SlideShare a Scribd company logo

Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities

M
Matt Tesauro

APIs are a foundational innovation in today’s app-driven world - and increasingly becoming the main target for attackers. How do you protect yourself? Matt Tesauro, Distinguished Engineer, will walk you through how attackers use techniques like broken object level authorization (BOLA) attacks against an API, and how attackers gain access to critical data. Understand how attackers find and exploit vulnerabilities so you can gain insight into why many traditional security approaches fail against a modern API attack. Lastly, discover what this same hack looks like on the defender’s side so you can proactively secure your APIs enabling your dev teams to go fast without breaking things.

Technology
1 of 33
Download to read offline
Black and Blue APIs Attacker's and Defender's View of API Vulnerabilities
TABLE OF CONTENTS 01 Intro Quick background and such 03 Attacking APIs How to attack and what those attacks look like 02 Why Attacking APIs? What makes APIs interesting to attackers 04 Conclusion Key takeaways and your questions
Who is this guy? ● Reformed programmer & AppSec Engineer ● Noname Security - Distinguished Engineer, Noname Labs ● 14 years in the OWASP community ○ OWASP DefectDojo (core maintainer) ○ OWASP AppSec Pipeline (co-leader) ○ OWASP WTE (leader) ● 22+ years using FLOSS and Linux ● Currently a Go language fanboy ● Ee Dan in Tang Soo Do Mi Guk Kwan (2nd degree black belt) ● Founder 10Security
02 Why attack APIs?
It’s All About the Data “Data is the new oil” Clive Humby British Mathematician “APIs are data pipelines” Matt Tesauro Your presenter
Even if you have a solid AppSec program App Sec Tooling API Sec Tooling SAST SCA DAST API Gateway API Inventory SDLC API Management API Specs WAF Threat Modeling Rate Limiting Anti-Bot Protection Developer Training App Inventory Service to Service Auth-n Anomaly Detection JWTs OpenID Connect OAuth2
Pro Bono Pen Testing (h4x0rs)
Defining the 3 Pillars of API Security 1. API Security Posture a. Full inventory of all APIs b. Who is calling the API? What data is sent/received? Where did the call originate? 2. API Runtime Security a. Watching API traffic and understanding what is normal b. Anomaly detection and alerting 3. API Security Testing a. Assess the security state of APIs b. DAST, not SAST ideally tested early and often c. Feed results into the issue trackers used by dev teams
A better (security) definition of an API An API consists of 3 parts: (1) Hostname e.g. example.com, uat.bigcorp.com (2) Path e.g. /api/v2/users/all , /v1/cart/addItem (3) Method e.g. POST, PUT, GET, PATCH, DELETE, … GET to example.com/v2/users/all!= DELETE to example.com/v2/users/all POST to uat.example.com/v2/user/admin!= POST to example.com/v2/user/admin
03 Attacking APIs
Active Attacks Getting malicious with your API target
Attacks are grouped into the API Top 10 API-1 Broken Object Level Authorization (BOLA) API-2 Broken User Authentication API-3 Excessive Data Exposure API-4 Lack of Resource & Rate Limiting API-5 Broken Function Level Authorization API-6 Mass Assignment API-7 Security Misconfiguration API-8 Injection API-9 Improper Assets Management API-10 Insufficient Logging & Monitoring
Broken Object Level Authorization Attacker ○ Look at how API resources are structured ○ Change IDs within API calls ○ Can be names (non-numeric) ○ Make calls to other IDs/resources with your Auth-N method / token ○ Create something as user 1 ○ Try to access it as user 2 ○ Response differences ○ HTTP Response code (404 vs 405) ○ Time to respond ○ Length of response (rare) Defender ○ Detection requires fairly deep inspection of the API calls ○ WAFs will generally fail ○ Shaped like legit request with IDs swapped ○ Looking for BOLA can cause increased Auth-Z errors ○ 2 similar requests from the same client with different IDs can be found by ML ○ Posture - focus on most risky APIs Runtime - detect BOLA attacks Testing - Find BOLA early / pre-prod One user can access another user’s data or take actions for them
Broken User Authentication Attacker ○ Bruteforce credentials ○ No anti-automation on password resets or MFA/CAPTCHA ○ Password Spraying ○ Base-64 “protections” ○ Low entropy tokens ○ JWT weaknesses ○ Captured JWTs ○ None algorithm, no signature ○ Key mismatch, blank password, … ○ Cracking JWT secrets ○ jwt_tool Defender ○ Bruteforce attacks are noisy ○ Password spraying is very noisy ○ Ensure crypto is used correctly and carefully ○ JWT Best Practices RFC ○ Consider removing Auth-N from the API ○ Only get tokens through web app ○ Posture - identify Auth-N APIs Runtime -detect brute force, spraying, JWT manipulation Testing - identify poor practices early Using poor practices in authentication to attack APIs
