Api days 2018 - API Security by Sqreen
1 like463 views
The document discusses API security from an insider's perspective. It begins by introducing the speaker and their background in hacking. It then discusses the top 10 OWASP vulnerabilities and how they apply to APIs, including injection vulnerabilities, broken authentication, and using components with known vulnerabilities. The document emphasizes that many security issues occur in code and can be detected at runtime by hooking frameworks. It provides examples of detecting SQL injections, issues with authentication, monitoring business vulnerabilities, and checking for outdated dependencies. The overall message is that APIs can be secured by understanding where vulnerabilities may exist in code and deployments.
![(byebug) thread list
+ 1 #<Thread:/webrick/server.rb:283 run> ...
2 #<WEBrick::TimeoutHandler::Thread/webrick/utils.rb:162 sleep> ...
3 #<Thread:sleep>/webrick/server.rb:174
(byebug) thread switch 3
[168, 177] in 2.2.0/webrick/server.rb
173: begin
=> 174: if svrs = IO.select([shutdown_pipe[0], *@listeners], …)
175: if svrs[0].include? shutdown_pipe[0]
176: break
At first sight](https://image.slidesharecdn.com/apidays2018-sqreen-180131230712/85/Api-days-2018-API-Security-by-Sqreen-17-320.jpg)
![(byebug) break ActiveRecord::SQLite3Adapter.exec_query
[283, 292] in …/active_record/…/sqlite3_adapter.rb
287:
=> 288: def exec_query(sql, name = nil, …)
[...]
(byebug) var local
[…]
sql = SELECT * FROM posts WHERE id=3
Database access: from the inside](https://image.slidesharecdn.com/apidays2018-sqreen-180131230712/85/Api-days-2018-API-Security-by-Sqreen-20-320.jpg)
![(byebug) var local
[…]
sql = SELECT * FROM posts WHERE id=3 UNION SELECT
password from users
params = { ‘q’ => ‘3 UNION SELECT password from users’}
Database access: from the inside](https://image.slidesharecdn.com/apidays2018-sqreen-180131230712/85/Api-days-2018-API-Security-by-Sqreen-22-320.jpg)
![class SessionsController < ApplicationController
def create
user = login(params[:email], params[:password])
JWT.encode(user.email, hmac_secret)
end
end
User authentication](https://image.slidesharecdn.com/apidays2018-sqreen-180131230712/85/Api-days-2018-API-Security-by-Sqreen-25-320.jpg)
![irb(main):001:0> Gem.loaded_specs.map do |k, v|
puts "%20st%st%s " % [k, v.version, v.homepage]
end
rake 10.4.2
erubis 2.7.0 http://www.kuwata-lab.com/erubis/
nokogiri 1.6.6.2 http://nokogiri.org
actionview 4.2.3 http://www.rubyonrails.org
sqlite3 1.3.10 https://github.com/sparklemotion/sqlite3-ruby
execjs 2.6.0 https://github.com/rails/execjs
...
CVE-2015-1819
CVE-2015-7941
CVE-2015-7942
CVE-2015-8035
An application
dependencies](https://image.slidesharecdn.com/apidays2018-sqreen-180131230712/85/Api-days-2018-API-Security-by-Sqreen-32-320.jpg)
Api days 2018 - API Security by Sqreen
- 1. API security: an insider’s point of view APIDays Paris • 2017/01/30
- 2. Jean-Baptiste Aviat CTO & Co-founder at Sqreen Former hacker at Apple (Red Team) jb@sqreen.io @jbaviat Who Am I?
- 3. What should I do for security?
- 4. You MUST do EVERYTHING, NOW!
- 5. You do that, right? Don’t you?
- 8. Where should I even start?
- 9. The OWASP top 10
- 10. Web?! WTF I do APIs dude
- 11. No worries. This is security sanity. It works for APIs as well.
