2022 APIsecure_Hacking APIs 101 with MindAPI

•Download as PPTX, PDF•

0 likes•166 views

APIsecure - April 6 & 7, 2022 APIsecure is the world’s first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security. Hacking APIs 101 with MindAPI David Sopas, Security Researcher at Checkmarx

Tushar Kulkarni
Breaking vAPI
roottusk.com

vAPI : Vulnerable
Adversely
Programmed Interface
GET /user/me HTTP/2.0
● Security Research Engineer at Holm Security
● OWASP Nagpur, CTFs
● Spoken at Blackhat , HITB, OWASP Appsecdays etc.

“By 2022, API abuses will be the most-frequent attack
vector resulting in data breaches for enterprise web
applications.”
- Gartner Report 2017
- Quoted again in Gartner Predicts 2021

Stuff that’ll push you to make the Best APIs
● Awareness about API Security Vulnerabilities
● Knowing How Attackers exploit API Vulnerabilities
● Checking vulnerable code and Thinking how it could’ve been avoided

vAPI : Vulnerable
Adversely
Programmed Interface
github.com/roottusk/vapi

vAPI : Vulnerable
Adversely
Programmed Interface
Project Updates
- JWT Exercise , SSRF Exercise
- Kubernetes Support (Thanks to @AndyG-0)
- Endpoint to Check if a Flag is correct (POST vapi/dashboard/flag)

vAPI : Vulnerable
Adversely
Programmed Interface OWASP API Top 10 Project
API1:2019 Broken Object Level Authorization
API2:2019 Broken User Authentication
API3:2019 Excessive Data Exposure
API4:2019 Lack of Resources & Rate Limiting
API5:2019 Broken Function Level Authorization
API6:2019 Mass Assignment
API7:2019 Security Misconfiguration
API8:2019 Injection
API9:2019 Improper Assets Management
API10:2019 Insufficient Logging & Monitoring
https://owasp.org/www-project-api-security/

vAPI : Vulnerable
Adversely
Programmed Interface
Tech Stack

vAPI : Vulnerable
Adversely
Programmed Interface Installation
Docker
- Make sure you have docker and docker-compose
- Go to the root of the project and run
docker-compose up -d
Manually
- Prerequisites include PHP, MySQL
- Configure the MySQL credentials and Server port in the .env file of the project
- You can run php artisan serve command to start the Laravel Server
Kubernetes
- helm upgrade --install vapi ./vapi-chart --values=./vapi-chart/values.yaml

vAPI : Vulnerable
Adversely
Programmed Interface Tools required to Test API
- Postman
- We currently have Postman collection and Environment which store the API
calls
- OpenAPI Documentation is available in the /vapi endpoint
- MITM Proxy (OWASP ZAP/Burpsuite)
- Not entirely necessary but may help some users if they have more familiarity
with MITM tools.

vAPI : Vulnerable
Adversely
Programmed Interface
Contributors and Thanks
https://dsopas.github.io/MindAPI/
API Security Weekly: Issue #132
OWASP Vulnerable Web Applications Directory (VWAD)
arainho/awesome-api-security: A collection of awesome API Security tools and resources.

vAPI : Vulnerable
Adversely
Programmed Interface
Q & A
THANK YOU
● Twitter: @vk_tushar
● Github: @roottusk
● Mail: root.tusk@gmail.com
● Web: roottusk.com

Tushar Kulkarni will present on breaking vulnerable APIs. The presentation will introduce vAPI, an open source project for learning about API security. It will discuss modern web application architectures that rely on APIs and how APIs can be attacked. It will also cover the OWASP API Security Top 10 vulnerabilities and how to fortify APIs. The presentation will include a demonstration of vulnerabilities in vAPI and updates to the project.

Web Dev 21-01-2024.pptx

PARDHIVANNABATTULA

Security Testing with Zap

Soluto

Running security tests as a part of your CI pipeline allows you to provide better and more relevant feedback to developers as quickly as possible (also known as the “Shift Left paradigm”/”DevSecOps” methodology). Those slides are from a session at DevOpsDays TLV 2017 - how to use OWASP Zap to create valuable dynamic security tests. In those slide, I'm showing how we added those test to one of our open source project - Tweek (https://github.com/soluto/tweek)

All you need is Zap - Omer Levi Hevroni & Yshay Yaacobi - DevOpsDays Tel Aviv...

