SlideShare a Scribd company logo

API Hijacking.pdf

V
VishwasN6

The document discusses API security and the vulnerabilities associated with it, highlighting the importance of understanding business logic and anticipating hacker strategies. It outlines the OWASP Top 10 API security risks and emphasizes best practices such as fixing APIs promptly, managing authentication and authorization, and performing comprehensive security assessments. Additionally, it references various tools and reports that support API security evaluation and highlights common pitfalls in API design.

Internet
1 of 26
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
API Hijacking By : Vishwas Narayan API Security Practitioner,Community Advocate Opstree Business Logic Easy Attack Vector
Know your Resources โ— Don't Open Secrets in the API documentation โ— Keep the API Docs in Email Authentication not open โ— Documents that say what is the API is until you feel there is a new security patch that has to be done โ— Fix the API as soon as possible
Know your Situation โ€œUnderstand what is the business logic before you open the API that you feel its secureโ€
Know your Adversary/Enemy โ€œHack your APIโ€™s before hacker knows how hack itโ€ โ— You need to know the next move โ— You need to make moves before a stranger makes it
OWASP Top 10 in API Security 1. Broken Object Level Authorization 2. Broken User Authentication 3. Excessive Data Exposure 4. Lack of Resources & Rate Limiting 5. Broken Function Level Authorization 6. Mass Assignment 7. Security Miscon๏ฌguration 8. Injection 9. Improper Assets Management 10. Insu๏ฌƒcient Logging & Monitoring OWASP API Security Project | OWASP Foundation
Summarising issues in API โž” Authentication/Session Management โž” Authorization/Access Control/IDOR โž” Inputs and Output Validation/Error Handling โž” Rate Limiting/Throttling
Let's worship this โ— Global state of the internet security DDoS attack reports | Akamai โ— How to send API key in the header of python request? - Stack Overflow โ— Postman Sending Request onto the API โ— Postman Sending AUTH token โ— Automating the postman Calls โ— Akamai State of the Internet Report โ— Salt Security releases Salt Labs State of API Security Report, Q3 2022
DOMO Report 9.0 Data Never Sleeps 9.0 | Domo
API Hijacking.pdf
ALL report says one thing you architect the api wrong way guess what world will show you how it can be
Common APIโ€™s 1. APIโ€™s 2. Open API 3. Public API 4. External API 5. Internal API 6. Swaggers 7. Rest API 8. SOAP 9. Graphql 10. Machine to Machine API 11. BETA ,Pre Production,Production API 12. Third Party 13. Composite API
Unknown APIโ€™s 1. Zombie API 2. Shadow API 3. Frankenstein API
API Hijacking.pdf
What is cURL and how does it relate to APIs? - IBM Developer The turtle and the Bunny (animation) by VirtualSketcher on DeviantArt
dsopas/MindAPI: Organize your API security assessment by using MindAPI. It's free and open for community collaboration. (github.com)
API Hijacking.pdf
API Hijacking.pdf
API Hijacking.pdf
API Hijacking.pdf
API Hijacking.pdf
API Hijacking.pdf
API Hijacking.pdf
API Hijacking.pdf
assetnote/kiterunner: Contextual Content Discovery Tool (github.com)
MobSF/Mobile-Security-Framework-MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. (github.com)
Thank you lets go Handson

More Related Content

PDF
API Testing and Hacking (1).pdf
Vishwas N
ย 
PDF
API Testing and Hacking.pdf
VishwasN6
ย 
PDF
API Testing and Hacking.pdf
Vishwas N
ย 
PDF
APIsecure 2023 - API First Hacking, Corey Ball, Author of Hacking APIs
apidays
ย 
PDF
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays
ย 
PDF
HowYourAPIBeMyAPI
Jie Liau
ย 
PPTX
apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...
apidays
ย 
PDF
OWASPAPISecurity
Jie Liau
ย 
API Testing and Hacking (1).pdf
Vishwas N
ย 
API Testing and Hacking.pdf
VishwasN6
ย 
API Testing and Hacking.pdf
Vishwas N
ย 
APIsecure 2023 - API First Hacking, Corey Ball, Author of Hacking APIs
apidays
ย 
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays
ย 
HowYourAPIBeMyAPI
Jie Liau
ย 
apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...
apidays
ย 
OWASPAPISecurity
Jie Liau
ย 

