SlideShare ist ein Scribd-Unternehmen logo

API Security - OWASP top 10 for APIs + tips for pentesters

I
Inon Shkedy

OWASP TOP 10 for APIs + tips for developers and pentesters

Ingenieurwesen
1 von 60
Downloaden Sie, um offline zu lesen
Agenda ● Modern AppSec: ○ SQLi ○ XSS ○ CSRF ○ More boring stuff
Real Agenda ● Modern AppSec Issues ● Relevant (and cool) Examples ● What has changed
Startups, Tier 1 Companies Single Page Apps, Cloud, CI/CD, Mostly APIs Government, Military, Financial Multi Page Apps, On Prem, Waterfall, Less APIs Whoami ● Head of Security Research @ Traceable.ai ● 8 Years of experience in AppSec ● I’ve grown up with APIs
Traditional
Modern
What’s changed? Client Client Web Server Web Server (API) GET /home.jsp Fetch Data Fetch Data HTML JSON Traditional Modern
What’s new? Client Web Server (API) Fetch Data Client JSON JSON JSON ● Clients: More types, more powerful ● Less Abstraction Layers: Shared language - JSON
Dev(Sec)Ops Hard too keep on track (Shadow APIs) Classic IT issues (open ports, old version) barley exist Bad : Good :
The Good News Issue Solved By SQLi ORMs CSRF Use of Authorization Header XSS Clients are responsible Path Manipulation Cloud Based Storage XXE JSON
The Bad News Less Abstraction - Predictable endpoints - More exposed PII Client does rendering - Wider Attack Surface - More entry points - More params !
OWASP API Project ● Defining the top 10 threats ● Leaders ● Join us! https://www.owasp.org/index.php/OWASP_API_Security_Project Erez Yalon (Checkmarx) Inon Shkedy (Traceable.ai)
OWASP TOP 10 For APIs #1 BOLA (Broken Object Level Authorization) #2 Broken Authentication #3 Excessive Data Exposure #4 Lack of Resources & Rate Limiting #5 BFLA (Broken Function Level Authorization) #6 Mass Assignment #7 Security Misconfiguration #8 Injection #9 Improper Assets Management #10 Insufficient Logging & Monitoring
Authz in APIs - The Challenge Object Level Function Level Code (Almost every controller) Code, Configuration, API-gateway ● Decentralized Mechanism ● Complex Users & Roles Hierarchies Riders Drivers Admins Hugo Sub #1 Sub #2 Bugo Jon Jack Inon
A1 - BOLA (Broken Object-Level Authorization) POST api/trips/rate_trip {“trip_id”:718492, “rate”:5} API DB NotLyft Trip.find_by_id(718492).update UPDATE trips … WHERE ID = 718492
BOLA - 2 types Based on user_id ● Easy to protect ○ If (params[:user_id] == current_user.id) Based on object_id ● Challenging ○ A trip with a co-rider
What is a good authorization mechanism? Decision Engine User #232 User #585 Admin #616 Receipts Controller Profile Controller Admin Panel Controller User #232 has access to view receipt #777? User #585 has access to update profile #616? Admin #616 Has access to delete user #888? 1 2
BOLA - Why So Common? ● More IDs are sent from the clients to the APIs ● REST standard encourages developers to send IDs in URLs ○ /users/717/details ● Even though there’s an authz mechanism, developers just don’t use it
BOLA - Why Not IDOR ● IDOR - Insecure Direct Object Reference ● C00L name, not accurate ● The problem is not about the IDs !
BOLA - Solutions that don’t solve the problem ● GUIDs instead of numbers ● Indirect Object Reference ● Relying on IDs from JWT tokens ● OAuth BOLA - Solutions that solve the problem ● Good authorization mechanism ● Make sure that developers actually use it in every controller
BOLA - Uber - Full Account Takeover Request Response Found by Anand Prakash, AppSecure
A2 - Broken User Authentication forgot_password web_login get_location update_picture EXTRA Protection Rate Limiting (A4) Extra protection: - Account lockout - Captcha - Brute Force attacks Misconfiguration: ● JWT allows {“alg”:”none”} ● Tokens don’t expire ● etc..
A2 - Facebook - Full Account Takeover facebook.com Lockout mechanism (after 10 attempts) beta.facebook.com mbasic.beta.facebook.com X X Found by Anand Prakash, AppSecure (5 Digits Reset Password Token) 100,000 options
A3 - Excessive Data Exposure ● APIs expose sensitive data of other Users by design
A3 - Excessive Data Exposure DATING APP Name: Bob Hobbies: Banana API GET /users/717 X Filtering sensitive information on the client side == BAD IDEA!!
