SlideShare a Scribd company logo

Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities

M
Matt Tesauro

The document discusses API security vulnerabilities from both an attacker's and defender's perspective, outlining key attack vectors and strategies to mitigate risks. It introduces the OWASP API Top 10 vulnerabilities, highlights the importance of API security posture, runtime security, and testing, and provides actionable insights for both API testers and defenders. The author emphasizes the need for a comprehensive understanding of API security to address gaps in application security controls and improve overall system resilience.

Technology
Related topics:
API Security Insights
1 of 33
Downloaded 73 times
1
2
3
4
5
6
Most read
7
8
Most read
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
Black and Blue APIs Attacker's and Defender's View of API Vulnerabilities
TABLE OF CONTENTS 01 Intro Quick background and such 03 Attacking APIs How to attack and what those attacks look like 02 Why Attacking APIs? What makes APIs interesting to attackers 04 Conclusion Key takeaways and your questions
Who is this guy? ● Reformed programmer & AppSec Engineer ● Noname Security - Distinguished Engineer, Noname Labs ● 14 years in the OWASP community ○ OWASP DefectDojo (core maintainer) ○ OWASP AppSec Pipeline (co-leader) ○ OWASP WTE (leader) ● 22+ years using FLOSS and Linux ● Currently a Go language fanboy ● Ee Dan in Tang Soo Do Mi Guk Kwan (2nd degree black belt) ● Founder 10Security
02 Why attack APIs?
It’s All About the Data “Data is the new oil” Clive Humby British Mathematician “APIs are data pipelines” Matt Tesauro Your presenter
Even if you have a solid AppSec program App Sec Tooling API Sec Tooling SAST SCA DAST API Gateway API Inventory SDLC API Management API Specs WAF Threat Modeling Rate Limiting Anti-Bot Protection Developer Training App Inventory Service to Service Auth-n Anomaly Detection JWTs OpenID Connect OAuth2
Pro Bono Pen Testing (h4x0rs)
Defining the 3 Pillars of API Security 1. API Security Posture a. Full inventory of all APIs b. Who is calling the API? What data is sent/received? Where did the call originate? 2. API Runtime Security a. Watching API traffic and understanding what is normal b. Anomaly detection and alerting 3. API Security Testing a. Assess the security state of APIs b. DAST, not SAST ideally tested early and often c. Feed results into the issue trackers used by dev teams
A better (security) definition of an API An API consists of 3 parts: (1) Hostname e.g. example.com, uat.bigcorp.com (2) Path e.g. /api/v2/users/all , /v1/cart/addItem (3) Method e.g. POST, PUT, GET, PATCH, DELETE, … GET to example.com/v2/users/all!= DELETE to example.com/v2/users/all POST to uat.example.com/v2/user/admin!= POST to example.com/v2/user/admin
03 Attacking APIs
Active Attacks Getting malicious with your API target
Attacks are grouped into the API Top 10 API-1 Broken Object Level Authorization (BOLA) API-2 Broken User Authentication API-3 Excessive Data Exposure API-4 Lack of Resource & Rate Limiting API-5 Broken Function Level Authorization API-6 Mass Assignment API-7 Security Misconfiguration API-8 Injection API-9 Improper Assets Management API-10 Insufficient Logging & Monitoring
Broken Object Level Authorization Attacker ○ Look at how API resources are structured ○ Change IDs within API calls ○ Can be names (non-numeric) ○ Make calls to other IDs/resources with your Auth-N method / token ○ Create something as user 1 ○ Try to access it as user 2 ○ Response differences ○ HTTP Response code (404 vs 405) ○ Time to respond ○ Length of response (rare) Defender ○ Detection requires fairly deep inspection of the API calls ○ WAFs will generally fail ○ Shaped like legit request with IDs swapped ○ Looking for BOLA can cause increased Auth-Z errors ○ 2 similar requests from the same client with different IDs can be found by ML ○ Posture - focus on most risky APIs Runtime - detect BOLA attacks Testing - Find BOLA early / pre-prod One user can access another user’s data or take actions for them
Broken User Authentication Attacker ○ Bruteforce credentials ○ No anti-automation on password resets or MFA/CAPTCHA ○ Password Spraying ○ Base-64 “protections” ○ Low entropy tokens ○ JWT weaknesses ○ Captured JWTs ○ None algorithm, no signature ○ Key mismatch, blank password, … ○ Cracking JWT secrets ○ jwt_tool Defender ○ Bruteforce attacks are noisy ○ Password spraying is very noisy ○ Ensure crypto is used correctly and carefully ○ JWT Best Practices RFC ○ Consider removing Auth-N from the API ○ Only get tokens through web app ○ Posture - identify Auth-N APIs Runtime -detect brute force, spraying, JWT manipulation Testing - identify poor practices early Using poor practices in authentication to attack APIs