DevOpsDays Tel Aviv

Dynamic Security Testing Zap is a free and open source security testing tool that can find vulnerabilities in web applications. It has two modes - passive and active scanning. Passive scanning inspects traffic while active scanning attacks the application by running exploits. Zap found issues like insecure cookies and missing security headers during passive scanning of Tweek. For active scanning, Zap parsed Tweek's OpenAPI specification and found additional vulnerabilities. Glue is an OWASP tool that helps integrate Zap and other security tools into continuous integration pipelines. It filters and reports findings to help prioritize issues. Adding security testing with Zap and Glue helped find and fix vulnerabilities before they affected users.

Supercomputing by API: Connecting Modern Web Apps to HPC

OpenStack

Audience Level Intermediate Synopsis The traditional user experience for High Performance Computing (HPC) centers around the command line, and the intricacies of the underlying hardware. At the same time, scientific software is moving towards the cloud, leveraging modern web-based frameworks, allowing rapid iteration, and a renewed focus on portability and reproducibility. This software still has need for the huge scale and specialist capabilities of HPC, but leveraging these resources is hampered by variation in implementation between facilities. Differences in software stack, scheduling systems and authentication all get in the way of developers who would rather focus on the research problem at hand. This presentation reviews efforts to overcome these barriers. We will cover container technologies, frameworks for programmatic HPC access, and RESTful APIs that can deliver this as a hosted solution. Speaker Bio Dr. David Perry is Compute Integration Specialist at The University of Melbourne, working to increase research productivity using cloud and HPC. David chairs Australia’s first community-owned wind farm, Hepburn Wind, and is co-founder/CTO of BoomPower, delivering simpler solar and battery purchasing decisions for consumers and NGOs.

Software Composition Analysis Deep Dive

Ulisses Albuquerque

2022 APIsecure_Securing APIs with Open Standards

APIsecure_ Official

Securing APIs with Open Standards provides tips for securing APIs from the Synack Red Team. It discusses using OpenAPI definitions to document APIs, embracing open box testing, and balancing security and adoption through developer relations. It also demonstrates how insecure user input validation can allow access to private data stored in AWS S3 buckets and how Salesforce record IDs can be brute forced to enable unauthorized access if not properly secured. The presentation emphasizes designing APIs with security in mind, adopting standards like OpenAPI, and balancing security testing with developer onboarding.

A Hitchhiker's Guide to Cloud-Native API Gateways

QAware GmbH

JavaLand, March 2021, online: Talk by Mario-Leander Reimer (@LeanderReimer, Principal Software Architect at QAware) Abstract: Good APIs are the center piece of any successful digital product and cloud native application architecture. But for complex systems with many API consumers the proper management of these APIs is of utmost importance. The API gateway pattern is well established to handle and enforce concerns like routing, versioning, rate limiting, access control, diagnosability or service catalogs in a microservice architecture. So this session will have a closer look at the cloud native API gateway ecosystem: Ambassador, Gloo, KrakenD, Envoy, et.al. But which one of these is the right one to use in your next project? Let's find out. We will start off by briefly explaining the API gateway pattern and some basic criteria. We then continue by showcasing the most promising ones.

Re-usage of Open Source Software (OSS) has increased in commercial software development by orders of magnitude. This presentation will show how OSS vulnerabilities can be managed at large scale (about 10,000 OSS usages in our case), and how to address sins from the past. At last a concept will be shown which automates the analysis of the exploitability potential of an insecure OSS component. (Source: RSA USA 2016-San Francisco)

Node summit workshop

Shubhra Kar

The next step from Microsoft - Vnext (Srdjan Poznic)

Geekstone

The new version of the .NET Framework called vNext brings a lots of news, which are believed to be able to return to the popularity of Microsoft tools and products. Principles that guided the development team when developing new versions of frameworks are: • Speed, Runtime performance, • Modularity, • Cross-Platform, • Open-source, • Faster development cycle, • Custom code editors and tools.

