This document summarizes an introduction to API security presentation. It includes: - An agenda that covers what API security is, the OWASP Top 10 risks, identifying vulnerabilities using Postman, automating security tests with Postman, and a Q&A. - Discussions of key OWASP updates including broken object property authorization and server-side request forgery. - An overview of GraphQL including common attack vectors and using Postman to exploit vulnerabilities in a vulnerable GraphQL app. - Additional resources mentioned include the Postman YouTube channel, upcoming events, the OWASP API Top 10 documentation, and the Postman community forum.

1. Attendees are muted
Ask questions under Q&A
A recording of this session will be shared
Post-event feedback survey
To do this work yourself after the session, log into your
Postman account (go.postman.co)
1
2
3
4
5
Housekeeping
@getpostman

2. All rights reserved by Postman Inc
Introduction to
API Security
Yash Mehta
Security Engineer II
Harshit Kochar
Application Security Engineer

3. APPLICATION SECURITY ENGINEER,
POSTMAN
Harshit
Kochar
SECURITY ENGINEER II, POSTMAN
Yash
Mehta
linkedin.com/in/harshit-kochar/
twitter.com/yashcmehta

4. ● How long have you been using
Postman?
○ I am new to Postman
○ Less than 6 months
○ 6 months to 1 year
○ 1 year to 3 years
○ 3 years or more
@getpostman
A little about you

5. ● How long have you been using and
building APIs?
○ I have not built or used an API
before
○ Less than 6 months
○ 6 months to 1 year
○ 1 year to 3 years
○ 3 years or more
@getpostman
A little about you

6. ● How long have you been working in a
security role?
○ I am not in a security role right now
○ Less than 6 months
○ 6 months to 1 year
○ 1 year to 3 years
○ 3 years or more
@getpostman
A little about you

7. @getpostman
What is API Security?
OWASP Top 10 2023
Identify and understand vulnerabilities using Postman
Leverage Postman for automating API security tests
Q & A
1
2
3
4
5
Agenda

8. @getpostman
What is API Security
● APIs are everywhere
● Security is one of the most important factor
when it comes to integrating an API
● Increased API adoption significantly expands
the Attack Surface

9. @getpostman
OWASP Top 10 API Security Risks – 2023
image from nonamesecurity.com

10. @getpostman
Key OWASP update #1 -
Broken Object Property Level Authorization
● Authorization issues remain the biggest risk for API security
● Implementing authorization in APIs is becoming more challenging
○ Increase in complexity of authorization
○ Decentralized mechanism of implementation
● BOPLA extends unrestricted access to object properties that should have been
restricted

11. @getpostman
Key OWASP update #1 -
Broken Object Property Level Authorization
image from nonamesecurity.com

12. @getpostman
Key OWASP update #2 -
Server-Side Request Forgery (SSRF)
Occurs when APIs process requests from user-controlled URLs and fetch internal/ remote
server resources without validating the user request first
image from portswigger.net

13. @getpostman
Key OWASP update #3 -
Unrestricted Access to Sensitive Business Flows
● Drastic rise in automated threats
● An API is vulnerable if sensitive functionality is exposed in such a way that harm
could occur if excessive automated use occurs

14. @getpostman
Key OWASP update #4 -
Unsafe Consumption of APIs
● Developers tend to trust data received from third-party APIs more than user input,
and so tend to adopt weaker security standards
● In order to compromise APIs, attackers go after integrated third-party services
instead of trying to compromise the target API directly

15. @getpostman
Introduction to GraphQL
● Open Source Query Language
● Server-side runtime (typically served over
HTTP)

16. 1. Design your GraphQL schema
2. Connect your resolvers to data sources
3. Ask for exactly what you want
@getpostman
How does GraphQL work?
“GraphQL makes it easier
for developers to get the
data they need without
needing to know which
sources it’s coming from”

17. ● Performance
○ Prevents over-fetching
○ Prevents under-fetching
● Developer experience
○ Hierarchical & Declarative
○ Strongly typed
○ Versioning
● Architecture
○ Decouples the client from the server
○ Single source of truth
○ Scalable with federation
○ Introspection
@getpostman
Advantages of GraphQL

18. @getpostman
Common GraphQL attack vectors
● Introspection
● Information Disclosure
● Missing Access Controls
● Bypass Rate-limiting
● Denial of Service

19. @getpostman
Identify and understand GraphQL vulnerabilities using Postman
We’re going to be using a version of GraphQL that was made (on purpose) with
vulnerabilities
● github.com/dolevf/Damn-Vulnerable-GraphQL-Application
Postman Collection we’re going to use to send these vulnerabilities:
● postman.com/devrel/workspace/graphql-security-101/collection/645d1d3
3d3f0b63ec09ffb98

20. @getpostman
Exploit a vulnerable GraphQL application

21. @getpostman
Leverage Postman for automating API security tests

22. Postman’s YouTube channel for lots of content about APIs
youtube.com/@postman
Upcoming Intergalactic Sessions
postman.com/events/intergalactic
OWASP API Top Ten, 2023
owasp.org/API-Security/editions/2023/en/0x00-header
Postman Community Forum for additional questions / feedback
community.postman.com
@getpostman
Additional Resources

23. Please tell us about
your experience!
FEEDBACK SURVEY
go.pstmn.io/intro-to-api-security
@getpostman

24. Q&A
@getpostman
go.pstmn.io/intro-to-api-security
linkedin.com/in/harshit-kochar
twitter.com/yashcmehta

25. Thank You
@getpostman

27. Icons
hotspot
Cloud API Money Trophy Optimize Company Company
Arrow 1
Adoption Support Video Bootcamp Experiment Rocket Bug Repository Newman
Arrow 2 Learning Interceptor Postman API Roadmap Intelligence Workspaces CS Control
API Key Token Scanning Solution Security SCIM Report Marketing Log Alien
Governance Engineering Domain
Capture
Design Data
Product

28. 1 What is API-First?
2 Intro to API schemas
3 Generating API elements from schemas
5 Q&A
4 Resources
@getpostman
Agenda