Prevent Malicious Hacking Attacks on your APIs
âąAls PPTX, PDF herunterladenâą
2 gefĂ€llt mirâą1,896 views
The document discusses various types of malicious hacking attacks on APIs, including SQL injection, XPath injection, code injection, log injection, XML external entity injection, cross-site scripting (XSS), denial-of-service (DoS) attacks, checking user permissions, malformed XML, XML bombs, malicious attachments, fuzzing scans, and custom scripting. It provides brief descriptions of each attack type and references additional resources on API security best practices.
Empfohlen
Weitere Àhnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Andere mochten auch (6)
Ăhnlich wie Prevent Malicious Hacking Attacks on your APIs
Ăhnlich wie Prevent Malicious Hacking Attacks on your APIs (20)
Mehr von SmartBear
Mehr von SmartBear (20)
KĂŒrzlich hochgeladen
KĂŒrzlich hochgeladen (20)
Prevent Malicious Hacking Attacks on your APIs
- 1. Prevent Malicious Hacking attacks on your APIs Michael Giller @GillerMichael
- 2. @GillerMichael Security Scans Overview - Injection ï SQL Injection: ï§ tries to exploit bad database integration coding ï XPath Injection: ï§ tries to exploit bad XML processing inside your target service
- 3. @GillerMichael Security Scans Overview - Injection ï Code Injection: ï§ Watch out for those eval() functions! ï Log Injection ï§ Could be used to stir up false alarms ï XML External Entity Injection ï§ Vulnerabilities in XML parsing
- 4. @GillerMichael Security Scans Overview - XSS ï Cross Site Scripting (XSS): ï§ enables attackers to inject client-side script into Web pages viewed by other users. ï§ Used to bypass same origin policy ï§ Could be used to plant a Trojan horse, get full access to user cookies and history, etc
- 5. @GillerMichael Security Scans Overview - DoS ï” Denial-of-Service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users â E.g. CyberBunker launched an all-out assault, on a spam-fighting company Spamhaus
- 6. @GillerMichael Security Scans Overview ï Check user permissions: ï§ Make sure that your users can only access the information they need to access ï§ Watch out for sequential IDs
- 7. @GillerMichael Security Scans Overview (Cont.) ï Malformed XML: ï§ tries to exploit bad handling of invalid XML on your server or in your service ï XML Bomb : ï§ tries to exploit bad handling of malicious XML request (be careful) ï Malicious Attachment: ï§ tries to exploit bad handling of attached files
- 8. @GillerMichael Security Scans Overview (Cont.) ï Fuzzing Scan: ï§ generates random input for specified request parameters for a specified number of requests ï Custom Script: ï§ allows you to use a script for generating custom parameter fuzzing values
- 9. References: @GillerMichael âą SoapUI team had a great informational âBetter Safe Than Sonyâ webinar discussing security. You can watch it here: ï http://www.soapui.org/soapUI-News/watch-yesterdays- webinar.html âą Open Web Application Security Project (OWASP) published top 10 most common types of attacks here: ï https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet âą Hereâs the attacks particular to REST: ï https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
Hinweis der Redaktion
- Injection attack is by far the most likely and common type of attack hackers are likely to attempt to explore vulnerabilities in your API. This slide talks about different classes of attacks people may send against your API parameters. To test how your APIs behave against these attacks, you can use SoapUIâs Security feature as shown here - http://www.soapui.org/Security/getting-started.html
- Injection attack is by far the most likely and common type of attack hackers are likely to attempt to explore vulnerabilities in your API. This slide talks about different classes of attacks people may send against your API parameters. To test how your APIs behave against these attacks, you can use SoapUIâs Security feature as shown here - http://www.soapui.org/Security/getting-started.html
- Cross-site scripting (XSS) enables attackers to inject client-side script into your applications so that XSS script can be viewed by other users. XSS may be used by attackers to bypass access controls such as the same origin policy. This type of security attack is becoming more and more popular in recent years. Prevent this with SoapUIâs Cross Side Scripting test - http://www.soapui.org/Security/cross-site-scripting.html
- You can mimic denial-of-service (DoS) by creating a load test. Either in SoapUI (http://www.soapui.org/Getting-Started/load-testing.html) or in our integration with LoadUI (http://www.loadui.com/Load-Testing-soapUI-Tests/getting-started-with-soapui-integration.html)
- This can be tested with a functional test case where you can string steps together. E.g.: Login as User 1, Post data, Logout User 1. Login as User 2, try to get User 1âs data, check that you cannot To string API calls together, see - http://www.soapui.org/Working-with-soapUI/point-and-click-testing.html
- These can be tested with SoapUI security tests: Malformed XML: http://www.soapui.org/Security/malformed-xml.html XML Bomb: http://www.soapui.org/Security/xml-bomb.html Malicious Attachment: http://www.soapui.org/Security/malicious-attachment.html
- These can be tested with SoapUI security tests: Fuzzing Scan: http://www.soapui.org/Security/fuzzing-scan.html Custom Scan: http://www.soapui.org/Security/script-custom-scan.html (If you can think of Security Tests outside of configurable offered scans, you can still use the framework to compose your own vulnerability checks)