Presented as part of the OWASP DevSlop Project, the Pixi workshop concentrated on API and microservice security, and taught participants how to find and exploit API vulnerabilities.
Tanya Janca & Nicole Becher!
DevSlop - Pixi Workshop from AppSec USA Developer Summit
Hacking APIs and Web Services with
Nicole Becher & Tanya Janca
• Nicole Becher: application security, red teaming,
penetration testing, malware analysis, and computer
forensics. OWASP Brooklyn Leader, Adjunct
Instructor @ NYU, political junkie, marathoner,
martial artist & animal lover. WASPY 2017
• Tanya Janca: application security evangelist, web app
penetration tester, trainer, public speaker, developer,
OWASP Ottawa Leader, effective altruist, paid to be
nerdy since the late 90s. WASPY 2017 Nominee!
In short: Awesome-Sauce
What you are going to need to participate today:
• Laptop with wifi (connected) and admin privileges
• Web proxy like OWASP Zed Attack Proxy (ZAP) or Burp Suite
• Modern web browser like Chrome or Firefox
• We are going to install Docker today
• Then we are going to hack some APIs!
• The Problem:
– The technical ecosystem is changing
– APIs and Web Services are often underprotected
• Introducing OWASP DevSlop: Pixi
• The Solution: Learn how to hack them using Pixi
• Setup and workshop
• Conclusion: What’s next for DevSlop?
The technical ecosystem is changing. Right now.
There is a paradigm shift, and many believe that
this is the beginning of the end of monolithic
No more excessively long release cycles. Reduction
of manual efforts. No more Waterfall.
Security must keep pace.
What are Microservices?
Netflix uses microservices architecture. It
receives more than one BILLION calls everyday
from more than 800 different types of devices
to its streaming-video API. Each API call then
prompts around 5 additional calls to the back
PROS vs. CONS
• Microservice architecture gives developers the freedom to
independently develop and deploy services
• A microservice can be developed by a fairly small team
• Code for different services can be written in different
• Easy integration and automatic deployment (using open-
source continuous integration tools such as Jenkins, Hudson,
• The developers can make use of the latest technologies
PROS vs. CONS
• The code is organized around business capabilities
• Starts the web container more quickly, so the deployment is
• When change is required in a certain part of the application,
only the related service can be modified and redeployed—no
need to modify and redeploy the entire application
• Better fault isolation: if one microservice fails, the others will
continue to work
• Easy to scale and integrate with third-party
• No long-term commitment to technology stack
PROS vs. CONS
• Due to distributed deployment, testing can become
complicated and tedious
• Increasing number of services can result in information
• The architecture brings additional complexity as the
developers have to mitigate fault tolerance, network latency,
and deal with a variety of message formats as well as load
• Being a distributed system, it can result in duplication of effort
• When number of services increases, integration and managing
whole products can become complicated
PROS vs. CONS
• In addition to several complexities of monolithic architecture,
the developers have to deal with the additional complexity of a
• Developers have to put additional effort into implementing the
mechanism of communication between the services
• Handling use cases that span more than one service without
using distributed transactions is not only tough but also requires
communication and cooperation between different teams
• The architecture usually results in increased memory
• Partitioning an application into microservices is very much an art
The API Economy: Explosion of API/webservices
• Front-end frameworks
• SaaS platform/3rd Party APIs
• Open Data/Programmable Web
• Serverless Computing
• DevOps / Agile
• Continuous Integration
• Continuous Delivery
What does The API Economy mean for Security?
• Security needs:
– To move faster, by automating anything and everything
– Reproducible and accurate results
– Verify/examine/test in shorter cycles, more often
– More training and more tools than ever
– Reduce bottlenecks and stop being “a gate” to developers
• Developers need:
– Accurate and quick guidance
– Agility and flexibility
– AppSec support from the security team
Specific problems we are going to look at today
People are ignoring web services and APIs: just
because they don’t have pretty GUIs doesn’t
mean they can’t be hacked!
OWASP Top Ten 2017 *A10*
often involve rich client applications and APIs, browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain
Learn how to hack a web app and an API with
Pixi, understand common vulnerabilities in web
apps & services.
• Pixi is part of OWASP’s newest project, DevSlop
• Pixi is a vulnerable webapp and vulnerable API.
• Allows users to create accounts, upload photos,
send micropayments to others, like photos, etc.
• MEAN Stack: MongoDB, Express, AngularJS, Node
• Docker - containerized
• OpenAPI/Swagger, JSON, JSON web tokens ++
• This app is highly vulnerable, and fun to break.
• We will be creating videos, workshops, training
material and making Pixi available to the public.
The MEAN Stack:
•MongoDB - Data store, consisting of collections which are
really just flat files in JSON.
HTML page with a <script> tag.
•Express - Fast, unopinionated, minimalist web framework
• There are many non-relational databases
these days. Mongo is a data store that
contains “collections” which are really just
• Mongo has its own security vulnerabilities
that we will explore soon.
• Developed by Google as a front end
framework that relies on API calls to the
• Generally pretty good about input
sanitization, but we will see examples of
• Event-Driven & Asynchronous
Why use Node?
• Easy to write modules/packages.
• Web framework that sits on top of Node.js to
handle web requests.
Why use Express?
• Lets you quickly create web routes/API calls
Docker - containerization
• Each specified service can be contained in separate
• More containers can then be spawned if there is an
increase in traffic/load
• One monolith vs Many Containers
• Unique Security Challenges
Docker Security Challenges
• Always make sure to start Docker containers with the -u flag so
that they run as an ordinary user instead of root.
• Remove SUID flags from your container images. This makes
privilege escalation attacks even harder.
• Configure Docker control groups, which let you set limits on how
many resources each container can use. This can help prevent
container-based DoS attacks.
Docker Security Challenges
• Use namespaces in Docker to isolate containers from one another.
Namespaces help assure that a user or process running inside one
container can’t affect those in other containers.
• Don’t use images from repos you don’t trust. Avoid public repos if
they’re not from an official source and you don’t know the
• Consider using a tool to validate containers from your registries.
•OpenAPI/Swagger is just an API definition service
that allows you to define all the routes and methods
of an API, and all the headers and parameters
needed for consumption.
•Meant to allow automated consumption by
JSON web tokens (JWT)
•JWTs are cryptographically signed tokens that assert
claims to an authenticating service.
•Very similar to session cookies, but much more
universal. Any service can authenticate and decode
the token as long as it has the key.
•Can be signed symmetrically or asymmetrically.
•Security risks related to key storage and overloaded
data in JWT.
• OWASP’s Newest Project!
• A collection of ‘DevOps Disasters’, made as a
learning & proving ground
• “The Hacker Jungle Gym”, for hackers and
developers alike to learn and explore
• Pixi is the first of what will be several installments
• Modern and ‘different’ types of vulnerable web
• More vulnerable systems means more learning
Ummm, what is an OWASP Project?
• An OWASP project is an open source project related to
Application Security, released as part of OWASP.
• OWASP projects can be documentation, code
or tools. DevSlop is a code project.
• OWASP currently has over 93 active projects!
• Projects are popular because they are a chance for contributors
to create anything they think will help
further the goal of OWASP: better AppSec for
• Basically, it’s a chance for you to share your
awesome with the entire world, with a
fantastic support network behind you.
OWASP Projects are divided into categories
• Code (Java Encoder, Java HTML Sanitizer projects)
• Tools (ZAP, Juice Shop, and DevSlop)
• Documentation (Top 10, Testing Guide)
Projects have maturity status
• Incubator (that’s us!)