Jie Liau gave a presentation on API security. The presentation covered how APIs have become a primary attack vector, the OWASP API Security Top 10 risks, real world API attacks on companies like Coinbase, T-Mobile, and Instagram, and tools for testing API security like Postman and Burpsuite. It also provided details on API security issues like broken authentication, authorization, inventory management, and server side request forgery. The goal was to educate attendees on the growing API attack surface and best practices for securing APIs.

1. API Security
Jie @ OWASP Taiwan 2023

2. curl -X GET https://127.0.0.1/info
https://www.linkedin.com/in/jieliau
https://github.com/jieliau
https://www.facebook.com/jie.liau
https://twitter.com/0xJieLiau
https://jieliau.medium.com/
{
"Name": "Jie Liau",
"Experiences": [
“How You API Be My API. - Session speaker in iThome CYBERSEC 2023”,
"Building Your Container Botnet in 1 Minute. - Session speaker in iThome CYBERSEC 2021",
"Container Security. - Session speaker in InfoSec 2020",
"Protecting Your Internet Route Integrity. - Session speaker in iThome CYBERSEC 2020",
"The Dark Side. - Seminar speaker in CSE, Yuan Ze University 2018",
"The Tor Network. - Session speaker in TDOH Conference 2017",
"What Does Network Operation Looks Like. - Seminar speaker in CSE, Yuan Ze University 2016"
],
"Certi
fi
cations": [
"CCIE",
"OSCP",
"CEH"
]
}

3. According to Akamai, 83% of all internet tra
ffi
c is
from API, while HTML tra
ffi
c has fallen to just 17%
https://www.akamai.com/newsroom/press-release/state-of-the-internet-security-retail-attacks-and-api-traf
fi
c

4. According to Gartner, by 2022 APIs would
become the #1 most frequent attack vector
https://www.infosecurity-magazine.com/next-gen-infosec/api-attacks-threat-vector-2022/
https://www.gartner.com/en/webinars/4002323/api-security-protect-your-apis-from-attacks-and-data-breaches

5. OWASP API Security Project
The unique vulnerabilities and security risks of API
First release of API Security Top 10 in 2019
https://owasp.org/www-project-api-security/
https://github.com/OWASP/API-Security

6. 2019 OWASP API Security Top 10
API1 Broken Object Level Authorization API6 Mass Assignment
API2 Broken User Authentication API7 Security Miscon
fi
guration
API3 Excessive Data Exposure API8 Injection
API4 Lack of Resources & Rate Limiting API9 Improper Assets Management
API5 Broken Function Level Authorization API10 Insuf
fi
cient Logging & Monitoring

7. 2023 OWASP API Security Top 10
API1 Broken Object Level Authorisation API6
Unrestricted Access to Sensitive Business
Flows
API2 Broken Authentication API7 Server Side Request Forgery
API3 Broken Object Property Level Authorisation API8 Security Miscon
fi
guration
API4 Unrestricted Resource Consumption API9 Improper Inventory Management
API5 Broken Function Level Authorisation API10 Unsafe Consumption Of APIs

8. What is API

9. Application Programming Interface
Public API, Private API, Partner API…
REST API, SOAP API, RPC API
RESTful API
Web Services
URIs
HTTP protocol/method
Problems
Directly access to sensitive data
Over-permissioned
Vulnerable to logic
fl
aws
API
Web App
Mobile App
Micro Services

10. Class Cyber Kill Chain vs. API Attack

11. Reconnaissance Weaponise Delivery Exploit
Lateral
Movement
Privilege
Escalation
Breach
Classic Cyber Kill Chain
Find
Vulnerability
Breach
Reconnaissance
API Attack Cyber Kill Chain

12. Tools
Postman
Burpsuite
Practices
crAPI
https://github.com/OWASP/crAPI
vAPI
https://github.com/roottusk/vapi

13. BOLA / BFLA

14. Broken Object Level Authorisation
User A is able to request User B’s resources, and vice versa
A-B testing
Broken Function Level Authorisation
Perform un-authorized actions, PUT, DELETE, etc…
Escalated action
A-B-A testing

15. Improper Inventory Management

16. Version number
URI
Header
Parameter
Request body
Non-production API
test.example.com
uat.example.com
beta.example.cm
…

17. Server Side Request Forgery

18. Types
In-Band SSRF
Blind SSRF
Look for any URL
POST body
Parameter
Header, for example Referrer
Any user input
Tools
https://webhook.site
https://pingb.in

19. https://www.youtube.com/watch?
v=5tFYvNJPiyQ&list=PLqLRNszh0EC3hQdA3g0nVi6LeKh06AGOQ

20. Real World Cases

21. https://apisecurity.io/issue-173-coinbase-vulnerability-authn-authz-best-practices-bad-bots-hack-elgato-key-light/
https://twitter.com/Tree_of_Alpha/status/1495014907028422662

22. Broken Authentication
https://www.bleepingcomputer.com/news/security/t-mobile-hacked-to-steal-data-of-37-million-accounts-in-api-data-breach/
https://www.akto.io/blog/t-mobile-api-attack

23. https://time.com/4922700/instagram-security-breach-veri
fi
ed-users/#:~:text=%E2%80%9CWe%20recently%20discovered%20that%20one,in%20a%20statement%20to%20TIME.
Broken Object Level Auth
Broken Authentication

24. https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/
Improper Inventory Management

25. https://www.apisecuniversity.com/
https://www.akamai.com/newsroom/press-release/state-of-the-internet-security-retail-attacks-and-api-traf
fi
c
https://www.infosecurity-magazine.com/next-gen-infosec/api-attacks-threat-vector-2022/
https://www.upwork.com/resources/soap-vs-rest-a-look-at-two-different-api-styles
https://www.redhat.com/en/topics/api/what-are-application-programming-interfaces
https://archive.org/web/
https://venturebeat.com/security/twitter-breach-api-attack/
https://thenewstack.io/twitter-leak-shows-how-important-api-security-remains-in-2023/
https://apisecurity.io/issue-173-coinbase-vulnerability-authn-authz-best-practices-bad-bots-hack-elgato-key-light/
https://apimike.com/coinbase-api-vulnerability-bug
https://salt.security/blog/understanding-the-coinbase-api-vulnerability
https://twitter.com/Tree_of_Alpha/status/1495014907028422662

26. Thank You !!!