As browsers and web apps get hardened… B r o w s e r I m p r o v e m e n t s M F A , C A P T C H A APIs
Excessive Data Exposure Attacker ○ Look for API responses that provide ‘extra’ information ○ Mobile app APIs tend to trust client to filter data ○ Look for ‘interesting’ responses ○ Profile pages ○ Linked users ○ Internal meta-data ○ Is the data expected part of a larger data object or DB row? ○ Can be time consuming to check all possible responses for excessive data Defender ○ Single requests can’t be distinguished from normal traffic ○ SAST can help here to avoid “to_json” or similar ○ Don’t rely on clients filtering data ○ Separate data objects for app and API ○ Posture - Shows sensitive data, large responses Runtime - Detect multi-request data scraping Testing - Find verbose responses early Sometimes developer productivity helps attackers too!
Lack of Resource & Rate Limiting Attacker ○ Add thousands of items, ask for a list ○ Lack of pagination ○ Denial of API use (client) ○ Fuzzing and bruteforce attacks can discover these ○ Modify requests, different client, different IP to bypass limits ○ CPU / Memory intensive requests ○ robots.txt or documentation ○ Other games to play ○ Switch cAsE ○ Null and other terminators ○ Encoding data ○ Too high to make a difference Defender ○ Some requests will look normal but with large responses ○ Unusual requests ○ Headers, encoding, terminators, … ○ Observability can show usage spikes ○ Many bypass methods stand out from normal traffic ○ Posture - Determine APIs needing limits Runtime - Detect anomalous traffic and respond Testing - Fuzzing request data can find some issues early Failure to provide limits is a recipe for DOS or worse
Broken Function Level Authorization Attacker ○ Focus on APIs with multiple roles/groups ○ Potential for expose backplane ○ Most things have an ‘admin’ ○ Try undocumented HTTP methods ○ PATCH, PUT, POST, DELETE (!) ○ Create items with one group/role ○ Interact with those items as a different role ○ Bruteforce / guess potential backplane operations ○ Experiment with headers, request data to access admin functions Defender ○ Affects APIs with 2+ roles, groups, privilege levels ○ Calls to unsupported methods that fail ○ Same client, different roles within a short period of time ○ Failures for backplane/admin paths ○ Unusual requests - headers, body ○ Posture - Determine APIs with groups, roles, privilege levels Runtime - Detect unusual, failing requests or changes in role from a client Testing - Conduct Auth-Z testing early Failure to restrict access by group or role leading to compromise
Mass Assignment Attacker ○ Look for requests that appear to be partial data ○ Make guesses at unsent items ○ Look at request/response difference between roles/groups/privilege levels ○ Guess / bruteforce multiple values at once (hail mary) ○ Error messages or required field messages can provide clues ○ Fuzzing can also find issues ○ Combine with Broken Function Level Auth-Z to change data for other users ○ Change email/contact details Defender ○ Requests stand out from normal requests with deep inspection ○ Large number of failed/invalid requests ○ Increased request size ○ Increased severity for APIs with different roles/groups/privileges ○ Posture - Focus on APIs with multi-roles or sensitive data Runtime - Requests with extra data, multiple failed/invalid requests Testing - Add additional, valid fields to discover early Why not accept more data, what could go wrong?
Security Misconfiguration Attacker ○ Check the basics ○ TLS config ○ Info leaks via headers, etc ○ Default credentials, EICAR ○ Use Recon and Discovery ○ Verbose errors ○ Purposefully make bad requests ○ Misconfigured framework settings ○ Debug mode ○ Intermediate devices ○ Determine if WAF, API Gateway, etc is in line ○ Call ‘internal’ functions with origin headers e.g. X-Remote-Addr Defender ○ Basic network vuln scanners can find the basics ○ Passive traffic monitoring can show header issues, API gateway bypass, many others ○ Client with many erroring or malformed requests ○ Posture - Show weak configuration e.g. API gateway bypass Runtime - Unexpected client traffic, multiple errors, malformed or anomalous requests Testing - Good for the basics, better if fuzzing is included in tests A little misconfiguration can go a long way
