API Security Webinar - Hendra Tanto
0 likes63 views
The document outlines the top API security challenges, including broken object level authorization, excessive data exposure, and security misconfiguration. It presents specific examples of vulnerabilities, such as a case involving Uber's API, and emphasizes the importance of proper authentication and authorization mechanisms. Additionally, it mentions strategies for securing APIs based on recommendations by industry experts.
API Security Webinar - Hendra Tanto
- 1. API SECURITY CHALLENGE F5 LABS Hendra Tanto h.tanto@f5.com
- 4. ● A1: Broken Object Level Authorization ● A2: Broken Authentication ● A3: Excessive Data Exposure ● A4: Lack of Resources & Rate Limiting ● A5: Broken Function Level Authorization ● A6: Mass Assignment ● A7: Security Misconfiguration ● A8: Injection ● A9: Improper Assets Management ● A10: Insufficient Logging & Monitoring API Security Top 10 Weak Authentication & Authorization Information Leakage Malicious Request Lack of Visibility
- 5. | ©2019 F5 NETWORKS 5 How to Secure API according to Gartner +? ms +? ms +? ms +? ms +? ms +? ms +? ms +500 ms
- 9. | ©2019 F5 9 API Management
- 10. | ©2019 F5 10 API Management – Traffic Management
- 12. | ©2019 F5 NETWORKS 12 HOW I COULD HAVE HACKED YOUR UBER ACCOUNT April 2019 discovered by Taking control of accounts, all accounts ... Uber POST /p3/fleet-manager/_rpc?rpc=addDriverV2 HTTP/1.1 Host: partners.uber.com {“nationalPhoneNumber”:”xxxxxxxxxx”,”countryCode”:”1"} { “status”:”failure”, ”data”: { “code”:1009, ”message”:”Driver ‘47d063f8–0xx5e-xxxxx-b01a-xxxx’ not found” } } #1 #2 Thank you for the driver's Uid!
- 13. | ©2019 F5 NETWORKS 13 HOW I COULD HAVE HACKED YOUR UBER ACCOUNT April 2019 discovered by Taking control of accounts, all accounts ... Uber POST /marketplace/_rpc?rpc=getConsentScreenDetails HTTP/1.1 … {“language”:”en”,”userUuid”:”xxxx–776–4xxxx1bd-861a- 837xxx604ce”} { “status”:”success”, ”data”:{ … ”getUser”:{ “uuid”:”cxxxxxc5f7371e”, ”firstname”:”Maxxxx”, ”lastname”:”XXXX”, … ”email”:”xxxx@gmail.com”, ”emailToken”:”xxxxxxxx”, … ”token”:”b8038ec4143bb4xxxxxx72d”, … ”lastSelectedPaymentProfileUuid”:”xxxxxx”, … ”driverInfo”:{ … }, ”partnerInfo”:{ “address”:”Nxxxxxxx”, ”dateOfBirth”:xxxxxx, ”… } } #3 #4 The driver's entire profile + Token
- 21. | ©2019 F5 21 Billing Service Edge API Gateway User Management Service Top Up Service Payment Service Point Service Other API /api/other/topup /api/other/user Payment API /api/payment/inquiry /api/payment/payment Billing API /api/billing/payment /api/billing/settlement 500 / Second 100 / Second 5000 / Second Partner 1 Partner 2 NGINX API Gateway Functions
- 24. Bank Breach through 3rd Party
- 25. Authorization Server Client Token Resource Server Identity 1 2 3 4 Validation Trust Resource Owner 5 API Authorization OAUTH 2.0 “The idea of OAuth is that by requiring users to pass their confidential credentials over the network less frequently, less bad things can happen.”