Common API Vulnerabilities
How to effectively use Postman for API security testing
Presented by Ronak Odhaviya, Security Engineer, Postman (@roanakodhaviya)
Takeaways
1 Common API vulnerabilities, how severe they are, and how simple it is to mitigate them using Postman
2 How you can make your security team really happy by using an API-first workflow
3 How you can automate most of your API security tests using Postman and make your life easy
History of API Security
1 OWASP included broken authentication in its “Top 10” of 2017
2 OWASP created a separate API Top 10 list in 2019
3 Gartner research: “By 2022, API abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications.”
4 Broken authentication attacks accounted for many of the worst data breaches published in 2020.
owasp.org/www-project-api-security
OWASP API Top 10 (2019)
1 Broken Object Level Authorization
2 Broken User Authentication
3 Excessive Data Exposure
4 Lack of Resources & Rate Limiting
5 Broken Function Level Authorization
6 Mass Assignment
7 Security Misconfiguration
8 Injection
9 Improper Assets Management
10 Insufficient Logging & Monitoring
Broken User Authentication
● 2nd in OWASP API Top 10 2019
● Refers to vulnerabilities that let an attacker take over other users’ identities
● Weakness in session management or credential management
● Weak API keys or hard-coded access tokens in the code
● Vulnerability in Microsoft Outlook allowed hackers to read other users’ Outlook email messages
Broken Object Level Authorization
● 1st in OWASP API Top 10 2019
● Authentication vs. Authorization
● Also known as an Insecure Direct Object Reference (IDOR)
● Allows attackers to access any object given the ID of the resource
● Combined with enumeration attacks, it can be used to retrieve the entire object database
● A BOLA bug in YouTube allowed unlisted uploads to any channel
Broken Function Level Authorization
● 5th in OWASP API Top 10 2019
● Allows unprivileged users to access other, privileged users’ resources and functions
● Different access control policies for different user personas
● Incorrect implementation of Role-Based Access Controls (RBAC)
● APIs relying on the client to do the permission checks for different user roles
● Presumptive trust between microservices to do the permission check
● A bug in 1Password allowed guest users unauthorised access
How can we automate these tests?
Introducing Monitors 🤩
Add Your Security Tests in Tests
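The kind of script that goes into a request’s Tests tab to cover the BOLA and BFLA cases above, as an added example (not the speaker’s code). It assumes a constructed setup: the request is sent with a low-privilege user’s token against another user’s resource or an admin-only function, and the collection variable `otherUserMarker` holds a value (such as an e-mail) that exists only in the other user’s record.

```javascript
// Added example, not from the talk. Assumed request (constructed): sent with the
// token of a low-privilege user against a resource owned by someone else (BOLA)
// or an admin-only function (BFLA), e.g.
//   GET    {{baseUrl}}/users/{{otherUserId}}/invoices
//   DELETE {{baseUrl}}/admin/users/{{otherUserId}}
// The collection variable {{otherUserMarker}} holds a value known to exist only
// in the other user's record (their e-mail, say); none of these names are real.

// Pure check, kept separate from pm so it can be unit-tested outside Postman.
// The boundary held only if the server denied the request (401/403, or a 404
// used to hide existence) AND nothing from the other user's record leaked.
// That catches both the "200 with a polite error wrapper" anti-pattern and a
// 403 whose body still echoes the protected record.
function authzBoundaryHeld(status, body, otherUserMarker) {
  const denied = status === 401 || status === 403 || status === 404;
  const text = typeof body === "string" ? body : JSON.stringify(body ?? {});
  const leaked = Boolean(otherUserMarker) && text.includes(String(otherUserMarker));
  return denied && !leaked;
}

// Minimal stand-in for Postman's pm object so this file also runs under Node
// against a constructed 403 response; inside Postman pm already exists and
// this branch is skipped.
if (typeof pm === "undefined") {
  globalThis.pm = {
    response: { code: 403, text: () => '{"error":"forbidden"}' },
    variables: { get: (k) => ({ otherUserMarker: "alice@example.com" })[k] },
    test: (name, fn) => { fn(); console.log("PASS", name); },
    expect: (v) => ({ to: { equal: (e) => {
      if (v !== e) throw new Error(`expected ${e}, got ${v}`);
    } } }),
  };
}

// The assertion a Monitor run evaluates on every schedule: when it fails, the
// API has stopped enforcing the boundary and the monitor alerts.
pm.test("cross-user / privileged request is denied without leaking data", function () {
  const held = authzBoundaryHeld(
    pm.response.code,
    pm.response.text(),
    pm.variables.get("otherUserMarker")
  );
  pm.expect(held).to.equal(true);
});
```

Run the same request twice in the collection, once with the owner’s token (expect success) and once with the low-privilege token (this test), so a monitor failure points at the authorization layer rather than a broken endpoint.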
Automate Tests Using Monitor
Monitor Run Results
When an API fails your security test, you receive an email. You can also set up a Slack or other integration.
Wrapping Up
postman.com/ronak @roanakodhaviya
Thank You

Common Security API Issues and How to Mitigate Them Using Postman