Injection Attacker ○ Place injection strings into ○ Tokens / API keys ○ Headers (esp API specific ones) ○ Query data ○ Data in request body ○ Recon/Discovery can help focus what types of injection to try ○ Error messages can also help ○ Many good online resources for injections ○ Fuzzing lists ○ OWASP Testing Guide ○ 2nd order injections Defender ○ Input validation AND output encoding ○ Many failed or malformed requests ○ Large number of errors or validation failures at API ○ Overly trusting of East/West API calls ○ Posture - Focus on APIs with sensitive data, East/West APIs Runtime - Surge in errors, failed, invalid or malformed requests, control characters in requests Testing - Attempt injections early in dev cycle Treat data like code and bad things happen
Improper Assets Management Attacker ○ You find many misconfiguration issues ○ Internal APIs are publicly accessible ○ API documentation is inaccurate ○ “Hidden”/undocumented APIs ○ Dev/New APIs in production ○ Legacy APIs are not decommissioned ○ API v minus 1 or more available Basically, your pen test was productive and easy Defender ○ Need to know all APIs (host, path, method) ○ Classify all data received and sent by APIs ○ API Gateway enforced, East/West traffic ○ Public vs internal APIs ○ Posture - Solved with solid posture management Runtime - Updates posture as environment changes Testing - Not particularly useful here Know what you have if you want to protect it adequately
Insufficient Logging & Monitoring Attacker ○ Fuzzing does not cause a reaction / blocking ○ Assumes control is in scope for testing ○ Attacks, especially blatant injections go unnoticed ○ Phone numbers never look like: <script>alert(XSS)</script> ○ Mostly, external testers / attackers can only infer the level of logging and monitoring Defender ○ No attacks are seen / noticed ○ Diagnosing API issues is difficult ○ Unplanned downtime or resource consumption ○ Posture - Determine the appropriate level of logging per API Runtime - Monitoring is what this provides, also can retain traffic for analysis aka quasi-logging Testing - Validate logging is working (at best) Change guesses to decisions with data
Bonus Material Things that didn’t fit nicely into the OWASP API Top 10
Structural vs Data Attacks Structural Attacks ○ Modifying the structure of a request ○ Repeating data structures ○ Adding non-printing characters e.g. spaces, tabs, null characters between data elements ○ Removing portions of the data structure ○ Messing with the structure of the request only - data provided is legit ○ QA / HTTP testing tools generally normalize the structure so won’t work ○ Custom craft HTTP requests (Python requests library) or use a local proxy like Zap or Burpsuite Data Attacks ○ Modifying the data in a request ○ Substituting fuzzing / injection data for legit data values ○ Providing unexpected or overly large / small data values ○ Structure of the request is not modified ○ What most fuzzing and injections attacks look like - changing data without changing the structure ○ QA / HTTP testing tools can be leveraged to automate these attacks 2 fundamental ways to be naughty with APIs
GraphQL - left as an exercise for the student Googling “GraphQL”
04 Conclusion
Key Takeaways for API testers (1) Knowledge of how to test web apps prepares you for most of API testing If you need some help, look at the OWASP Testing Guide (2) Some special knowledge and tools are needed for parts of API testing More on this later (3) Gaps in AppSec controls coverage and framework shortfalls lead to security shortfalls API testing is likely to be “productive”
Key Takeaways for API testers and defenders https://owasp.org/www-community/api_security_tools
Key Takeaways for API defenders The existing AppSec program and controls have API Security gaps to fill Risk Posture Runtime Testing Broken Object Level Authorization Broken User Authentication Excessive Data Exposure Lack of Resource & Rate Limiting Broken Function Level Authorization weak weak weak
Key Takeaways for API defenders The existing AppSec program and controls have API Security gaps to fill Risk Posture Runtime Testing Mass Assignment Security Misconfiguration Injection Improper Assets Management Insufficient Logging & Monitoring weak
Sorry about the firehose Black and Blue APIs Audience
CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, infographics & images by Freepik THANKS! Do you have any questions? mattt@nonamesecurity.com nonamesecurity.com

