APIsecure 2023 - The world's first and only API security conference March 14 & 15, 2023 Workshop: Detect OWASP vulnerabilities in your APIs with Postman Rahul Dhawan, Senior Security Engineer at Postman ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

1. Detect OWASP
vulnerabilities in your
APIs with Postman
Presented by
Rahul Dhawan
Senior Security Engineer @ Postman

2. Senior Security Engineer @ POSTMAN
Rahul
Dhawan
@rahuldhawan291

3. Agenda
API Security Top 10 Vulnerabilities
1
Detection
2
Practical Demo
3
Mitigation
4
Real World Implications
5

4. Authentication and Authorization
Authentication is the process of verifying the identity of a user , typically
through the use of login credentials such as usernames and passwords.
“
Authorization, on the other hand, is the process of determining what
actions a user is allowed to perform based on their identity and privileges.
“

6. ● The lack of proper authorization checks allows attackers to access the specified
resource.
● BOLA vulnerability can cause various attacks such as unauthorized access to
sensitive resources, known as privilege escalation.
A1: Broken Object Level Authorization
(BOLA or IDOR)

7. Practical

8. 📖 Reports!

9. ● Identify All Objects and Resources.
● Focus on user_id and Object_id in the API.
● Use automation techniques to examine user access on an API by utilizing
diverse user credentials combinations
● Manually test for Authorisation bypass
Detection

10. ● Implement a proper authorization mechanism that relies on the user
policies and hierarchy.
● Implement Role-Based Access Control (RBAC)
● Apply the Principle of Least Privilege
● Prefer to use random and unpredictable values as UUID for Object IDs.
● Add Access Control Check in the unit test coverage
Prevention

11. ● Poor Implementation of Authentication methods
● Sensitive Details like Auth token, API keys or password in the Request
parameters
● Misconfigured JWT {“Alg”:”none”}
A2: Broken User Authentication

12. Practical

13. ● Look for missing or ineffective authentication controls:
● Check for user or password enumeration:
● Test for broken session management:
● Check for weak password policies
Detection

14. ● Protect all authentication endpoint with rate-limit having strict
rate-limit policy. Also Implement lockout mechanism
● Implement MFA where ever possible
● Implement Captcha mechanism at your authentication endpoints.
Prevention

15. ● Allows unprivileged users to access other privileged users’ resources and
functions
● Different access control policies for different user personas
● Incorrect implementation of Role-Based Access Controls (RBAC)
● APIs relying on client to do the permission checks for different user roles
A5: Broken Function level Authorisation

16. Practical

17. ● Use Manual Testing to find misconfiguration in RBAC implementation.
● Write an automated script to cover every possible permutation of Role Based
Accessed on a function
● Test for common attack techniques
Detection

18. ● Use Principle of Least privilege while designing Access Control Policy.
● Use a centralized authorization mechanism
● Validate and sanitize user input
● Perform regular test on different group of APIs.
● Add complete coverage of access control check in your unit tests.
Prevention

19. ● Poor configuration of the API servers allows attackers to exploit them.
● Issues involved are:
○ Missing CORS policy
○ Misconfigured CSP policy
○ leaving debug mode enabled
○ misconfigured TLS
○ Using default or weak password
A7: Security misconfigurations

20. Practical

21. ● CORS Misconfiguration Template
● Security Header Template
● Directory Traversal Template
● CSP Evaluator Template
● TLS Version Monitor
● Open Redirect Checks
Detection using Postman

22. ● Correctly Configure CORS, CSP and Security Headers
● Apply Principle of Least privilege, avoid using wildcards.
● Use Latest version of TLS
● Add security tests in your unit test to catch misconfiguration in
preprod environment.
Prevention

23. ● Occurs when untrusted data is directly used to query database.
● Easy to detect issue but can get tricky to craft payload to query
database.
A8: Injection

24. Practical

25. ● SQL Injection Template
● employ scanners or fuzzers to evaluate the validation of user input
Detection using Postman

26. ● Sanitise every untrusted input.
● Special characters should be escaped
● Prefer a safe API that provides a parameterized interface.
● Validate the response.
● Prefer a safe API that provides a parameterized interface
Prevention

27. postman.com @getpostman
OWASP API Security Top 10
API Security Testing in Postman
Automation using Postman
Wrapping Up
Visit Postman Security Workspace

28. Reference
● OWASP API Security Top 10
● OWASP Juice Shop
● Postman Interceptor
● Postman Security Workspace
● OWASP API Security top 10 Workspace
● Postman Flows