As browsers and web apps get hardened… B r o w s e r I m p r o v e m e n t s M F A , C A P T C H A APIs
Excessive Data Exposure Attacker ○ Look for API responses that provide ‘extra’ information ○ Mobile app APIs tend to trust client to filter data ○ Look for ‘interesting’ responses ○ Profile pages ○ Linked users ○ Internal meta-data ○ Is the data expected part of a larger data object or DB row? ○ Can be time consuming to check all possible responses for excessive data Defender ○ Single requests can’t be distinguished from normal traffic ○ SAST can help here to avoid “to_json” or similar ○ Don’t rely on clients filtering data ○ Separate data objects for app and API ○ Posture - Shows sensitive data, large responses Runtime - Detect multi-request data scraping Testing - Find verbose responses early Sometimes developer productivity helps attackers too!
Lack of Resource & Rate Limiting Attacker ○ Add thousands of items, ask for a list ○ Lack of pagination ○ Denial of API use (client) ○ Fuzzing and bruteforce attacks can discover these ○ Modify requests, different client, different IP to bypass limits ○ CPU / Memory intensive requests ○ robots.txt or documentation ○ Other games to play ○ Switch cAsE ○ Null and other terminators ○ Encoding data ○ Too high to make a difference Defender ○ Some requests will look normal but with large responses ○ Unusual requests ○ Headers, encoding, terminators, … ○ Observability can show usage spikes ○ Many bypass methods stand out from normal traffic ○ Posture - Determine APIs needing limits Runtime - Detect anomalous traffic and respond Testing - Fuzzing request data can find some issues early Failure to provide limits is a recipe for DOS or worse
Broken Function Level Authorization Attacker ○ Focus on APIs with multiple roles/groups ○ Potential for expose backplane ○ Most things have an ‘admin’ ○ Try undocumented HTTP methods ○ PATCH, PUT, POST, DELETE (!) ○ Create items with one group/role ○ Interact with those items as a different role ○ Bruteforce / guess potential backplane operations ○ Experiment with headers, request data to access admin functions Defender ○ Affects APIs with 2+ roles, groups, privilege levels ○ Calls to unsupported methods that fail ○ Same client, different roles within a short period of time ○ Failures for backplane/admin paths ○ Unusual requests - headers, body ○ Posture - Determine APIs with groups, roles, privilege levels Runtime - Detect unusual, failing requests or changes in role from a client Testing - Conduct Auth-Z testing early Failure to restrict access by group or role leading to compromise
Mass Assignment Attacker ○ Look for requests that appear to be partial data ○ Make guesses at unsent items ○ Look at request/response difference between roles/groups/privilege levels ○ Guess / bruteforce multiple values at once (hail mary) ○ Error messages or required field messages can provide clues ○ Fuzzing can also find issues ○ Combine with Broken Function Level Auth-Z to change data for other users ○ Change email/contact details Defender ○ Requests stand out from normal requests with deep inspection ○ Large number of failed/invalid requests ○ Increased request size ○ Increased severity for APIs with different roles/groups/privileges ○ Posture - Focus on APIs with multi-roles or sensitive data Runtime - Requests with extra data, multiple failed/invalid requests Testing - Add additional, valid fields to discover early Why not accept more data, what could go wrong?
Security Misconfiguration Attacker ○ Check the basics ○ TLS config ○ Info leaks via headers, etc ○ Default credentials, EICAR ○ Use Recon and Discovery ○ Verbose errors ○ Purposefully make bad requests ○ Misconfigured framework settings ○ Debug mode ○ Intermediate devices ○ Determine if WAF, API Gateway, etc is in line ○ Call ‘internal’ functions with origin headers e.g. X-Remote-Addr Defender ○ Basic network vuln scanners can find the basics ○ Passive traffic monitoring can show header issues, API gateway bypass, many others ○ Client with many erroring or malformed requests ○ Posture - Show weak configuration e.g. API gateway bypass Runtime - Unexpected client traffic, multiple errors, malformed or anomalous requests Testing - Good for the basics, better if fuzzing is included in tests A little misconfiguration can go a long way