Apigility – Lightning Fast API Development - OSSCamp 2014

OSSCube

The Big Cloud native FaaS Lebowski

QAware GmbH

microXchg 2019, Berlin: Talk by Mario-Leander Reimer (@LeanderReimer, Principal Software Architect at QAware) === Please download slides if blurred! === Abstract: Only a few years ago the move towards microservice architecture was the first big disruption in software engineering: instead of running monoliths, systems were now build, composed and run as autonomous services. But this came at the price of added development and infrastructure complexity. Serverless and FaaS seem to be the next disruption, they are the logical evolution trying to address some of the inherent technology complexity we are currently faced when building cloud native apps. FaaS frameworks are currently popping up like mushrooms: Knative, Kubeless, OpenFn, Fission, OpenFaas or Open Whisk are just a few to name. But which one of these is safe to pick and use in your next project? Let's find out. This session will start off by briefly explaining the essence of Serverless application architecture. We will then define a criteria catalog for FaaS frameworks and continue by comparing and showcasing the most promising ones.

Device APIs at TakeOff Conference

dianacheng

The document discusses the W3C Device APIs working group and various device APIs they are standardizing. It provides an overview of APIs for media capture, camera/microphone access, battery status, vibration, network service discovery, and picking media. It discusses the status and support for each API as well as examples. It also covers topics like Web Intents, sensor APIs, network information, and the new SysApps working group. The goal is to standardize browser-based JavaScript APIs to access device hardware and services.

Using hapi plugins to version your API (hapiDays 2014)

Dave Stevens

CNCF App-Delivery SIG Presentation - Litmus Chaos Engineering

Umasankar Mukkara

- Litmus is a Kubernetes native chaos engineering tool that allows injecting faults into cloud-native applications running on Kubernetes to test their resilience. - Chaos engineering extends failure testing beyond CI pipelines to pre-production and production environments by intentionally breaking systems to identify weaknesses. - Litmus provides chaos libraries, an operator, and charts to make it easy to run chaos experiments on Kubernetes applications. Experiments are shared in a central ChaosHub repository. - The presenters are seeking help from the SIG in areas like coaching developers to contribute new chaos charts and generating more awareness of Litmus.

apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...

apidays

apidays Australia 2023 - Platforms, Products, and People: The Power of APIs October 11 & 12, 2023 https://www.apidays.global/australia/ API Security Breach Analysis & Empowering Devs to Make Secure APIs Jeremy Snyder, Founder and CEO of FireTail ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

JCON_15FactorWorkshop.pptx

Grace Jansen

The workshop covered cloud-native Java technologies using Open Liberty and MicroProfile. It included presentations on 12-factor and 15-factor application methodologies and hands-on labs exploring OpenAPI, health checks, metrics, and JWT authentication. Leaders demonstrated how to build and deploy modular, scalable microservices using open-source tools that optimize developer productivity and application portability in cloud environments.

API Hijacking.pdf

VishwasN6

API Hijacking (1).pdf

Vishwas N

This document discusses API hijacking and provides recommendations to prevent it. It notes that API documentation should not disclose secrets and should require authentication. Developers should understand the business logic and potential adversaries before exposing APIs. The OWASP Top 10 for API security issues are listed, including broken authentication, excessive data exposure, lack of resources/rate limiting, and insecure defaults. Common issues involve authentication, authorization, input/output validation, and rate limiting. The document recommends understanding the current security landscape through reports on DDoS attacks, API keys, automation tools, and the state of API security. It concludes that APIs must be architected securely or vulnerabilities will be found.

API Hijacking.pdf

Vishwas N

This document discusses API hijacking and provides recommendations to prevent it. It notes that API documentation should not disclose secrets and should require authentication. Developers should understand the business logic and potential adversaries before exposing APIs. The OWASP Top 10 for API security issues are listed, including broken authentication, excessive data exposure, lack of resources/rate limiting, and insecure defaults. Common issues involve authentication, authorization, input/output validation, and rate limiting. The document recommends understanding the current security landscape through reports on DDoS attacks, proper use of API keys, automating Postman calls, and more. It stresses the importance of properly architecting APIs to avoid security issues that could be exploited.