A3 - Why ? ● API Economy + REST Standard == Generic Endpoints :( ● “to_ json” / “to_string” functions from ORM / Model ● Developers don’t think who’s the consumer
Recent Example - “3fun” app Found by Alex Lomas, Pen Test Partners
Found by Alex Lomas, Pen Test Partners
Found by Alex Lomas, Pen Test Partners
A4 - Lack of Resources & Rate Limiting ● Might lead to DOS ● www.socialnetwork.com/users/list?limit=99999999
A5 - BFLA (Broken Function Level Authorization) DELETE /users/717 DELETE /users/717 Admin API APIRiders API Drivers aPI
Why in APIs ● Easier to detect in APIs Fetch User’s Profile (not sensitive function) Delete user (admin function) Traditional App GET /app/users_view.aspx?user_id=1337 POST app/admin_panel/users_mgmt.aspx action=delete&user_id=1337 API GET /api/users/1337 DELETE /api/users/1337 HARD topredict :( VeryPredictable
Function Level Authorization ● Various ways to implement: ○ Code ○ Configuration ○ API Gateway ● Comlex Roles: ○ Admins / Super-admins / supervisors / riders / drivers
A5 - BFLA - Example - Shopify @uzsunny reported that by creating two partner accounts sharing the same business email, it was possible to be granted "collaborator" access to any store without any merchant interaction. “The code did not properly check what type the existing account was” Found by uzsunny $20,000 bounty on Hackerone
A6 - Mass Assignment “Create_user” flow in traditional apps APP Server create_user fname=inon& lname=shkedy& pass=123456 ORM {first_name=Inon last_name=shkedy pass=123456}
A6 - Mass Assignment APP Server POST /users/create {“user”:{“lname”:”Inon”,”fname”: ”shkedy”,”pass”:”123456”}} (ORM Black Magic) ORM {JSON AS IS}
A6 - Mass Assignment POST /api/users/new {“username”:”Inon”, ”pass”:”123456”} Legit POST /api/users/new {“username”:”Inon”, ”pass”:”123456”, ”role”:”admin”} M alicious
A6 - Why in APIs ● Mass Assignment Ain’t New ● Easier to exploit in APIs ○ Always try with POST, PUT & PATCH ● Don’t guess object properties ○ Just find a GET method which returns them ● Use Mass Assignment to bypass other security controls
A6 - Example Found by James Kettle, Port Swigger
A7 - Security Misconfiguration ● Lack of CSRF / CORS protection ● Lack of security related HTTP headers ● Unnecessary exposed HTTP methods ● Weak encryption ● Etc... Bad Things
A8 - Injection Why from A1 to A8 ? ● Ask yourself - why injection was A1 ? ● SQLi much less common: ○ ORMs ○ Gazillion of security products that solve them ○ Use of NoSQL ● NoSQL Injection are a thing, but are usually not as severe / common
A9 - Improper Asset Management API endpoints with no documentation API /v1/get_user /v2/update_loc ation /v0/b2b_old/ export_all_users X payment-api.acme.com mobile-api.acme.com qa-3-old.acme.com Unknown API hosts Developers DevOps
A9 - Why in APIs? ● APIs change all the time because of CI/CD ● Cloud + deployment automation (K8S) == Too easy to spin up a new API host ● Excuse me mister , but what the heck is “qa-3-old.app.com” ?
A10 - Insufficient Logging & Monitoring ● Same as A10 (2017)
How to hack APIs?
Pentesters Methodology - API Mindfulness ● Beginner’s mind (Shoshin) - Always be curious about APIs Understand the business logic by asking meaningful questions ● Wean yourself off GUI Don’t let fear stop you from generating API calls from scratch ● Use the evaluation phases
High-Level Evaluation Learn: ● REST based ride sharing app ● Has a carpooling feature Ask: ● What is “VIN”??
Drill Down Evaluation Learn: ● Trips & users - Numeric ID ● Drivers & payment - GUID Ask: ● More than one version? ● Payment splitting?! ● Maybe soap? Do: ● Cause an error: /v2/trips/aaa555 ● Find the payment splitting feature
Access Control Evaluation Learn: ● Different user types Ask: ● Should the last name be exposed? ● Can I be a driver & a rider? ● Support for cookies authz? Do: ● Identify the session label
Real Attack #1: Food Delivery App ● Background: ○ Food delivery app ○ API seemed to be pretty secured ● Attack Steps: ○ Downloaded an old version of the app ○ Found a niche feature hidden in the GUI – update user’s phone number ○ Includes 2 steps Step API endpoint BOLA 1. Send an SMS with a token Vulnerable 2. Verify Code POST /api/v/api/v3/<user_phone_num>/verify_update_number Not Vulnerable