Injection Attacker ○ Place injection strings into ○ Tokens / API keys ○ Headers (esp API specific ones) ○ Query data ○ Data in request body ○ Recon/Discovery can help focus what types of injection to try ○ Error messages can also help ○ Many good online resources for injections ○ Fuzzing lists ○ OWASP Testing Guide ○ 2nd order injections Defender ○ Input validation AND output encoding ○ Many failed or malformed requests ○ Large number of errors or validation failures at API ○ Overly trusting of East/West API calls ○ Posture - Focus on APIs with sensitive data, East/West APIs Runtime - Surge in errors, failed, invalid or malformed requests, control characters in requests Testing - Attempt injections early in dev cycle Treat data like code and bad things happen
Improper Assets Management Attacker ○ You find many misconfiguration issues ○ Internal APIs are publicly accessible ○ API documentation is inaccurate ○ “Hidden”/undocumented APIs ○ Dev/New APIs in production ○ Legacy APIs are not decommissioned ○ API v minus 1 or more available Basically, your pen test was productive and easy Defender ○ Need to know all APIs (host, path, method) ○ Classify all data received and sent by APIs ○ API Gateway enforced, East/West traffic ○ Public vs internal APIs ○ Posture - Solved with solid posture management Runtime - Updates posture as environment changes Testing - Not particularly useful here Know what you have if you want to protect it adequately
Insufficient Logging & Monitoring Attacker ○ Fuzzing does not cause a reaction / blocking ○ Assumes control is in scope for testing ○ Attacks, especially blatant injections go unnoticed ○ Phone numbers never look like: <script>alert(XSS)</script> ○ Mostly, external testers / attackers can only infer the level of logging and monitoring Defender ○ No attacks are seen / noticed ○ Diagnosing API issues is difficult ○ Unplanned downtime or resource consumption ○ Posture - Determine the appropriate level of logging per API Runtime - Monitoring is what this provides, also can retain traffic for analysis aka quasi-logging Testing - Validate logging is working (at best) Change guesses to decisions with data
Bonus Material Things that didn’t fit nicely into the OWASP API Top 10
Structural vs Data Attacks Structural Attacks ○ Modifying the structure of a request ○ Repeating data structures ○ Adding non-printing characters e.g. spaces, tabs, null characters between data elements ○ Removing portions of the data structure ○ Messing with the structure of the request only - data provided is legit ○ QA / HTTP testing tools generally normalize the structure so won’t work ○ Custom craft HTTP requests (Python requests library) or use a local proxy like Zap or Burpsuite Data Attacks ○ Modifying the data in a request ○ Substituting fuzzing / injection data for legit data values ○ Providing unexpected or overly large / small data values ○ Structure of the request is not modified ○ What most fuzzing and injections attacks look like - changing data without changing the structure ○ QA / HTTP testing tools can be leveraged to automate these attacks 2 fundamental ways to be naughty with APIs
GraphQL - left as an exercise for the student Googling “GraphQL”
04 Conclusion
Key Takeaways for API testers (1) Knowledge of how to test web apps prepares you for most of API testing If you need some help, look at the OWASP Testing Guide (2) Some special knowledge and tools are needed for parts of API testing More on this later (3) Gaps in AppSec controls coverage and framework shortfalls lead to security shortfalls API testing is likely to be “productive”
Key Takeaways for API testers and defenders https://owasp.org/www-community/api_security_tools
Key Takeaways for API defenders The existing AppSec program and controls have API Security gaps to fill Risk Posture Runtime Testing Broken Object Level Authorization Broken User Authentication Excessive Data Exposure Lack of Resource & Rate Limiting Broken Function Level Authorization weak weak weak
Key Takeaways for API defenders The existing AppSec program and controls have API Security gaps to fill Risk Posture Runtime Testing Mass Assignment Security Misconfiguration Injection Improper Assets Management Insufficient Logging & Monitoring weak
Sorry about the firehose Black and Blue APIs Audience
CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, infographics & images by Freepik THANKS! Do you have any questions? mattt@nonamesecurity.com nonamesecurity.com