SAP Kapsel Plugins For Cordova

Chris Whealy

The document provides an overview of Apache Cordova and the SAP Kapsel plugins: - Apache Cordova allows web-based applications to access hardware features on mobile devices by running the application within a container. SAP Kapsel provides additional plugins for Cordova applications to interact with SAP Mobile Platform services. - The Kapsel Logon plugin manages the onboarding and authentication process with SAP Mobile Platform/HCPms servers. It handles functions like initializing the login process, logging in users, and providing the application context after successful login. - Other Kapsel plugins allow offline data access using OData, logging, application updates, push notifications, and encrypted storage. Using Kapsel plugins, a single

RefCard API Architecture Strategy

OCTO Technology

As soon as we start working on an API, architecture issues arise. Many mistaken common beliefs turn out to be fiction in this area. A poorly designed API architecture will lead to misuse or – even worse – not be used at all by its intended clients: application developers. To facilitate and accelerate design and development of your APIs, we share our vision and beliefs with you in this Reference Card. They come from our direct experience on API projects.

Web application penetration testing lab setup guide

Sudhanshu Chauhan

This document provides guidance on setting up a basic environment for conducting web application penetration testing. It outlines both hardware and software requirements, including recommended tools. It then walks through installing a base OS, browsers, programming languages, web servers, and various security tools. It also provides an overview of the testing process, including information gathering, automated scanning, manual testing, and reporting.

Flutter for web

rihannakedy

RESTful web APIs (build, document, manage)

Cisco DevNet

- RESTful Web APIs are the fuel of the web. The class will cover building, documenting, and managing RESTful web APIs. - There are different approaches to designing web APIs, from a basic design with no distinction between app and backend, to more advanced "API-centric" designs that move business logic and security to the API. - Web APIs can be built using frameworks like Sails.js or platforms like APISpark. They also need to be documented, monitored, and managed over their lifecycle. Tools like Swagger, Runscope, and API management platforms can help with these tasks.

Apicurio Registry: Event-driven APIs & Schema governance for Apache Kafka | F...

HostedbyConfluent

With Apache Kafka’s rise for event-driven architectures, developers require a specification to design effective event-driven APIs. AsyncAPI has been developed based on OpenAPI to define the endpoints and schemas of brokers and topics. For Kafka applications, the broker’s design to handle high throughput serialized payloads brings challenges for consumers and producers managing the structure of the message. For this reason, a registry becomes critical to achieve schema governance. Apicurio Registry is an end-to-end solution to store API definitions and schemas for Kafka applications. The project includes serializers, deserializers, and additional tooling. The registry supports several types of artifacts including OpenAPI, AsyncAPI, GraphQL, Apache Avro, Google protocol buffers, JSON Schema, Kafka Connect schema, WSDL, and XML Schema (XSD). It also checks them for validity and compatibility. In this session, we will be covering the following topics: ● The importance of having a contract-first approach to event-driven APIs ● What is AsyncAPI, and how it helps to define Kafka endpoints and schemas ● The Kafka challenges on message structure when serializing and deserializing ● Introduction to Apicurio Registry and schema management for Kafka ● Examples of how to use Apicurio Registry with popular Java frameworks like Spring and Quarkus

2022 APIsecure_The Real World, API Security Edition

APIsecure_ Official

2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...

APIsecure_ Official

Similar to 2022 APIsecure_Hacking APIs 101 with MindAPI

Containerizing your Security Operations Center

Jimmy Mesta

Open-Source Security Management and Vulnerability Impact Assessment

Priyanka Aash

Node summit workshop

Shubhra Kar

The next step from Microsoft - Vnext (Srdjan Poznic)

Geekstone

Apigility – Lightning Fast API Development - OSSCamp 2014

OSSCube

The Big Cloud native FaaS Lebowski

QAware GmbH

Device APIs at TakeOff Conference

dianacheng

Using hapi plugins to version your API (hapiDays 2014)

Dave Stevens

CNCF App-Delivery SIG Presentation - Litmus Chaos Engineering

Umasankar Mukkara

apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...