Recommended

Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsMatt Tesauro
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
Api security-testing
Api security-testingApi security-testing
Api security-testingn|u - The Open Security Community
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Matt Tesauro
 
PromQL Deep Dive - The Prometheus Query Language
PromQL Deep Dive - The Prometheus Query Language PromQL Deep Dive - The Prometheus Query Language
PromQL Deep Dive - The Prometheus Query Language Weaveworks
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and GuidelinesWSO2
 
Api Gateway
Api GatewayApi Gateway
Api GatewayKhaqanAshraf
 

Recommended

Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsMatt Tesauro
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
Api security-testing
Api security-testingApi security-testing
Api security-testingn|u - The Open Security Community
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Matt Tesauro
 
PromQL Deep Dive - The Prometheus Query Language
PromQL Deep Dive - The Prometheus Query Language PromQL Deep Dive - The Prometheus Query Language
PromQL Deep Dive - The Prometheus Query Language Weaveworks
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and GuidelinesWSO2
 
Api Gateway
Api GatewayApi Gateway
Api GatewayKhaqanAshraf
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
DevOps Monitoring and Alerting
DevOps Monitoring and AlertingDevOps Monitoring and Alerting
DevOps Monitoring and AlertingKhairul Zebua
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with FalcoMichael Ducy
 
Hackfest presentation.pptx
Hackfest presentation.pptxHackfest presentation.pptx
Hackfest presentation.pptxPeter Yaworski
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
Attacking and defending GraphQL applications: a hands-on approach
Attacking and defending GraphQL applications: a hands-on approach Attacking and defending GraphQL applications: a hands-on approach
Attacking and defending GraphQL applications: a hands-on approachDavide Cioccia
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersDevOps.com
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice ArchitectureMatt McLarty
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.Matt Tesauro
 
Apigee Demo: API Platform Overview
Apigee Demo: API Platform OverviewApigee Demo: API Platform Overview
Apigee Demo: API Platform OverviewApigee | Google Cloud
 
PurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaPurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaMauricio Velazco
 
SRE-iously! Reliability!
SRE-iously! Reliability!SRE-iously! Reliability!
SRE-iously! Reliability!New Relic
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Bsides SP 2022 - EPSS - Final.pptx
Bsides SP 2022 - EPSS - Final.pptxBsides SP 2022 - EPSS - Final.pptx
Bsides SP 2022 - EPSS - Final.pptxClavis Segurança da Informação
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Microservices & API Gateways
Microservices & API Gateways Microservices & API Gateways
Microservices & API Gateways Kong Inc.
 
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Mauricio Velazco
 
Lessons from a Red Team Exercise
Lessons from a Red Team ExerciseLessons from a Red Team Exercise
Lessons from a Red Team ExercisePeter Wood
 
Prometheus 101
Prometheus 101Prometheus 101
Prometheus 101Paul Podolny
 
Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API LandscapeMatt Tesauro
 
API Summit 2021: What to know before you start dating APIs.pdf
API Summit 2021: What to know before you start dating APIs.pdfAPI Summit 2021: What to know before you start dating APIs.pdf
API Summit 2021: What to know before you start dating APIs.pdfNITHIN S.S
 

More Related Content

What's hot

Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
DevOps Monitoring and Alerting
DevOps Monitoring and AlertingDevOps Monitoring and Alerting
DevOps Monitoring and AlertingKhairul Zebua
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with FalcoMichael Ducy
 
Hackfest presentation.pptx
Hackfest presentation.pptxHackfest presentation.pptx
Hackfest presentation.pptxPeter Yaworski
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
Attacking and defending GraphQL applications: a hands-on approach
Attacking and defending GraphQL applications: a hands-on approach Attacking and defending GraphQL applications: a hands-on approach
Attacking and defending GraphQL applications: a hands-on approachDavide Cioccia
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersDevOps.com
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice ArchitectureMatt McLarty
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.Matt Tesauro
 
PurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaPurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaMauricio Velazco
 
SRE-iously! Reliability!
SRE-iously! Reliability!SRE-iously! Reliability!
SRE-iously! Reliability!New Relic
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Microservices & API Gateways
Microservices & API Gateways Microservices & API Gateways
Microservices & API Gateways Kong Inc.
 
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Mauricio Velazco
 
Lessons from a Red Team Exercise
Lessons from a Red Team ExerciseLessons from a Red Team Exercise
Lessons from a Red Team ExercisePeter Wood
 

What's hot (20)

Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
DevOps Monitoring and Alerting
DevOps Monitoring and AlertingDevOps Monitoring and Alerting
DevOps Monitoring and Alerting
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
 
Hackfest presentation.pptx
Hackfest presentation.pptxHackfest presentation.pptx
Hackfest presentation.pptx
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
Attacking and defending GraphQL applications: a hands-on approach
Attacking and defending GraphQL applications: a hands-on approach Attacking and defending GraphQL applications: a hands-on approach
Attacking and defending GraphQL applications: a hands-on approach
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice Architecture
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
 
Apigee Demo: API Platform Overview
Apigee Demo: API Platform OverviewApigee Demo: API Platform Overview
Apigee Demo: API Platform Overview
 
PurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaPurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal Asia
 
SRE-iously! Reliability!
SRE-iously! Reliability!SRE-iously! Reliability!
SRE-iously! Reliability!
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Bsides SP 2022 - EPSS - Final.pptx
Bsides SP 2022 - EPSS - Final.pptxBsides SP 2022 - EPSS - Final.pptx
Bsides SP 2022 - EPSS - Final.pptx
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Microservices & API Gateways
Microservices & API Gateways Microservices & API Gateways
Microservices & API Gateways
 
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
 
Lessons from a Red Team Exercise
Lessons from a Red Team ExerciseLessons from a Red Team Exercise
Lessons from a Red Team Exercise
 
Prometheus 101
Prometheus 101Prometheus 101
Prometheus 101
 

Similar to Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities

Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API LandscapeMatt Tesauro
 
API Summit 2021: What to know before you start dating APIs.pdf
API Summit 2021: What to know before you start dating APIs.pdfAPI Summit 2021: What to know before you start dating APIs.pdf
API Summit 2021: What to know before you start dating APIs.pdfNITHIN S.S
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
A Deep Dive into RESTful API Design Part 2
A Deep Dive into RESTful API Design Part 2A Deep Dive into RESTful API Design Part 2
A Deep Dive into RESTful API Design Part 2VivekKrishna34
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays
 
OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceOWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceNarudom Roongsiriwong, CISSP
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide Isabelle Mauny
 
Fail safe modeling for cloud services and applications
Fail safe modeling for cloud services and applicationsFail safe modeling for cloud services and applications
Fail safe modeling for cloud services and applicationsMarc Mercuri
 
API Testing Using REST Assured with TestNG
API Testing Using REST Assured with TestNGAPI Testing Using REST Assured with TestNG
API Testing Using REST Assured with TestNGSiddharth Sharma
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and DefenseAndrew McNicol
 
REST Api Tips and Tricks
REST Api Tips and TricksREST Api Tips and Tricks
REST Api Tips and TricksMaksym Bruner
 
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...apidays
 
Modern REST API design principles and rules.pdf
Modern REST API design principles and rules.pdfModern REST API design principles and rules.pdf
Modern REST API design principles and rules.pdfAparna Sharma
 
#OSSPARIS19 - How to improve database observability - CHARLES JUDITH, Criteo
#OSSPARIS19 - How to improve database observability - CHARLES JUDITH, Criteo#OSSPARIS19 - How to improve database observability - CHARLES JUDITH, Criteo
#OSSPARIS19 - How to improve database observability - CHARLES JUDITH, CriteoParis Open Source Summit
 

Similar to Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities (20)

Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API Landscape
 
API Summit 2021: What to know before you start dating APIs.pdf
API Summit 2021: What to know before you start dating APIs.pdfAPI Summit 2021: What to know before you start dating APIs.pdf
API Summit 2021: What to know before you start dating APIs.pdf
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
 
A Deep Dive into RESTful API Design Part 2
A Deep Dive into RESTful API Design Part 2A Deep Dive into RESTful API Design Part 2
A Deep Dive into RESTful API Design Part 2
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
 
OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceOWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object Reference
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
 
Fail safe modeling for cloud services and applications
Fail safe modeling for cloud services and applicationsFail safe modeling for cloud services and applications
Fail safe modeling for cloud services and applications
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzing
 
API Testing Using REST Assured with TestNG
API Testing Using REST Assured with TestNGAPI Testing Using REST Assured with TestNG
API Testing Using REST Assured with TestNG
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and Defense
 
POSTMAN.pptx
POSTMAN.pptxPOSTMAN.pptx
POSTMAN.pptx
 
ReSTful API Final
ReSTful API FinalReSTful API Final
ReSTful API Final
 
SOAP vs REST
SOAP vs RESTSOAP vs REST
SOAP vs REST
 
REST Api Tips and Tricks
REST Api Tips and TricksREST Api Tips and Tricks
REST Api Tips and Tricks
 
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
 
API
APIAPI
API
 
REST APIs
REST APIsREST APIs
REST APIs
 
Modern REST API design principles and rules.pdf
Modern REST API design principles and rules.pdfModern REST API design principles and rules.pdf
Modern REST API design principles and rules.pdf
 
#OSSPARIS19 - How to improve database observability - CHARLES JUDITH, Criteo
#OSSPARIS19 - How to improve database observability - CHARLES JUDITH, Criteo#OSSPARIS19 - How to improve database observability - CHARLES JUDITH, Criteo
#OSSPARIS19 - How to improve database observability - CHARLES JUDITH, Criteo
 

