DevSlop - Pixi Workshop from AppSec USA Developer Summit
Presented as part of the OWASP DevSlop Project, the Pixi workshop concentrated on API and Micro Service security, and taught participants how to find and exploit API vulnerabilities.
Tanya Janca & Nicole Becher!

  1. Hacking APIs and Web Services with OWASP
     Nicole Becher & Tanya Janca
  2. About Us
     • Nicole Becher: application security, red teaming, penetration testing, malware analysis, and computer forensics. OWASP Brooklyn Leader, Adjunct Instructor @ NYU, political junkie, marathoner, martial artist & animal lover. WASPY 2017 Winner!!!!!
     • Tanya Janca: application security evangelist, web app penetration tester, trainer, public speaker, developer, OWASP Ottawa Leader, effective altruist, paid to be nerdy since the late 90’s. WASPY 2017 Nominee!
     In short: Awesome-Sauce
  3. What you are going to need to participate today:
     • Laptop with wifi (connected) and admin privileges
     • Web proxy like OWASP Zed Attack Proxy (ZAP) or Burp Suite
     • Modern web browser like Chrome or Firefox
     • We are going to install Docker today
     • Then we are going to hack some APIs!
  4. Outline
     • The Problem:
       – The technical ecosystem is changing
       – APIs and Web Services are often underprotected
     • Introducing OWASP DevSlop: Pixi
     • The Solution: Learn how to hack them using Pixi
     • Setup and workshop
     • Exercises
     • Conclusion: What’s next for DevSlop?
  5. The technical ecosystem is changing. Right now. There is a paradigm shift, and many believe that this is the beginning of the end of monolithic applications. No more excessively long release cycles. Reduction of manual efforts. No more Waterfall. Security must keep pace.
  6. This model is rapidly changing.
  7. The Web is getting more and more complicated.
  8. What are Microservices? Netflix uses microservices architecture. It receives more than one BILLION calls every day from more than 800 different types of devices to its streaming-video API. Each API call then prompts around 5 additional calls to the back-end service.
  9. Example microservices app:
  10. PROS vs. CONS
      • Microservice architecture gives developers the freedom to independently develop and deploy services
      • A microservice can be developed by a fairly small team
      • Code for different services can be written in different languages
      • Easy integration and automatic deployment (using open-source continuous integration tools such as Jenkins, Hudson, etc.)
      • The developers can make use of the latest technologies
  11. PROS vs. CONS
      • The code is organized around business capabilities
      • Starts the web container more quickly, so the deployment is also faster
      • When change is required in a certain part of the application, only the related service can be modified and redeployed; no need to modify and redeploy the entire application
      • Better fault isolation: if one microservice fails, the others will continue to work
      • Easy to scale and integrate with third-party services
      • No long-term commitment to technology stack
  12. PROS vs. CONS
      • Due to distributed deployment, testing can become complicated and tedious
      • Increasing number of services can result in information barriers
      • The architecture brings additional complexity as the developers have to mitigate fault tolerance, network latency, and deal with a variety of message formats as well as load balancing
      • Being a distributed system, it can result in duplication of effort
      • When number of services increases, integration and managing whole products can become complicated
  13. PROS vs. CONS
      • In addition to several complexities of monolithic architecture, the developers have to deal with the additional complexity of a distributed system
      • Developers have to put additional effort into implementing the mechanism of communication between the services
      • Handling use cases that span more than one service without using distributed transactions is not only tough but also requires communication and cooperation between different teams
      • The architecture usually results in increased memory consumption
      • Partitioning an application into microservices is very much an art
  14. MASSIVE COMPLEXITY
  15. The API Economy: Explosion of API/webservices
      • Microservices
      • Containerization
      • Front-end frameworks
      • SaaS platform/3rd Party APIs
      • Open Data/Programmable Web
      • Serverless Computing
      • Cloud
      • DevOps / Agile
      • Automation
      • Continuous Integration
      • Continuous Delivery
  16. What does The API Economy mean for Security?
      • Security needs:
        – To move faster, by automating anything and everything
        – Reproducible and accurate results
        – Verify/examine/test in shorter cycles, more often
        – More training and more tools than ever
        – Reduce bottlenecks and stop being “a gate” to developers
      • Developers need:
        – Security training
        – Security tools
        – Accurate and quick guidance
        – Agility and flexibility
        – AppSec Support from Sec Team
  17. Specific problems we are going to look at today: People are ignoring web services and APIs; just because they don’t have pretty GUIs doesn’t mean they can’t be hacked!
  18. OWASP Top Ten 2017 *A10*: Modern applications often involve rich client applications and APIs, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities.
  19. http://www.computerworld.com/article/3036964/car-tech/hackers-can-access-the-nissan-leaf-via-insecure-apis.html
  20. https://www.stavros.io/posts/winning-candy-crush/
  21. Solution: Learn how to hack a web app and an API with Pixi, understand common vulnerabilities in web apps & services.
  22. Introducing:
      • Pixi is part of OWASP’s newest project, DevSlop
      • Pixi is a vulnerable webapp and vulnerable API.
  23. Introducing:
      • Allows users to create accounts, upload photos, send micropayments to others, like photos, etc.
      • MEAN Stack: MongoDB, Angular.js, Node/Express
      • Docker - containerized
      • OpenAPI/Swagger, JSON, JSON web tokens ++
      • This app is highly vulnerable, and fun to break.
      • We will be creating videos, workshops, training material and making Pixi available to the public.
  24. The MEAN Stack:
      • MongoDB - Data Store, consists of collections which are really just flat files in JSON.
      • Angular.js - JavaScript framework. It can be added to an HTML page with a <script> tag.
      • Node - Open-source, cross-platform JavaScript run-time environment for executing JavaScript code server-side
      • Express - Fast, unopinionated, minimalist web framework for Node.js
  25. MongoDB
      • There are many non-relational databases these days. Mongo is a data store that contains “collections” which are really just flat files in JavaScript Object Notation (JSON).
      • Mongo has its own security vulnerabilities that we will explore soon.
  26. Angular.js
      • Developed by Google as a front-end framework that relies on API calls to the middle/back end.
      • Generally pretty good about input sanitization, but we will see examples of bypassing validation.
  27. Node.js
      • Server-side JavaScript framework.
      • Event-Driven & Asynchronous
      Why use Node?
      • Fast!
      • Easy to write modules/packages.
  28. Express.js
      • Web framework that sits on top of Node.js to handle web requests.
      Why use Express?
      • Lets you quickly create web routes/API calls
  29. Docker - containerization
      • Each specified service can be contained in separate Docker containers.
      • More containers can then be spawned if there is an increase in traffic/load
      • One monolith vs Many Containers
      • Unique Security Challenges
  30. Docker Security Challenges
      • Always make sure to start Docker containers with the -u flag so that they run as an ordinary user instead of root.
      • Remove SUID flags from your container images. This makes privilege escalation attacks even harder.
      • Configure Docker control groups, which let you set limits on how many resources each container can use. This can help prevent container-based DoS attacks.
  31. Docker Security Challenges
      • Use namespaces in Docker to isolate containers from one another. Namespaces help assure that a user or process running inside one container can’t affect those in other containers.
      • Don’t use images from repos you don’t trust. Avoid public repos if they’re not from an official source and you don’t know the maintainer.
      • Consider using a tool to validate containers from your registries.
  32. OpenAPI/Swagger
      • OpenAPI/Swagger is just an API definition service that allows you to define all the routes and methods of an API, and all the headers and parameters needed for consumption.
      • Meant to allow automated consumption by external services/applications.
  33. JSON web tokens (JWT)
      • JWTs are cryptographically signed tokens that assert claims to an authenticating service.
      • Very similar to session cookies, but much more universal. Any service can authenticate and decode the token as long as it has the key.
      • Can be signed symmetrically or asymmetrically.
      • Security risks related to key storage and overloaded data in JWT.
  34. Introducing:
      • OWASP’s Newest Project!
      • A collection of ‘DevOps Disasters’, made as a learning & proving ground
      • “The Hacker Jungle Gym”, for hackers and developers alike to learn and explore
      • Pixi is the first of what will be several installments
      • Modern and ‘different’ types of vulnerable web apps
      • More vulnerable systems means more learning
  35. Ummm, what is an OWASP Project?
      • An OWASP project is an open source project related to Application Security, released as part of OWASP.
      • OWASP projects can be documentation, code or tools. DevSlop is a code project.
      • OWASP currently has over 93 active projects!
      • Projects are popular because it’s a chance to create anything that they think will help further the goal of OWASP: better AppSec for all.
      • Basically, it’s a chance for you to share your awesome with the entire world, with a fantastic support network behind you.
  36. OWASP Projects are divided into categories
      • Code (Java Encoder, Java HTML Sanitizer projects)
      • Tools (ZAP, Juice Shop, and DevSlop)
      • Documentation (Top 10, Testing Guide)
      Projects have maturity status
      • Flagship
      • Lab
      • Incubator (that’s us!)
  37. Exercises!
  38. Are you all on the Wifi? Wifi name and password here, make sure everyone is online
  39. Let’s start with installing Docker!
  40. Let’s make sure your web proxies are working. Settings: 127.0.0.1, Port: 8080
  41. Not a hacker. Shall we go get Pixi? This needs to be official OWASP GitHub: https://github.com/thedeadrobots/pixi
      > git clone https://github.com/thedeadrobots/pixi.git
      > docker-compose up
  42. Connection test (start and connect)
      > docker-compose up
      http://localhost:8000
  43. What’s to come for DevSlop? (future)
      Pixi Roadmap:
      - Document all the vulnerabilities
      - Multi language support
      - Finish CTF mode
      DevSlop Roadmap:
      - HTTP 2.0 app
      - More DevOps apps
  44. Become a part of DevSlop!
      Nicole Becher, Brooklyn Chapter Leader, @thedeadrobots, Nicole.Becher@OWASP.org
      Tanya Janca, Ottawa Chapter Leader, @shehackspurple, Tanya.Janca@OWASP.org
  45. Questions?
      Nicole Becher, Brooklyn Chapter Leader, @thedeadrobots, Nicole.Becher@OWASP.org
      Tanya Janca, Ottawa Chapter Leader, @shehackspurple, Tanya.Janca@OWASP.org
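The hardening advice from slides 30 and 31 (run as a non-root user, neutralise SUID escalation, cgroup limits, trusted images) applied to a Compose service, as an added example that is not the Pixi project's own docker-compose.yml: the service names, image reference, port and user id are placeholders, and the weak definition is shown beside the hardened one.

```yaml
# Constructed example: a weak service definition beside a hardened one.
# Image name, port and user id are placeholders, not Pixi's real values.
version: "2.4"
services:
  api-weak:                      # what "docker-compose up" often gives you
    image: example/api:latest    # floating tag, maintainer unknown
    ports: ["8000:8000"]
    # no user: the process runs as root inside the container

  api-hardened:
    image: example/api@sha256:<digest-placeholder>   # pinned digest from a registry you trust
    ports: ["8000:8000"]
    user: "10001:10001"          # same effect as `docker run -u`: not root
    read_only: true              # image files (SUID binaries included) cannot be changed at runtime
    tmpfs: ["/tmp"]              # the only writable location the app gets
    cap_drop: ["ALL"]            # drop Linux capabilities the app does not need
    security_opt:
      - no-new-privileges:true   # a leftover SUID binary cannot raise privileges
    pids_limit: 200              # control-group limits: fork bombs and resource-exhaustion DoS
    mem_limit: 512m
    cpus: 0.5
```

Removing the SUID bits themselves is done when the image is built (slide 30); the runtime settings above limit what a remaining SUID file could do.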
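The JWT points from slide 33 as an added example in Node.js (not Pixi code): a minimal HS256 signer and a verifier that pins the algorithm, compares the HMAC in constant time and enforces expiry, with constructed tokens showing that anyone can read the claims while only the key holder can produce a signature that verifies. The key, user and claim values are constructed.

```javascript
// Added example, not from the Pixi project: HS256 JWT sign/verify in plain Node.js.
const crypto = require('crypto');

// base64url helpers (JWT uses base64url without '=' padding)
const b64url = (buf) => Buffer.from(buf).toString('base64')
  .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
const fromB64url = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');

// Header and payload are only encoded, not encrypted: anyone holding the token
// can read every claim, so secrets must never be "overloaded" into the payload.
function signHS256(payload, key) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', key).update(`${header}.${body}`).digest();
  return `${header}.${body}.${b64url(sig)}`;
}

// Returns the claims if the token is valid for this key, otherwise null.
function verifyHS256(token, key, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, b, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(fromB64url(h).toString('utf8'));
    claims = JSON.parse(fromB64url(b).toString('utf8'));
  } catch (e) { return null; }
  // The verifier decides the algorithm; a header saying "none" or anything else is rejected.
  if (!header || !claims || header.alg !== 'HS256') return null;
  const expected = crypto.createHmac('sha256', key).update(`${h}.${b}`).digest();
  const given = fromB64url(s);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  // Reject expired tokens (exp is seconds since the epoch, per RFC 7519).
  if (typeof claims.exp === 'number' && claims.exp <= now) return null;
  return claims;
}

// Constructed demo values (hypothetical key and user; never hard-code real keys).
const KEY = 'demo-only-secret';
const CLAIMS = { sub: 'alice', role: 'user', exp: 2000000000 };
const token = signHS256(CLAIMS, KEY);
// Same header and signature, but the payload edited to claim the admin role:
// still readable by anyone, but the signature no longer matches.
const [hdr, , sig] = token.split('.');
const tampered = `${hdr}.${b64url(JSON.stringify({ ...CLAIMS, role: 'admin' }))}.${sig}`;
// A token whose header asks for no signature at all; the verifier must not honour it.
const unsigned = `${b64url(JSON.stringify({ alg: 'none' }))}.${b64url(JSON.stringify(CLAIMS))}.`;
```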