apidays

JCON_15FactorWorkshop.pptx

Grace Jansen

API Hijacking.pdf

VishwasN6

API Hijacking (1).pdf

Vishwas N

API Hijacking.pdf

Vishwas N

This document discusses API hijacking and provides recommendations to prevent it. It notes that API documentation should not disclose secrets and should require authentication. Developers should understand the business logic and potential adversaries before exposing APIs. The OWASP Top 10 for API security issues are listed, including broken authentication, excessive data exposure, lack of resources/rate limiting, and insecure defaults. Common issues involve authentication, authorization, input/output validation, and rate limiting. The document recommends understanding the current security landscape through reports on DDoS attacks, proper use of API keys, automating Postman calls, and more. It stresses the importance of properly architecting APIs to avoid security issues that could be exploited.

SAP Kapsel Plugins For Cordova

Chris Whealy

RefCard API Architecture Strategy

OCTO Technology

Web application penetration testing lab setup guide

Sudhanshu Chauhan

Flutter for web

rihannakedy

RESTful web APIs (build, document, manage)

Cisco DevNet

Apicurio Registry: Event-driven APIs & Schema governance for Apache Kafka | F...

HostedbyConfluent

Similar to 2022 APIsecure_Hacking APIs 101 with MindAPI (20)

Containerizing your Security Operations Center

Open-Source Security Management and Vulnerability Impact Assessment

Node summit workshop

The next step from Microsoft - Vnext (Srdjan Poznic)

Apigility – Lightning Fast API Development - OSSCamp 2014

The Big Cloud native FaaS Lebowski

Device APIs at TakeOff Conference

Using hapi plugins to version your API (hapiDays 2014)

CNCF App-Delivery SIG Presentation - Litmus Chaos Engineering

apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...

JCON_15FactorWorkshop.pptx

API Hijacking.pdf

API Hijacking (1).pdf

API Hijacking.pdf

SAP Kapsel Plugins For Cordova

RefCard API Architecture Strategy

Web application penetration testing lab setup guide

Flutter for web

RESTful web APIs (build, document, manage)

Apicurio Registry: Event-driven APIs & Schema governance for Apache Kafka | F...

More from APIsecure_ Official

2022 APIsecure_The Real World, API Security Edition

APIsecure_ Official

2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...

APIsecure_ Official

2022 APIsecure_Shift Left API Security - The Right Way

APIsecure_ Official

2022 APIsecure_A day in the life of an API; Fighting the odds

APIsecure_ Official

2022 APIsecure_Passwordless Multi-factor Authentication Security and Identity

APIsecure_ Official

2022 APIsecure_Securing Large API Ecosystems

APIsecure_ Official

2022 APIsecure_Quarterly Review of API Vulnerabilities

APIsecure_ Official

2022 APIsecure_Top Ten Security Tips for APIs

APIsecure_ Official

2022 APIsecure_Are your APIs Rugged Enough?

APIsecure_ Official

This document discusses how to design APIs to be rugged and resilient against threats. It recommends threat modeling to understand vulnerabilities and abuse cases. It also suggests implementing authorization for every endpoint, explicit anonymous access, and pinning certificates for mobile apps. Runtime protections like rate limiting, JWT validation, and security headers are also advised. Monitoring APIs in a SIEM and leveraging cloud platform protections can help detect and block attacks.

2022 APIsecure_Making webhook APIs secure for enterprise

APIsecure_ Official

Making webhook APIs secure for enterprise involves securing both the API provider and consumer. For API providers, this involves grouping events into APIs and only exposing them to approved developers, enforcing TLS, guaranteeing delivery, and keeping logs. For API consumers, it means knowing API providers, securing callback URLs, and using an API gateway to avoid overload. Checklists are provided to help API providers and consumers implement these security best practices.

2022 APIsecure_API Security & Fraud Detection - Are you ready?

APIsecure_ Official

2022 APIsecure_Monitoring and Responding to API Breaches

APIsecure_ Official

The document discusses monitoring and responding to API breaches. It notes a large increase in API traffic and attacks in recent years as companies increasingly leverage APIs. Responsibility for API security is often unclear as it involves multiple teams. Many companies secure APIs the same way they secure web applications, which can be insufficient. The document recommends establishing API discovery, threat monitoring, integration with security platforms, and log retention to aid in prevention, detection during incidents, and post-incident forensics. Tools like WAFs, API gateways, and testing can help, but a holistic approach across the development lifecycle is needed to properly secure APIs.

