SlideShare a Scribd company logo

PwnSchool: Exploiting Web APIs

ThreatReel Podcast
ThreatReel Podcast

Meeting Topic: Exploiting Web APIs Speaker: Matt Scheurer https://twitter.com/c3rkah Abstract: This talk features live demos of Web API exploits against the “Tiredful API”, which is an intentionally broken web app. The objectives are to teach developers, QA, or security professionals about flaws present in a Web Services (REST API) due to insecure coding practices. Examples include: Information Disclosure, Insecure Direct Object Reference, Access Control, Throttling, SQL Injection (SQLite), and Cross Site Scripting (XSS). Many of these vulnerabilities are contained in the OWASP Top 10. Bio: Matt Scheurer works on a Computer Security Incident Response Team (CSIRT) performing Digital Forensics and Incident Response (DFIR). Matt has more than twenty years of combined experience in Information Technology and Information Security. He is the Security Director for the Cincinnati Networking Professionals Association (CiNPA) and a 2019 comSpark “Rising Tech Stars Award” winner. He has presented on numerous Information Security topics at many local area technology groups and large Information Security conferences across the country. Matt maintains active memberships in several professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.

Internet
1 of 28
Download to read offline
Exploiting Web APIsTheThePwnSchoolProject July,202020 I mean have you gotten any insight as to why a bright guy like this would exploit some vulnerable Web APIs? No sir. He says he does this sort of thing for fun. Exploiting Web APIs @c3rkah | https://www.linkedin.com/in/mattscheurer/ https://www.slideshare.net/cerkah/ -Matt Scheurer
I work for a big well-known organization... As an Information Security (InfoSec) Engineer, Performing Digital Forensics & Incident Response (DFIR) On a Computer Security Incident Response Team (CSIRT) About Me...About Me... I serve as Chair for the S||||
DisclaimerDisclaimer Yes, I have a day job. However… Opinions expressed are based solely on my own independent security research and do not express or reflect the views or opinions of my employer. BLAME
ObjectivesObjectives I work here: As a Sr. Systems Security Engineer ● Learn and understand – How API’s are abused by malicious threat actors – The risks associated with poorly coded API’s ● See the technical details of how exploited web API vulnerabilities may lead to a data breach – We’ve all seen how this plays out in the news
What is an API?What is an API? I work here: As a Sr. Systems Security Engineer Matt’s K.I.S.S. Definition An API is an “Application Programming Interface”. API’s allow access or interaction between systems. They often provide developers and power users with a means to access or leverage data and services on external or cloud-based systems and services. API’s may grant read, write, or modify privileges depending on design, configuration, implementation, and applied permissions.
Why is this important?Why is this important? Web API’s increase attack surfaces with the possibility of a potential avenue for compromise, data exfiltration, destruction, or manipulation in an otherwise reasonably secured system. Web API’s are purposely targeted by cyber-criminals in the event that finding an exploitable vulnerability may lead to a system compromise and / or a data breach.
What is REST?What is REST? ● REST is an acronym for REpresentational State Transfer. ● Web Services that conform to the REST architectural style, called RESTful Web Services, provide interoperability between computer systems on the Internet.
What is the Tiredful API?What is the Tiredful API? I work here: As a Sr. Systems Security Engineer The Tiredful API is an intentionally broken web app by design. The purpose of the application is to teach developers, QA testers, or security professionals about flaws present in Web Services (REST API) due to insecure coding practices.
Tiredful API VulnerabilitiesTiredful API Vulnerabilities I work here: As a Sr. Systems Security Engineer ● Information Disclosure ● Insecure Direct Object Reference (IDOR) ● Access Control ● Throttling ● SQL Injection (SQLi) ● Cross Site Scripting (XSS)
House KeepingHouse Keeping I work here: As a Sr. Systems Security Engineer ● For demo purposes, I am using the Firefox web browser with the RESTClient extension ● Some challenges require authentication under an account with appropriate access – Exercises involving access to protected data require an access key
Authentication ControlAuthentication Control ● OAuth 2.0 Access – The token credentials consist of an access token and token secret used in lieu of a username and password – The required “token_type” typically uses the string “Bearer” under most implementations