Attack steps POST /api/v3.1/login_with_code How I felt Step #1 😈 Found that the token could be used for the login mechanism as well: #2 😞 “login_with_code” verifies also the device GUID #3 🤔 Double verification? Sounds like a feature that might have been added recently #4 🤓 Scanned for old versions of endpoint (v0.0 - v5.0 in the URL) #5 😈 Found that V2.7 was exposed and didn’t verify the device GUID #6 | Full Account Takeover |
Real Attack #2: Social Network ● Background: ○ Large social network ○ Haven’t found interesting in the Web App ○ Endpoint that exposes the user resource from the evaluation phase: GET /V3/users/<USER_GUID> POST /app/api/old_mobile/users {“user”: <USER_GUID>} ● Attack Steps: ○ Expanded the attack surface ■ old android version from apkpure.com ○ Found an older implementation of “user” resource Different EP structure. Potentially trigger different code PUT ○ Tried to change the method from “POST” to “PUT” ○ Created a request to update my own user PUT /app/api/old_mobile/users {“user”:<MY_GUID>, “email”:”inon@traceable.ai”, “full_name”:”Hugo Bugo”} ○ Received 403 == They implemented “function level authorization”
Real Attack #2: Social Network ● Attack Steps #2: ○ Expanded the attack surface ■ Used VirusTotal to find sub domains �� ○ “beta-prod” exposes the same API endpoint from previous steps /app/api/old_mobile/users ○ The API behaves differently (different headers & error handling) ■ Different behavior == different build / deployment / network flow ○ The “funcion-level authorization” isn’t active on “beta-prod” ■ API Is vulnerable to A5 (BFLA) ○ Used the API call from previous step to update any user’s email PUT /app/api/old_mobile/users {“user”:”ANY_USER_ID”, “email”:”inon@traceable.ai”} ○ Used the “forgot password” feature to reset the password == | FULL ACCOUNT TAKEOVER |
Got Stuck?
Expanding the attack surface ● Find more API endpoints! Wet Endpoints Dry Endpoints Source Active traffic from active clients Full / Partial documentation Pros Easier to work with Easier to find a large amount of them Cons You’re limited to the endpoints your clients have access to Hard to work with them API
Find more endpoints ★ Use multiple clients (mobile/web/web for mobile) ★ Use older versions of each client ○ APK Pure (Android) ○ Archive.com (Web Apps) ★ Use different hosts that run the same API ○ Use VirusTotal and Censys to find more hosts ★ Use different environments (QA/Staging/beta) ★ Use Burp “Site View” feature ★ Scan client files for strings that look like URLs ○ .js (JS-Scan tool) /.ipa / .apk files ★ Look for swagger / WADL files: /swagger.json; /api-docs; /application.wadl; etc.. ★ Look for exposed API documentation for developers Wet Endpoints Dry Endpoints
Bypass Security Controls ★ Sometimes non-prod environments (QA, Staging, etc) don’t implement basic security mechanisms ★ Different protocols == different implementations. ○ An app can expose REST, SOAP, ElasticSearch, GraphQL and websockets at the same time. ○ Don’t assume they implement the same security mechanisms. ★ Find different hosts that expose the same API; They might be deployed with different configurations / versions
Find vulnerable endpoints ★ Always look for the most niche features ★ Interesting features that tend to be vulnerable: ○ Export mechanism (look for Export Injection) ○ User management, sub-users ○ Custom views of a dashboard ○ Object sharing among users (like sharing a post / receipt)
Mass Assignment + CSRF - Reset User’s Password App Server Legacy multi-page app /app/home Mobile API /mobile/api session_id cookie based Authorization Header Auth settings are shared == API supports cookies == Potential CSRF ★ Let’s exploit it to change user’s email! ★ “POST /api/update_email” endpoint requires password 😞 ★ Anyhow, “PUT /mobile/api/users/me” is vulnerable to Mass Assignment We can update every user’s property, including email! 😈
Exploitation ★ Target a victim who uses the old app (cookies are stored in his browser) ★ Create a malicious HTML page to exploit the CSRF and call ★ Send it to the victim, change his email address and reset his password ☺
Questions ? Follow me on @InonShkedy