2022 APIsecure_Exploiting multi-step business logic vulnerabilities in APIs

APIsecure_ Official

2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec

APIsecure_ Official

2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...

APIsecure_ Official

2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...

APIsecure_ Official

2022 APIsecure_Hackers with Valid Credentials

APIsecure_ Official

Hackers are exploiting APIs to steal data and access accounts by using valid credentials obtained through phishing, purchase, or partnerships. This poses a challenge as hackers can blend in with real users while maliciously accessing API services. To protect APIs, organizations need visibility into activity across all API gateways and clouds on a per user identity basis. They should also implement authentication, authorization, monitoring for abnormal behavior using machine learning, and automated remediation when risks are detected. Applying a zero trust model with these strategies can help secure APIs.

2022 APIsecure_API Abuse - How data breaches now and in the future will use A...

APIsecure_ Official

2022 APIsecure_Understanding API Abuse With Behavioral Analytics

APIsecure_ Official

2022 APIsecure_Harnessing the Speed of Innovation

APIsecure_ Official

More from APIsecure_ Official (20)

2022 APIsecure_The Real World, API Security Edition

2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...

2022 APIsecure_Shift Left API Security - The Right Way

2022 APIsecure_A day in the life of an API; Fighting the odds

2022 APIsecure_Passwordless Multi-factor Authentication Security and Identity

2022 APIsecure_Securing Large API Ecosystems

2022 APIsecure_Quarterly Review of API Vulnerabilities

2022 APIsecure_Top Ten Security Tips for APIs

2022 APIsecure_Are your APIs Rugged Enough?

2022 APIsecure_Making webhook APIs secure for enterprise

2022 APIsecure_API Security & Fraud Detection - Are you ready?

2022 APIsecure_Monitoring and Responding to API Breaches

2022 APIsecure_Exploiting multi-step business logic vulnerabilities in APIs

2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec

2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...

2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...

2022 APIsecure_Hackers with Valid Credentials

2022 APIsecure_API Abuse - How data breaches now and in the future will use A...

2022 APIsecure_Understanding API Abuse With Behavioral Analytics

2022 APIsecure_Harnessing the Speed of Innovation

Recently uploaded

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

Video Streaming: Then, Now, and in the Future

Alpen-Adria-Universität

In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

UiPath Test Automation using UiPath Test Suite series, part 6

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI. UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities. Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes. What will you get from this session? 1. Insights into integrating generative AI. 2. Understanding how this integration enhances test automation within the UiPath platform 3. Practical demonstrations 4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath Topics covered: What is generative AI Test Automation with generative AI and Open AI. UiPath integration with generative AI Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

Introduction to CHERI technology - Cybersecurity

mikeeftimakis1

“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...

Edge AI and Vision Alliance

For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/ Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit. In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing. van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.

Mind map of terminologies used in context of Generative AI

Kumud Singh

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Aggregage

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

20240605 QFM017 Machine Intelligence Reading List May 2024

Matthew Sinclair

RESUME BUILDER APPLICATION Project for students

KAMESHS29

Microsoft - Power Platform_G.Aspiotis.pdf

Uni Systems S.M.S.A.

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack

shyamraj55

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

SOFTTECHHUB

As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024

Neo4j

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

Securing your Kubernetes cluster_ a step-by-step guide to success !

KatiaHIMEUR1

Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster. However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks. In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.

“I’m still / I’m still / Chaining from the Block”

Claudio Di Ciccio

Pushing the limits of ePRTC: 100ns holdover for 100 days

Adtran

Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf

Malak Abu Hammad

Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers: * What is Vector Search? * Importance and benefits of vector search * Practical use cases across various industries * Step-by-step implementation guide * Live demos with code snippets * Enhancing LLM capabilities with vector search * Best practices and optimization strategies Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications. #MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology

Recently uploaded (20)

Removing Uninteresting Bytes in Software Fuzzing

Video Streaming: Then, Now, and in the Future

Monitoring Java Application Security with JDK Tools and JFR Events

UiPath Test Automation using UiPath Test Suite series, part 6

Introduction to CHERI technology - Cybersecurity

“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...

