PENTESTING REST API’S
~ GAURANG BHATNAGAR
AGENDA
▸ Brief overview of API
▸ Fingerprinting & Discovering API
▸ Authentication attacks on API (JWT)
▸ Authorization attacks on API (OAuth)
▸ Bruteforce attacks on API
▸ Attacking Dev/Staging API
▸ Traditional attacks
ABOUT ME
Security consultant at EY
Web and Mobile security researcher
Synack Red Team member
Google’s top 50 (VRP)
API - BRIEF OVERVIEW
API stands for Application Programming Interface
An API is used to exchange data between endpoints
API STANDARDS
REST API
REST - Representational State Transfer
Data is sent as JSON
FINGERPRINTING & DISCOVERING API
WHAT INFO DO YOU NEED TO KNOW?
Where are the API endpoint(s)?
How do the developers handle versioning?
Which programming language(s) are used?
How does the client authenticate to use the API?
FINDING SAMPLE API CALLS (BLACK BOX APPROACH)
Brute-force parameter names (Parameth)
Analyse JavaScript code (JS-scan or JSParser)
Dissect the mobile app and retrieve hardcoded URLs
DEBUGGING AND FUZZING
Debug API: Using a Proxy
Debug API: API Testing Tools
AUTOMATING TESTS: FUZZING
FUZZAPI
AUTHENTICATION ATTACKS ON API
JWT (JSON Web Tokens) attacks
BYPASSING THE ALGORITHM
HS256 / RS256 / None
RS256: two keys (a key pair)
HS256: one shared key
CRACKING THE JWT SECRET
Dictionary attack (https://github.com/Sjord/jwtcrack)
Bruteforce attack (https://github.com/lmammino/jwt-cracker)
JWT ATTACK MITIGATION
Use a random, complex key (JWT secret)
Enforce the algorithm in the backend
Keep token expiration (TTL, RTTL) as short as possible
Use HTTPS everywhere to avoid MITM/replay attacks.
JWT ATTACKS TESTBED
https://pentesterlab.com/exercises/jwt
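The "bypassing the algorithm" and "JWT attack mitigation" slides above, as an added example that is not part of the original deck: a stdlib-only HS256 verifier that pins the algorithm server-side, checks the signature in constant time and treats a missing or past `exp` as fatal. The secret, the claim names and the helper names are constructed for this demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; production secrets must be long and random.
SECRET = b"constructed-demo-secret-replace-with-32-plus-random-bytes"
EXPECTED_ALG = "HS256"   # decided by the backend, never read from the token


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_hs256(claims: dict, secret: bytes, ttl_seconds: int = 300,
                now: Optional[float] = None) -> str:
    """Issue an HS256 token with a short TTL, as the mitigation slide advises."""
    now = time.time() if now is None else now
    body = dict(claims, exp=int(now) + ttl_seconds)
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(body)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def build_token(header: dict, claims: dict, signature: str = "") -> str:
    """Assemble an arbitrary token; used below to model tampered input."""
    return f"{_segment(header)}.{_segment(claims)}.{signature}"


def verify_hs256(token: str, secret: bytes,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is valid, otherwise None.

    The algorithm is pinned server-side: the header's 'alg' is only checked
    for agreement and never selects the verification routine. That closes
    both bypasses from the slide: 'alg: none' (no signature at all) and
    RS256->HS256 confusion (a token HMAC-signed with the public key), since
    the only accepted signature is an HMAC under the server's own secret.
    """
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        return None                  # 'none', 'RS256', 'hs256', ... all rejected
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None                  # constant-time; wrong key or edited body
    now = time.time() if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None                  # a missing 'exp' is as fatal as a past one
    return claims


if __name__ == "__main__":
    good = issue_hs256({"sub": "123"}, SECRET)
    none_alg = build_token({"alg": "none", "typ": "JWT"},
                           {"sub": "admin", "exp": 2_000_000_000})
    print("valid token  ->", verify_hs256(good, SECRET))
    print("alg none     ->", verify_hs256(none_alg, SECRET))
    print("wrong secret ->", verify_hs256(good, b"other"))
```

For an RS256 backend the same rule applies with the roles swapped: pin `alg` to RS256 and verify only with the server's public key, so a token whose header says HS256 is rejected before any key material is touched.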
AUTHORIZATION ATTACKS ON API
HOW DOES OAUTH WORK?
OAUTH ATTACKS
Access token leakage (via open redirect)
CSRF attack on the OAuth flow
https://www.geekboy.ninja/blog/turning-simple-login-csrf-to-account-takeover/
Stealing the authentication code via XSS
https://whitton.io/articles/uber-turning-self-xss-into-good-xss/
References for further reading:
https://sakurity.com/oauth
https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/
MITIGATIONS
Always use SSL
Use the state parameter to protect against CSRF.
Check your code for XSS vulnerabilities. A single XSS can ruin everything.
Stay up to date with protocol standards.
BRUTE FORCE ATTACKS ON API
Target:
Authentication (form-data/basic/digest)
Password reset tokens / 2FA
Tokens (authentication / authorization) like JWT
http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html
MITIGATIONS
Limit retries for every username
Keep auth code / token / reset code expirations as short as possible
Don’t use easily brute-forceable codes (e.g. 4-digit auth codes)
Expire auth/reset codes after a single use
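The four mitigations on this slide combined into one one-time-code store, as an added example that is not part of the original deck: a per-username attempt counter that a fresh code does not reset, a 5-minute TTL, a 40-bit code instead of 4 digits, and single use. The in-memory dict, the limits and the status strings are constructed for the demo; a real service would keep the counters in a shared store.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed policy values; tune them per risk appetite.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no 0/O/1/I
CODE_LENGTH = 8            # 32**8 ~ 1.1e12 guesses vs 10**4 for a 4-digit code
MAX_ATTEMPTS = 5           # per username, across re-issued codes
CODE_TTL_SECONDS = 300     # 5 minutes


@dataclass
class IssuedCode:
    code: str
    expires_at: float
    used: bool = False


class CodeStore:
    """Reset/2FA codes with retry limit, short expiry and single use."""

    def __init__(self) -> None:
        self._codes: Dict[str, IssuedCode] = {}
        self._attempts: Dict[str, int] = {}   # keyed by username, not by code

    def issue(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        # Replacing the code does NOT touch the attempt counter, so requesting
        # a new code is not a way to reset the lockout.
        self._codes[username] = IssuedCode(code, now + CODE_TTL_SECONDS)
        return code

    def attempts_left(self, username: str) -> int:
        return max(0, MAX_ATTEMPTS - self._attempts.get(username, 0))

    def verify(self, username: str, candidate: str,
               now: Optional[float] = None) -> str:
        """Return an internal status: ok, locked, unknown, used, expired, invalid.

        The API response to the client should collapse every non-ok status
        into one generic failure; the detail is for logging and alerting.
        """
        now = time.time() if now is None else now
        if self._attempts.get(username, 0) >= MAX_ATTEMPTS:
            return "locked"               # checked first: no work for locked users
        issued = self._codes.get(username)
        if issued is None:
            return "unknown"
        if issued.used:
            return "used"                 # single use: a replayed code fails
        if now >= issued.expires_at:
            return "expired"
        self._attempts[username] = self._attempts.get(username, 0) + 1
        if not hmac.compare_digest(issued.code.encode(),
                                   candidate.strip().upper().encode()):
            return "invalid"
        issued.used = True
        self._attempts[username] = 0      # only a success clears the counter
        return "ok"
```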
ATTACKING DEV/STAGING/OLD API
Why should we target them?
Still in development (full of bugs)
Deprecated but still working
Internal security teams rarely test old/dev API endpoints
Production measures disabled (rate limiting, registration policy, etc.)
Debug mode is in most cases turned ON
1. FINDING OLD API’S
API versioning
▸ Explicit URL
▸ Accept headers
▸ Custom headers
You can also find it in old documentation
2. FINDING DEV/STAGING API’S
Subdomain Brute Forcing
Public record and search engines
Social Engineering
ATTACK FLOW
Find out whether the Old/Dev API connects to the same DB or server as production
Find a weakness in the Old/Dev API
Use this weakness to affect the production API
https://hackerone.com/reports/157876
MITIGATIONS
Delete old APIs once they become deprecated
Protect your dev/staging API with authentication or IP restrictions
Add dev/staging APIs to your security scope
TRADITIONAL ATTACKS
API can be vulnerable to:
SQLi
RCE
XSS
IDOR
CSRF
XXE
and so on…
IDOR (INSECURE DIRECT OBJECT REFERENCE)
api.example.com/profile/UserId=123
Try changing to another valid UserId:
api.example.com/profile/UserId=456
BYPASSING IDOR VIA PARAMETER POLLUTION
api.example.com/profile/UserId=123
Try changing to:
api.example.com/profile/UserId=456&UserId=123
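The IDOR and parameter-pollution slides above, as an added example that is not part of the original deck: a handler that models the bypass (authorization layer reads the last `UserId`, data layer reads the first) beside a hardened handler that refuses repeated parameters and authorizes the single remaining value against the authenticated caller. The `?UserId=` query form, the sample profiles and the function names are constructed assumptions.

```python
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample store; in the slide's scenario the caller is UserId 123.
PROFILES: Dict[str, Dict[str, str]] = {
    "123": {"name": "alice"},
    "456": {"name": "bob"},
}


def user_id_values(url: str) -> List[str]:
    """Every value supplied for UserId, in order; more than one means pollution."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("UserId", [])


def vulnerable_get_profile(url: str, caller_id: str) -> Dict:
    """Models the slide's bypass: the authorization check reads the LAST
    UserId while the data lookup reads the FIRST. Each piece looks fine on
    its own; together they let ?UserId=456&UserId=123 pass the check as 123
    and then return 456's profile."""
    values = user_id_values(url)
    if not values:
        return {"status": 400, "error": "missing UserId"}
    if values[-1] != caller_id:          # gateway-style check on the last value
        return {"status": 403, "error": "forbidden"}
    profile = PROFILES.get(values[0])    # handler reads the first value
    return {"status": 200, "profile": profile} if profile else {"status": 404}


def get_profile(url: str, caller_id: str) -> Dict:
    """Hardened handler: reject any parameter given more than once, then do
    object-level authorization on the single remaining value."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if any(len(values) != 1 for values in params.values()):
        return {"status": 400, "error": "duplicate parameter"}
    user_id = params.get("UserId", [""])[0]
    if not user_id:
        return {"status": 400, "error": "missing UserId"}
    if user_id != caller_id:             # never trust the id alone
        return {"status": 403, "error": "forbidden"}
    profile = PROFILES.get(user_id)
    return {"status": 200, "profile": profile} if profile else {"status": 404}
```

Rejecting duplicates is what makes the two layers agree; when the framework cannot reject them, both layers must at least read the same (documented) occurrence.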
CROSS SITE SCRIPTING (XSS)
▸ Content-type: text/html
CROSS SITE REQUEST FORGERY (CSRF)
CSRF via XHR request (when there is no Content-Type validation in place)
CSRF via Flash and 307 redirect (when the Content-Type is validated, i.e. application/json)
▸ Note: If there is any additional CSRF token/referrer check in place, this attack will not work
XML EXTERNAL ENTITY (XXE)
VULNERABLE TEST BEDS
▸ https://github.com/snoopysecurity/dvws
▸ https://payatu.com/tiredful-api-vulnerable-rest-api-app/
▸ https://github.com/rapid7/hackazon
▸ https://github.com/bkimminich/juice-shop