More from Matt Tesauro

Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Matt Tesauro
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingMatt Tesauro
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandMatt Tesauro
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityMatt Tesauro
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachMatt Tesauro
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with ScissorsMatt Tesauro
 
Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Matt Tesauro
 
AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityMatt Tesauro
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramAppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramMatt Tesauro
 
Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Matt Tesauro
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterMatt Tesauro
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015Matt Tesauro
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestMatt Tesauro
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineMatt Tesauro
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt Tesauro
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeMatt Tesauro
 
Dev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroDev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroMatt Tesauro
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauroMatt Tesauro
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro
 

More from Matt Tesauro (20)

Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security Testing
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP Switzerland
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into security
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's Reach
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security Sanity
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with Scissors
 
Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program
 
AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based Security
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramAppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
 
Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec Life
 
Dev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroDev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauro
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 

Recently uploaded

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Recently uploaded (20)

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities

  • 1. Black and Blue APIs Attacker's and Defender's View of API Vulnerabilities
  • 2. TABLE OF CONTENTS 01 Intro Quick background and such 03 Attacking APIs How to attack and what those attacks look like 02 Why Attacking APIs? What makes APIs interesting to attackers 04 Conclusion Key takeaways and your questions
  • 3. Who is this guy? ● Reformed programmer & AppSec Engineer ● Noname Security - Distinguished Engineer, Noname Labs ● 14 years in the OWASP community ○ OWASP DefectDojo (core maintainer) ○ OWASP AppSec Pipeline (co-leader) ○ OWASP WTE (leader) ● 22+ years using FLOSS and Linux ● Currently a Go language fanboy ● Ee Dan in Tang Soo Do Mi Guk Kwan (2nd degree black belt) ● Founder 10Security
  • 5. It’s All About the Data “Data is the new oil” Clive Humby British Mathematician “APIs are data pipelines” Matt Tesauro Your presenter
  • 6. Even if you have a solid AppSec program App Sec Tooling API Sec Tooling SAST SCA DAST API Gateway API Inventory SDLC API Management API Specs WAF Threat Modeling Rate Limiting Anti-Bot Protection Developer Training App Inventory Service to Service Auth-n Anomaly Detection JWTs OpenID Connect OAuth2
  • 8. Defining the 3 Pillars of API Security 1. API Security Posture a. Full inventory of all APIs b. Who is calling the API? What data is sent/received? Where did the call originate? 2. API Runtime Security a. Watching API traffic and understanding what is normal b. Anomaly detection and alerting 3. API Security Testing a. Assess the security state of APIs b. DAST, not SAST ideally tested early and often c. Feed results into the issue trackers used by dev teams
  • 9. A better (security) definition of an API An API consists of 3 parts: (1) Hostname e.g. example.com, uat.bigcorp.com (2) Path e.g. /api/v2/users/all , /v1/cart/addItem (3) Method e.g. POST, PUT, GET, PATCH, DELETE, … GET to example.com/v2/users/all!= DELETE to example.com/v2/users/all POST to uat.example.com/v2/user/admin!= POST to example.com/v2/user/admin
  • 12. Attacks are grouped into the API Top 10 API-1 Broken Object Level Authorization (BOLA) API-2 Broken User Authentication API-3 Excessive Data Exposure API-4 Lack of Resource & Rate Limiting API-5 Broken Function Level Authorization API-6 Mass Assignment API-7 Security Misconfiguration API-8 Injection API-9 Improper Assets Management API-10 Insufficient Logging & Monitoring