Empfohlen

Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security TestingSmartBear
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 

Empfohlen

Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security TestingSmartBear
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbolapidays
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentestingn|u - The Open Security Community
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST APINutan Kumar Panda
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAaronLieberman5
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top TenChristian Heinrich
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Bug bounty
Bug bountyBug bounty
Bug bountyn|u - The Open Security Community
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyAdar Weidman
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxChanna Ly
 

Weitere ähnliche Inhalte

Was ist angesagt?

Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbolapidays
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAaronLieberman5
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 

Was ist angesagt? (20)

Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIs
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Bug bounty
Bug bountyBug bounty
Bug bounty
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 

Ähnlich wie API Security - OWASP top 10 for APIs + tips for pentesters

Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyAdar Weidman
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxChanna Ly
 
Exploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIsExploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIswesley chun
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsApigee | Google Cloud
 
Azure API Management - why should I care?
Azure API Management - why should I care?Azure API Management - why should I care?
Azure API Management - why should I care?Jouni Heikniemi
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and GuidelinesWSO2
 
Developing Apps with Azure AD
Developing Apps with Azure ADDeveloping Apps with Azure AD
Developing Apps with Azure ADSharePointRadi
 
API, Integration, and SOA Convergence
API, Integration, and SOA ConvergenceAPI, Integration, and SOA Convergence
API, Integration, and SOA ConvergenceKasun Indrasiri
 
API Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfAPI Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfVishwas N
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdfVishwas N
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdfVishwasN6
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...wesley chun
 
MuleSoft Surat Meetup#39 - Pragmatic API Led Connectivity
MuleSoft Surat Meetup#39 - Pragmatic API Led ConnectivityMuleSoft Surat Meetup#39 - Pragmatic API Led Connectivity
MuleSoft Surat Meetup#39 - Pragmatic API Led ConnectivityJitendra Bafna
 
Device Independent API design
Device Independent API designDevice Independent API design
Device Independent API designAmrita jain
 
Z101666 best practices for delivering hybrid cloud capability with apis
Z101666 best practices for delivering hybrid cloud capability with apisZ101666 best practices for delivering hybrid cloud capability with apis
Z101666 best practices for delivering hybrid cloud capability with apisTeodoro Cipresso
 
#1922 rest-push2 ap-im-v6
#1922 rest-push2 ap-im-v6#1922 rest-push2 ap-im-v6
#1922 rest-push2 ap-im-v6Jack Carnes
 
Building Mobile Friendly APIs in Rails
Building Mobile Friendly APIs in RailsBuilding Mobile Friendly APIs in Rails
Building Mobile Friendly APIs in RailsJim Jeffers
 
Rapid app building with loopback framework
Rapid app building with loopback frameworkRapid app building with loopback framework
Rapid app building with loopback frameworkThomas Papaspiros
 
Supriya Saha Resume
Supriya Saha ResumeSupriya Saha Resume
Supriya Saha Resumesupriya saha
 

Ähnlich wie API Security - OWASP top 10 for APIs + tips for pentesters (20)

Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptx
 
Exploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIsExploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIs
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIs
 
Azure API Management - why should I care?
Azure API Management - why should I care?Azure API Management - why should I care?
Azure API Management - why should I care?
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
 
Developing Apps with Azure AD
Developing Apps with Azure ADDeveloping Apps with Azure AD
Developing Apps with Azure AD
 
API, Integration, and SOA Convergence
API, Integration, and SOA ConvergenceAPI, Integration, and SOA Convergence
API, Integration, and SOA Convergence
 
API Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfAPI Testing and Hacking (1).pdf
API Testing and Hacking (1).pdf
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdf
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdf
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
 
MuleSoft Surat Meetup#39 - Pragmatic API Led Connectivity
MuleSoft Surat Meetup#39 - Pragmatic API Led ConnectivityMuleSoft Surat Meetup#39 - Pragmatic API Led Connectivity
MuleSoft Surat Meetup#39 - Pragmatic API Led Connectivity
 
Online banking
Online bankingOnline banking
Online banking
 
Device Independent API design
Device Independent API designDevice Independent API design
Device Independent API design
 
Z101666 best practices for delivering hybrid cloud capability with apis
Z101666 best practices for delivering hybrid cloud capability with apisZ101666 best practices for delivering hybrid cloud capability with apis
Z101666 best practices for delivering hybrid cloud capability with apis
 
#1922 rest-push2 ap-im-v6
#1922 rest-push2 ap-im-v6#1922 rest-push2 ap-im-v6
#1922 rest-push2 ap-im-v6
 
Building Mobile Friendly APIs in Rails
Building Mobile Friendly APIs in RailsBuilding Mobile Friendly APIs in Rails
Building Mobile Friendly APIs in Rails
 
Rapid app building with loopback framework
Rapid app building with loopback frameworkRapid app building with loopback framework
Rapid app building with loopback framework
 
Supriya Saha Resume
Supriya Saha ResumeSupriya Saha Resume
Supriya Saha Resume
 

Kürzlich hochgeladen

Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024hassan khalil
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx959SahilShah
 
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)dollysharma2066
 
Vishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documentsVishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documentsSachinPawar510423
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfme23b1001
 
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncWhy does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncssuser2ae721
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionDr.Costas Sachpazis
 
US Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionUS Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionMebane Rash
 
An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...Chandu841456
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptSAURABHKUMAR892774
 
Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...121011101441
 
welding defects observed during the welding
welding defects observed during the weldingwelding defects observed during the welding
welding defects observed during the weldingMuhammadUzairLiaqat
 
Risk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfRisk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfROCENODodongVILLACER
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.eptoze12
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxKartikeyaDwivedi3
 
8251 universal synchronous asynchronous receiver transmitter
8251 universal synchronous asynchronous receiver transmitter8251 universal synchronous asynchronous receiver transmitter
8251 universal synchronous asynchronous receiver transmitterShivangiSharma879191
 
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor CatchersTechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catcherssdickerson1
 
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)Dr SOUNDIRARAJ N
 

Kürzlich hochgeladen (20)

Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx
 
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
 
Vishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documentsVishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documents
 
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
 
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdf
 
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncWhy does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
 
US Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionUS Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of Action
 
An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.ppt
 
Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...
 
welding defects observed during the welding
welding defects observed during the weldingwelding defects observed during the welding
welding defects observed during the welding
 
Risk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfRisk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdf
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptx
 
8251 universal synchronous asynchronous receiver transmitter
8251 universal synchronous asynchronous receiver transmitter8251 universal synchronous asynchronous receiver transmitter
8251 universal synchronous asynchronous receiver transmitter
 
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor CatchersTechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
 