Potential access token exposurePotential access token exposure ● Some ways access tokens are stolen / exposed – Intercepting proxy / MitM / HTTP 307 attacks – Open browser sessions / browser history – Cross-Site Request Forgery (CSRF) attacks – Token stored in JavaScript – Token stored in an unencrypted session cookie
Getting StartedGetting Started I work here: As a Sr. Systems Security Engineer 1)Browse to the local Tiredful API home page • By default, http://127.0.0.1:8000/ 2)Click on “User Token” 3)Login to obtain a user token (i.e., ‘batman’) 4)Note the returned “access_token” value
Information DisclosureInformation Disclosure I work here: As a Sr. Systems Security Engineer ● Sensitive data examples – Financial data (i.e., PCI, account data, credit cards) – Personally Identifiable Information (PII) – System / Stacktrace Information ● Reconnaissance A3:2017 – Sensitive Data Exposure
Demo 1 / 6Demo 1 / 6 I work here: As a Sr. Systems Security Engineer Scenario: Information Disclosure Objective: Try to get stacktrace information. A3:2017 – Sensitive Data Exposure
Insecure Direct Object ReferenceInsecure Direct Object Reference I work here: As a Sr. Systems Security Engineer ● IDOR Risks – Failure to restrict access appropriately – Threat actors exploiting flaws to gain unauthorized access to data or traversing other parts of a system A5:2017 – Broken Access Control
Demo 2 / 6Demo 2 / 6 I work here: As a Sr. Systems Security Engineer Scenario: Insecure Direct Object Reference (IDOR) Objective: Try to access exam results of another user. A5:2017 – Broken Access Control
Access ControlAccess Control I work here: As a Sr. Systems Security Engineer ● Risks – Allowing unintended access from the way a system or application was designed – Failure to restrict protected or administrative actions to authorized users A5:2017 – Broken Access Control
Demo 3 / 6Demo 3 / 6 I work here: As a Sr. Systems Security Engineer Scenario: Access Control Objective: Try to execute an operation which should be only allowed to admin users. A5:2017 – Broken Access Control
ThrottlingThrottling I work here: As a Sr. Systems Security Engineer ● Risks – Denial of Service (DoS) ● A way to flood system resources which effectively makes a system unavailable ● Prevents legitimate users from access to a system
Demo 4 / 6Demo 4 / 6 I work here: As a Sr. Systems Security Engineer Scenario: Throttling (a.k.a. Rate Limit Implementation) Objective: Force server to respond with HTTP response code 429 to abuse system resources by launching a DoS attack. NOTE: A HTTP 429 response code means "Too Many Requests". A5:2017 – Broken Access Control
SQL InjectionSQL Injection I work here: As a Sr. Systems Security Engineer ● SQLi Risks – Vulnerabilities which allow unauthorized access to a back-end database – Abuses ● Data exfiltration, destruction, or manipulation A1:2017 – Injection
Demo 5 / 6Demo 5 / 6 I work here: As a Sr. Systems Security Engineer Scenario: SQL Injection (a.k.a. "SQLi") Objective: Find table names of the SQLite database. A5:2017 – Broken Access Control
Cross Site ScriptingCross Site Scripting I work here: As a Sr. Systems Security Engineer ● Cross Site Scripting (XSS) Risks – Performs automatic code execution in client browsers upon access – Stolen credentials or form data – Execution of exploit kit payloads A7:2017 – Cross-Site Scripting (XSS)
Demo 6 / 6Demo 6 / 6 I work here: As a Sr. Systems Security Engineer Scenario: Cross Site Scripting (XSS) Objective: Find parameters accepting cross site scripting meta-characters. A5:2017 – Broken Access Control
Reducing these risksReducing these risks ● Recommendations – Adopting a secure development life cycle ● Having a security champion on each dev team ● Testing as early in the SDLC process as possible – Adhering to the Principle of Least Privilege – OWASP resources ● https://owasp.org/
QuestionsQuestions 8 1 01 010 Who? What? When? Where? Why? How?
Thank you for attending!TheThePwnSchoolProject July,202020 I mean have you gotten any insight as to why a bright guy like this would exploit some vulnerable Web APIs? No sir. He says he does this sort of thing for fun. Exploiting Web APIs @c3rkah | https://www.linkedin.com/in/mattscheurer/ https://www.slideshare.net/cerkah/ -Matt Scheurer

Recommended

CiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful APICiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful API
ThreatReel Podcast
 
CONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIsCONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIs
ThreatReel Podcast
 
SecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIsSecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIs
ThreatReel Podcast
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
Tariq Islam
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
Ashwini Paranjpe
 
Top Security Threats for .NET Developers
Top Security Threats for .NET DevelopersTop Security Threats for .NET Developers
Top Security Threats for .NET Developers
Mikhail Shcherbakov
 

