apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer Society
0 likes162 views
The document outlines the vulnerabilities and security issues associated with API architectures, emphasizing common attack vectors such as broken authorization, injection attacks, and excessive data exposure. It highlights the importance of integrating security measures throughout the API lifecycle and suggests various security strategies and tools to protect APIs from cyber threats. Additionally, it calls for collaboration among development, security, and API teams to effectively address API security challenges.
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer Society
- 1. Attack API Architecture Alvin TAM Executive Committee Enterprise Architecture special group Hong Kong Computer Society (ExCo EASG HKCS) Attack vector created by storyset - www.freepik.com
- 3. © 2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. API Security Flaws Can Result in Data Breaches
- 4. Key Issues What are the problems with API security? How can APIs be secured? How about the API Security Architecture? ?
- 5. OWASP API Security Top 10 Broken object level authorization Broken authentication Excessive data exposure Lack of resources and rate limiting Broken function level authorization Mass assignment Security misconfiguration Injection Improper asset management Insufficient logging and monitoring 01 02 03 04 05 06 07 08 09 10 What happens if you increment that number? /patient/333555 You can have a check with an open source https://github.com/OWASP/crAPI
- 6. APIs How are our API Architectures being attacked? Website/Single Page Application IoT Devices Mobile App Cloud Service Keys: 1 4 3 2 2 2 1 2 3 4 Unsecured API keys in repositories and storage Hard-coded credentials (incl. API Keys) in applications API logic flaws Sniffed API calls Plus all traditional web application attacks!
- 7. Hackers have a lot of ways to attack • Hackers can • Attacking Authentication • Fuzzing • Broken object-level authorization (BOLA) • Broken Function Level Authorization • Blind Mass Assignment Attack • Change product price • Injection • XXS • SQL Injection
- 8. Attacking Authentication • Password Brute-Force Attacks • Password Forget password OTP attacks • Brute-Forcing Predictable Tokens POST /identity/api/auth/v3/check-otp HTTP/1.1 Host: 192.168.195.130:8888 User-Agent: Mozilla/5.0 (x11; Linux x86_64; rv: 78.0) Gecko/20100101 Accept: */* Accept -Language: en-US, en;q=0.5 Accept-Encoding: gzip,deflate Referer: http://111.222.101:8888/forgot- password Content-Type: application/json Origin: http://111.222.101.100:8888 Content-Length: 62 Connection: close { "email":"a@email.com", "otp":"1234", "password": "Newpassword" } Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJpc3MiOiJoYWNrYXBpcy5pbyIsImV4c CI6IDE1ODM2Mzc0ODgsInVzZXJuYW1lIj oiU2N1dHRsZXBoMXNoIiwic3VwZXJhZG 1pbiI6dHJ1ZX0.1c514f4967142c27e4e57 b612a7872003fa6cbc7257b3b74da17a8b 4dc1d2ab9
- 9. Fuzzing • Targeted fuzzing payloads are aimed at provoking a response from specific technologies and types of vulnerabilities. Targeted fuzzing payload types might include API object or variable names, cross-site scripting (XSS) payloads, directories, file extensions, HTTP request methods, JSON or XML data, SQL or No SQL commands, or commands for particular operating systems. • Sending various symbols (-_!@#$%^&*();':''|,./?>) Sending characters from unexpected languages (漢, さ, Ж, Ѫ, Ѭ, Ѧ, Ѩ, Ѯ) • There are two fuzzing techniques: fuzzing wide and fuzzing deep. Fuzzing wide is the act of sending an input across all of an API’s unique requests in an attempt to discover a vulnerability. Fuzzing deep is the act of thoroughly testing an individual request with a variety of inputs, replacing headers, parameters, query strings, endpoint paths, and the body of the request with your payloads. You can think of fuzzing wide as testing a mile wide but an inch deep and fuzzing deep as testing an inch wide but a mile deep.
- 10. Broken object-level authorization (BOLA) • Broken object-level authorization (BOLA) vulnerabilities occur when a user is able to access other users' data due to the flaws in authorization controls validating access to data objects. • Get /api/v1/user/account?id=100001 • Get /api/v1/user/account?id=100002 • Get /api/v1/user/account?id=100003 • …..
- 11. Broken Function Level Authorization • Finding BFLAs Hunting for BFLA involves searching for functionality to which you should not have access. A BFLA vulnerability might allow you to update object values, delete data, and perform actions as other users. To check for it, try to alter or delete resources or gain access to functionality that belongs to another user or privilege level. • Create, read, update, or delete resources as UserA. • Swap out your UserA token for UserB’s. • Send GET, PUT, POST, and DELETE requests for UserA’s resources using UserB’s token. • Check UserA’s resources to validate changes have been made by using UserB’s token. Request: GET /api/picture/2 Token: UserA_token Response: 200 OK { "_id": 2, "name": "development flower", "creator_id": 2, "username": "UserA", "money_made": 0.35, "likes": 0 }
- 12. Blind Mass Assignment Attack • If you cannot find variable names in the locations discussed, you could perform a blind mass assignment attack. In such an attack, you’ll attempt to brute-force possible variable names through fuzzing. Send a single request with many possible variables, like the following, and see what sticks: POST /api/v1/register --snip-- { "username":"hAPI_hacker", "email":"hapi@hacker.com", "admin": true, "admin":1, "isadmin": true, "role":"admin", "role":"administrator", "user_priv": "admin", "password":"Password1!" } PUT /api/v1/account/update Token:UserA-Token --snip-- { "username": "Brock", "address": "456 Onyx Dr", "city": "Pewter Town", "region": "Kanto", "email": "ash@email.com", "mfa": false } • If an API is vulnerable, it might ignore the irrelevant variables and accept the variable that matches the expected name and format.