  • 13. Broken Object Level Authorization Attacker ○ Look at how API resources are structured ○ Change IDs within API calls ○ Can be names (non-numeric) ○ Make calls to other IDs/resources with your Auth-N method / token ○ Create something as user 1 ○ Try to access it as user 2 ○ Response differences ○ HTTP Response code (404 vs 405) ○ Time to respond ○ Length of response (rare) Defender ○ Detection requires fairly deep inspection of the API calls ○ WAFs will generally fail ○ Shaped like legit request with IDs swapped ○ Looking for BOLA can cause increased Auth-Z errors ○ 2 similar requests from the same client with different IDs can be found by ML ○ Posture - focus on most risky APIs Runtime - detect BOLA attacks Testing - Find BOLA early / pre-prod One user can access another user’s data or take actions for them
  • 14. Broken User Authentication Attacker ○ Bruteforce credentials ○ No anti-automation on password resets or MFA/CAPTCHA ○ Password Spraying ○ Base-64 “protections” ○ Low entropy tokens ○ JWT weaknesses ○ Captured JWTs ○ None algorithm, no signature ○ Key mismatch, blank password, … ○ Cracking JWT secrets ○ jwt_tool Defender ○ Bruteforce attacks are noisy ○ Password spraying is very noisy ○ Ensure crypto is used correctly and carefully ○ JWT Best Practices RFC ○ Consider removing Auth-N from the API ○ Only get tokens through web app ○ Posture - identify Auth-N APIs Runtime -detect brute force, spraying, JWT manipulation Testing - identify poor practices early Using poor practices in authentication to attack APIs
  • 15. As browsers and web apps get hardened… B r o w s e r I m p r o v e m e n t s M F A , C A P T C H A APIs
  • 16. Excessive Data Exposure Attacker ○ Look for API responses that provide ‘extra’ information ○ Mobile app APIs tend to trust client to filter data ○ Look for ‘interesting’ responses ○ Profile pages ○ Linked users ○ Internal meta-data ○ Is the data expected part of a larger data object or DB row? ○ Can be time consuming to check all possible responses for excessive data Defender ○ Single requests can’t be distinguished from normal traffic ○ SAST can help here to avoid “to_json” or similar ○ Don’t rely on clients filtering data ○ Separate data objects for app and API ○ Posture - Shows sensitive data, large responses Runtime - Detect multi-request data scraping Testing - Find verbose responses early Sometimes developer productivity helps attackers too!
  • 17. Lack of Resource & Rate Limiting Attacker ○ Add thousands of items, ask for a list ○ Lack of pagination ○ Denial of API use (client) ○ Fuzzing and bruteforce attacks can discover these ○ Modify requests, different client, different IP to bypass limits ○ CPU / Memory intensive requests ○ robots.txt or documentation ○ Other games to play ○ Switch cAsE ○ Null and other terminators ○ Encoding data ○ Too high to make a difference Defender ○ Some requests will look normal but with large responses ○ Unusual requests ○ Headers, encoding, terminators, … ○ Observability can show usage spikes ○ Many bypass methods stand out from normal traffic ○ Posture - Determine APIs needing limits Runtime - Detect anomalous traffic and respond Testing - Fuzzing request data can find some issues early Failure to provide limits is a recipe for DOS or worse
  • 18. Broken Function Level Authorization Attacker ○ Focus on APIs with multiple roles/groups ○ Potential for expose backplane ○ Most things have an ‘admin’ ○ Try undocumented HTTP methods ○ PATCH, PUT, POST, DELETE (!) ○ Create items with one group/role ○ Interact with those items as a different role ○ Bruteforce / guess potential backplane operations ○ Experiment with headers, request data to access admin functions Defender ○ Affects APIs with 2+ roles, groups, privilege levels ○ Calls to unsupported methods that fail ○ Same client, different roles within a short period of time ○ Failures for backplane/admin paths ○ Unusual requests - headers, body ○ Posture - Determine APIs with groups, roles, privilege levels Runtime - Detect unusual, failing requests or changes in role from a client Testing - Conduct Auth-Z testing early Failure to restrict access by group or role leading to compromise
  • 19. Mass Assignment Attacker ○ Look for requests that appear to be partial data ○ Make guesses at unsent items ○ Look at request/response difference between roles/groups/privilege levels ○ Guess / bruteforce multiple values at once (hail mary) ○ Error messages or required field messages can provide clues ○ Fuzzing can also find issues ○ Combine with Broken Function Level Auth-Z to change data for other users ○ Change email/contact details Defender ○ Requests stand out from normal requests with deep inspection ○ Large number of failed/invalid requests ○ Increased request size ○ Increased severity for APIs with different roles/groups/privileges ○ Posture - Focus on APIs with multi-roles or sensitive data Runtime - Requests with extra data, multiple failed/invalid requests Testing - Add additional, valid fields to discover early Why not accept more data, what could go wrong?
