API and Web Service Hacking with Pixi, part of OWASP DevSlop

Nicole Becher and Tanya Janca present Pixi, a highly vulnerable web application with services and APIs that are very hackable. Pixi is the first part of what will become a collection of "DevOps Disasters" and other modern web deployments. It will be publicly available as a learning resource as part of OWASP.

  1. API and Web Service Hacking with Nicole Becher & Tanya Janca
  2. About Us
     • Nicole Becher: application security, red teaming, penetration testing, malware analysis, and computer forensics. OWASP Brooklyn Leader, Adjunct Instructor @ NYU, political junkie, marathoner, martial artist & animal lover.
     • Tanya Janca: application security evangelist, web app penetration tester, trainer, public speaker, developer, OWASP Ottawa Leader, effective altruist, paid to be nerdy since the late 90’s.
     • Both members of WIA (Women in AppSec)
     • Both WASPY 2017 Nominees (vote for us!)
  3. Outline
     • The Problem:
       – APIs and Web Services are underprotected
       – We need more places to learn!
     • The Solution:
       – Learn how to hack them using Zap and Pixi
     • Introducing Pixi, a vulnerable web app & API
     • Part of a new OWASP Project called DevSlop
     • Demo/Workshop!
     • Questions
  4. The problem
     People are ignoring web services and APIs: just because they don’t have pretty GUIs doesn’t mean they can’t be hacked!
  5. The API Economy: Explosion of API/webservices
     • Paradigm shift?
     • End of monolithic applications?
     • Microservices
     • Containerization
     • Front-end frameworks
     • SaaS platform/3rd Party APIs
     • Open Data/Programmable Web
     • Serverless Computing
     • Cloud
     • DevOps / Agile
     • Automation
     • Continuous Integration
     • Continuous Delivery
  6. OWASP Top Ten 2017 *A10*
     Modern applications often involve rich client applications and APIs, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities.
  7. Facts and Proof!
     • IRS, Facebook, Twitter, Buffer and Snapchat have had their APIs attacked.
     • CASED found 56 million sets of unprotected user data from Facebook’s Parse, Amazon, and other cloud data sources
  8. http://www.computerworld.com/article/3036964/car-tech/hackers-can-access-the-nissan-leaf-via-insecure-apis.html
  9. https://www.stavros.io/posts/winning-candy-crush/
  10. It’s such a big deal that Zap has released a new module for testing them, and we plan to show it to you!
  11. The solution: Learn how to hack your own APIs with Pixi + Zap! Get comfortable with common API vulnerabilities
  12. Introducing:
     • Soon to be part of OWASP’s newest project, DevSlop
     • A vulnerable web app with a vulnerable API.
  13. Introducing:
     • Allows users to create accounts, upload photos, send micropayments to others, like photos, etc.
     • MongoDB, Docker, JSON, OpenAPI/Swagger, Angularjs, Node/Express, JSON web tokens ++
     • This app is highly vulnerable, and fun to break.
     • We will be creating videos, workshops, training material and making Pixi available to the public.
     • DevSlop will include Pixi and eventually other vulnerable modern applications.
  14. Ummm, what is an OWASP Project?
     • An OWASP project is a collection of related tasks that have a defined roadmap and team members.
     • OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team.
     • OWASP currently has over 93 active projects!
     • Projects are popular because it gives members an opportunity to freely test theories and ideas with the support of the OWASP community.
     • Basically, it’s a chance for you to share your awesome.
  15. OWASP Projects are divided into categories
     • Code (Pixi)
     • Tools (ZAP)
     • Documentation (Top 10)
     Projects have maturity status
     • Flagship
     • Lab
     • Incubator
  16. Why use Zap?
     • OWASP Zed Attack Proxy (Zap) is open-source/FREE
     • Easy to use, built for beginners to advanced users
     • OWASP (Open Web Application Security Project) is an international non-profit, and considered industry leaders in security
     • Zap can become an automated part of your SDLC by adding it to your build server
     • They just added WSDL and JSON support!
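Slide 16 says Zap can become an automated part of your SDLC on the build server. The talk does not show how, so here is an added example (not from the talk, and not code from the ZAP or Pixi projects) of the piece that makes a scan actually gate a build: a script that reads the JSON report ZAP writes, counts alerts by risk, and returns a non-zero exit code when a non-allowlisted High alert is present. The report layout assumed here (a top-level "site" list, each site carrying an "alerts" list with "riskcode" 0 to 3 and "alert") is ZAP's traditional JSON report as I know it; the sample report embedded below is constructed by hand for a local Pixi-style target, not captured from a real scan, and the allowlist of accepted alert names is a hypothetical team policy.

```python
"""Build gate for a ZAP JSON report (added example, not part of the Pixi/ZAP projects).

Assumptions (not stated in the slides): the report follows ZAP's traditional
JSON layout as I know it: {"site": [{"@name": ..., "alerts": [{"alert": ...,
"riskcode": "0".."3", "count": ...}]}]}. SAMPLE_REPORT below is constructed,
not real scanner output.
"""
import json
import sys
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List, Tuple

# ZAP encodes risk as a string code in the report: 0 info, 1 low, 2 medium, 3 high.
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

# Constructed sample report for a local target; alert names mimic ZAP's wording.
SAMPLE_REPORT = json.dumps({
    "@version": "2.7.0",
    "site": [{
        "@name": "http://localhost:8000",
        "alerts": [
            {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1", "count": "4"},
            {"alert": "Absence of Anti-CSRF Tokens", "riskcode": "2", "count": "2"},
            {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3", "count": "1"},
        ],
    }],
})


def load_alerts(report_json: str) -> List[Dict[str, object]]:
    """Flatten the per-site alert lists into one list with a readable risk name."""
    report = json.loads(report_json)
    alerts = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            alerts.append({
                "site": site.get("@name", "?"),
                "name": alert.get("alert", "?"),
                "risk": RISK_NAMES.get(str(alert.get("riskcode", "0")), "Unknown"),
                "count": int(alert.get("count", "1")),
            })
    return alerts


def summarize(alerts: Iterable[Dict[str, object]]) -> Counter:
    """Count distinct alert types per risk level, for the build log."""
    return Counter(str(a["risk"]) for a in alerts)


def gate(report_json: str,
         fail_on: Tuple[str, ...] = ("High",),
         allowlist: FrozenSet[str] = frozenset()) -> Tuple[int, List[Dict[str, object]]]:
    """Return (exit_code, blocking_alerts).

    exit_code is 1 when any alert at a risk level in fail_on is present and its
    name is not on the allowlist (accepted risks / triaged false positives),
    otherwise 0. The blocking alerts are returned so the caller can print them.
    """
    alerts = load_alerts(report_json)
    blocking = [a for a in alerts
                if a["risk"] in fail_on and a["name"] not in allowlist]
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    # Usage: python zap_gate.py report.json   (no argument runs the constructed sample)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, blocking = gate(raw)
    for level, n in sorted(summarize(load_alerts(raw)).items()):
        print(f"{level:14s} {n} alert type(s)")
    for a in blocking:
        print(f"BLOCKING: [{a['risk']}] {a['name']} at {a['site']} ({a['count']} instance(s))")
    sys.exit(code)
```

In a pipeline this runs right after the scan step; with ZAP's packaged scan scripts the `-J` option writes the full JSON report (check the help of the ZAP version you run, since I am relying on memory here), and the gate's exit code is what marks the build red. Triaged false positives go on the allowlist by alert name rather than by disabling the scan rule, so they stay visible in the summary.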
  17. The Disclaimer - Be careful!
     • OWASP Zed Attack Proxy (Zap) can be a hacking tool, it can cause serious damage. Never use Zap to attack websites unless you have consent. This tool and this lesson are to help you create better and more secure apps, not to help you become a 'script kiddie'.
     • You *always* need permission.
     • Using Zap or any other hacker tool on anything besides your own application can have very severe consequences, both legally and professionally.
  18. Demonstration!
  19. Not a hacker
     Where can you find Pixi
     https://github.com/thedeadrobots/pixi
     > git clone https://github.com/thedeadrobots/pixi.git
     > docker-compose up
  20. Become a part of DevSlop!
     Nicole Becher, Brooklyn Chapter Leader, @thedeadrobots, Nicole.Becher@OWASP.org
     Tanya Janca, Ottawa Chapter Leader, @shehackspurple, Tanya.Janca@OWASP.org
  21. Questions?
     Nicole Becher, Brooklyn Chapter Leader, @thedeadrobots, Nicole.Becher@OWASP.org
     Tanya Janca, Ottawa Chapter Leader, @shehackspurple, Tanya.Janca@OWASP.org