Recommended

CiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful APICiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful API
ThreatReel Podcast
 
CONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIsCONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIs
ThreatReel Podcast
 
SecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIsSecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIs
ThreatReel Podcast
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
Tariq Islam
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
Ashwini Paranjpe
 
Top Security Threats for .NET Developers
Top Security Threats for .NET DevelopersTop Security Threats for .NET Developers
Top Security Threats for .NET Developers
Mikhail Shcherbakov
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Sathyanarayana Panduranga
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
YasserElsnbary
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application Security
Ted Husted
 
Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017
Sampath Bhargav Pinnam
 
A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013
Sorina Chirilă
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The Horizon
Lalit Kale
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
abhijitapatil
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
Alan Kan
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
Jiri Danihelka
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modeling
zakieh alizadeh
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
OWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersOWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web Developers
Benjamin Floyd
 
InsecureDirectObjectReferences
InsecureDirectObjectReferencesInsecureDirectObjectReferences
InsecureDirectObjectReferences
macanazon
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
Nahidul Kibria
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzing
Blueinfy Solutions
 
A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Control
stevil1224
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
Vaibhav Gupta
 
Security testing
Security testingSecurity testing
Security testing
Rihab Chebbah
 
OWASP Khartoum Top 10 A4 - 7th meeting
OWASP Khartoum Top 10 A4 - 7th meetingOWASP Khartoum Top 10 A4 - 7th meeting
OWASP Khartoum Top 10 A4 - 7th meetingOWASP Khartoum
 
OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
OWASP Khartoum - Top 10 A6 - 8th meeting - Security MisconfigurationOWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
OWASP Khartoum - Top 10 A6 - 8th meeting - Security MisconfigurationOWASP Khartoum
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 

More Related Content

What's hot

Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Sathyanarayana Panduranga
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
YasserElsnbary
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application Security
Ted Husted
 
Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017
Sampath Bhargav Pinnam
 
A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013
Sorina Chirilă
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The Horizon
Lalit Kale
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
abhijitapatil
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
Alan Kan
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
Jiri Danihelka
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modeling
zakieh alizadeh
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
OWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersOWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web Developers
Benjamin Floyd
 
InsecureDirectObjectReferences
InsecureDirectObjectReferencesInsecureDirectObjectReferences
InsecureDirectObjectReferences
macanazon
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
Nahidul Kibria
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzing
Blueinfy Solutions
 
A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Control
stevil1224
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
Vaibhav Gupta
 
Security testing
Security testingSecurity testing
Security testing
Rihab Chebbah
 
OWASP Khartoum Top 10 A4 - 7th meeting
OWASP Khartoum Top 10 A4 - 7th meetingOWASP Khartoum Top 10 A4 - 7th meeting
OWASP Khartoum Top 10 A4 - 7th meetingOWASP Khartoum
 
OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
OWASP Khartoum - Top 10 A6 - 8th meeting - Security MisconfigurationOWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
OWASP Khartoum - Top 10 A6 - 8th meeting - Security MisconfigurationOWASP Khartoum
 

What's hot (20)

Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application Security
 
Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017
 
A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The Horizon
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modeling
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
OWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersOWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web Developers
 
InsecureDirectObjectReferences
InsecureDirectObjectReferencesInsecureDirectObjectReferences
InsecureDirectObjectReferences
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzing
 
A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Control
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
 
Security testing
Security testingSecurity testing
Security testing
 
OWASP Khartoum Top 10 A4 - 7th meeting
OWASP Khartoum Top 10 A4 - 7th meetingOWASP Khartoum Top 10 A4 - 7th meeting
OWASP Khartoum Top 10 A4 - 7th meeting
 
OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
OWASP Khartoum - Top 10 A6 - 8th meeting - Security MisconfigurationOWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
 

Similar to PwnSchool: Exploiting Web APIs

For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More Safe
Thuan Ng
 
Addressing Web Application Security Vulnerabilities.pdf
Addressing Web Application Security Vulnerabilities.pdfAddressing Web Application Security Vulnerabilities.pdf
Addressing Web Application Security Vulnerabilities.pdf
CecilSu
 
Security For Application Development
Security For Application DevelopmentSecurity For Application Development
Security For Application Development
6502programmer
 
Owasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesOwasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilities
RIZWAN HASAN
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
ThreatReel Podcast
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP Applications
Aditya Mooley
 
Prevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host LanguagePrevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host Language
IRJET Journal
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
Prateek Jain
 