More Related Content

PDF
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
PDF
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
PDF
Practical DevSecOps: Fundamentals of Successful Programs
Matt Tesauro
 
PDF
Api security-testing
n|u - The Open Security Community
 
PDF
Designing APIs with OpenAPI Spec
Adam Paxton
 
PPTX
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
PDF
Kubernetes Security Best Practices - With tips for the CKS exam
Ahmed AbouZaid
 
PDF
Api Gateway
KhaqanAshraf
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
Practical DevSecOps: Fundamentals of Successful Programs
Matt Tesauro
 
Api security-testing
n|u - The Open Security Community
 
Designing APIs with OpenAPI Spec
Adam Paxton
 
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
Kubernetes Security Best Practices - With tips for the CKS exam
Ahmed AbouZaid
 
Api Gateway
KhaqanAshraf
 

What's hot (20)

PPTX
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
PDF
Thick Client Penetration Testing.pdf
SouvikRoy114738
 
PDF
DevSecOps
Spv Reddy
 
PDF
OWASP API Security Top 10 - API World
42Crunch
 
PPTX
Secure your app with keycloak
Guy Marom
 
PPTX
Rest API Security
Stormpath
 
PDF
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
PDF
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
PDF
Apigee Demo: API Platform Overview
Apigee | Google Cloud
 
PDF
API Security Best Practices & Guidelines
Prabath Siriwardena
 
PPTX
API Docs with OpenAPI 3.0
Fabrizio Ferri-Benedetti
 
PPTX
Pentesting ReST API
Nutan Kumar Panda
 
PPTX
Monitoring Solutions for APIs
Apigee | Google Cloud
 
PDF
CI:CD in Lightspeed with kubernetes and argo cd
Billy Yuen
 
PDF
DevSecOps What Why and How
NotSoSecure Global Services
 
PDF
DevOps introduction
Sridhara T V
 
PDF
The Architecture of an API Platform
Johannes Ridderstedt
 
PDF
Continuous Integration
drluckyspin
 
PDF
DevOps for beginners
Pradeep Patel, PMP®
 
PPTX
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
Thick Client Penetration Testing.pdf
SouvikRoy114738
 
DevSecOps
Spv Reddy
 
OWASP API Security Top 10 - API World
42Crunch
 
Secure your app with keycloak
Guy Marom
 
Rest API Security
Stormpath
 
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
Apigee Demo: API Platform Overview
Apigee | Google Cloud
 
API Security Best Practices & Guidelines
Prabath Siriwardena
 
API Docs with OpenAPI 3.0
Fabrizio Ferri-Benedetti
 
Pentesting ReST API
Nutan Kumar Panda
 
Monitoring Solutions for APIs
Apigee | Google Cloud
 
CI:CD in Lightspeed with kubernetes and argo cd
Billy Yuen
 
DevSecOps What Why and How
NotSoSecure Global Services
 
DevOps introduction
Sridhara T V
 
The Architecture of an API Platform
Johannes Ridderstedt
 
Continuous Integration
drluckyspin
 
DevOps for beginners
Pradeep Patel, PMP®
 
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Ad

Similar to Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities (20)

PDF
Landmines in the API Landscape
Matt Tesauro
 
PDF
API Summit 2021: What to know before you start dating APIs.pdf
NITHIN S.S
 
PDF
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
PPTX
A Deep Dive into RESTful API Design Part 2
VivekKrishna34
 
PDF
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays
 
PPTX
API Development Essentials: REST, SOAP, GraphQL Explained
ankitraj5ar
 
PDF
OWASP Top 10 A4 – Insecure Direct Object Reference
Narudom Roongsiriwong, CISSP
 
