tokens-exposed-including-source-code-credentials-secret-keys/article/1584224/
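An added example for slide 35 (not code from the talk): the two checks scripted, a scan of access-log lines for secrets carried in query strings and a scan of diff lines for committed credentials, plus the fix of moving an API key out of the URL into a header. The log lines and diff are constructed; the AKIA... value is the example access key id from AWS documentation, not a real credential; the regexes are a starting set, not a complete secret-detection ruleset.

```python
# Added example: finding secrets in URLs and in git history, and moving a
# key from the query string to a header. All sample data is constructed.
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

ACCESS_LOG = """\
10.0.0.5 - - [12/Sep/2019:10:01:02 +0300] "GET /controller/123/action?apiKey=a53f43564a5 HTTP/1.1" 200 512
10.0.0.6 - - [12/Sep/2019:10:01:03 +0300] "GET /controller/123/action HTTP/1.1" 200 512
10.0.0.7 - - [12/Sep/2019:10:01:04 +0300] "GET /login?user=kate&password=S3cret! HTTP/1.1" 302 0
"""

GIT_DIFF = """\
+DB_PASSWORD="hunter2"
+# TODO move to vault
+    aws_key = "AKIAIOSFODNN7EXAMPLE"
+ENDPOINT=https://api.example.com
"""

SECRET_QUERY_KEYS = re.compile(
    r"[?&](api[_-]?key|token|password|secret|access[_-]?token)=([^&\s\"]+)", re.I)
SECRET_ASSIGNMENTS = re.compile(
    r"^\+\s*([A-Z0-9_]*(KEY|SECRET|PASSWORD|TOKEN)[A-Z0-9_]*)\s*=\s*(\S+)")
AWS_KEY = re.compile(r"AKIA[0-9A-Z]{16}")


def secrets_in_urls(log_text):
    """(parameter, masked value) for every secret-looking query parameter;
    masked so the finding itself does not spread the secret further."""
    found = []
    for line in log_text.splitlines():
        for key, value in SECRET_QUERY_KEYS.findall(line):
            found.append((key, value[:4] + "..."))
    return found


def secrets_in_diff(diff_text):
    """Names of secret-looking assignments (and AWS key ids) in added lines."""
    found = []
    for line in diff_text.splitlines():
        m = SECRET_ASSIGNMENTS.match(line)
        if m:
            found.append(m.group(1))
        elif AWS_KEY.search(line):
            found.append("AWS access key id")
    return found


def move_key_to_header(url, param="apiKey"):
    """Fix for the URL finding: strip the key from the query string and
    send it as a bearer token instead."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    key = query.pop(param, None)
    clean = urlunsplit(parts._replace(query=urlencode(query)))
    return clean, ({"Authorization": "Bearer " + key} if key else {})
```

Run secrets_in_diff over `git log -p` output rather than the working tree: a secret removed in a later commit is still in history, which is exactly what the Samsung case was about.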
  37. A10: INSUFFICIENT LOGGING & MONITORING (same as A10 in the OWASP Top 10): write audit logs before and after security-related events; consider logging token validation errors in order to detect attacks; take care of log injection attacks by sanitizing log data beforehand; auditable events such as logins, failed logins and high-value transactions are logged; any scanning tools (like Burp) trigger alerts; appropriate alerting thresholds and response escalation processes are in place.
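An added example for slide 37 (not code from the talk): a structured audit logger that sanitizes against log injection, and a detection pass over its lines for brute-force attempts and self-identifying scanners. The events, IPs and the threshold are constructed; the scanner user-agent string is constructed too, and in practice scanners rarely announce themselves that way, so treat that rule as a weak signal.

```python
# Added example: audit logging with log-injection sanitisation and two
# detections run over the lines. All events and addresses are constructed.
import json
import re
from collections import Counter

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
SCANNER_UA = re.compile(r"burp|sqlmap|nikto|owasp zap|nessus|acunetix", re.I)


def sanitize(value):
    """Log-injection defence: replace CR/LF and other control characters so
    a crafted username cannot forge an extra line in the audit log."""
    return CONTROL_CHARS.sub(" ", str(value))


def audit_event(event, user, ip, user_agent, outcome):
    """One JSON line per security-relevant event (structured, so fields
    cannot be confused with each other by a parser)."""
    record = {"event": event, "user": sanitize(user), "ip": ip,
              "ua": sanitize(user_agent), "outcome": outcome}
    return json.dumps(record)


def analyse(lines, failed_login_threshold=5):
    """Alerts: N failed logins from one source IP, and scanner user agents."""
    failures = Counter()
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if SCANNER_UA.search(rec["ua"]):
            alerts.append(("scanner_user_agent", rec["ip"]))
        if rec["event"] == "login" and rec["outcome"] == "failure":
            failures[rec["ip"]] += 1
            if failures[rec["ip"]] == failed_login_threshold:   # alert once per IP
                alerts.append(("login_failures_threshold", rec["ip"]))
    return alerts


# Constructed sample: one good login, five failures from one address, a
# token-validation failure from a self-identifying scanner, and a failed
# login whose username tries to inject a forged "success" line.
SAMPLE_LINES = [
    audit_event("login", "kate", "10.0.0.5", "Mozilla/5.0", "success"),
    *[audit_event("login", "admin", "198.51.100.7", "Mozilla/5.0", "failure") for _ in range(5)],
    audit_event("token_validation", "-", "198.51.100.9", "Mozilla/5.0 (compatible; Burp Suite)", "failure"),
    audit_event("login", 'kate\n{"event": "login", "user": "admin", "outcome": "success"}',
                "10.0.0.5", "Mozilla/5.0", "failure"),
]
```

The alerting threshold and who gets paged are the "response escalation" part of the slide; the code only produces the signal.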
  38. DEVSECOPS APPROACH TO DEVELOPMENT. Pipeline diagram: developer's machine (feature is implemented) → master branch (code is merged) → Dev/Test env → Stage env → pre-approved deployment → Prod; continuous integration (CI), continuous delivery (CD) and continuous security (CS) run along it. Security activities placed on the pipeline: security requirements; threat modeling; secure coding practices; SAST + SCA checks; SAST + DAST checks; automated security testing (auto + manual); IaC scripts for the Dev/Test env; review of infrastructure security; pen testing by a 3rd party.
  39. HOW TO PICK THE RIGHT TOOL? There are a bunch of other tools available. Use these criteria to pick the tool for you: project goals (monitor the level of security vs try out some new stuff vs be prepared for external pen testing); regularity (one-time runs vs ongoing); whether to integrate it into all processes and the CI/CD pipeline or not; a complex multi-step authentication process; security testing coverage (scanning the application only vs infrastructure and configuration issues, etc.); environments to be used (cloud or not, etc.); users of the tools (test engineers, developers, DevOps, security people); standards to follow and comply with (security standards, domain-specific standards).
  40. API PENTESTING: NEW MINDSET. Understand the data flow and relations between resources: get to know the system and the API you're testing by asking questions. Always sniff the traffic: real traffic is better than documentation. Wean yourself off the UI: don't be afraid to generate API requests from scratch. Is there more than one version of the API? Use different clients: mobile / web / mobile web. Use the old versions to generate more traffic. Always look for more niche features. Different protocols == different implementations.
  41. WHAT'S NEXT? To get deeper into the topic: Pixi as part of the DevSlop project (https://www.owasp.org/index.php/OWASP_DevSlop_Project) + video tutorial (https://www.youtube.com/watch?v=td-2rN4PgRw); Juice Shop, https://www.owasp.org/index.php/OWASP_Juice_Shop_Project; Ads manager application, https://github.com/kovechenko/VulnerableAdvertisementAPI; OWASP REST Security Cheat Sheet, https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html; news about API security, https://apisecurity.io. To start from: OWASP Testing Guide, https://www.owasp.org/images/1/19/OTGv4.pdf; Hack Yourself First by Troy Hunt, https://www.pluralsight.com/courses/hack-yourself-first; Hack Your API First by Troy Hunt, https://www.pluralsight.com/courses/hack-your-api-first.
  42. Contact me. Email: kate@fest.group. FB: Kateryna Ovechenko.