  • 20. Security Misconfiguration Attacker ○ Check the basics ○ TLS config ○ Info leaks via headers, etc ○ Default credentials, EICAR ○ Use Recon and Discovery ○ Verbose errors ○ Purposefully make bad requests ○ Misconfigured framework settings ○ Debug mode ○ Intermediate devices ○ Determine if WAF, API Gateway, etc is in line ○ Call ‘internal’ functions with origin headers e.g. X-Remote-Addr Defender ○ Basic network vuln scanners can find the basics ○ Passive traffic monitoring can show header issues, API gateway bypass, many others ○ Client with many erroring or malformed requests ○ Posture - Show weak configuration e.g. API gateway bypass Runtime - Unexpected client traffic, multiple errors, malformed or anomalous requests Testing - Good for the basics, better if fuzzing is included in tests A little misconfiguration can go a long way
  • 21. Injection Attacker ○ Place injection strings into ○ Tokens / API keys ○ Headers (esp API specific ones) ○ Query data ○ Data in request body ○ Recon/Discovery can help focus what types of injection to try ○ Error messages can also help ○ Many good online resources for injections ○ Fuzzing lists ○ OWASP Testing Guide ○ 2nd order injections Defender ○ Input validation AND output encoding ○ Many failed or malformed requests ○ Large number of errors or validation failures at API ○ Overly trusting of East/West API calls ○ Posture - Focus on APIs with sensitive data, East/West APIs Runtime - Surge in errors, failed, invalid or malformed requests, control characters in requests Testing - Attempt injections early in dev cycle Treat data like code and bad things happen
  • 22. Improper Assets Management Attacker ○ You find many misconfiguration issues ○ Internal APIs are publicly accessible ○ API documentation is inaccurate ○ “Hidden”/undocumented APIs ○ Dev/New APIs in production ○ Legacy APIs are not decommissioned ○ API v minus 1 or more available Basically, your pen test was productive and easy Defender ○ Need to know all APIs (host, path, method) ○ Classify all data received and sent by APIs ○ API Gateway enforced, East/West traffic ○ Public vs internal APIs ○ Posture - Solved with solid posture management Runtime - Updates posture as environment changes Testing - Not particularly useful here Know what you have if you want to protect it adequately
  • 23. Insufficient Logging & Monitoring Attacker ○ Fuzzing does not cause a reaction / blocking ○ Assumes control is in scope for testing ○ Attacks, especially blatant injections go unnoticed ○ Phone numbers never look like: <script>alert(XSS)</script> ○ Mostly, external testers / attackers can only infer the level of logging and monitoring Defender ○ No attacks are seen / noticed ○ Diagnosing API issues is difficult ○ Unplanned downtime or resource consumption ○ Posture - Determine the appropriate level of logging per API Runtime - Monitoring is what this provides, also can retain traffic for analysis aka quasi-logging Testing - Validate logging is working (at best) Change guesses to decisions with data
  • 24. Bonus Material Things that didn’t fit nicely into the OWASP API Top 10
  • 25. Structural vs Data Attacks Structural Attacks ○ Modifying the structure of a request ○ Repeating data structures ○ Adding non-printing characters e.g. spaces, tabs, null characters between data elements ○ Removing portions of the data structure ○ Messing with the structure of the request only - data provided is legit ○ QA / HTTP testing tools generally normalize the structure so won’t work ○ Custom craft HTTP requests (Python requests library) or use a local proxy like Zap or Burpsuite Data Attacks ○ Modifying the data in a request ○ Substituting fuzzing / injection data for legit data values ○ Providing unexpected or overly large / small data values ○ Structure of the request is not modified ○ What most fuzzing and injections attacks look like - changing data without changing the structure ○ QA / HTTP testing tools can be leveraged to automate these attacks 2 fundamental ways to be naughty with APIs
  • 26. GraphQL - left as an exercise for the student Googling “GraphQL”
  • 28. Key Takeaways for API testers (1) Knowledge of how to test web apps prepares you for most of API testing If you need some help, look at the OWASP Testing Guide (2) Some special knowledge and tools are needed for parts of API testing More on this later (3) Gaps in AppSec controls coverage and framework shortfalls lead to security shortfalls API testing is likely to be “productive”
  • 29. Key Takeaways for API testers and defenders https://owasp.org/www-community/api_security_tools
  • 30. Key Takeaways for API defenders The existing AppSec program and controls have API Security gaps to fill Risk Posture Runtime Testing Broken Object Level Authorization Broken User Authentication Excessive Data Exposure Lack of Resource & Rate Limiting Broken Function Level Authorization weak weak weak
  • 31. Key Takeaways for API defenders The existing AppSec program and controls have API Security gaps to fill Risk Posture Runtime Testing Mass Assignment Security Misconfiguration Injection Improper Assets Management Insufficient Logging & Monitoring weak
  • 32. Sorry about the firehose Black and Blue APIs Audience
  • 33. CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, infographics & images by Freepik THANKS! Do you have any questions? mattt@nonamesecurity.com nonamesecurity.com