PDF
APISecurity_OWASP_MitigationGuide
Isabelle Mauny
 
PPTX
Fail safe modeling for cloud services and applications
Marc Mercuri
 
PPT
Application fuzzing
Blueinfy Solutions
 
PPTX
API Testing Using REST Assured with TestNG
Siddharth Sharma
 
PDF
OSINT for Attack and Defense
Andrew McNicol
 
PPTX
POSTMAN.pptx
RamaKrishna970827
 
PDF
ReSTful API Final
Claudine Bruyns
 
PPTX
SOAP vs REST
Nadia Boumaza
 
PPTX
REST Api Tips and Tricks
Maksym Bruner
 
PDF
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays
 
PPTX
API
Masters Academy
 
PDF
REST APIs
Arthur De Magalhaes
 
PDF
Modern REST API design principles and rules.pdf
Aparna Sharma
 
Landmines in the API Landscape
Matt Tesauro
 
API Summit 2021: What to know before you start dating APIs.pdf
NITHIN S.S
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
A Deep Dive into RESTful API Design Part 2
VivekKrishna34
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays
 
API Development Essentials: REST, SOAP, GraphQL Explained
ankitraj5ar
 
OWASP Top 10 A4 – Insecure Direct Object Reference
Narudom Roongsiriwong, CISSP
 
APISecurity_OWASP_MitigationGuide
Isabelle Mauny
 
Fail safe modeling for cloud services and applications
Marc Mercuri
 
Application fuzzing
Blueinfy Solutions
 
API Testing Using REST Assured with TestNG
Siddharth Sharma
 
OSINT for Attack and Defense
Andrew McNicol
 
POSTMAN.pptx
RamaKrishna970827
 
ReSTful API Final
Claudine Bruyns
 
SOAP vs REST
Nadia Boumaza
 
REST Api Tips and Tricks
Maksym Bruner
 
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays
 
API
Masters Academy
 
REST APIs
Arthur De Magalhaes
 
Modern REST API design principles and rules.pdf
Aparna Sharma
 
Ad

More from Matt Tesauro (20)

PDF
DefectDojo at Global AppSec San Fran 2024
Matt Tesauro
 
PDF
Tenants for Going at DevSecOps Speed - LASCON 2023
Matt Tesauro
 
PDF
The Final Frontier, Automating Dynamic Security Testing
Matt Tesauro
 
PDF
Intro to DefectDojo at OWASP Switzerland
Matt Tesauro
 
PDF
Taking the Best of Agile, DevOps and CI/CD into security
Matt Tesauro
 
PDF
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
PDF
Continuous Security: Using Automation to Expand Security's Reach
Matt Tesauro
 
PDF
OWASP DefectDojo - Open Source Security Sanity
Matt Tesauro
 
PDF
Running FaaS with Scissors
Matt Tesauro
 
PDF
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Matt Tesauro
 
PDF
Building a Secure DevOps Pipeline - for your AppSec Program
Matt Tesauro
 
PDF
AppSec Pipelines and Event based Security
Matt Tesauro
 
PPTX
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
Matt Tesauro
 
PDF
Taking AppSec to 11 - BSides Austin 2016
Matt Tesauro
 
PDF
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Matt Tesauro
 
PPTX
AppSec Pipeline - Velcocity NY 2015
Matt Tesauro
 
ODP
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Matt Tesauro
 
ODP
Building an Open Source AppSec Pipeline
Matt Tesauro
 
ODP
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt Tesauro
 
ODP
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Matt Tesauro
 
DefectDojo at Global AppSec San Fran 2024
Matt Tesauro
 
Tenants for Going at DevSecOps Speed - LASCON 2023
Matt Tesauro
 
The Final Frontier, Automating Dynamic Security Testing
Matt Tesauro
 
Intro to DefectDojo at OWASP Switzerland
Matt Tesauro
 
Taking the Best of Agile, DevOps and CI/CD into security
Matt Tesauro
 
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
Continuous Security: Using Automation to Expand Security's Reach
Matt Tesauro
 
OWASP DefectDojo - Open Source Security Sanity
Matt Tesauro
 
Running FaaS with Scissors
Matt Tesauro
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Matt Tesauro
 
Building a Secure DevOps Pipeline - for your AppSec Program
Matt Tesauro
 
AppSec Pipelines and Event based Security
Matt Tesauro
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
Matt Tesauro
 
Taking AppSec to 11 - BSides Austin 2016
Matt Tesauro
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Matt Tesauro
 
AppSec Pipeline - Velcocity NY 2015
Matt Tesauro
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Matt Tesauro
 
Building an Open Source AppSec Pipeline
Matt Tesauro
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt Tesauro
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Matt Tesauro
 