Similar to API Hijacking.pdf (20)

PPTX
I'm an API Hacker, Here's How to Go from Making APIs to Breaking Them - Katie...
Nordic APIs
ย 
PDF
APISecurity_OWASP_MitigationGuide
Isabelle Mauny
ย 
PDF
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
ย 
PPTX
Outpost24 webinar - Api security
Outpost24
ย 
PPTX
Layered API Security: What Hackers Don't Want You To Know
AaronLieberman5
ย 
PDF
Hacker vs AI
Nordic APIs
ย 
PDF
API Security Best Practices and Guidelines
WSO2
ย 
PPTX
What Is an API? | API Security Explained | API Security Best Practices | Simp...
Simplilearn
ย 
PDF
A REVIEW PAPER ON API MALWARE ANALYSIS AND FORENSICS
IRJET Journal
ย 
PDF
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
ย 
PDF
The API Primer (OWASP AppSec Europe, May 2015)
Greg Patton
ย 
PPTX
Web API Security
Stefaan
ย 
PDF
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
ย 
PDF
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays
ย 
PDF
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSIยฎ
United States Cybersecurity Institute (USCSIยฎ)
ย 
PDF
Space Camp :: Introduction to API Security
Postman
ย 
PDF
Outpost24 webinar Why API security matters and how to get it right.pdf
Outpost24
ย 
PDF
INTERFACE by apidays 2023 - Something Old, Something New, Colin Domoney, 42Cr...
apidays
ย 
PDF
Akamai_ API Security Best Practices - Real-world attacks and breaches
Security Bootcamp
ย 
PDF
API Summit 2021: What to know before you start dating APIs.pdf
NITHIN S.S
ย 
I'm an API Hacker, Here's How to Go from Making APIs to Breaking Them - Katie...
Nordic APIs
ย 
APISecurity_OWASP_MitigationGuide
Isabelle Mauny
ย 
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
ย 
Outpost24 webinar - Api security
Outpost24
ย 
Layered API Security: What Hackers Don't Want You To Know
AaronLieberman5
ย 
Hacker vs AI
Nordic APIs
ย 
API Security Best Practices and Guidelines
WSO2
ย 
What Is an API? | API Security Explained | API Security Best Practices | Simp...
Simplilearn
ย 
A REVIEW PAPER ON API MALWARE ANALYSIS AND FORENSICS
IRJET Journal
ย 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
ย 
The API Primer (OWASP AppSec Europe, May 2015)
Greg Patton
ย 
Web API Security
Stefaan
ย 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
ย 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays
ย 
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSIยฎ
United States Cybersecurity Institute (USCSIยฎ)
ย 
Space Camp :: Introduction to API Security
Postman
ย 
Outpost24 webinar Why API security matters and how to get it right.pdf
Outpost24
ย 
INTERFACE by apidays 2023 - Something Old, Something New, Colin Domoney, 42Cr...
apidays
ย 
Akamai_ API Security Best Practices - Real-world attacks and breaches
Security Bootcamp
ย 
API Summit 2021: What to know before you start dating APIs.pdf
NITHIN S.S
ย 
Ad

Recently uploaded (20)

