1. API Hijacking
By : Vishwas Narayan
API Security Practitioner, Community Advocate, Opstree
Business Logic: Easy Attack Vector
2. Know your Resources
● Don't expose secrets in the API documentation
● Keep the API docs behind email authentication, not open to everyone
● Documentation describes what the API currently is; revisit it whenever you feel a new security patch has to be applied
● Fix the API as soon as possible
4. Know your Adversary/Enemy
“Hack your APIs before the hacker knows how to hack them”
● You need to know the next move
● You need to make moves before a stranger makes them
5. OWASP Top 10 in API Security
1. Broken Object Level Authorization
2. Broken User Authentication
3. Excessive Data Exposure
4. Lack of Resources & Rate Limiting
5. Broken Function Level Authorization
6. Mass Assignment
7. Security Misconfiguration
8. Injection
9. Improper Assets Management
10. Insufficient Logging & Monitoring
OWASP API Security Project | OWASP Foundation
6. Summarising issues in APIs
➔ Authentication/Session Management
➔ Authorization/Access Control/IDOR
➔ Inputs and Output Validation/Error Handling
➔ Rate Limiting/Throttling
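Two of the categories above, Authorization/IDOR (OWASP API #1, Broken Object Level Authorization) and Rate Limiting/Throttling (OWASP API #4), can be shown in a few lines of code. The following is an added example, not code from the deck or from Opstree: it assumes a constructed in-memory invoice store, a hypothetical `handle_get_invoice` handler, and a per-user token bucket for throttling. The vulnerable handler returns any invoice whose id the caller guesses; the hardened one checks object ownership, answers 404 for both missing and foreign objects so ids cannot be enumerated, records denied accesses for monitoring (OWASP API #10), and throttles per user.

```python
"""Added example: object-level authorization plus per-user rate limiting."""
from dataclasses import dataclass, field

# Constructed sample data: invoices owned by two different users.
INVOICES = {
    101: {"owner": "alice", "amount": 120.0},
    102: {"owner": "bob", "amount": 75.5},
}

# Constructed audit trail so denied object accesses are visible to monitoring.
AUDIT = []


def handle_get_invoice_vulnerable(user, invoice_id):
    """BOLA/IDOR: any authenticated user can read any invoice by id."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, {"error": "not found"}
    return 200, {"id": invoice_id, "amount": invoice["amount"]}


@dataclass
class TokenBucket:
    """Per-key token bucket; `now` is injected so the refill logic is testable."""
    capacity: int
    refill_per_sec: float
    tokens: dict = field(default_factory=dict)
    last: dict = field(default_factory=dict)

    def allow(self, key, now):
        tokens = self.tokens.get(key, self.capacity)
        elapsed = now - self.last.get(key, now)
        tokens = min(self.capacity, tokens + elapsed * self.refill_per_sec)
        self.last[key] = now
        if tokens < 1:
            self.tokens[key] = tokens
            return False
        self.tokens[key] = tokens - 1
        return True


def handle_get_invoice(user, invoice_id, limiter, now):
    """Hardened handler: throttle first, then enforce object-level authorization."""
    if not limiter.allow(user, now):
        return 429, {"error": "rate limited"}
    invoice = INVOICES.get(invoice_id)
    if invoice is not None and invoice["owner"] != user:
        # Record the denial: a burst of these from one user is a signal worth alerting on.
        AUDIT.append((now, user, invoice_id, "object_denied"))
    # Same response for missing and foreign objects: no id enumeration oracle.
    if invoice is None or invoice["owner"] != user:
        return 404, {"error": "not found"}
    return 200, {"id": invoice_id, "amount": invoice["amount"]}


if __name__ == "__main__":
    limiter = TokenBucket(capacity=3, refill_per_sec=1.0)
    print(handle_get_invoice_vulnerable("bob", 101))   # (200, ...) leaks alice's invoice
    print(handle_get_invoice("bob", 101, limiter, 0.0))  # (404, ...)
    print(AUDIT)
```

The ownership check belongs in the handler for every object-returning route, not only the ones that look sensitive; the throttle is keyed by the authenticated user rather than by IP so that a single credential cannot walk the id space quickly.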
7. Let's worship this
● Global state of the internet security DDoS attack reports | Akamai
● How to send API key in the header of python request? - Stack Overflow
● Postman Sending Request onto the API
● Postman Sending AUTH token
● Automating the postman Calls
● Akamai State of the Internet Report
● Salt Security releases Salt Labs State of API Security Report, Q3 2022
10. All reports say one thing
If you architect the API the wrong way, guess what: the world will show you how it can be.
11. Common APIs
1. APIs
2. Open API
3. Public API
4. External API
5. Internal API
6. Swagger
7. REST API
8. SOAP
9. GraphQL
10. Machine to Machine API
11. Beta, Pre-Production, Production API
12. Third Party
13. Composite API
25. MobSF/Mobile-Security-Framework-MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. (github.com)