Recently uploaded (20)

PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
KodekX | Application Modernization Development
KodekX
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
A Presentation on Artificial Intelligence
memembruh336
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Encapsulation theory and applications.pdf
gurumoop
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 

Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities

  • 1. Black and Blue APIs Attacker's and Defender's View of API Vulnerabilities
  • 2. TABLE OF CONTENTS 01 Intro Quick background and such 03 Attacking APIs How to attack and what those attacks look like 02 Why Attacking APIs? What makes APIs interesting to attackers 04 Conclusion Key takeaways and your questions
  • 3. Who is this guy? ● Reformed programmer & AppSec Engineer ● Noname Security - Distinguished Engineer, Noname Labs ● 14 years in the OWASP community ○ OWASP DefectDojo (core maintainer) ○ OWASP AppSec Pipeline (co-leader) ○ OWASP WTE (leader) ● 22+ years using FLOSS and Linux ● Currently a Go language fanboy ● Ee Dan in Tang Soo Do Mi Guk Kwan (2nd degree black belt) ● Founder 10Security
  • 5. It’s All About the Data “Data is the new oil” Clive Humby British Mathematician “APIs are data pipelines” Matt Tesauro Your presenter
  • 6. Even if you have a solid AppSec program App Sec Tooling API Sec Tooling SAST SCA DAST API Gateway API Inventory SDLC API Management API Specs WAF Threat Modeling Rate Limiting Anti-Bot Protection Developer Training App Inventory Service to Service Auth-n Anomaly Detection JWTs OpenID Connect OAuth2
  • 8. Defining the 3 Pillars of API Security 1. API Security Posture a. Full inventory of all APIs b. Who is calling the API? What data is sent/received? Where did the call originate? 2. API Runtime Security a. Watching API traffic and understanding what is normal b. Anomaly detection and alerting 3. API Security Testing a. Assess the security state of APIs b. DAST, not SAST ideally tested early and often c. Feed results into the issue trackers used by dev teams
  • 9. A better (security) definition of an API An API consists of 3 parts: (1) Hostname e.g. example.com, uat.bigcorp.com (2) Path e.g. /api/v2/users/all , /v1/cart/addItem (3) Method e.g. POST, PUT, GET, PATCH, DELETE, … GET to example.com/v2/users/all!= DELETE to example.com/v2/users/all POST to uat.example.com/v2/user/admin!= POST to example.com/v2/user/admin
  • 12. Attacks are grouped into the API Top 10 API-1 Broken Object Level Authorization (BOLA) API-2 Broken User Authentication API-3 Excessive Data Exposure API-4 Lack of Resource & Rate Limiting API-5 Broken Function Level Authorization API-6 Mass Assignment API-7 Security Misconfiguration API-8 Injection API-9 Improper Assets Management API-10 Insufficient Logging & Monitoring
  • 13. Broken Object Level Authorization Attacker ○ Look at how API resources are structured ○ Change IDs within API calls ○ Can be names (non-numeric) ○ Make calls to other IDs/resources with your Auth-N method / token ○ Create something as user 1 ○ Try to access it as user 2 ○ Response differences ○ HTTP Response code (404 vs 405) ○ Time to respond ○ Length of response (rare) Defender ○ Detection requires fairly deep inspection of the API calls ○ WAFs will generally fail ○ Shaped like legit request with IDs swapped ○ Looking for BOLA can cause increased Auth-Z errors ○ 2 similar requests from the same client with different IDs can be found by ML ○ Posture - focus on most risky APIs Runtime - detect BOLA attacks Testing - Find BOLA early / pre-prod One user can access another user’s data or take actions for them
  • 14. Broken User Authentication Attacker ○ Bruteforce credentials ○ No anti-automation on password resets or MFA/CAPTCHA ○ Password Spraying ○ Base-64 “protections” ○ Low entropy tokens ○ JWT weaknesses ○ Captured JWTs ○ None algorithm, no signature ○ Key mismatch, blank password, … ○ Cracking JWT secrets ○ jwt_tool Defender ○ Bruteforce attacks are noisy ○ Password spraying is very noisy ○ Ensure crypto is used correctly and carefully ○ JWT Best Practices RFC ○ Consider removing Auth-N from the API ○ Only get tokens through web app ○ Posture - identify Auth-N APIs Runtime -detect brute force, spraying, JWT manipulation Testing - identify poor practices early Using poor practices in authentication to attack APIs