PDF
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
ย 
PPTX
artificial intelligence overview of it and more
yafotin445
ย 
PDF
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
ย 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
ย 
PPTX
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
ย 
PDF
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
ย 
PPTX
SAP Ariba Sourcing PPT for learning material
NKKumar16
ย 
PPTX
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
ย 
PPTX
Digital Literacy And Online Safety on internet
riksa rifqi
ย 
PPTX
Internet___Basics___Styled_ presentation
poonam62133
ย 
PPTX
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
ย 
PPTX
QR Codes Qr codecodecodecodecocodedecodecode
SRMediaZone
ย 
PDF
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
ย 
PPTX
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
ย 
PDF
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
ย 
PPTX
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
ย 
PPTX
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
ย 
PPTX
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
ย 
PPTX
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
ย 
PDF
๐Ÿ’ฐ ๐”๐Š๐“๐ˆ ๐Š๐„๐Œ๐„๐๐€๐๐†๐€๐ ๐Š๐ˆ๐๐„๐‘๐Ÿ’๐ƒ ๐‡๐€๐‘๐ˆ ๐ˆ๐๐ˆ ๐Ÿ๐ŸŽ๐Ÿ๐Ÿ“ ๐Ÿ’ฐ
GRAB
ย 
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
ย 
artificial intelligence overview of it and more
yafotin445
ย 
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
ย 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
ย 
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
ย 
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
ย 
SAP Ariba Sourcing PPT for learning material
NKKumar16
ย 
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
ย 
Digital Literacy And Online Safety on internet
riksa rifqi
ย 
Internet___Basics___Styled_ presentation
poonam62133
ย 
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
ย 
QR Codes Qr codecodecodecodecocodedecodecode
SRMediaZone
ย 
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
ย 
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
ย 
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
ย 
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
ย 
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
ย 
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
ย 
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
ย 
๐Ÿ’ฐ ๐”๐Š๐“๐ˆ ๐Š๐„๐Œ๐„๐๐€๐๐†๐€๐ ๐Š๐ˆ๐๐„๐‘๐Ÿ’๐ƒ ๐‡๐€๐‘๐ˆ ๐ˆ๐๐ˆ ๐Ÿ๐ŸŽ๐Ÿ๐Ÿ“ ๐Ÿ’ฐ
GRAB
ย 
Ad

API Hijacking.pdf

  • 1. API Hijacking By : Vishwas Narayan API Security Practitioner,Community Advocate Opstree Business Logic Easy Attack Vector
  • 2. Know your Resources โ— Don't Open Secrets in the API documentation โ— Keep the API Docs in Email Authentication not open โ— Documents that say what is the API is until you feel there is a new security patch that has to be done โ— Fix the API as soon as possible
  • 3. Know your Situation โ€œUnderstand what is the business logic before you open the API that you feel its secureโ€
  • 4. Know your Adversary/Enemy โ€œHack your APIโ€™s before hacker knows how hack itโ€ โ— You need to know the next move โ— You need to make moves before a stranger makes it
  • 5. OWASP Top 10 in API Security 1. Broken Object Level Authorization 2. Broken User Authentication 3. Excessive Data Exposure 4. Lack of Resources & Rate Limiting 5. Broken Function Level Authorization 6. Mass Assignment 7. Security Miscon๏ฌguration 8. Injection 9. Improper Assets Management 10. Insu๏ฌƒcient Logging & Monitoring OWASP API Security Project | OWASP Foundation
  • 6. Summarising issues in API โž” Authentication/Session Management โž” Authorization/Access Control/IDOR โž” Inputs and Output Validation/Error Handling โž” Rate Limiting/Throttling
  • 7. Let's worship this โ— Global state of the internet security DDoS attack reports | Akamai โ— How to send API key in the header of python request? - Stack Overflow โ— Postman Sending Request onto the API โ— Postman Sending AUTH token โ— Automating the postman Calls โ— Akamai State of the Internet Report โ— Salt Security releases Salt Labs State of API Security Report, Q3 2022
  • 8. DOMO Report 9.0 Data Never Sleeps 9.0 | Domo
  • 10. ALL report says one thing you architect the api wrong way guess what world will show you how it can be
  • 11. Common APIโ€™s 1. APIโ€™s 2. Open API 3. Public API 4. External API 5. Internal API 6. Swaggers 7. Rest API 8. SOAP 9. Graphql 10. Machine to Machine API 11. BETA ,Pre Production,Production API 12. Third Party 13. Composite API
  • 12. Unknown APIโ€™s 1. Zombie API 2. Shadow API 3. Frankenstein API
  • 14. What is cURL and how does it relate to APIs? - IBM Developer The turtle and the Bunny (animation) by VirtualSketcher on DeviantArt
  • 15. dsopas/MindAPI: Organize your API security assessment by using MindAPI. It's free and open for community collaboration. (github.com)
  • 25. MobSF/Mobile-Security-Framework-MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. (github.com)
  • 26. Thank you lets go Handson