APIsecure 2023 - API First Hacking, Corey Ball, Author of Hacking APIs
0 likes270 views
The document discusses the vulnerabilities of APIs as a significant attack vector, highlighting the disconnect between organizations' confidence in their API security and actual incidents. It emphasizes the inadequacy of traditional web application scanning tools for effective API testing and outlines specific testing methodologies to enhance API security. The author promotes a free course on API security testing from APISec University to better equip individuals and organizations with necessary skills.
![Optus Quotes
• "Some experts say [Optus] may be the worst data breach in Australia's history"
• "Optus chief executive ... called it a "sophisticated attack", saying the company has very
strong cybersecurity."](https://image.slidesharecdn.com/coreyballapifirsthacking-230321121732-d665f6d8/85/APIsecure-2023-API-First-Hacking-Corey-Ball-Author-of-Hacking-APIs-7-320.jpg)
![• The Australian Cyber Security Minister ...
• Optus chief executive responded, "We have multiple layers of protection. So it is not the case
of having some sort of completely exposed APIs [software interfaces] sitting out there".
Source: https://www.bbc.com/news/world-australia-63056838](https://image.slidesharecdn.com/coreyballapifirsthacking-230321121732-d665f6d8/85/APIsecure-2023-API-First-Hacking-Corey-Ball-Author-of-Hacking-APIs-8-320.jpg)
APIsecure 2023 - API First Hacking, Corey Ball, Author of Hacking APIs
- 1. API First Hacking #whoami Corey Ball @hAPI_hacker • 13+ years in IT & Cyber • Senior Manager Pentest Consulting, Moss Adams • Author of Hacking APIs (No Starch Press, 2022) • Founder and Chief Hacking Officer, APIsec University - APIsecU (https://apisecu.com/)
- 2. • OWASP API Security Project Contributor Free API Penetration Testing Course + Book Giveaway
- 3. Overview Today I will explain why the following are true. • APIs are a leading attack vector • Organizations are confident in their insecure APIs
- 4. • Web app scanning tools are insufficient for API testing • Specific testing is required to earn confidence in API Security Classic Hacking Process 1. Call me lazy, but the classic kill chain is a lot of work 2. Gain access 3. Pivot through the network to find data 4. Exfiltrate data
- 5. The Hacking Process with APIs 1. Use Vulnerable API 2. Find Weakness 3. Exploit
- 6. 4. The path of least resistance 1 - Thanks Dan Barahona, APIsec University APIs are a leading Attack Vector • Examples!
- 7. Optus Quotes • "Some experts say [Optus] may be the worst data breach in Australia's history" • "Optus chief executive ... called it a "sophisticated attack", saying the company has very strong cybersecurity."
- 8. • The Australian Cyber Security Minister ... • Optus chief executive responded, "We have multiple layers of protection. So it is not the case of having some sort of completely exposed APIs [software interfaces] sitting out there". Source: https://www.bbc.com/news/world-australia-63056838
- 11. Noname 2022 Survey Results • 71% of respondents report confidence in their API protection • 67% of respondents are confident that their DAST and SAST tools are capable of testing APIs Meanwhile... • 76% experienced an API security incident in the last 12 months Credit: https://nonamesecurity.com/press/new-research-reveals-disconnect-between-api-protection- and-api-security-incidents Common Web App Tools Techniques are Ineffective Against APIs 1. Definition of False-Negative
- 12. Automated Scans At Worst
- 13. Automated Scans At Best
- 14. Test the Gaps! Authorized API Testing - Create resources as UserA and attempt to Create, Read, Update, Delete as UserB - Create resources as GroupA and attempt to Create, Read, Update, Delete as GroupB
- 15. - Make sure that users are only able to alter object properties that belong to them Test API Authentication - Weak Passwords - Authentication Bypass or Missing Auth Altogether - Authentication Attempt Lockout - Rate Limiting
- 16. Test API Tokens - Are the tokens predictable? - Does the JWT Payload leak sensitive information? - Can the JWT Algorithm be altered or the secret guessed? Excessive Data Exposure - Use the API as it was intended and analyze the response - Does the API return too much information? - Can that information be used in additional attacks?
- 17. Improper Assets Management - What version is the API? ( /v1, /v2, /v3 ) - How is that version designated? (Path, Header, POST body) - Can you request unsupported versions? - Is the unsupported version vulnerable to additional attacks? Do all of the supported versions support a business purpose?
- 18. Fuzz Everything! - Inputs = POST Body, query parameters, and headers - Test inputs for Injection - Test inputs for Mass Assignment - Test for SSRF
- 19. Test File Upload Functionality - Can malicious files be uploaded? - Can arbitrary filetypes be manipulated? - Can uploaded files be executed with web app functionality? API-First Security Testing • API requests make up over 80% of all web traffic • APIs are the path of least resistance for adversaries • The data that APIs interact with are often the most valuable to attackers • "API Traffic increased 681% in 2022" • "US companies faced $12-23 billion in losses as a result of compromises linked to web APIs" Source: Bill Doerrfeld https://blog.treblle.com/why-api-security-is-a-top-concern/
- 20. Earn Confidence in Your API Security 1. Use baseline scanning tools for security misconfiguration 2. Cover the gaps with penetration testing, bug bounty hunting, and by using tools and techniques that are designed for APIs. 3. Remediate and Retest
- 21. hAPI Hacking! APIsec University (Free Course) • Completely free course that teaches hands-on API security testing • Course is 12 CPEs • Certification Exam Q1 2023
- 22. - - - - - - corey.ball@mossadams.com | @hAPI_hacker