  • 15. As browsers and web apps get hardened… B r o w s e r I m p r o v e m e n t s M F A , C A P T C H A APIs
  • 16. Excessive Data Exposure Attacker ○ Look for API responses that provide ‘extra’ information ○ Mobile app APIs tend to trust client to filter data ○ Look for ‘interesting’ responses ○ Profile pages ○ Linked users ○ Internal meta-data ○ Is the data expected part of a larger data object or DB row? ○ Can be time consuming to check all possible responses for excessive data Defender ○ Single requests can’t be distinguished from normal traffic ○ SAST can help here to avoid “to_json” or similar ○ Don’t rely on clients filtering data ○ Separate data objects for app and API ○ Posture - Shows sensitive data, large responses Runtime - Detect multi-request data scraping Testing - Find verbose responses early Sometimes developer productivity helps attackers too!
  • 17. Lack of Resource & Rate Limiting Attacker ○ Add thousands of items, ask for a list ○ Lack of pagination ○ Denial of API use (client) ○ Fuzzing and bruteforce attacks can discover these ○ Modify requests, different client, different IP to bypass limits ○ CPU / Memory intensive requests ○ robots.txt or documentation ○ Other games to play ○ Switch cAsE ○ Null and other terminators ○ Encoding data ○ Too high to make a difference Defender ○ Some requests will look normal but with large responses ○ Unusual requests ○ Headers, encoding, terminators, … ○ Observability can show usage spikes ○ Many bypass methods stand out from normal traffic ○ Posture - Determine APIs needing limits Runtime - Detect anomalous traffic and respond Testing - Fuzzing request data can find some issues early Failure to provide limits is a recipe for DOS or worse
  • 18. Broken Function Level Authorization Attacker ○ Focus on APIs with multiple roles/groups ○ Potential for expose backplane ○ Most things have an ‘admin’ ○ Try undocumented HTTP methods ○ PATCH, PUT, POST, DELETE (!) ○ Create items with one group/role ○ Interact with those items as a different role ○ Bruteforce / guess potential backplane operations ○ Experiment with headers, request data to access admin functions Defender ○ Affects APIs with 2+ roles, groups, privilege levels ○ Calls to unsupported methods that fail ○ Same client, different roles within a short period of time ○ Failures for backplane/admin paths ○ Unusual requests - headers, body ○ Posture - Determine APIs with groups, roles, privilege levels Runtime - Detect unusual, failing requests or changes in role from a client Testing - Conduct Auth-Z testing early Failure to restrict access by group or role leading to compromise
  • 19. Mass Assignment Attacker ○ Look for requests that appear to be partial data ○ Make guesses at unsent items ○ Look at request/response difference between roles/groups/privilege levels ○ Guess / bruteforce multiple values at once (hail mary) ○ Error messages or required field messages can provide clues ○ Fuzzing can also find issues ○ Combine with Broken Function Level Auth-Z to change data for other users ○ Change email/contact details Defender ○ Requests stand out from normal requests with deep inspection ○ Large number of failed/invalid requests ○ Increased request size ○ Increased severity for APIs with different roles/groups/privileges ○ Posture - Focus on APIs with multi-roles or sensitive data Runtime - Requests with extra data, multiple failed/invalid requests Testing - Add additional, valid fields to discover early Why not accept more data, what could go wrong?
  • 20. Security Misconfiguration Attacker ○ Check the basics ○ TLS config ○ Info leaks via headers, etc ○ Default credentials, EICAR ○ Use Recon and Discovery ○ Verbose errors ○ Purposefully make bad requests ○ Misconfigured framework settings ○ Debug mode ○ Intermediate devices ○ Determine if WAF, API Gateway, etc is in line ○ Call ‘internal’ functions with origin headers e.g. X-Remote-Addr Defender ○ Basic network vuln scanners can find the basics ○ Passive traffic monitoring can show header issues, API gateway bypass, many others ○ Client with many erroring or malformed requests ○ Posture - Show weak configuration e.g. API gateway bypass Runtime - Unexpected client traffic, multiple errors, malformed or anomalous requests Testing - Good for the basics, better if fuzzing is included in tests A little misconfiguration can go a long way
