Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

API Security - Null meet


Published on

XSS / HTML Injection
Authorization and Authentication
Sensitive information disclosure
CORS Misconfiguration
API's over HTTP
HTTP Verb tampering
Fuzzing / Boundary Checks
API Rate limiting
API Key Compromise

Published in: Education
  • Login to see the comments

API Security - Null meet

  1. 1. API Security n|u - The Open security community Chennai Meet Presenter : Vinoth Kumar Date : 20/05/2017
  2. 2. # About Me Application security engineer. Blogger @ Email @
  3. 3. What is an API An API is a list of commands that one program can send to another. It is used, so that individual programs can communicate with one another directly and use each other's functions. API allows two different application ( built on two different technologies ) communicate with each other. Eg : A rails application accessing content from Java application and vice versa. Need for an API Let’s see the use cases of accessing contents of “website B” ( Using an API vs without an API ) If “website A” wants to access the content in “website B” , it will be difficult, if it fetches the content by parsing the HTML tags, since website B may have code changes after few months. However, if website B provide API’s well documented, website A can access the information without much difficulty by looking into the API documentation.
  4. 4. Using an API Using username and password combination Curl -v -u username:password -H “Content-type:application/json” -d ‘{JSON Input}’ -X HTTPMethod ‘API Endpoint’ Using API Key Curl -v -u API Key:test -H “Content-type:application/json” -d ‘{JSON Input}’ -X HTTPMethod ‘API Endpoint’
  5. 5. Security issues / Best practices in API 1. XSS / HTML Injection 2. Authorization and Authentication 3. Sensitive information disclosure 4. CORS Misconfiguration 5. API over HTTP 6. CSRF 7. HTTP Verb tampering
  6. 6. XSS and HTML Injection attacks Vulnerable API Endpoint : Vulnerable parameter : “Name” and “description” curl -v -u username:password -H “Content-type:application.json”, -X POST {'name': '<script>alert(document.cookie)</script>', 'description': '<marquee>HTML Injection</marquee>, 'privacy': 'anybody'}} Reference :
  7. 7. Authorization and Authentication Case study 1 : Vulnerable API Endpoint : /api/user/ Login into the application using your valid credentials. POST /login { credentials } The below API call fetches your profile details Actual request : GET /api/user/me Intercept the request and modify the API call. Modified request : GET /api/user/victim Fetches the victim details . Case study 2 : Update the normal user to admin user. Now, normal user will have admin level privileges. Now again downgrade back to normal user. Vulnerability : Normal user still has admin level privileges.
  8. 8. Sensitive information disclosure - H1 Reports API An attacker can disclose any user's private email by creating a sandbox program then adding that user to a report as a participant. Now if the attacker issued a request to fetch the report through the API , the response will contain the invited user private email at the activities object. Steps to reproduce: Go to any report submitted to your program. Add the victim username as a participant to your report. Generate an API token. Fetch the report through the API curl "[report_id]" -u "api_idetifier:token" The response will contain the invited user email at the activities object: "activities":{"data":[{"type":"activity-external-user-invited","id":"1406712","attributes":{"message":null,"created_at":"2017-01- 08T01:57:27.614Z","updated_at":"2017-01-08T01:57:27.614Z","internal":true,"email":"<victim'>"} Reference :
  9. 9. CORS Misconfiguration Image, in, we have the following header in the configuration Access-Control-Allow-Origin: wants to access the content in Request Blocked: The Same Origin Policy disallows reading the remote resource at This can be fixed by moving the resource to the same domain or enabling CORS. Vulnerable CORS setting. Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true If the victim is logged into the application, the attacker can send an XMLHttpRequest to fetch the details. Reference :
  10. 10. API’s over HTTP Vulnerable Request : curl -v -u username:password -H "Content-Type: application/json" -X GET '' Imaging, the above API request is returning the credit card details of vinoth in response. {“credit card” : 1111 1111 1111 1111, “expiry date”: “09/37”, “CVV”: 343 } However, if you notice the above API call, it is accepting HTTP endpoint. Hence, it is vulnerable to sniffing attacks. Remediation : All API requests should hit the secured endpoint i.e. only HTTPS curl -v -u username:password -H "Content-Type: application/json" -X GET ''
  11. 11. CSRF - Twitter Cards API POST %2Fpassthrough%2F1 HTTP/1.1 Host: Cookie: foo=bar {"twitter:string:card_uri":"card://657629230759415808","twitter:long:original_tweet_id":"657629231309041664","twitter:string:selected_choice":"2 "} POST passthrough%2F1 HTTP/1.1 Host: Cookie: foo=bar {"twitter:string:card_uri":"card://657629230759415808","twitter:long:original_tweet_id":"657629231309041664","twitter:string:selected_choice":"2 "} Reference :
  12. 12. HTTP Verb tampering HTTP Verb tampering : Trying random HTTP Methods. API’s often use GET (read), POST (create), PUT (replace/update) and DELETE (to delete a record). Not all of these are valid choices for every single resource collection, user, or action. Make sure the incoming HTTP method is valid for the session token/API key and associated resource collection, action, and record. For example, if you have an RESTful API for a library, it's not okay to allow anonymous users to DELETE book catalog entries, but it's fine for them to GET a book catalog entry. On the other hand, for the librarian, both of these are valid uses.
  13. 13. Fuzzing - Array worth $500 Generates totally random input for the specified request parameters, hoping to provoke some kind of unexpected results. Eg : If the API expects a string parameter , input an integer and vice-versa and check how the system responds. Fuzzing IRCloud API’s A security researcher discovered an API payload that would send invalid data to their own user process, which would repeatedly fail to be handled correctly. This error handling loop prevented further access to their user account. Actual request : {“_reqid”:1234, “cid”:5678, “to”: “#treehouse”, “msg”:”test”, “method”:”say”} Modified request : {“_reqid”:1234, “cid”:5678, “to”:[“#treehouse”, “#darkscience”] , “msg”:”test”, “method”:”say”} Reference :
  14. 14. API Rate limiting X-RateLimit-Limit – The limit that you cannot surpass in a given amount of time X-RateLimit-Remaining – The number of calls you have available until a given reset time stamp, or calculated given some sort of sliding time window. X-RateLimit-Reset – The timestamp in UTC formatted to HTTP spec per RFC 1123 for when the limits will be reset. If you exceed the provided rate limit for a given API endpoint, you will receive the 429 Too Many Requests response with the following message: { "message": "Too many requests. Check the X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset headers." }
  15. 15. API Key - Compromise It’s always better to mask your API key. If the account is compromised , the attacker can note down your API key. This is dangerous, because even if the victim changes his password realising the account compromise, the attacker can still have access to the account using his API key. Incase of account compromise, don’t just change the password, reset your API key as well.
  16. 16. API Testing tools Postman Fuzzapi [ REST API - JSON ] SOAPUI Ready API
  17. 17. Tips for API Security assessment API Documentation of the target is the main source for your assessment. OWASP API Security cheat sheets can be handy
  18. 18. Thank You