Threat Modeling and OWASP Top 10 (2017 rc1)
Threat Modeling and OWASP Top 10 (2017 rc1)Threat Modeling and OWASP Top 10 (2017 rc1)
Threat Modeling and OWASP Top 10 (2017 rc1)
Mike Tetreault
 
C01461422
C01461422C01461422
C01461422
IOSR Journals
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
bilcorry
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
Cenzic
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security Ninja
Paul Gilzow
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhibhumika2108
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
Edouard de Lansalut
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allup
llangit
 

Similar to PwnSchool: Exploiting Web APIs (20)

For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More Safe
 
Addressing Web Application Security Vulnerabilities.pdf
Addressing Web Application Security Vulnerabilities.pdfAddressing Web Application Security Vulnerabilities.pdf
Addressing Web Application Security Vulnerabilities.pdf
 
Security For Application Development
Security For Application DevelopmentSecurity For Application Development
Security For Application Development
 
Owasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesOwasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilities
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP Applications
 
Prevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host LanguagePrevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host Language
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Threat Modeling and OWASP Top 10 (2017 rc1)
Threat Modeling and OWASP Top 10 (2017 rc1)Threat Modeling and OWASP Top 10 (2017 rc1)
Threat Modeling and OWASP Top 10 (2017 rc1)
 
C01461422
C01461422C01461422
C01461422
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security Ninja
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allup
 

More from ThreatReel Podcast

BSides Columbus - Lend me your IR's!
BSides Columbus - Lend me your IR's!BSides Columbus - Lend me your IR's!
BSides Columbus - Lend me your IR's!
ThreatReel Podcast
 
CCC - Lend me your IR's
CCC - Lend me your IR'sCCC - Lend me your IR's
CCC - Lend me your IR's
ThreatReel Podcast
 
ISC2: AppSec & OWASP Primer
ISC2: AppSec & OWASP PrimerISC2: AppSec & OWASP Primer
ISC2: AppSec & OWASP Primer
ThreatReel Podcast
 
OISF - Continuous Skills Improvement for Everyone
OISF - Continuous Skills Improvement for EveryoneOISF - Continuous Skills Improvement for Everyone
OISF - Continuous Skills Improvement for Everyone
ThreatReel Podcast
 
Central Ohio InfoSec Summit: Why Script Kiddies Succeed
Central Ohio InfoSec Summit: Why Script Kiddies SucceedCentral Ohio InfoSec Summit: Why Script Kiddies Succeed
Central Ohio InfoSec Summit: Why Script Kiddies Succeed
ThreatReel Podcast
 
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 PrimerAppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
ThreatReel Podcast
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
ThreatReel Podcast
 
Butler Tech - Working in IT and InfoSec
Butler Tech - Working in IT and InfoSecButler Tech - Working in IT and InfoSec
Butler Tech - Working in IT and InfoSec
ThreatReel Podcast
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
ThreatReel Podcast
 
CiNPA Security SIG - Physical Security
CiNPA Security SIG - Physical SecurityCiNPA Security SIG - Physical Security
CiNPA Security SIG - Physical Security
ThreatReel Podcast
 
CiNPA / CiNPA Security SIG History
CiNPA / CiNPA Security SIG HistoryCiNPA / CiNPA Security SIG History
CiNPA / CiNPA Security SIG History
ThreatReel Podcast
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
ThreatReel Podcast
 
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
ThreatReel Podcast
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
ThreatReel Podcast
 
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
ThreatReel Podcast
 
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ThreatReel Podcast
 
BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!
ThreatReel Podcast
 
OISF - AppSec Presentation
OISF - AppSec PresentationOISF - AppSec Presentation
OISF - AppSec Presentation
ThreatReel Podcast
 
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
ThreatReel Podcast
 
BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!
ThreatReel Podcast
 

More from ThreatReel Podcast (20)

BSides Columbus - Lend me your IR's!
BSides Columbus - Lend me your IR's!BSides Columbus - Lend me your IR's!
BSides Columbus - Lend me your IR's!
 