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
 

API Security - OWASP top 10 for APIs + tips for pentesters

  • 1. Agenda ● Modern AppSec: ○ SQLi ○ XSS ○ CSRF ○ More boring stuff
  • 2. Real Agenda ● Modern AppSec Issues ● Relevant (and cool) Examples ● What has changed
  • 3. Startups, Tier 1 Companies Single Page Apps, Cloud, CI/CD, Mostly APIs Government, Military, Financial Multi Page Apps, On Prem, Waterfall, Less APIs Whoami ● Head of Security Research @ Traceable.ai ● 8 Years of experience in AppSec ● I’ve grown up with APIs
  • 6. What’s changed? Client Client Web Server Web Server (API) GET /home.jsp Fetch Data Fetch Data HTML JSON Traditional Modern
  • 7. What’s new? Client Web Server (API) Fetch Data Client JSON JSON JSON ● Clients: More types, more powerful ● Less Abstraction Layers: Shared language - JSON
  • 8. Dev(Sec)Ops Hard too keep on track (Shadow APIs) Classic IT issues (open ports, old version) barley exist Bad : Good :
  • 9. The Good News Issue Solved By SQLi ORMs CSRF Use of Authorization Header XSS Clients are responsible Path Manipulation Cloud Based Storage XXE JSON
  • 10. The Bad News Less Abstraction - Predictable endpoints - More exposed PII Client does rendering - Wider Attack Surface - More entry points - More params !
  • 11. OWASP API Project ● Defining the top 10 threats ● Leaders ● Join us! https://www.owasp.org/index.php/OWASP_API_Security_Project Erez Yalon (Checkmarx) Inon Shkedy (Traceable.ai)
  • 12. OWASP TOP 10 For APIs #1 BOLA (Broken Object Level Authorization) #2 Broken Authentication #3 Excessive Data Exposure #4 Lack of Resources & Rate Limiting #5 BFLA (Broken Function Level Authorization) #6 Mass Assignment #7 Security Misconfiguration #8 Injection #9 Improper Assets Management #10 Insufficient Logging & Monitoring
  • 13. Authz in APIs - The Challenge Object Level Function Level Code (Almost every controller) Code, Configuration, API-gateway ● Decentralized Mechanism ● Complex Users & Roles Hierarchies Riders Drivers Admins Hugo Sub #1 Sub #2 Bugo Jon Jack Inon
  • 14. A1 - BOLA (Broken Object-Level Authorization) POST api/trips/rate_trip {“trip_id”:718492, “rate”:5} API DB NotLyft Trip.find_by_id(718492).update UPDATE trips … WHERE ID = 718492
  • 15. BOLA - 2 types Based on user_id ● Easy to protect ○ If (params[:user_id] == current_user.id) Based on object_id ● Challenging ○ A trip with a co-rider
  • 16. What is a good authorization mechanism? Decision Engine User #232 User #585 Admin #616 Receipts Controller Profile Controller Admin Panel Controller User #232 has access to view receipt #777? User #585 has access to update profile #616? Admin #616 Has access to delete user #888? 1 2
  • 17. BOLA - Why So Common? ● More IDs are sent from the clients to the APIs ● REST standard encourages developers to send IDs in URLs ○ /users/717/details ● Even though there’s an authz mechanism, developers just don’t use it
  • 18. BOLA - Why Not IDOR ● IDOR - Insecure Direct Object Reference ● C00L name, not accurate ● The problem is not about the IDs !
  • 19. BOLA - Solutions that don’t solve the problem ● GUIDs instead of numbers ● Indirect Object Reference ● Relying on IDs from JWT tokens ● OAuth BOLA - Solutions that solve the problem ● Good authorization mechanism ● Make sure that developers actually use it in every controller
  • 20. BOLA - Uber - Full Account Takeover Request Response Found by Anand Prakash, AppSecure
  • 21. A2 - Broken User Authentication forgot_password web_login get_location update_picture EXTRA Protection Rate Limiting (A4) Extra protection: - Account lockout - Captcha - Brute Force attacks Misconfiguration: ● JWT allows {“alg”:”none”} ● Tokens don’t expire ● etc..
  • 22. A2 - Facebook - Full Account Takeover facebook.com Lockout mechanism (after 10 attempts) beta.facebook.com mbasic.beta.facebook.com X X Found by Anand Prakash, AppSecure (5 Digits Reset Password Token) 100,000 options
  • 23. A3 - Excessive Data Exposure ● APIs expose sensitive data of other Users by design
  • 24. A3 - Excessive Data Exposure DATING APP Name: Bob Hobbies: Banana API GET /users/717 X Filtering sensitive information on the client side == BAD IDEA!!
