API SECURITY
Kateryna Ovechenko
QA CONFERENCE #1 IN UKRAINE, KYIV 2019
WITH PASSION TO QUALITY QA CONFERENCE #1 IN UKRAINE KYIV 2019
ABOUT ME
● Head of QA Department at
● Co-founder of professional IT conferences
● 9+ years in testing; focus on test management of large programs and teams, and on security testing
● 4+ years in security testing: from building competence in the company to coordinating projects for external customers
● Speaker at local and international conferences (QA Fest, SQA Days, Simplicity Day, Czech Test and several in Norway), lecturer at National Aviation University
REAL EXAMPLES

NISSAN
Full article: https://www.computerworld.com/article/3036964/hackers-can-access-the-nissan-leaf-via-insecure-apis.html
Remote control over the API of another user's car:
● Climate control
● Battery charge management
● Car driving range
● Historic driving data (when, how far, how efficiently)
SAMSUNG
Full article: https://www.consumerreports.org/tvs/samsung-fixes-smart-tv-security-issue/
The unsecured API allowed an attacker to:
● change TV channels
● turn up the volume
● play unwanted YouTube videos
● kick the TV off a WiFi connection
It did NOT allow:
● spying on a TV viewer
● stealing private information
● monitoring what was being watched
CANDY CRUSH
Full article: https://www.stavros.io/posts/winning-candy-crush/
By modifying legitimate API requests from the game, the hacker was able to:
● Play without the lives limitation
● Make the levels easier by changing the number of colours for each level
● Finish each level automatically with a random score by calling the proper method in the API
APIS IN OUR LIFE
● The average number of APIs a company runs is 420
● 83% of traffic in the content delivery network belongs to APIs
Full report: https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/state-of-the-internet-security-retail-attacks-and-api-traffic-report-2019.pdf
OWASP API SECURITY
Top 10 API Security Risks, current draft:
1. Broken Object Level Access Control
2. Broken Authentication
3. Improper Data Filtering
4. Lack of Resources & Rate Limiting
5. Missing Function/Resource Level Access Control
6. Mass Assignment
7. Security Misconfiguration
8. Injection
9. Improper Assets Management
10. Insufficient Logging & Monitoring
API Security Cheat Sheet from OWASP: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
A1: BROKEN OBJECT LEVEL ACCESS CONTROL
Example request, downloading a document by its ID:

    POST api/v1/documents/download_document
    {
      document_id: 102
    }

Trying the neighbouring IDs with the same session:

    document_id 102 → ok
    document_id 101 → fail
    document_id 103 → fail
    document_id 104 → fail
A1: BROKEN OBJECT LEVEL ACCESS CONTROL
Violation of horizontal access control. The object identifier can be passed in:
● URL parameters: /api/users/717
● Query parameters: /download_file?id=111
● Body parameters: user-id:717
Tools: traffic analyzers, API testing tool
A2: BROKEN AUTHENTICATION
● Weak authentication (password management, brute force attacks, etc.)
  ○ Can be tested both manually and with automatic scanners
● Checking sessions for APIs. Example of a session cookie carried in an API request:

    GET /api/1.0/Channels/1270 HTTP/1.1
    Host: test-site.azurewebsites.net
    Accept: application/json
    Accept-Encoding: gzip, deflate
    Cookie: auth=60f5f03b-57b8-40b4-aa79-a73e8b6f0814; ARRAffinity=667b68ef9998ba2095eb4fef50e58d958908a44894f5425ed92f2db982a28474
    Connection: keep-alive
A2: BROKEN AUTHENTICATION
● API to API communication with a master token or service account
  ○ Cannot be found automatically, only during architecture and code reviews
● Basic authentication vs claim-based authentication and Single Sign On (SSO)

CLAIM-BASED AUTHENTICATION (diagram slide)

Tools: automatic scanners, API testing tool
A3: IMPROPER DATA FILTERING
● Client-side data filtering
  APIs tend to return more data than required. This data is usually not shown to the user, but can be easily found in the API response.
● Filters manipulation
  The front-end usually maintains the user's state. The client sends more filters to the back-end in order to reflect the user's state.

Example: the UI shows only three fields of a profile:

    Name: Kate
    Role: superuser
    Hobby: travelling, sports

while the API response behind it returns the whole record:

    200 OK
    {
      "users": [{
        "picture": "profile_kate.jpg",
        "userid": 220,
        "name": "Kate",
        "last_name": "Ovechenko",
        "role": "superuser",
        "hobbies": ["travelling", "sports"],
        "address": "Kyiv, Test str., 35"
      }]
    }

Tools: traffic analyzers, API testing tool
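An added Ruby example (not the talk's code) of fixing both bullets server-side: an allow-list presenter that returns only the fields the profile card needs, a QA check that lists what a captured response over-shares, and filter validation that rejects client-supplied filter keys the server does not recognise. The record, field names and filter names are constructed from the slide's sample response.

```ruby
require "json"

# Constructed record: everything the back-end stores for the user shown on
# the slide. Only part of it is meant for the profile card in the UI.
FULL_USER_RECORD = {
  "picture"   => "profile_kate.jpg",
  "userid"    => 220,
  "name"      => "Kate",
  "last_name" => "Ovechenko",
  "role"      => "superuser",
  "hobbies"   => ["travelling", "sports"],
  "address"   => "Kyiv, Test str., 35",
}.freeze

# Allow-list of fields for the profile card (name, role and hobbies are what
# the UI shows; picture and userid are needed to render it). Everything else
# is dropped server-side instead of being hidden by the client.
PROFILE_CARD_FIELDS = %w[picture userid name role hobbies].freeze

# Build the API representation of one record from the allow-list.
def present_user(record, fields = PROFILE_CARD_FIELDS)
  fields.each_with_object({}) { |f, out| out[f] = record[f] if record.key?(f) }
end

# GET /users response: 200 with a JSON body shaped like the slide's example.
def profile_card_response(records)
  [200, JSON.generate({ "users" => records.map { |r| present_user(r) } })]
end

# QA check for "client-side data filtering": parse a captured response body
# and list the fields that are not on the allow-list, i.e. what the API
# over-shares compared with what the UI needs.
def leaked_fields(json_body, allowed = PROFILE_CARD_FIELDS)
  JSON.parse(json_body).fetch("users").flat_map { |u| u.keys - allowed }.uniq
end

# "Filters manipulation": the server decides which filter keys a client may
# send. Unknown keys (e.g. a client adding role=... to widen its view) are
# rejected with 400 rather than silently applied or silently ignored.
ALLOWED_FILTERS = %w[name hobby].freeze

def apply_filters(records, client_filters)
  unknown = client_filters.keys - ALLOWED_FILTERS
  return [400, { "error" => "unknown filter: #{unknown.join(', ')}" }] unless unknown.empty?
  matched = records.select do |r|
    client_filters.all? do |key, value|
      key == "hobby" ? r["hobbies"].include?(value) : r[key] == value
    end
  end
  [200, matched.map { |r| present_user(r) }]
end
```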
Full article: https://devclass.com/2018/10/02/gitlab-api-flaw-security-updates/
A4: LACK OF RESOURCES & RATE LIMITING
Scenario 1: too many requests are being made to or from a certain API at the same time
● Status code: 429 Too Many Requests
● Proprietary headers: X-RateLimit-*
Scenario 2: too heavy requests are being made to an API
● /dashboard/users?page=1&size=100 → size=200000
Scenario 3: fuzzing. What data can be used for fuzzing:
● Wrong data format
● Long arrays of data
● Special characters
● Other methods or protocols than those expected by the server
● Special functions
BURP SUITE: HTTP METHOD FUZZING (screenshot)
Tools: traffic analyzers, fuzzing tools (JBroFuzz, Fuzzapi)
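An added Ruby example (not the talk's code) for scenarios 1 and 2: a fixed-window limiter that answers 429 with X-RateLimit-* headers, and page-size parsing that clamps size=200000 instead of serving it. The limit, window and page cap are assumed values.

```ruby
# Fixed-window rate limiter that answers with 429 and X-RateLimit-* headers
# (scenario 1), and page-size validation that clamps "size=200000" (scenario 2).
# The clock is passed in as a number of seconds so behaviour is deterministic.
class RateLimiter
  def initialize(limit:, window_seconds:)
    @limit = limit
    @window = window_seconds
    @buckets = {} # client_key => [window_start, request_count]
  end

  # Returns [status, headers] for one request from client_key at time now.
  def check(client_key, now)
    start, count = @buckets[client_key]
    start, count = now, 0 if start.nil? || now - start >= @window
    count += 1
    @buckets[client_key] = [start, count]
    reset_at = start + @window
    headers = {
      "X-RateLimit-Limit"     => @limit,
      "X-RateLimit-Remaining" => [@limit - count, 0].max,
      "X-RateLimit-Reset"     => reset_at,
    }
    return [200, headers] if count <= @limit
    headers["Retry-After"] = reset_at - now
    [429, headers]
  end
end

MAX_PAGE_SIZE = 100      # assumed cap for one page
DEFAULT_PAGE_SIZE = 20   # assumed default when size is absent

# Parse "page=1&size=100" from a query string. Non-integers and non-positive
# values are rejected; an oversized page is clamped to MAX_PAGE_SIZE instead
# of letting one request pull the whole table.
def page_params(query)
  params = query.split("&").to_h { |kv| k, v = kv.split("=", 2); [k, v.to_s] }
  page = Integer(params.fetch("page", "1"), 10)
  size = Integer(params.fetch("size", DEFAULT_PAGE_SIZE.to_s), 10)
  return [400, { "error" => "page and size must be positive" }] if page < 1 || size < 1
  [200, { "page" => page, "size" => [size, MAX_PAGE_SIZE].min, "clamped" => size > MAX_PAGE_SIZE }]
rescue ArgumentError, TypeError
  [400, { "error" => "page and size must be integers" }]
end
```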
A5: MISSING FUNCTION LEVEL ACCESS CONTROL
Violation of vertical access control:
● Understand the relations between resources
● Complex user policies and roles
● Easier to predict the entry points (GET → DELETE, /api/v1/users → /api/v1/admins)
● 2xx OK vs 401/403 Unauthorized/Forbidden
A5: MISSING FUNCTION LEVEL ACCESS CONTROL
(Slide diagram: role hierarchy with the roles Authenticated user, Regular user, Manager and Admin)
Full article: https://www.zdnet.com/article/steam-bug-could-have-given-you-access-to-all-the-cd-keys-of-any-game/
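An added Ruby example (not the talk's code) covering both A1 and A5: a small in-memory version of the document API from the A1 slide with an ownership check per object (horizontal) and a role check per function (vertical), plus the neighbouring-ID walk from that slide as a regression test. The users, roles, document IDs and routes are constructed for the example.

```ruby
# In-memory model of the talk's document API with both checks the A1 and A5
# slides describe: horizontal (does the caller own the object?) and vertical
# (may the caller's role call this function at all?). Users, documents and
# the role matrix are constructed for the example.
ROLE_RANK = { "regular_user" => 1, "manager" => 2, "admin" => 3 }.freeze

USERS = {
  "kate"  => "regular_user",
  "john"  => "regular_user",
  "maria" => "manager",
  "root"  => "admin",
}.freeze

DOCUMENTS = {
  101 => { owner: "john",  name: "john-payslip.pdf" },
  102 => { owner: "kate",  name: "kate-contract.pdf" },
  103 => { owner: "john",  name: "john-contract.pdf" },
  104 => { owner: "maria", name: "q3-report.pdf" },
}.freeze

# Lowest role allowed to call each function (vertical access control).
# Routes not listed here are denied by default.
FUNCTION_MIN_ROLE = {
  "POST /api/v1/documents/download_document" => "regular_user",
  "DELETE /api/v1/documents"                 => "manager",
  "GET /api/v1/admins"                       => "admin",
}.freeze

def role_of(user)
  USERS[user]
end

def allowed_function?(user, method, path)
  min_role = FUNCTION_MIN_ROLE["#{method} #{path}"]
  return false if min_role.nil? || role_of(user).nil?
  ROLE_RANK.fetch(role_of(user)) >= ROLE_RANK.fetch(min_role)
end

# Object-level rule: the owner, or a manager/admin, may act on a document.
def allowed_object?(user, doc_id)
  doc = DOCUMENTS[doc_id]
  return false if doc.nil?
  doc[:owner] == user || ROLE_RANK.fetch(role_of(user)) >= ROLE_RANK["manager"]
end

# Common guard: 401 without a session, 403 on either failed check.
# Unknown IDs also get 403 so the response does not reveal which IDs exist.
def authorize(user, method, path, doc_id = nil)
  return [401, { error: "unauthenticated" }] if role_of(user).nil?
  return [403, { error: "forbidden" }] unless allowed_function?(user, method, path)
  return [403, { error: "forbidden" }] if doc_id && !allowed_object?(user, doc_id)
  nil
end

# POST api/v1/documents/download_document { document_id: N }
def download_document(user, doc_id)
  denied = authorize(user, "POST", "/api/v1/documents/download_document", doc_id)
  return denied if denied
  [200, { document_id: doc_id, name: DOCUMENTS[doc_id][:name] }]
end

# DELETE /api/v1/documents/:id (the deletion itself is omitted; only the checks matter here)
def delete_document(user, doc_id)
  authorize(user, "DELETE", "/api/v1/documents", doc_id) || [204, {}]
end

# GET /api/v1/admins
def list_admins(user)
  authorize(user, "GET", "/api/v1/admins") || [200, { admins: USERS.select { |_, r| r == "admin" }.keys }]
end

# Regression check for A1, the same walk the slide shows (102 ok, 101/103/104
# fail): try the IDs around the one the user owns and record each status.
def probe_neighbouring_ids(user, owned_id, radius: 2)
  ((owned_id - radius)..(owned_id + radius)).to_h { |id| [id, download_document(user, id).first] }
end

# True when the only ID that returns 200 for this user is the one they own.
def bola_check_passes?(user, owned_id, radius: 2)
  probe_neighbouring_ids(user, owned_id, radius: radius).all? { |id, status| (status == 200) == (id == owned_id) }
end
```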
A6: MASS ASSIGNMENT
● Modern frameworks encourage developers to use mass assignment techniques (use a data-transfer object with all properties)
● Easier to exploit in APIs
  ○ We can usually find a GET request that returns all the properties of an object

Vulnerable sign-up action (Rails):

    def signup
      @user = User.create(params[:user])
      # => User<email: "john@doe.com", password: "qwerty", is_administrator: false>
    end

Injected field in the sign-up form:

    <!-- INJECTED FIELD: -->
    <input type="hidden" name="is_administrator" value="true">

    def signup
      @user = User.create(params[:user])
      # => User<email: "john@doe.com", password: "qwerty", is_administrator: true>
    end

Fix:

    def signup
      # Explicit assignment:
      @user = User.create(email: params[:user][:email], password: params[:user][:password])
      # or whitelisting (strong parameters):
      @user = User.create(params.require(:user).permit(:email, :password))
    end
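An added plain-Ruby example (not the talk's Rails code) of the same sign-up with mass assignment beside its allow-listed form, plus a regression check that replays the properties a GET exposes into sign-up and reports which non-permitted ones were accepted. The User struct and the permitted-parameter list are assumptions standing in for the Rails model and strong parameters.

```ruby
# Plain-Ruby version of the Rails snippets above (an added example, not the
# talk's code): the mass-assigned sign-up beside the allow-listed one, and a
# regression check that replays every property a GET returns back into the
# sign-up call and reports which non-permitted ones were accepted.
User = Struct.new(:email, :password, :is_administrator, keyword_init: true)

# Vulnerable: every request key that matches a model attribute is written.
def create_user_mass_assigned(params)
  user = User.new(is_administrator: false)
  params.each { |k, v| user[k.to_sym] = v if User.members.include?(k.to_sym) }
  user
end

# Equivalent of params.require(:user).permit(:email, :password).
PERMITTED_SIGNUP_PARAMS = %w[email password].freeze

def permit(params, allowed)
  params.select { |k, _| allowed.include?(k) }
end

# Hardened: only allow-listed keys reach the model; is_administrator stays false.
def create_user_allow_listed(params)
  user = User.new(is_administrator: false)
  permit(params, PERMITTED_SIGNUP_PARAMS).each { |k, v| user[k.to_sym] = v }
  user
end

# QA check: exposed_properties is what a GET on the object returns (the slide's
# point: such a request usually exists). Send a canary value for each property
# and report those outside the allow-list that ended up on the created object.
def writable_outside_allowlist(create_fn, exposed_properties, allowed)
  canaries = exposed_properties.to_h { |p| [p, "canary-#{p}"] }
  user = create_fn.call(canaries)
  (exposed_properties - allowed).select { |p| user[p.to_sym] == canaries[p] }
end
```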
A7: SECURITY MISCONFIGURATION
● Unnecessary HTTP methods
● Improper Cross-Origin Resource Sharing
  ○ Access-Control-Allow-Origin
  ○ Access-Control-Allow-Credentials
  ○ Using XSS to make requests to cross-origin sites
● Detailed errors
  ○ Respond with generic error messages; avoid revealing details of the failure unnecessarily
  ○ Do not pass technical details (e.g. call stacks or other internal hints) to the client
● Access to internal files/pages
● Security headers
  ○ Content-Security-Policy
  ○ Content-Type
  ○ X-Frame-Options
READY API: SENSITIVE FILES EXPOSURE (screenshot)
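An added Ruby example (not the talk's code): a reviewer for captured API responses that flags the items listed above (extra HTTP methods in Allow, CORS origin handling, stack traces in error bodies, missing security headers). The two sample responses and the trusted-origin list are constructed.

```ruby
# Response-header review for the misconfigurations listed above. Given the
# headers (and optionally the body) of a captured API response, it returns a
# list of findings; an empty list means nothing was flagged.
EXPECTED_METHODS = %w[GET POST PUT DELETE OPTIONS HEAD].freeze
REQUIRED_HEADERS = %w[content-security-policy content-type x-frame-options].freeze
# Markers of a stack trace leaking into an error body (Python and Java shapes).
STACK_TRACE_HINT = /Traceback \(most recent call last\)|\bat [\w.$]+\([\w.]+:\d+\)|Exception in/

def review_response(headers, body: "", request_origin: nil, trusted_origins: [])
  h = headers.transform_keys { |k| k.to_s.downcase }
  findings = []

  # Unnecessary HTTP methods advertised via Allow (e.g. TRACE).
  if h["allow"]
    extra = h["allow"].split(",").map(&:strip).map(&:upcase) - EXPECTED_METHODS
    findings << "unnecessary HTTP methods: #{extra.join(', ')}" unless extra.empty?
  end

  # CORS: a wildcard origin, or the request's Origin reflected back while
  # credentials are allowed, lets any site read the response as the user.
  acao = h["access-control-allow-origin"]
  credentials = h["access-control-allow-credentials"].to_s.casecmp?("true")
  if acao == "*"
    findings << "CORS: wildcard Access-Control-Allow-Origin"
  elsif acao && request_origin && acao == request_origin && !trusted_origins.include?(acao)
    findings << "CORS: untrusted Origin reflected" + (credentials ? " with credentials" : "")
  end

  # Detailed errors leaking internals.
  findings << "detailed error: stack trace in body" if body.match?(STACK_TRACE_HINT)

  # Security headers that should be present.
  REQUIRED_HEADERS.each { |name| findings << "missing #{name}" unless h.key?(name) }
  findings
end

# Constructed sample: a response with several of the issues above.
WEAK_RESPONSE = {
  "Allow" => "GET, POST, PUT, DELETE, TRACE",
  "Access-Control-Allow-Origin" => "https://other.example",
  "Access-Control-Allow-Credentials" => "true",
  "Content-Type" => "text/html",
}.freeze
WEAK_BODY = "Exception in thread \"main\" java.lang.NullPointerException\n\tat com.example.Api.get(Api.java:42)"

# Constructed sample: the same endpoint after hardening.
HARDENED_RESPONSE = {
  "Allow" => "GET, POST",
  "Access-Control-Allow-Origin" => "https://app.example",
  "Access-Control-Allow-Credentials" => "true",
  "Content-Type" => "application/json",
  "Content-Security-Policy" => "default-src 'none'",
  "X-Frame-Options" => "DENY",
}.freeze
```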
A8: INJECTIONS
(Slide diagram: injections from a hacker's server reaching the API's users: XSS injection, XML injection, JSON injection, SQL injection)

A8: INJECTIONS: HOW TO TEST
Option 1 (ReadyAPI):
● Secure module
● Commercial tool
● Automatic scanners for:
  ○ SQL
  ○ XSS
  ○ JSON
  ○ XML
Option 2 (Burp Suite):
● Professional security tool
● Commercial tool, free limited version
● Automatic scanners for most of the common injections
Option 3 (Postman):
● Data-driven testing (with Collection Runner)
● Free to some extent :)
● Loading dictionaries for SQL, XSS or any other injections
● Manual analysis of results
READY API: SQL INJECTION SCANNING (screenshot)
BURP SUITE: XSS INJECTION SCANNING (screenshot)
POSTMAN: XSS INJECTION SCANNING (screenshot)
A9: IMPROPER ASSET MANAGEMENT
● Secure your CI/CD pipeline configuration
  ○ safely store secrets that you use in your pipelines
  ○ isolate sensitive files like code signing keys from the repository
  ○ add monitoring to the CI/CD pipeline
  ○ pull requests that come from forks of your repository
● Code and Git history analysis
  ○ passwords and accounts are not committed to repositories
● Sensitive information in HTTP requests
  ○ https://example.com/controller/123/action?apiKey=a53f43564a5 is unsafe because the API key is in the URL
Helpful article: https://circleci.com/blog/security-best-practices-for-ci-cd/
Full article: https://www.scmagazineuk.com/samsung-private-gitlab-tokens-exposed-including-source-code-credentials-secret-keys/article/1584224/
A10: INSUFFICIENT LOGGING & MONITORING
● Write audit logs before and after security-related events
● Consider logging token validation errors in order to detect attacks
● Take care of log injection attacks by sanitizing log data beforehand
● Auditable events, such as logins, failed logins and high-value transactions, are logged
● Any scanning tools (like Burp) trigger alerts
● Appropriate alerting thresholds and response escalation processes are in place
Same as A10 in the OWASP Top 10
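An added Ruby example (not the talk's code) for the logging points above and for the API-key-in-the-URL item under A9: control-character sanitization of logged values, redaction of secret query parameters, one JSON audit line per event, and a failure-count threshold that raises an alert. The secret key names, threshold and window are assumed values.

```ruby
require "json"
require "uri"

# Log injection: CR/LF (and other control characters) in a user-controlled
# value would let a request forge extra log lines. Escape them so one event
# always stays one line, whatever the log sink is.
def sanitize_log_value(value)
  value.to_s.gsub(/[\x00-\x1f\x7f]/) { |c| format("\\x%02x", c.ord) }
end

# Assumed list of query parameter names that carry secrets.
SECRET_QUERY_KEYS = %w[apikey api_key token access_token password secret].freeze

# Redact secret-looking query parameters before a URL is written to a log.
def redact_url(url)
  uri = URI.parse(url)
  return url if uri.query.nil?
  pairs = URI.decode_www_form(uri.query).map do |k, v|
    SECRET_QUERY_KEYS.include?(k.downcase) ? [k, "REDACTED"] : [k, v]
  end
  uri.query = URI.encode_www_form(pairs)
  uri.to_s
end

# One audit line (JSON) per event; every field value is sanitized first.
def audit_line(event, fields, now)
  safe = fields.transform_values { |v| sanitize_log_value(v) }
  JSON.generate({ "ts" => now, "event" => event }.merge(safe))
end

# Threshold alerting for failed logins / token validation errors:
# `threshold` failures for the same principal inside `window_seconds`.
class FailureMonitor
  def initialize(threshold:, window_seconds:)
    @threshold = threshold
    @window = window_seconds
    @failures = Hash.new { |h, k| h[k] = [] }
  end

  # Record one failure at time now; returns true when an alert should fire.
  def record(principal, now)
    times = @failures[principal]
    times << now
    times.reject! { |t| now - t > @window }
    times.size >= @threshold
  end
end
```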
DEVSECOPS APPROACH TO DEVELOPMENT
(Slide diagram: the pipeline with security activities attached to its stages)
Pipeline stages: Developer's machine (feature is implemented) → Master branch (code is merged) → Dev/Test env → Stage env → Pre-approved deployment → Prod
● CONTINUOUS INTEGRATION (CI): Secure Coding Practices, SAST+SCA checks, SAST+DAST checks
● CONTINUOUS DELIVERY (CD): Automated Security Testing (auto + manual), IaC scripts for Dev/Test env, Review infrastructure security, Pen testing by 3rd party
● CONTINUOUS SECURITY (CS): Security Requirements, Threat modeling
HOW TO PICK THE RIGHT TOOL?
There are a bunch of other tools available. Use these criteria to pick the tool for you:
● Project goals (monitor the level of security vs try out some new stuff vs be prepared for external pen testing)
● Regularity (one-time runs vs ongoing)
● Whether to integrate it into all processes and the CI/CD pipeline or not
● Complex multi-step authentication process
● Security testing coverage (scanning for the application only vs infrastructure and configuration issues, etc.)
● Environments to be used (cloud or not, etc.)
● Users of the tools (test engineers, developers, DevOps, security guys)
● Standards to follow and comply with (security standards, domain-specific standards)
API PENTESTING: NEW MINDSET
● Understand the data flow and relations between resources
  ○ Get to know the system and the API you're testing by asking questions
● Always sniff the traffic. Real traffic is better than documentation.
● Wean yourself off the UI
  ○ Don't be afraid to generate API requests from scratch
● Is there more than one version of the API?
● Use different clients: mobile/web/web-mobile
● Use the old versions to generate more traffic
● Always look for more niche features
● Different protocols == different implementations
WHAT'S NEXT?
To get deeper into the topic:
● Pixi as part of the DevSlop project (https://www.owasp.org/index.php/OWASP_DevSlop_Project) + video tutorial (https://www.youtube.com/watch?v=td-2rN4PgRw)
● Juice Shop - https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
● Ads manager application - https://github.com/kovechenko/VulnerableAdvertisementAPI
● OWASP REST Security Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
● News about API security - https://apisecurity.io
To start from:
● OWASP Testing Guide - https://www.owasp.org/images/1/19/OTGv4.pdf
● Hack Yourself First by Troy Hunt - https://www.pluralsight.com/courses/hack-yourself-first
● Hack Your API First by Troy Hunt - https://www.pluralsight.com/courses/hack-your-api-first
Contact me
Email: kate@fest.group
FB: Kateryna Ovechenko

QA Fest 2019. Катерина Черникова. Tune your P’s: the pop-art of keeping testa...QA Fest 2019. Катерина Черникова. Tune your P’s: the pop-art of keeping testa...
QA Fest 2019. Катерина Черникова. Tune your P’s: the pop-art of keeping testa...QAFest
 
QA Fest 2019. Алиса Бойко. Какнезапутаться в коммуникативных сетях IT
QA Fest 2019. Алиса Бойко. Какнезапутаться в коммуникативных сетях ITQA Fest 2019. Алиса Бойко. Какнезапутаться в коммуникативных сетях IT
QA Fest 2019. Алиса Бойко. Какнезапутаться в коммуникативных сетях ITQAFest
 
QA Fest 2019. Святослав Логин. Как найти уязвимости в мобильном приложении
QA Fest 2019. Святослав Логин. Как найти уязвимости в мобильном приложенииQA Fest 2019. Святослав Логин. Как найти уязвимости в мобильном приложении
QA Fest 2019. Святослав Логин. Как найти уязвимости в мобильном приложенииQAFest
 
QA Fest 2019. Катерина Шепелєва та Інна Оснач. Що українцям потрібно знати пр...
QA Fest 2019. Катерина Шепелєва та Інна Оснач. Що українцям потрібно знати пр...QA Fest 2019. Катерина Шепелєва та Інна Оснач. Що українцям потрібно знати пр...
QA Fest 2019. Катерина Шепелєва та Інна Оснач. Що українцям потрібно знати пр...QAFest
 
QA Fest 2019. Петр Тарасенко. QA Hackathon - The Cookbook 22
QA Fest 2019. Петр Тарасенко. QA Hackathon - The Cookbook 22QA Fest 2019. Петр Тарасенко. QA Hackathon - The Cookbook 22
QA Fest 2019. Петр Тарасенко. QA Hackathon - The Cookbook 22QAFest
 
QA Fest 2019. Евгений Рудев. QA 3.0. New generation
QA Fest 2019. Евгений Рудев. QA 3.0. New generationQA Fest 2019. Евгений Рудев. QA 3.0. New generation
QA Fest 2019. Евгений Рудев. QA 3.0. New generationQAFest
 

More from QAFest (20)

QA Fest 2019. Сергій Короленко. Топ веб вразливостей за 40 хвилин
QA Fest 2019. Сергій Короленко. Топ веб вразливостей за 40 хвилинQA Fest 2019. Сергій Короленко. Топ веб вразливостей за 40 хвилин
QA Fest 2019. Сергій Короленко. Топ веб вразливостей за 40 хвилин
 
QA Fest 2019. Анна Чернышова. Self-healing test automation 2.0. The Future
QA Fest 2019. Анна Чернышова. Self-healing test automation 2.0. The FutureQA Fest 2019. Анна Чернышова. Self-healing test automation 2.0. The Future
QA Fest 2019. Анна Чернышова. Self-healing test automation 2.0. The Future
 
QA Fest 2019. Doug Sillars. It's just too Slow: Testing Mobile application pe...
QA Fest 2019. Doug Sillars. It's just too Slow: Testing Mobile application pe...QA Fest 2019. Doug Sillars. It's just too Slow: Testing Mobile application pe...
QA Fest 2019. Doug Sillars. It's just too Slow: Testing Mobile application pe...
 
QA Fest 2019. Катерина Спринсян. Параллельное покрытие автотестами и другие и...
QA Fest 2019. Катерина Спринсян. Параллельное покрытие автотестами и другие и...QA Fest 2019. Катерина Спринсян. Параллельное покрытие автотестами и другие и...
QA Fest 2019. Катерина Спринсян. Параллельное покрытие автотестами и другие и...
 
QA Fest 2019. Никита Галкин. Как зарабатывать больше
QA Fest 2019. Никита Галкин. Как зарабатывать большеQA Fest 2019. Никита Галкин. Как зарабатывать больше
QA Fest 2019. Никита Галкин. Как зарабатывать больше
 
QA Fest 2019. Сергей Пирогов. Why everything is spoiled
QA Fest 2019. Сергей Пирогов. Why everything is spoiledQA Fest 2019. Сергей Пирогов. Why everything is spoiled
QA Fest 2019. Сергей Пирогов. Why everything is spoiled
 
QA Fest 2019. Сергей Новик. Между мотивацией и выгоранием
QA Fest 2019. Сергей Новик. Между мотивацией и выгораниемQA Fest 2019. Сергей Новик. Между мотивацией и выгоранием
QA Fest 2019. Сергей Новик. Между мотивацией и выгоранием
 
QA Fest 2019. Владимир Никонов. Код Шредингера или зачем и как мы тестируем н...
QA Fest 2019. Владимир Никонов. Код Шредингера или зачем и как мы тестируем н...QA Fest 2019. Владимир Никонов. Код Шредингера или зачем и как мы тестируем н...
QA Fest 2019. Владимир Никонов. Код Шредингера или зачем и как мы тестируем н...
 
QA Fest 2019. Владимир Трандафилов. GUI automation of WEB application with SV...
QA Fest 2019. Владимир Трандафилов. GUI automation of WEB application with SV...QA Fest 2019. Владимир Трандафилов. GUI automation of WEB application with SV...
QA Fest 2019. Владимир Трандафилов. GUI automation of WEB application with SV...
 
QA Fest 2019. Иван Крутов. Bulletproof Selenium Cluster
QA Fest 2019. Иван Крутов. Bulletproof Selenium ClusterQA Fest 2019. Иван Крутов. Bulletproof Selenium Cluster
QA Fest 2019. Иван Крутов. Bulletproof Selenium Cluster
 
QA Fest 2019. Николай Мижигурский. Миссия /*не*/выполнима: гуманитарий собесе...
QA Fest 2019. Николай Мижигурский. Миссия /*не*/выполнима: гуманитарий собесе...QA Fest 2019. Николай Мижигурский. Миссия /*не*/выполнима: гуманитарий собесе...
QA Fest 2019. Николай Мижигурский. Миссия /*не*/выполнима: гуманитарий собесе...
 
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
 
QA Fest 2019. Дмитрий Прокопук. Mocks and network tricks in UI automation
QA Fest 2019. Дмитрий Прокопук. Mocks and network tricks in UI automationQA Fest 2019. Дмитрий Прокопук. Mocks and network tricks in UI automation
QA Fest 2019. Дмитрий Прокопук. Mocks and network tricks in UI automation
 
QA Fest 2019. Екатерина Дядечко. Тестирование медицинского софта — вызовы и в...
QA Fest 2019. Екатерина Дядечко. Тестирование медицинского софта — вызовы и в...QA Fest 2019. Екатерина Дядечко. Тестирование медицинского софта — вызовы и в...
QA Fest 2019. Екатерина Дядечко. Тестирование медицинского софта — вызовы и в...
 
QA Fest 2019. Катерина Черникова. Tune your P’s: the pop-art of keeping testa...
QA Fest 2019. Катерина Черникова. Tune your P’s: the pop-art of keeping testa...QA Fest 2019. Катерина Черникова. Tune your P’s: the pop-art of keeping testa...
QA Fest 2019. Катерина Черникова. Tune your P’s: the pop-art of keeping testa...
 
QA Fest 2019. Алиса Бойко. Какнезапутаться в коммуникативных сетях IT
QA Fest 2019. Алиса Бойко. Какнезапутаться в коммуникативных сетях ITQA Fest 2019. Алиса Бойко. Какнезапутаться в коммуникативных сетях IT
QA Fest 2019. Алиса Бойко. Какнезапутаться в коммуникативных сетях IT
 
QA Fest 2019. Святослав Логин. Как найти уязвимости в мобильном приложении
QA Fest 2019. Святослав Логин. Как найти уязвимости в мобильном приложенииQA Fest 2019. Святослав Логин. Как найти уязвимости в мобильном приложении
QA Fest 2019. Святослав Логин. Как найти уязвимости в мобильном приложении
 
QA Fest 2019. Катерина Шепелєва та Інна Оснач. Що українцям потрібно знати пр...
QA Fest 2019. Катерина Шепелєва та Інна Оснач. Що українцям потрібно знати пр...QA Fest 2019. Катерина Шепелєва та Інна Оснач. Що українцям потрібно знати пр...
QA Fest 2019. Катерина Шепелєва та Інна Оснач. Що українцям потрібно знати пр...
 
QA Fest 2019. Петр Тарасенко. QA Hackathon - The Cookbook 22
QA Fest 2019. Петр Тарасенко. QA Hackathon - The Cookbook 22QA Fest 2019. Петр Тарасенко. QA Hackathon - The Cookbook 22
QA Fest 2019. Петр Тарасенко. QA Hackathon - The Cookbook 22
 
QA Fest 2019. Евгений Рудев. QA 3.0. New generation
QA Fest 2019. Евгений Рудев. QA 3.0. New generationQA Fest 2019. Евгений Рудев. QA 3.0. New generation
QA Fest 2019. Евгений Рудев. QA 3.0. New generation
 

Recently uploaded

BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxSayali Powar
 
Sulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their usesSulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their usesVijayaLaxmi84
 
ARTERIAL BLOOD GAS ANALYSIS........pptx
ARTERIAL BLOOD  GAS ANALYSIS........pptxARTERIAL BLOOD  GAS ANALYSIS........pptx
ARTERIAL BLOOD GAS ANALYSIS........pptxAneriPatwari
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
ClimART Action | eTwinning Project
ClimART Action    |    eTwinning ProjectClimART Action    |    eTwinning Project
ClimART Action | eTwinning Projectjordimapav
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
How to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseHow to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseCeline George
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4JOYLYNSAMANIEGO
 
How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17Celine George
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Association for Project Management
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...DhatriParmar
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptxmary850239
 
4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptxmary850239
 
Expanded definition: technical and operational
Expanded definition: technical and operationalExpanded definition: technical and operational
Expanded definition: technical and operationalssuser3e220a
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxkarenfajardo43
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 

Recently uploaded (20)

BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
 
Sulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their usesSulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their uses
 
ARTERIAL BLOOD GAS ANALYSIS........pptx
ARTERIAL BLOOD  GAS ANALYSIS........pptxARTERIAL BLOOD  GAS ANALYSIS........pptx
ARTERIAL BLOOD GAS ANALYSIS........pptx
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
ClimART Action | eTwinning Project
ClimART Action    |    eTwinning ProjectClimART Action    |    eTwinning Project
ClimART Action | eTwinning Project
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
How to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseHow to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 Database
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
 
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptxINCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx
 
Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"
 
4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx
 
Expanded definition: technical and operational
Expanded definition: technical and operationalExpanded definition: technical and operational
Expanded definition: technical and operational
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 

QA Fest 2019. Kateryna Ovechenko. API Security Testing

  • 1. API SECURITY. Kateryna Ovechenko. QA CONFERENCE #1 IN UKRAINE, KYIV 2019
  • 2. ABOUT ME (WITH PASSION TO QUALITY. QA CONFERENCE #1 IN UKRAINE, KYIV 2019)
    ● Head of QA Department at
    ● Co-founder of professional IT conferences
    ● 9+ years in testing, with a focus on test management of large programs and teams, and on security testing
    ● 4+ years in security testing: from building competence in the company to coordinating projects for external customers
    ● Speaker at local and international conferences (QA Fest, SQA Days, Simplicity Day, Czech Test and several in Norway), lecturer at National Aviation University
  • 3. REAL EXAMPLES
  • 4. NISSAN
    Full article: https://www.computerworld.com/article/3036964/hackers-can-access-the-nissan-leaf-via-insecure-apis.html
    Remote control over the API of another user's car:
    ● Climate control
    ● Battery charge management
    ● Car driving range
    ● Historic driving data (when, how far, how efficiently)
  • 5. SAMSUNG
    Full article: https://www.consumerreports.org/tvs/samsung-fixes-smart-tv-security-issue/
    The unsecured API allowed access to:
    ● change TV channels
    ● turn up the volume
    ● play unwanted YouTube videos
    ● kick the TV off a WiFi connection
    It did NOT allow:
    ● spying on a TV viewer
    ● stealing private information
    ● monitoring what was being watched
  • 6. CANDY CRUSH
    Full article: https://www.stavros.io/posts/winning-candy-crush/
    By modifying legitimate API calls from the game, the hacker was able to:
    ● Play without the lives limitation
    ● Ease the levels of the game by changing the number of colors for each level
    ● Finish each level automatically with a random score by calling the proper method in the API
  • 7. APIS IN OUR LIFE
    ● The average number of APIs a company runs is 420
    ● 83% of traffic in the content-delivery network belongs to APIs
    Full report: https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/state-of-the-internet-security-retail-attacks-and-api-traffic-report-2019.pdf
  • 8. OWASP API SECURITY
    Top 10 API Security Risks, current draft:
    1. Broken Object Level Access Control
    2. Broken Authentication
    3. Improper Data Filtering
    4. Lack of Resources & Rate Limiting
    5. Missing Function/Resource Level Access Control
    6. Mass Assignment
    7. Security Misconfiguration
    8. Injection
    9. Improper Assets Management
    10. Insufficient Logging & Monitoring
    API Security Cheat Sheet from OWASP: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
  • 9. A1: BROKEN OBJECT LEVEL ACCESS CONTROL
    POST api/v1/documents/download_document
    { document_id: 102 }
    Trying neighbouring IDs: 102 → ok, 101 → fail, 103 → fail, 104 → fail
  • 10. A1: BROKEN OBJECT LEVEL ACCESS CONTROL
    Violation of horizontal access control. Object references appear in:
    ● URL parameters: /api/users/717
    ● Query parameters: /download_file?id=111
    ● Body parameters: user-id:717
  • 11. A1: BROKEN OBJECT LEVEL ACCESS CONTROL
    Tools: traffic analyzers, API testing tool
  • 12. A2: BROKEN AUTHENTICATION
    ● Weak authentication (password management, brute force attacks, etc.)
      ○ Can be tested both manually and with automatic scanners
    ● Checking sessions for APIs:
      GET /api/1.0/Channels/1270 HTTP/1.1
      Host: test-site.azurewebsites.net
      Accept: application/json
      Accept-Encoding: gzip, deflate
      Cookie: auth=60f5f03b-57b8-40b4-aa79-a73e8b6f0814; ARRAffinity=667b68ef9998ba2095eb4fef50e58d958908a44894f5425ed92f2db982a28474
      Connection: keep-alive
  • 13. A2: BROKEN AUTHENTICATION
    ● API-to-API communication with a master token or service account
      ○ Cannot be found automatically, only during architecture and code reviews
    ● Basic authentication vs claim-based authentication and Single Sign-On (SSO)
  • 14. CLAIM-BASED AUTHENTICATION (diagram)
  • 15. A2: BROKEN AUTHENTICATION
    Tools: automatic scanners, API testing tool
  • 16. A3: IMPROPER DATA FILTERING
    ● Client-side data filtering: APIs tend to return more data than required. This data is usually not shown to the user, but can easily be found in the API response.
    ● Filters manipulation: the front-end usually maintains the user's state, and the client sends more filters to the back-end in order to reflect that state.
    Example: the UI shows only
      Name: Kate
      Role: superuser
      Hobby: travelling, sports
    while the API response contains
      200 OK
      {
        "users": [{
          "picture": "profile_kate.jpg",
          "userid": 220,
          "name": "Kate",
          "last_name": "Ovechenko",
          "role": "superuser",
          "hobbies": ["travelling", "sports"],
          "address": "Kyiv, Test str., 35"
        }]
      }
  • 17. A3: IMPROPER DATA FILTERING
    Tools: traffic analyzers, API testing tool
  • 18. Full article: https://devclass.com/2018/10/02/gitlab-api-flaw-security-updates/
  • 19. A4: LACK OF RESOURCES & RATE LIMITING
    Scenario 1: too many requests are being made to or from a certain API at the same time
    ● Status code: 429 Too Many Requests
    ● Proprietary headers: X-RateLimit-*
    Scenario 2: too heavy requests are being made to an API
    ● /dashboard/users?page=1&size=100 → size=200000
  • 20. A4: LACK OF RESOURCES & RATE LIMITING
    Scenario 3: what data can be used for fuzzing:
    ● Wrong data format
    ● Long arrays of data
    ● Special characters
    ● Other methods or protocols than those expected by the server
    ● Special functions
  • 21. BURP SUITE: HTTP METHOD FUZZING (screenshot)
  • 22. A4: LACK OF RESOURCES & RATE LIMITING
    Tools: traffic analyzers; fuzzing tools: JBroFuzz, Fuzzapi
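Scenarios 1 and 2 on the server side, as an added example that is not part of the deck: a per-client sliding-window limiter that answers 429 with X-RateLimit-* headers, and a page-size cap for the /dashboard/users handler. The limit, window, cap and the in-memory handler are assumptions for illustration.

```python
import time
from collections import defaultdict

RATE_LIMIT = 5          # requests per window per client (assumed value)
WINDOW_SECONDS = 60     # length of the window in seconds (assumed value)
MAX_PAGE_SIZE = 100     # largest size= a client may request (assumed value)


class SlidingWindowLimiter:
    """Keeps the timestamps of each client's recent requests and refuses
    a request once `limit` of them fall inside the last `window` seconds."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(list)   # client key -> timestamps of counted requests

    def check(self, key, now=None):
        """Return (allowed, headers). Header names follow the X-RateLimit-*
        convention mentioned on slide 19; real APIs vary in the exact names."""
        now = time.time() if now is None else now
        hits = [t for t in self._hits[key] if t > now - self.window]
        allowed = len(hits) < self.limit
        if allowed:
            hits.append(now)
        self._hits[key] = hits
        # Seconds until the oldest counted request leaves the window.
        reset_in = int(self.window - (now - hits[0])) if hits else self.window
        headers = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(max(self.limit - len(hits), 0)),
            "X-RateLimit-Reset": str(reset_in),
        }
        if not allowed:
            headers["Retry-After"] = str(reset_in)
        return allowed, headers


def handle_users_page(limiter, client_key, page, size, now=None):
    """Simulated /dashboard/users?page=..&size=.. handler (constructed).
    Returns (status_code, headers, body)."""
    allowed, headers = limiter.check(client_key, now)
    if not allowed:
        return 429, headers, {"error": "Too Many Requests"}
    # Scenario 2: refuse size=200000 instead of materialising 200000 rows.
    if page < 1 or not 1 <= size <= MAX_PAGE_SIZE:
        return 400, headers, {"error": f"size must be between 1 and {MAX_PAGE_SIZE}"}
    users = [{"userid": i} for i in range((page - 1) * size, page * size)]
    return 200, headers, {"users": users}
```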
  • 23. A5: MISSING FUNCTION LEVEL ACCESS CONTROL
    Violation of vertical access control:
    ● Understand the relations between resources
    ● Complex user policies and roles
    ● Easier to predict the entry points (GET → DELETE) (/api/v1/users → api/v1/admins)
    ● 20x OK vs 401/403 Unauthorized/Forbidden
  • 24. A5: MISSING FUNCTION LEVEL ACCESS CONTROL (diagram: role hierarchy of authenticated user, regular user, manager and admin)
  • 25. Full article: https://www.zdnet.com/article/steam-bug-could-have-given-you-access-to-all-the-cd-keys-of-any-game/
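Both access-control checks from slides 9 to 11 (A1, horizontal) and 23 to 24 (A5, vertical) in one added example that is not part of the deck: a tiny in-memory API with a role matrix and an ownership check, a variant with the A1 bug, and a probe that replays requests and reports every response that differs from the policy. Users, documents, roles and routes are constructed for illustration.

```python
# Constructed data: document owners and each user's role.
DOCUMENTS = {101: {"owner": "alice"}, 102: {"owner": "bob"},
             103: {"owner": "carol"}, 104: {"owner": "bob"}}
USERS = {"alice": "user", "bob": "user", "carol": "manager", "root": "admin"}

ROLE_RANK = {"user": 1, "manager": 2, "admin": 3}
# Minimum role per (method, route): the vertical access-control matrix.
ROUTE_POLICY = {
    ("POST", "/api/v1/documents/download_document"): "user",
    ("GET", "/api/v1/users"): "manager",
    ("DELETE", "/api/v1/users"): "admin",
    ("GET", "/api/v1/admins"): "admin",
}


def handle(user, method, route, body=None, bola_check=True):
    """Return an HTTP-style status code for one request."""
    if user not in USERS:
        return 401
    needed = ROUTE_POLICY.get((method, route))
    if needed is None:
        return 404
    if ROLE_RANK[USERS[user]] < ROLE_RANK[needed]:
        return 403                      # A5: function-level access control
    if route == "/api/v1/documents/download_document":
        doc = DOCUMENTS.get((body or {}).get("document_id"))
        if doc is None:
            return 404
        if bola_check and doc["owner"] != user:
            return 403                  # A1: object-level access control
    return 200


def vulnerable_api(user, method, route, body=None):
    """The same API with the A1 bug: the route is authorised by role,
    but ownership of the referenced document is never checked."""
    return handle(user, method, route, body, bola_check=False)


def neighbouring_ids(own_id, spread=2):
    """IDs around the one the client used legitimately (slide 9: 102 -> 101, 103, 104)."""
    return [i for i in range(own_id - spread, own_id + spread + 1) if i != own_id]


def probe(api, user, requests):
    """Replay each (method, route, body) as `user` against `api` and return
    the requests whose status differs from what the policy (handle) says."""
    findings = []
    for method, route, body in requests:
        got = api(user, method, route, body)
        want = handle(user, method, route, body)
        if got != want:
            findings.append({"method": method, "route": route, "body": body,
                             "expected": want, "got": got})
    return findings
```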
  • 26. A6: MASS ASSIGNMENT
    ● Modern frameworks encourage developers to use mass assignment techniques (a data-transfer object with all properties)
    ● Easier to exploit in APIs
      ○ We can usually find a GET request that returns all the properties of an object
      def signup
        @user = User.create(params[:user])
        # => User<email: "john@doe.com", password: "qwerty", is_administrator: false>
      end
  • 27. A6: MASS ASSIGNMENT
      <!-- INJECTED FIELD: -->
      <input type="hidden" name="is_administrator" value="true">

      def signup
        @user = User.create(params[:user])
        # => User<email: "john@doe.com", password: "qwerty", is_administrator: true>
      end

      def signup
        # Explicit assignment:
        @user = User.create(
          email: params[:user][:email],
          password: params[:user][:password]
        )
        # or whitelisting:
        @user = User.create(
          params.require(:user).permit(:email, :password)
        )
      end
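The whitelisting idea from slide 27 applied in both directions, as an added example that is not part of the deck: an input allowlist that stops the injected is_administrator field (A6, slides 26 to 27) and an output projection that keeps address and role out of the /users response (A3, slide 16), plus a check that scans a response for fields that should never reach a client. Field names, the in-memory store and the sensitive-field list are assumptions for illustration.

```python
# Fields a client may set at signup (A6); anything else in the payload is dropped.
SIGNUP_PERMITTED = {"email", "password"}
# Fields the /users response may expose (A3); the server projects, so the
# client never has to "hide" role or address.
USER_PUBLIC_FIELDS = {"userid", "name", "picture", "hobbies"}

USERS = {}   # userid -> record; constructed in-memory store


class RejectedFields(Exception):
    """Raised when the client sent attributes it is not allowed to set."""


def permit(params, allowed, strict=False):
    """Return only the allowed keys of `params` (the Python counterpart of
    params.require(:user).permit(...)). With strict=True unknown keys raise
    instead of being silently dropped, which makes a test fail loudly."""
    extra = set(params) - allowed
    if extra and strict:
        raise RejectedFields(sorted(extra))
    return {k: v for k, v in params.items() if k in allowed}


def signup_unsafe(params):
    """The mass-assignment bug from slides 26 and 27, kept for comparison:
    every key in the payload is copied onto the new user."""
    user = {"userid": len(USERS) + 1, "is_administrator": False}
    user.update(params)              # is_administrator=true from the client wins
    USERS[user["userid"]] = user
    return user


def signup(params):
    """Hardened variant: privileges are set server-side and only permitted
    keys are copied. (Password hashing is omitted to keep the example short.)"""
    user = {"userid": len(USERS) + 1, "is_administrator": False, "role": "user",
            "name": "", "picture": "", "hobbies": [], "address": ""}
    user.update(permit(params, SIGNUP_PERMITTED))
    USERS[user["userid"]] = user
    return user


def get_users_response():
    """Projection of the stored records to their public shape (A3)."""
    return {"users": [permit(u, USER_PUBLIC_FIELDS) for u in USERS.values()]}


def leaked_fields(response, sensitive=("password", "address", "role", "is_administrator")):
    """Walk a JSON-like response and return the sensitive keys found anywhere in it."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in sensitive:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(response)
    return sorted(found)
```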
  • 28. A7: SECURITY MISCONFIGURATION
    ● Unnecessary HTTP methods
    ● Improper Cross-Origin Resource Sharing
      ○ Access-Control-Allow-Origin
      ○ Access-Control-Allow-Credentials
      ○ Using XSS to make requests to cross-origin sites
    ● Detailed errors
      ○ Respond with generic error messages; avoid revealing details of the failure unnecessarily
      ○ Do not pass technical details (e.g. call stacks or other internal hints) to the client
    ● Access to internal files/pages
    ● Security headers
      ○ Content-Security-Policy
      ○ Content-Type
      ○ X-Frame-Options
  • 29. READY API: SENSITIVE FILES EXPOSURE (screenshot)
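A response check for the slide 28 items, as an added example that is not part of the deck: it flags the CORS combinations that matter (wildcard plus credentials, a reflected or unknown origin), HTTP methods beyond what the API needs, missing or weak security headers, and error bodies that carry stack traces. The allowed method set, the origin allow list and the stack-trace markers are assumptions; the sample responses in the test are constructed.

```python
REQUIRED_HEADERS = ("Content-Security-Policy", "Content-Type", "X-Frame-Options")
ALLOWED_METHODS = {"GET", "POST", "OPTIONS"}   # what this (assumed) API actually needs
# Fragments that betray a detailed error reaching the client (assumed list).
STACK_MARKERS = ("Traceback (most recent call last)", "Exception:", "   at ",
                 "SQLSTATE", "ORA-", "/var/www/")


def check_headers(headers, allowed_origins=()):
    """Return a list of finding strings for one response. `headers` maps
    response header name -> value; names are compared case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # CORS: the dangerous settings are not "*" by itself but the combinations.
    acao = h.get("access-control-allow-origin")
    with_credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and with_credentials:
        findings.append("CORS: wildcard origin combined with credentials")
    elif acao == "null":
        findings.append("CORS: 'null' origin allowed")
    elif acao and acao != "*" and acao not in allowed_origins:
        # An origin that is not on the allow list usually means the server
        # reflects whatever Origin header it receives.
        findings.append(f"CORS: origin {acao!r} is not on the allow list")

    # Unnecessary HTTP methods, from Allow or the CORS preflight answer.
    allow = h.get("allow") or h.get("access-control-allow-methods")
    if allow:
        extra = {m.strip().upper() for m in allow.split(",")} - ALLOWED_METHODS
        if extra:
            findings.append("unnecessary HTTP methods enabled: " + ", ".join(sorted(extra)))

    # Security headers the slide lists.
    for name in REQUIRED_HEADERS:
        if name.lower() not in h:
            findings.append(f"missing security header: {name}")
    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options must be DENY or SAMEORIGIN")
    return findings


def error_leaks_details(body):
    """Return the stack-trace markers found in an error response body."""
    return [marker for marker in STACK_MARKERS if marker in body]
```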
  • 30. A8: INJECTIONS (diagram: hacker → server → users; XSS injection, XML injection, JSON injection, SQL injection)
  • 31. A8: INJECTIONS: HOW TO TEST
    OPTION 1
    ● Secure module
    ● Commercial tool
    ● Automatic scanners for: SQL, XSS, JSON, XML
    OPTION 2
    ● Professional security tool
    ● Commercial tool, free limited version
    ● Automatic scanners for most common injections
    OPTION 3
    ● Data-driven testing (with Collection Runner)
    ● Free to some extent :)
    ● Loading dictionaries for SQL, XSS or any other injections
    ● Manual analysis of results
  • 32. READY API: SQL INJECTION SCANNING (screenshot)
  • 33. BURP SUITE: XSS INJECTION SCANNING (screenshot)
  • 35. A9: IMPROPER ASSET MANAGEMENT
    ● Secure your CI/CD pipeline configuration
      ○ safely store secrets that you use in your pipelines
      ○ isolate sensitive files like code signing keys from the repository
      ○ add monitoring to the CI/CD pipeline
      ○ pull requests that come from forks of your repository
    ● Code and Git history analysis
      ○ passwords and accounts are not committed to repositories
    ● Sensitive information in HTTP requests
      ○ https://example.com/controller/123/action?apiKey=a53f43564a5 is unsafe because the API key is in the URL
    Helpful article: https://circleci.com/blog/security-best-practices-for-ci-cd/
  • 36. Full article: https://www.scmagazineuk.com/samsung-private-gitlab-tokens-exposed-including-source-code-credentials-secret-keys/article/1584224/
  • 37. A10: INSUFFICIENT LOGGING & MONITORING (same as A10 in OWASP Top 10)
    ● Write audit logs before and after security-related events
    ● Consider logging token validation errors in order to detect attacks
    ● Take care of log injection attacks by sanitizing log data beforehand
    ● Auditable events, such as logins, failed logins and high-value transactions, are logged
    ● Any scanning tools (like Burp) trigger alerts
    ● Appropriate alerting thresholds and response escalation processes are in place
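The A9 and A10 points together, as an added example that is not part of the deck: an audit-log writer that emits one JSON record per event (so a user-supplied value containing a newline cannot forge an extra line), redacts credential-like query parameters such as the apiKey from slide 35 before a URL is logged, and a detector over the resulting lines that alerts when one IP produces repeated token validation errors or failed logins. Event names, the threshold, the parameter list and the sample events are assumptions for illustration.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that must never be written to a log (assumed list).
SECRET_PARAMS = {"apikey", "api_key", "token", "access_token", "password"}
# Events the detector counts per client IP (assumed names).
ALERT_EVENTS = ("token_invalid", "login_failed")


def redact_url(url):
    """Mask credential-like query parameters, keeping the rest of the URL."""
    parts = urlsplit(url)
    query = [(key, "REDACTED" if key.lower() in SECRET_PARAMS else value)
             for key, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def audit_line(event, **fields):
    """One audit record as a single JSON line. json.dumps escapes control
    characters, which is what neutralises log injection: a value such as
    'bob\\nevent=login_ok' cannot start a second, forged record."""
    record = {"event": event}
    for key, value in fields.items():
        record[key] = redact_url(value) if key == "url" else str(value)
    return json.dumps(record, ensure_ascii=True)


def parse_line(line):
    """Parse one audit line back into a dict; malformed lines yield None."""
    try:
        return json.loads(line)
    except ValueError:
        return None


def detect(lines, threshold=3):
    """Return sorted (ip, event) pairs that reached `threshold` occurrences.
    Repeated token validation errors or failed logins from one client are the
    A2/A10 signals the slides ask to monitor."""
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("event") in ALERT_EVENTS:
            counts[rec.get("ip", "?")][rec["event"]] += 1
    return sorted((ip, ev) for ip, c in counts.items()
                  for ev, n in c.items() if n >= threshold)
```

The "before and after" rule from slide 37 is the caller's job: write one record when the security-relevant action starts and another with its outcome, both through audit_line.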
  • 38. DEVSECOPS APPROACH TO DEVELOPMENT (pipeline diagram)
    Stages: Developer's machine (feature is implemented) → Master branch (code is merged) → Dev/Test Env → Stage Env → Pre-approved deployment → Prod
    Tracks: CONTINUOUS INTEGRATION (CI), CONTINUOUS DELIVERY (CD), CONTINUOUS SECURITY (CS)
    Security activities along the pipeline: Security Requirements, Threat modeling, Secure Coding Practices, SAST+SCA checks, SAST+DAST checks, Automated Security Testing (auto + manual), IaC scripts for Dev/Test env, Review infrastructure security, Pen testing by 3rd party
  • 39. HOW TO PICK THE RIGHT TOOL?
    There are a bunch of other tools available. Use these criteria to pick the tool for you:
    ● Project goals (monitor the level of security vs try out some new stuff vs be prepared for external pen testing)
    ● Regularity (one-time runs vs ongoing)
    ● Whether to integrate it into all processes and the CI/CD pipeline or not
    ● Complex multi-step authentication process
    ● Security testing coverage (scanning for the application only vs infrastructure and configuration issues, etc.)
    ● Environments to be used (cloud or not, etc.)
    ● Users of the tools (test engineers, developers, devops, security guys)
    ● Standards to follow and comply with (security standards, domain-specific standards)
  • 40. API PENTESTING: NEW MINDSET
    ● Understand the data flow and relations between resources
      ○ Get to know the system and the API you're testing by asking questions
    ● Always sniff the traffic. Real traffic is better than documentation.
    ● Wean yourself off the UI
      ○ Don't be afraid to generate API requests from scratch
    ● Is there more than one version of the API?
    ● Use different clients: mobile/web/web-mobile
    ● Use the old versions to generate more traffic
    ● Always look for more niche features
    ● Different protocols == different implementations
  • 41. WHAT'S NEXT?
    To start from:
    ● OWASP Testing Guide - https://www.owasp.org/images/1/19/OTGv4.pdf
    ● Hack Yourself First by Troy Hunt - https://www.pluralsight.com/courses/hack-yourself-first
    ● Hack your API First by Troy Hunt - https://www.pluralsight.com/courses/hack-your-api-first
    To get deeper into the topic:
    ● Pixi as part of the DevSlop project (https://www.owasp.org/index.php/OWASP_DevSlop_Project) + video tutorial (https://www.youtube.com/watch?v=td-2rN4PgRw)
    ● Juice Shop - https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
    ● Ads manager application - https://github.com/kovechenko/VulnerableAdvertisementAPI
    ● REST OWASP Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
    ● News about API security - https://apisecurity.io
  • 42. CONTACT ME
    Email: kate@fest.group
    FB: Kateryna Ovechenko