Mind map of terminologies used in context of Generative AI

Generative AI Deep Dive: Advancing from Proof of Concept to Production

20240607 QFM018 Elixir Reading List May 2024

20240605 QFM017 Machine Intelligence Reading List May 2024

RESUME BUILDER APPLICATION Project for students

Microsoft - Power Platform_G.Aspiotis.pdf

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024

Essentials of Automations: The Art of Triggers and Actions in FME

Securing your Kubernetes cluster_ a step-by-step guide to success !

“I’m still / I’m still / Chaining from the Block”

Pushing the limits of ePRTC: 100ns holdover for 100 days

Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf

2022 APIsecure_Hacking APIs 101 with MindAPI

1. Tushar Kulkarni Breaking vAPI roottusk.com

2. vAPI : Vulnerable Adversely Programmed Interface GET /user/me HTTP/2.0 ● Security Research Engineer at Holm Security ● OWASP Nagpur, CTFs ● Spoken at Blackhat , HITB, OWASP Appsecdays etc.

3. “By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.” - Gartner Report 2017 - Quoted again in Gartner Predicts 2021

4. Stuff that’ll push you to make the Best APIs ● Awareness about API Security Vulnerabilities ● Knowing How Attackers exploit API Vulnerabilities ● Checking vulnerable code and Thinking how it could’ve been avoided

5. vAPI : Vulnerable Adversely Programmed Interface github.com/roottusk/vapi

6. vAPI : Vulnerable Adversely Programmed Interface Project Updates - JWT Exercise , SSRF Exercise - Kubernetes Support (Thanks to @AndyG-0) - Endpoint to Check if a Flag is correct (POST vapi/dashboard/flag)

7. vAPI : Vulnerable Adversely Programmed Interface OWASP API Top 10 Project API1:2019 Broken Object Level Authorization API2:2019 Broken User Authentication API3:2019 Excessive Data Exposure API4:2019 Lack of Resources & Rate Limiting API5:2019 Broken Function Level Authorization API6:2019 Mass Assignment API7:2019 Security Misconfiguration API8:2019 Injection API9:2019 Improper Assets Management API10:2019 Insufficient Logging & Monitoring https://owasp.org/www-project-api-security/

8. vAPI : Vulnerable Adversely Programmed Interface Tech Stack

9. vAPI : Vulnerable Adversely Programmed Interface Installation Docker - Make sure you have docker and docker-compose - Go to the root of the project and run docker-compose up -d Manually - Prerequisites include PHP, MySQL - Configure the MySQL credentials and Server port in the .env file of the project - You can run php artisan serve command to start the Laravel Server Kubernetes - helm upgrade --install vapi ./vapi-chart --values=./vapi-chart/values.yaml

10. vAPI : Vulnerable Adversely Programmed Interface Tools required to Test API - Postman - We currently have Postman collection and Environment which store the API calls - OpenAPI Documentation is available in the /vapi endpoint - MITM Proxy (OWASP ZAP/Burpsuite) - Not entirely necessary but may help some users if they have more familiarity with MITM tools.

11. Demo

12. vAPI : Vulnerable Adversely Programmed Interface Contributors and Thanks https://dsopas.github.io/MindAPI/ API Security Weekly: Issue #132 OWASP Vulnerable Web Applications Directory (VWAD) arainho/awesome-api-security: A collection of awesome API Security tools and resources.

13. vAPI : Vulnerable Adversely Programmed Interface Q & A THANK YOU ● Twitter: @vk_tushar ● Github: @roottusk ● Mail: root.tusk@gmail.com ● Web: roottusk.com

2022 APIsecure_Hacking APIs 101 with MindAPI

Recommended

Recommended

More Related Content

Similar to 2022 APIsecure_Hacking APIs 101 with MindAPI

Similar to 2022 APIsecure_Hacking APIs 101 with MindAPI (20)

More from APIsecure_ Official

More from APIsecure_ Official (20)

Recently uploaded

Recently uploaded (20)

2022 APIsecure_Hacking APIs 101 with MindAPI