CCC - Lend me your IR's
CCC - Lend me your IR'sCCC - Lend me your IR's
CCC - Lend me your IR's
 
ISC2: AppSec & OWASP Primer
ISC2: AppSec & OWASP PrimerISC2: AppSec & OWASP Primer
ISC2: AppSec & OWASP Primer
 
OISF - Continuous Skills Improvement for Everyone
OISF - Continuous Skills Improvement for EveryoneOISF - Continuous Skills Improvement for Everyone
OISF - Continuous Skills Improvement for Everyone
 
Central Ohio InfoSec Summit: Why Script Kiddies Succeed
Central Ohio InfoSec Summit: Why Script Kiddies SucceedCentral Ohio InfoSec Summit: Why Script Kiddies Succeed
Central Ohio InfoSec Summit: Why Script Kiddies Succeed
 
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 PrimerAppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
 
Butler Tech - Working in IT and InfoSec
Butler Tech - Working in IT and InfoSecButler Tech - Working in IT and InfoSec
Butler Tech - Working in IT and InfoSec
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
 
CiNPA Security SIG - Physical Security
CiNPA Security SIG - Physical SecurityCiNPA Security SIG - Physical Security
CiNPA Security SIG - Physical Security
 
CiNPA / CiNPA Security SIG History
CiNPA / CiNPA Security SIG HistoryCiNPA / CiNPA Security SIG History
CiNPA / CiNPA Security SIG History
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
 
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
 
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
 
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
 
BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!
 
OISF - AppSec Presentation
OISF - AppSec PresentationOISF - AppSec Presentation
OISF - AppSec Presentation
 
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
 
BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!
 

Recently uploaded

7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
Danica Gill
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
GTProductions1
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
Trish Parr
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
JeyaPerumal1
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
vmemo1
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
SEO Article Boost
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
cuobya
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
zoowe
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
nhiyenphan2005
 

Recently uploaded (20)