  • 21. Injection Attacker ○ Place injection strings into ○ Tokens / API keys ○ Headers (esp API specific ones) ○ Query data ○ Data in request body ○ Recon/Discovery can help focus what types of injection to try ○ Error messages can also help ○ Many good online resources for injections ○ Fuzzing lists ○ OWASP Testing Guide ○ 2nd order injections Defender ○ Input validation AND output encoding ○ Many failed or malformed requests ○ Large number of errors or validation failures at API ○ Overly trusting of East/West API calls ○ Posture - Focus on APIs with sensitive data, East/West APIs Runtime - Surge in errors, failed, invalid or malformed requests, control characters in requests Testing - Attempt injections early in dev cycle Treat data like code and bad things happen
  • 22. Improper Assets Management Attacker ○ You find many misconfiguration issues ○ Internal APIs are publicly accessible ○ API documentation is inaccurate ○ “Hidden”/undocumented APIs ○ Dev/New APIs in production ○ Legacy APIs are not decommissioned ○ API v minus 1 or more available Basically, your pen test was productive and easy Defender ○ Need to know all APIs (host, path, method) ○ Classify all data received and sent by APIs ○ API Gateway enforced, East/West traffic ○ Public vs internal APIs ○ Posture - Solved with solid posture management Runtime - Updates posture as environment changes Testing - Not particularly useful here Know what you have if you want to protect it adequately
  • 23. Insufficient Logging & Monitoring Attacker ○ Fuzzing does not cause a reaction / blocking ○ Assumes control is in scope for testing ○ Attacks, especially blatant injections go unnoticed ○ Phone numbers never look like: <script>alert(XSS)</script> ○ Mostly, external testers / attackers can only infer the level of logging and monitoring Defender ○ No attacks are seen / noticed ○ Diagnosing API issues is difficult ○ Unplanned downtime or resource consumption ○ Posture - Determine the appropriate level of logging per API Runtime - Monitoring is what this provides, also can retain traffic for analysis aka quasi-logging Testing - Validate logging is working (at best) Change guesses to decisions with data
  • 24. Bonus Material Things that didn’t fit nicely into the OWASP API Top 10
  • 25. Structural vs Data Attacks Structural Attacks ○ Modifying the structure of a request ○ Repeating data structures ○ Adding non-printing characters e.g. spaces, tabs, null characters between data elements ○ Removing portions of the data structure ○ Messing with the structure of the request only - data provided is legit ○ QA / HTTP testing tools generally normalize the structure so won’t work ○ Custom craft HTTP requests (Python requests library) or use a local proxy like Zap or Burpsuite Data Attacks ○ Modifying the data in a request ○ Substituting fuzzing / injection data for legit data values ○ Providing unexpected or overly large / small data values ○ Structure of the request is not modified ○ What most fuzzing and injections attacks look like - changing data without changing the structure ○ QA / HTTP testing tools can be leveraged to automate these attacks 2 fundamental ways to be naughty with APIs
  • 26. GraphQL - left as an exercise for the student Googling “GraphQL”
  • 28. Key Takeaways for API testers (1) Knowledge of how to test web apps prepares you for most of API testing If you need some help, look at the OWASP Testing Guide (2) Some special knowledge and tools are needed for parts of API testing More on this later (3) Gaps in AppSec controls coverage and framework shortfalls lead to security shortfalls API testing is likely to be “productive”
  • 29. Key Takeaways for API testers and defenders https://owasp.org/www-community/api_security_tools
  • 30. Key Takeaways for API defenders The existing AppSec program and controls have API Security gaps to fill Risk Posture Runtime Testing Broken Object Level Authorization Broken User Authentication Excessive Data Exposure Lack of Resource & Rate Limiting Broken Function Level Authorization weak weak weak
  • 31. Key Takeaways for API defenders The existing AppSec program and controls have API Security gaps to fill Risk Posture Runtime Testing Mass Assignment Security Misconfiguration Injection Improper Assets Management Insufficient Logging & Monitoring weak
  • 32. Sorry about the firehose Black and Blue APIs Audience
  • 33. CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, infographics & images by Freepik THANKS! Do you have any questions? mattt@nonamesecurity.com nonamesecurity.com