  • 25. A3 - Why ? ● API Economy + REST Standard == Generic Endpoints :( ● “to_ json” / “to_string” functions from ORM / Model ● Developers don’t think who’s the consumer
  • 26. Recent Example - “3fun” app Found by Alex Lomas, Pen Test Partners
  • 29. A4 - Lack of Resources & Rate Limiting ● Might lead to DOS ● www.socialnetwork.com/users/list?limit=99999999
  • 30. A5 - BFLA (Broken Function Level Authorization) DELETE /users/717 DELETE /users/717 Admin API APIRiders API Drivers aPI
  • 31. Why in APIs ● Easier to detect in APIs Fetch User’s Profile (not sensitive function) Delete user (admin function) Traditional App GET /app/users_view.aspx?user_id=1337 POST app/admin_panel/users_mgmt.aspx action=delete&user_id=1337 API GET /api/users/1337 DELETE /api/users/1337 HARD topredict :( VeryPredictable
  • 32. Function Level Authorization ● Various ways to implement: ○ Code ○ Configuration ○ API Gateway ● Comlex Roles: ○ Admins / Super-admins / supervisors / riders / drivers
  • 33. A5 - BFLA - Example - Shopify @uzsunny reported that by creating two partner accounts sharing the same business email, it was possible to be granted "collaborator" access to any store without any merchant interaction. “The code did not properly check what type the existing account was” Found by uzsunny $20,000 bounty on Hackerone
  • 34. A6 - Mass Assignment “Create_user” flow in traditional apps APP Server create_user fname=inon& lname=shkedy& pass=123456 ORM {first_name=Inon last_name=shkedy pass=123456}
  • 35. A6 - Mass Assignment APP Server POST /users/create {“user”:{“lname”:”Inon”,”fname”: ”shkedy”,”pass”:”123456”}} (ORM Black Magic) ORM {JSON AS IS}
  • 36. A6 - Mass Assignment POST /api/users/new {“username”:”Inon”, ”pass”:”123456”} Legit POST /api/users/new {“username”:”Inon”, ”pass”:”123456”, ”role”:”admin”} M alicious
  • 37. A6 - Why in APIs ● Mass Assignment Ain’t New ● Easier to exploit in APIs ○ Always try with POST, PUT & PATCH ● Don’t guess object properties ○ Just find a GET method which returns them ● Use Mass Assignment to bypass other security controls
  • 38. A6 - Example Found by James Kettle, Port Swigger
  • 39. A7 - Security Misconfiguration ● Lack of CSRF / CORS protection ● Lack of security related HTTP headers ● Unnecessary exposed HTTP methods ● Weak encryption ● Etc... Bad Things
  • 40. A8 - Injection Why from A1 to A8 ? ● Ask yourself - why injection was A1 ? ● SQLi much less common: ○ ORMs ○ Gazillion of security products that solve them ○ Use of NoSQL ● NoSQL Injection are a thing, but are usually not as severe / common
  • 41. A9 - Improper Asset Management API endpoints with no documentation API /v1/get_user /v2/update_loc ation /v0/b2b_old/ export_all_users X payment-api.acme.com mobile-api.acme.com qa-3-old.acme.com Unknown API hosts Developers DevOps
  • 42. A9 - Why in APIs? ● APIs change all the time because of CI/CD ● Cloud + deployment automation (K8S) == Too easy to spin up a new API host ● Excuse me mister , but what the heck is “qa-3-old.app.com” ?
  • 43. A10 - Insufficient Logging & Monitoring ● Same as A10 (2017)
  • 44. How to hack APIs?
  • 45. Pentesters Methodology - API Mindfulness ● Beginner’s mind (Shoshin) - Always be curious about APIs Understand the business logic by asking meaningful questions ● Wean yourself off GUI Don’t let fear stop you from generating API calls from scratch ● Use the evaluation phases
  • 46. High-Level Evaluation Learn: ● REST based ride sharing app ● Has a carpooling feature Ask: ● What is “VIN”??
  • 47. Drill Down Evaluation Learn: ● Trips & users - Numeric ID ● Drivers & payment - GUID Ask: ● More than one version? ● Payment splitting?! ● Maybe soap? Do: ● Cause an error: /v2/trips/aaa555 ● Find the payment splitting feature
  • 48. Access Control Evaluation Learn: ● Different user types Ask: ● Should the last name be exposed? ● Can I be a driver & a rider? ● Support for cookies authz? Do: ● Identify the session label
  • 49. Real Attack #1: Food Delivery App ● Background: ○ Food delivery app ○ API seemed to be pretty secured ● Attack Steps: ○ Downloaded an old version of the app ○ Found a niche feature hidden in the GUI – update user’s phone number ○ Includes 2 steps Step API endpoint BOLA 1. Send an SMS with a token Vulnerable 2. Verify Code POST /api/v/api/v3/<user_phone_num>/verify_update_number Not Vulnerable
