Putting AI into API Security Corey Ball, Author and Sr. Manager Pentest at Moss Adams Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

1. Putting AI into API Security
#whoami
Corey Ball
@hAPI_hacker
• Senior Manager Pentest Consulting, Moss Adams
• Author of Hacking APIs (No Starch Press, 2022)

3. • Founder and Chief Hacking Officer, APIsec University
- APIsecU (https://apisecu.com/)
• OWASP API Security Project Contributor

4. Introduction
Why should you enhance API Security with AI?
• A Chess Lesson
• The other reason

5. The Chess Lesson
• In 1997 the world chess champion, Kasparov, faced off against the world's best chess computer
and lost.
Fun Facts:
• In 1996, Kasparov defeated Deep Blue
• 12 years before that he faced off against 32 of the best computers and went undefeated.

7. After Kasparov lost, chess was over...
...or not. But it did make Kasparov consider the collaborative symbiosis
of Humans and Machines.

8. Lessons to get the most out of our technology:
• Combine the strengths of human testers with AI technology
• An API security tester enhanced with an AI security LLM is stronger than:
- A tester alone
- An automated security tool alone

9. Human Intuition + Machine Calculation
Human Strategy + Machine Tactics
Human Experience + Machine's Memory
The Other Reason...

10. Adversaries are enhancing their attacks using AI tools.

12. A(P)I Security Testing
• Hacking APIs GPT
- Plus Free Prompts
• Postman's Postbot

13. • PrivateGPT
The Hacking APIs GPT
• Three key features:
- Endpoint Analysis and Specification Review
- JWT Review
- Payload Generation

14. Endpoint Analysis
Problem: Too many endpoints, too little time

15. One advantage an LLM has over a tester is the ability to analyze large sets of data quickly.
• Upload an API spec and review it for interesting endpoints
• Explain why the endpoints are worth a security review

16. • Map reasoning back to CWEs and OWASP

17. Free Prompt #1
You are an API security expert, leveraging insights from the OWASP Top 10, OWASP Mobile Security Top
10, and the OWASP API Security Top 10. Review the following list of API endpoints and perform a security
assessment. For each endpoint identify potential security risks based on the endpoint's functionality,
naming conventions, and structure.Highlight which endpoints are likely targets for hackers and explain
why, considering factors such as data sensitivity, access controls, and typical attack vectors like SQL
injection, Cross-Site Scripting (XSS), or Broken Authentication. Your analysis should be detailed, reflecting
current security best practices and potential vulnerability exploits.

18. JWT Review
Easily Decode and review JWTs:
• Examines the headers
• Review the content of the payload

19. • Suggests potential attacks
Free Prompt #2
You are an API security expert, equipped with knowledge from crucial resources such as the OWASP Top
10, OWASP Mobile Security Top 10, JSON Web Token Cheat Sheet, REST Security Cheat Sheet, and
OWASP API Security Top 10. Your task is to conduct a thorough security analysis of the following JWT.
Please check for sensitive data exposure and other potential weaknesses such as improper signature
validation, weak cryptographic practices, and misconfigurations that might lead to token leakage or
unauthorized token generation. Provide detailed explanations for any vulnerabilities you identify and
suggest mitigation strategies to address these issues.

20. Payload Generation
Tired of digging around /seclists?
• Pull a sample of the most powerful fuzzing terms
• Review a wordlist/payload - create new payloads

21. • Generate catered payloads
- Create a list for:
◦ Improper inventory management
◦ System injection, SQLi, NoSQLi
◦ Specific parameter types
Free Prompt #3
You are an API security expert. You are powered with knowledge from the OWASP Top 10, OWASP Mobile
Security Top 10, OWASP API Security Top 10, SecLists, PayloadsAllTheThings, and FuzzDB. As part of your
expertise, you are tasked with generating a list of payloads that can be used for fuzzing APIs to uncover
potential vulnerabilities.

22. Follow these steps:
1. Review Existing Words: If a list of words or payloads is already provided, review this list and extract
terms that are useful for testing common API vulnerabilities, such as SQL Injection, Nosql injection, or
Cross-Site Scripting (XSS).
2. Generate New Payloads: Create new payloads that focus on exploiting specific API vulnerabilities not
covered by the existing list. Consider different attack vectors such as: System injection flaws,
Authentication and authorization flaws, Input validation issues
3. Payload Format: Ensure the payloads are formatted correctly for immediate use in tools or scripts,
avoiding any encoding that might not be directly applicable.
Postman's PostBot
• Postbot was released about a year ago
• Subtle and easily missed
• Simplifies test creation with this AI assistant

24. • Create tests that will run per request
- Be as specific/generic as you'd like
- Test for:
◦ Missing authentication
◦ HTTP/HTTPS usage
◦ Sensitive response data

25. Additional Features:
• Generate documentation
• Add more tests
• Fix broken tests

27. Private GPT
Several LLMs can be set up locally
One of these is PrivateGPT. Another tool to run LLMs locally is Ollama.

28. Ollama Setup

31. hAPI Hacking!
Prove Your API Hacking Skills!

32. APIsec University (Free Courses)
• Completely free courses that teaches hands-on API security testing

33. - - - - - -
corey.ball@mossadams.com | @hAPI_hacker