- 13. Change the product price • POST /identity/api/auth/signup • POST /workshop/api/shop/orders • POST /workshop/api/merchant/contact_mechanic POST /workshop/api/shop/products HTTP/1.1 Host: 192.168.195.130:8888 Authorization: Bearer UserA-Token { "name":"MassAssignment SPECIAL", "price":-5000, "image_url":"https://example.com/chickendinner.jpg " } POST /workshop/api/shop/products HTTP/1.1 Host: 197.164.150.110:8888 Authorization: Bearer UserA-Token { "name":"TEST1", "price":25, "image_url":"string", "credit":1337 }
- 14. Injection • Database injection techniques such as SQL injection take advantage of SQL databases, whereas NoSQL injection takes advantage of NoSQL databases. • Cross-site scripting (XSS) attacks insert scripts into web pages that run on a user’s browser. Cross-API scripting (XAS) is similar to XSS but leverages third-party applications ingested by the API you’re attacking. • Command injection is an attack against the web server operating system that allows you to send it operating system commands.
- 15. Cross Site Scripting (XXS) • Here are a few examples of XSS payloads: <script>alert("xss")</script> <script>alert(1);</script> <%00script>alert(1)</%00script> SCRIPT>alert("XSS");///SCRIPT> • Payload Box XSS payload list This list contains over 2,700 XSS scripts that could trigger a successful XSS attack (https://github.com/payloadbox/xss-payload-list). POST /api/profile/update HTTP/1.1 Host: hapihackingblog.com Authorization: hAPI.hacker.token Content-Type: application/json { "fname": "hAPI", "lname": "Hacker", "city": "<script>alert("xas")</script>" }
- 16. SQL / No SQL Injection • SELECT * FROM userdb WHERE username = ‘hacker' AND password = 'Password1!' • SELECT * FROM userdb WHERE username = ‘hacker' OR 1=1-- - No SQL POST /community/api/v2/coupon/validate- coupon HTTP/1.1 --snip-- {"coupon_code":"%7b$where%22% 3a%22sleep(1000)%22%7d"} Then you can go inside the site in API, e.g. POST /login HTTP/1.1 Host: 192.168.195.132:8000 --snip-- user=hapi%40hacker.com&pass=§ Password1%21§
- 17. Key Issues What are the problems with API security? How can APIs be secured? How about the API Security Architecture?
- 18. Application Developer A. Security Team B. API Team C. Integration Team D. Nobody E. Who is primarily responsible for API security in your organization? Retrospective Question
- 19. Security in the API Lifecycle Design Time Runtime API Security Testing API Threat Protection API Discovery (Runtime) API Discovery (Design Time)
- 20. API Security with Mobile and Client-Side Apps ● Avoid credential hardcoding ● Protect from man in the middle attacks ● Verify the environment App APIs
- 21. © 2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. Including your Security Team in API Strategy Is the Security team involved? 80% 20% Yes No Percentage of Respondents Use API management solution Don’t use API management solution Base 66 32 Yes 88% 66% No 12% 34% Statistically significant difference @ 95% prepare your tech team ready for Security Development
- 22. Key Issues What are the problems with API security? How can APIs be secured? How about the API Security Architecture?
- 23. ID Delivering API Security Architecture Developer End User Browser Mobile Application to Application API Portal API Gateway Access Management Web Application Firewall API Security Testing Discover unsecured APIs Integrate with API gateway, provide proxy/gateway, use AI/ML to detect unusal API usage API Management In-App Protection APIs
- 24. Scenario: Mobile APP, Web and IoT Devices on API Architecture
- 25. Create a policy to secure your APIs. Secure: Observe your API usage. Learn what “normal” is for API behavior. Analyze: Inventory APIs that have been delivered, or are in the development process. APIs consumed from third-parties should also be included. API API Putting it all together Discover: 1 2 3
- 26. Three Sides of API Security Architecture API Security Testing API Protection API Access Control Key functionality Identification of API security flaws and vulnerabilities Content validation, threat detection, traffic throttling Authentication, authorization, identity propagation Key technologies used Dynamic application security testing (DAST), fuzzing, static application security testing (SAST) Attack signature, reputation- based control, anomaly detection, OAS message validation OAuth 2.0, OpenID Connect, JSON Web Tokens Product categories Application security testing tools, specialized API security platforms Web application firewalls, API management, specialized API security platforms. API management, access management software, IDaaS.
- 27. Your API Security Building Blocks Authentication of the API client (e.g., mobile app) JSON/XML element encryption Quota management/ Traffic throttling Content inspection Content validation (JSON schema, XML schema) Tokenization of sensitive information (e.g., patient number) Automated attack/Bot detection Usage plan management Data transformation Store audit logs Digital signature API key authentication Fine-grained authorization OAuth scope management Transport security (TLS/SSL) Integration with access management XML/SOAP security (WS-security, etc.) Alerting (including to SIEM)
- 28. API Client Applications Authentication and authorization Validation against API Definition Remove sensitive data from API responses Validation of API response Security Analytics platforms Store Audit Logs Identity and access management Detection of harmful or unusual API traffic Application firewalls, bot mitigation, AI/ML Data masking, Data tokenization uses uses uses uses Example Policy for API Security Architecture
- 29. 23 © 2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. Recommendations Include your security team in your API platform team Consider the whole picture for API security architecture, not just an API gateway Think “North South” as well as “East West” for API security architecture
- 30. Enjoy speeding APIs & being protected from hackers Alvin TAM Executive Committee Enterprise Architecture special group Hong Kong Computer Society (ExCo HKCS)