  • 50. Attack steps POST /api/v3.1/login_with_code How I felt Step #1 😈 Found that the token could be used for the login mechanism as well: #2 😞 “login_with_code” verifies also the device GUID #3 🤔 Double verification? Sounds like a feature that might have been added recently #4 🤓 Scanned for old versions of endpoint (v0.0 - v5.0 in the URL) #5 😈 Found that V2.7 was exposed and didn’t verify the device GUID #6 | Full Account Takeover |
  • 51. Real Attack #2: Social Network ● Background: ○ Large social network ○ Haven’t found interesting in the Web App ○ Endpoint that exposes the user resource from the evaluation phase: GET /V3/users/<USER_GUID> POST /app/api/old_mobile/users {“user”: <USER_GUID>} ● Attack Steps: ○ Expanded the attack surface ■ old android version from apkpure.com ○ Found an older implementation of “user” resource Different EP structure. Potentially trigger different code PUT ○ Tried to change the method from “POST” to “PUT” ○ Created a request to update my own user PUT /app/api/old_mobile/users {“user”:<MY_GUID>, “email”:”inon@traceable.ai”, “full_name”:”Hugo Bugo”} ○ Received 403 == They implemented “function level authorization”
  • 52. Real Attack #2: Social Network ● Attack Steps #2: ○ Expanded the attack surface ■ Used VirusTotal to find sub domains �� ○ “beta-prod” exposes the same API endpoint from previous steps /app/api/old_mobile/users ○ The API behaves differently (different headers & error handling) ■ Different behavior == different build / deployment / network flow ○ The “funcion-level authorization” isn’t active on “beta-prod” ■ API Is vulnerable to A5 (BFLA) ○ Used the API call from previous step to update any user’s email PUT /app/api/old_mobile/users {“user”:”ANY_USER_ID”, “email”:”inon@traceable.ai”} ○ Used the “forgot password” feature to reset the password == | FULL ACCOUNT TAKEOVER |
  • 54. Expanding the attack surface ● Find more API endpoints! Wet Endpoints Dry Endpoints Source Active traffic from active clients Full / Partial documentation Pros Easier to work with Easier to find a large amount of them Cons You’re limited to the endpoints your clients have access to Hard to work with them API
  • 55. Find more endpoints ★ Use multiple clients (mobile/web/web for mobile) ★ Use older versions of each client ○ APK Pure (Android) ○ Archive.com (Web Apps) ★ Use different hosts that run the same API ○ Use VirusTotal and Censys to find more hosts ★ Use different environments (QA/Staging/beta) ★ Use Burp “Site View” feature ★ Scan client files for strings that look like URLs ○ .js (JS-Scan tool) /.ipa / .apk files ★ Look for swagger / WADL files: /swagger.json; /api-docs; /application.wadl; etc.. ★ Look for exposed API documentation for developers Wet Endpoints Dry Endpoints
  • 56. Bypass Security Controls ★ Sometimes non-prod environments (QA, Staging, etc) don’t implement basic security mechanisms ★ Different protocols == different implementations. ○ An app can expose REST, SOAP, ElasticSearch, GraphQL and websockets at the same time. ○ Don’t assume they implement the same security mechanisms. ★ Find different hosts that expose the same API; They might be deployed with different configurations / versions
  • 57. Find vulnerable endpoints ★ Always look for the most niche features ★ Interesting features that tend to be vulnerable: ○ Export mechanism (look for Export Injection) ○ User management, sub-users ○ Custom views of a dashboard ○ Object sharing among users (like sharing a post / receipt)
  • 58. Mass Assignment + CSRF - Reset User’s Password App Server Legacy multi-page app /app/home Mobile API /mobile/api session_id cookie based Authorization Header Auth settings are shared == API supports cookies == Potential CSRF ★ Let’s exploit it to change user’s email! ★ “POST /api/update_email” endpoint requires password 😞 ★ Anyhow, “PUT /mobile/api/users/me” is vulnerable to Mass Assignment We can update every user’s property, including email! 😈
  • 59. Exploitation ★ Target a victim who uses the old app (cookies are stored in his browser) ★ Create a malicious HTML page to exploit the CSRF and call ★ Send it to the victim, change his email address and reset his password ☺
  • 60. Questions ? Follow me on @InonShkedy