7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
 

PwnSchool: Exploiting Web APIs

  • 1. Exploiting Web APIsTheThePwnSchoolProject July,202020 I mean have you gotten any insight as to why a bright guy like this would exploit some vulnerable Web APIs? No sir. He says he does this sort of thing for fun. Exploiting Web APIs @c3rkah | https://www.linkedin.com/in/mattscheurer/ https://www.slideshare.net/cerkah/ -Matt Scheurer
  • 2. I work for a big well-known organization... As an Information Security (InfoSec) Engineer, Performing Digital Forensics & Incident Response (DFIR) On a Computer Security Incident Response Team (CSIRT) About Me...About Me... I serve as Chair for the S||||
  • 3. DisclaimerDisclaimer Yes, I have a day job. However… Opinions expressed are based solely on my own independent security research and do not express or reflect the views or opinions of my employer. BLAME
  • 4. ObjectivesObjectives I work here: As a Sr. Systems Security Engineer ● Learn and understand – How API’s are abused by malicious threat actors – The risks associated with poorly coded API’s ● See the technical details of how exploited web API vulnerabilities may lead to a data breach – We’ve all seen how this plays out in the news
  • 5. What is an API?What is an API? I work here: As a Sr. Systems Security Engineer Matt’s K.I.S.S. Definition An API is an “Application Programming Interface”. API’s allow access or interaction between systems. They often provide developers and power users with a means to access or leverage data and services on external or cloud-based systems and services. API’s may grant read, write, or modify privileges depending on design, configuration, implementation, and applied permissions.
  • 6. Why is this important?Why is this important? Web API’s increase attack surfaces with the possibility of a potential avenue for compromise, data exfiltration, destruction, or manipulation in an otherwise reasonably secured system. Web API’s are purposely targeted by cyber-criminals in the event that finding an exploitable vulnerability may lead to a system compromise and / or a data breach.
  • 7. What is REST?What is REST? ● REST is an acronym for REpresentational State Transfer. ● Web Services that conform to the REST architectural style, called RESTful Web Services, provide interoperability between computer systems on the Internet.
  • 8. What is the Tiredful API?What is the Tiredful API? I work here: As a Sr. Systems Security Engineer The Tiredful API is an intentionally broken web app by design. The purpose of the application is to teach developers, QA testers, or security professionals about flaws present in Web Services (REST API) due to insecure coding practices.
  • 9. Tiredful API VulnerabilitiesTiredful API Vulnerabilities I work here: As a Sr. Systems Security Engineer ● Information Disclosure ● Insecure Direct Object Reference (IDOR) ● Access Control ● Throttling ● SQL Injection (SQLi) ● Cross Site Scripting (XSS)
  • 10. House KeepingHouse Keeping I work here: As a Sr. Systems Security Engineer ● For demo purposes, I am using the Firefox web browser with the RESTClient extension ● Some challenges require authentication under an account with appropriate access – Exercises involving access to protected data require an access key
  • 11. Authentication ControlAuthentication Control ● OAuth 2.0 Access – The token credentials consist of an access token and token secret used in lieu of a username and password – The required “token_type” typically uses the string “Bearer” under most implementations
  • 12. Potential access token exposurePotential access token exposure ● Some ways access tokens are stolen / exposed – Intercepting proxy / MitM / HTTP 307 attacks – Open browser sessions / browser history – Cross-Site Request Forgery (CSRF) attacks – Token stored in JavaScript – Token stored in an unencrypted session cookie
  • 13. Getting StartedGetting Started I work here: As a Sr. Systems Security Engineer 1)Browse to the local Tiredful API home page • By default, http://127.0.0.1:8000/ 2)Click on “User Token” 3)Login to obtain a user token (i.e., ‘batman’) 4)Note the returned “access_token” value
  • 14. Information DisclosureInformation Disclosure I work here: As a Sr. Systems Security Engineer ● Sensitive data examples – Financial data (i.e., PCI, account data, credit cards) – Personally Identifiable Information (PII) – System / Stacktrace Information ● Reconnaissance A3:2017 – Sensitive Data Exposure
  • 15. Demo 1 / 6Demo 1 / 6 I work here: As a Sr. Systems Security Engineer Scenario: Information Disclosure Objective: Try to get stacktrace information. A3:2017 – Sensitive Data Exposure
  • 16. Insecure Direct Object ReferenceInsecure Direct Object Reference I work here: As a Sr. Systems Security Engineer ● IDOR Risks – Failure to restrict access appropriately – Threat actors exploiting flaws to gain unauthorized access to data or traversing other parts of a system A5:2017 – Broken Access Control
  • 17. Demo 2 / 6Demo 2 / 6 I work here: As a Sr. Systems Security Engineer Scenario: Insecure Direct Object Reference (IDOR) Objective: Try to access exam results of another user. A5:2017 – Broken Access Control
  • 18. Access ControlAccess Control I work here: As a Sr. Systems Security Engineer ● Risks – Allowing unintended access from the way a system or application was designed – Failure to restrict protected or administrative actions to authorized users A5:2017 – Broken Access Control
  • 19. Demo 3 / 6Demo 3 / 6 I work here: As a Sr. Systems Security Engineer Scenario: Access Control Objective: Try to execute an operation which should be only allowed to admin users. A5:2017 – Broken Access Control
  • 20. ThrottlingThrottling I work here: As a Sr. Systems Security Engineer ● Risks – Denial of Service (DoS) ● A way to flood system resources which effectively makes a system unavailable ● Prevents legitimate users from access to a system
  • 21. Demo 4 / 6Demo 4 / 6 I work here: As a Sr. Systems Security Engineer Scenario: Throttling (a.k.a. Rate Limit Implementation) Objective: Force server to respond with HTTP response code 429 to abuse system resources by launching a DoS attack. NOTE: A HTTP 429 response code means "Too Many Requests". A5:2017 – Broken Access Control
  • 22. SQL InjectionSQL Injection I work here: As a Sr. Systems Security Engineer ● SQLi Risks – Vulnerabilities which allow unauthorized access to a back-end database – Abuses ● Data exfiltration, destruction, or manipulation A1:2017 – Injection
  • 23. Demo 5 / 6Demo 5 / 6 I work here: As a Sr. Systems Security Engineer Scenario: SQL Injection (a.k.a. "SQLi") Objective: Find table names of the SQLite database. A5:2017 – Broken Access Control
  • 24. Cross Site ScriptingCross Site Scripting I work here: As a Sr. Systems Security Engineer ● Cross Site Scripting (XSS) Risks – Performs automatic code execution in client browsers upon access – Stolen credentials or form data – Execution of exploit kit payloads A7:2017 – Cross-Site Scripting (XSS)
  • 25. Demo 6 / 6Demo 6 / 6 I work here: As a Sr. Systems Security Engineer Scenario: Cross Site Scripting (XSS) Objective: Find parameters accepting cross site scripting meta-characters. A5:2017 – Broken Access Control
  • 26. Reducing these risksReducing these risks ● Recommendations – Adopting a secure development life cycle ● Having a security champion on each dev team ● Testing as early in the SDLC process as possible – Adhering to the Principle of Least Privilege – OWASP resources ● https://owasp.org/
  • 28. Thank you for attending!TheThePwnSchoolProject July,202020 I mean have you gotten any insight as to why a bright guy like this would exploit some vulnerable Web APIs? No sir. He says he does this sort of thing for fun. Exploiting Web APIs @c3rkah | https://www.linkedin.com/in/mattscheurer/ https://www.slideshare.net/cerkah/ -Matt Scheurer