- 12. •Injection •Broken authentication •Sensitive Data Exposure •XML External Entities (XXE) •Broken Access Control •Security Misconfiguration •Cross Site Scripting (XSS) •Insecure Deserialisation •Using components with known vulnerabilities
- 13. •Injection •Broken authentication •Sensitive Data Exposure •XML External Entities (XXE) •Broken Access Control •Security Misconfiguration •Cross Site Scripting (XSS) •Insecure Deserialisation •Using components with known vulnerabilities
- 14. •Injection •Broken authentication •Sensitive Data Exposure •XML External Entities (XXE) •Broken Access Control •Security Misconfiguration •Cross Site Scripting (XSS) •Insecure Deserialisation •Using components with known vulnerabilities
- 15. •Injection •Broken authentication •Sensitive Data Exposure •XML External Entities (XXE) •Broken Access Control •Security Misconfiguration •Cross Site Scripting (XSS) •Insecure Deserialisation •Using components with known vulnerabilities
- 16. An HTTP server with a debugger
- 17. (byebug) thread list + 1 #<Thread:/webrick/server.rb:283 run> ... 2 #<WEBrick::TimeoutHandler::Thread/webrick/utils.rb:162 sleep> ... 3 #<Thread:sleep>/webrick/server.rb:174 (byebug) thread switch 3 [168, 177] in 2.2.0/webrick/server.rb 173: begin => 174: if svrs = IO.select([shutdown_pipe[0], *@listeners], …) 175: if svrs[0].include? shutdown_pipe[0] 176: break At first sight
- 19. SQL injection vulnerability •injection vuln = using data in an other context, without proper preparation •basically, anything can be retrieved from the database
- 20. (byebug) break ActiveRecord::SQLite3Adapter.exec_query [283, 292] in …/active_record/…/sqlite3_adapter.rb 287: => 288: def exec_query(sql, name = nil, …) [...] (byebug) var local […] sql = SELECT * FROM posts WHERE id=3 Database access: from the inside
- 21. 0 ActiveRecord::SQLite3Adapter.exec_query(sql#String, …) … 7 PostsController.set_post … 27 ActionController.dispatch(request#ActionDispatch::Request, …) … 40 ActionDispatch::ParamsParser.call(env#Hash) … 76 WEBrick::GenericServer.start_thread(sock#TCPSocket, …) Database access: a closer look
- 22. (byebug) var local […] sql = SELECT * FROM posts WHERE id=3 UNION SELECT password from users params = { ‘q’ => ‘3 UNION SELECT password from users’} Database access: from the inside
- 23. Take aways •Injections vulnerabilities lies in your code •They can be detected at runtime, hooking e.g. SQL drivers •Ruby on Rails: ActiveRecord::ConnectionAdapters::AbstractAdapter::log
- 25. class SessionsController < ApplicationController def create user = login(params[:email], params[:password]) JWT.encode(user.email, hmac_secret) end end User authentication
- 27. Take aways •Authentication related vulnerabilities happen (or lies) in the code •Many can be detected at runtime, hooking authentication frameworks •Ruby on Rails: Devise::Strategies::DatabaseAuthenticatable.authenticate!
- 29. Stripe::Charge.create( :amount => 2000, :currency => "usd", :description => "Charge for jb@sqreen.io“ ) Payment monitoring
- 30. Take aways •Business vulnerabilities… are triggered in your code! •Even if you have no vulnerability •They can be measured during runtime •And analysed (realtime or not) then •What to monitor? You know your business!
- 31. OWASP: Components with Known Vulnerabilities
- 32. irb(main):001:0> Gem.loaded_specs.map do |k, v| puts "%20st%st%s " % [k, v.version, v.homepage] end rake 10.4.2 erubis 2.7.0 http://www.kuwata-lab.com/erubis/ nokogiri 1.6.6.2 http://nokogiri.org actionview 4.2.3 http://www.rubyonrails.org sqlite3 1.3.10 https://github.com/sparklemotion/sqlite3-ruby execjs 2.6.0 https://github.com/rails/execjs ... CVE-2015-1819 CVE-2015-7941 CVE-2015-7942 CVE-2015-8035 An application dependencies
- 33. Take aways •Defined in your code - or in your configuration files anyway •So important even GitHub does it nowadays •Runtime allows to check all deployments are fine
- 34. Meta take aways (OMG) •Bug happens •Some of them are security related •Be aware of in-code vulnerabilities •And business vulnerabilities •It will be on you (you, as an API builder) some day
- 35. Questions? OWASP top 10 2017: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf CTO security checklist: https://cto-security-checklist.sqreen.io/