HowYourAPIBeMyAPI
4 likes232 views
- The document discusses API security and common attacks on APIs. It provides an overview of why API security is important given the increasing usage of APIs over traditional web traffic. - It summarizes the OWASP API Security Top 10 risks and describes some common authentication attacks like password brute forcing and token analysis attacks. - The document demonstrates several API security issues like broken authorization, mass assignment, and server side request forgery through video examples. It also references real world cases of API attacks.
![curl -X GET https://127.0.0.1/info
https://www.linkedin.com/in/jieliau
https://github.com/jieliau
https://www.facebook.com/jie.liau
https://twitter.com/0xJieLiau
https://jieliau.medium.com/
{
"Name": "Jie Liau",
"Experiences": [
"Building Your Container Botnet in 1 Minute . - Session speaker in iThome CYBERSEC 2021",
"Container Security. - Session speaker in InfoSec 2020",
"Protecting Your Internet Route Integrity. - Session speaker in iThome CYBERSEC 2020",
"The Dark Side. - Seminar speaker in CSE, Yuan Ze University 2018",
"The Tor Network. - Session speaker in TDOH Conference 2017",
"What Does Network Operation Looks Like. - Seminar speaker in CSE, Yuan Ze University 2016"
],
"Certi
fi
cations": [
"CCIE",
"OSCP",
"CEH"
]
}](https://image.slidesharecdn.com/cybersec2023-230515015506-35b064ee/85/HowYourAPIBeMyAPI-2-320.jpg)
HowYourAPIBeMyAPI
- 1. How Your API Be My API Jie @ iThome CyberSec 2023 2023/05/10
- 2. curl -X GET https://127.0.0.1/info https://www.linkedin.com/in/jieliau https://github.com/jieliau https://www.facebook.com/jie.liau https://twitter.com/0xJieLiau https://jieliau.medium.com/ { "Name": "Jie Liau", "Experiences": [ "Building Your Container Botnet in 1 Minute . - Session speaker in iThome CYBERSEC 2021", "Container Security. - Session speaker in InfoSec 2020", "Protecting Your Internet Route Integrity. - Session speaker in iThome CYBERSEC 2020", "The Dark Side. - Seminar speaker in CSE, Yuan Ze University 2018", "The Tor Network. - Session speaker in TDOH Conference 2017", "What Does Network Operation Looks Like. - Seminar speaker in CSE, Yuan Ze University 2016" ], "Certi fi cations": [ "CCIE", "OSCP", "CEH" ] }
- 3. This talk is given by me as individual My employer is not involved in any way Disclaimer
- 4. According to Akamai, 83% of all internet tra ffi c is from API, while HTML tra ffi c has fallen to just 17% https://www.akamai.com/newsroom/press-release/state-of-the-internet-security-retail-attacks-and-api-traf fi c
- 5. According to Gartner, by 2022 APIs would become the #1 most frequent attack vector https://www.infosecurity-magazine.com/next-gen-infosec/api-attacks-threat-vector-2022/ https://www.gartner.com/en/webinars/4002323/api-security-protect-your-apis-from-attacks-and-data-breaches
- 6. What is API
- 7. Application Programming Interface RESTful API Web Services URIs HTTP protocol/method Problems Directly access to sensitive data Over-permissioned Vulnerable to logic fl aws API Web App Mobile App Micro Services
- 8. Why API Security is important
- 9. Reconnaissance Weaponise Delivery Exploit Lateral Movement Privilege Escalation Breach Classic Cyber Kill Chain Find Vulnerability Breach Reconnaissance API Attack Cyber Kill Chain
- 10. OWASP API Security Project The unique vul and security risks of Application Programming Interfaces First release of API Security Top 10 in 2019 OWASP API Security Top 10 2023 now is RC https://owasp.org/www-project-api-security/ https://github.com/OWASP/API-Security/tree/master/2023/en/src
- 11. 2019 OWASP API Security Top 10 API1 Broken Object Level Authorization API6 Mass Assignment API2 Broken User Authentication API7 Security Miscon fi guration API3 Excessive Data Exposure API8 Injection API4 Lack of Resources & Rate Limiting API9 Improper Assets Management API5 Broken Function Level Authorization API10 Insuf fi cient Logging & Monitoring
- 12. 2023 OWASP API Security Top 10 (RC) API1 Broken Object Level Authorisation API6 Server Side Request Forgery API2 Broken Authentication API7 Security Miscon fi guration API3 Broken Object Property Level Authorisation API8 Lack Of Protection From Automated Threats API4 Unrestricted Resource Consumption API9 Improper Assets Management API5 Broken Function Level Authorisation API10 Unsafe Consumption Of APIs
- 13. Find Your API
- 14. Passive Google Dork intitle:"index of” twitter-api-php intitle:"index of" facebook-api inurl:”/wp-json/wp/v2/users" inurl:pastebin "API_KEY" Git Dork Shodan “content-type: application/json” “content-type: application/xml” “wp-json” The Wayback Machine Active Nmap nmap —script=http-enum 192.168.0.123 -p 80, 443 OWASP Amass amass enum -active -d yourapi.com Gobuster Kiterunner Browser Dev Tool
- 18. Analyse Your HTTP Req and Rep Tools Postman Burp Suite Mitmproxy2swagger Excessive Data Exposure
- 21. Classic Authentication Attack Password Brute-Force Password Spraying Combining a long list of users with short list of targeted passwords
- 23. API Token Attack Token Analysis Identify predicable tokens Burp Suite Sequencer
- 25. BOLA / BFLA Broken Object Level Authorisation User A is able to request User B’s resources, and vice versa Broken Function Level Authorisation Perform unauthorized actions, PUT, DELETE, etc…
- 28. Improper Assets Management Version number URL Header Parameter Request body Non-production API test.example.com uat.example.com beta.example.cm
- 30. Mass Assignment Overwrite object properties that should not be able to do Assign yourself as admin account “isadmin”: true “isadmin”: 1 “admin”: true { “name”: “Demo”, “email”: “email@example.com”, “company”: “companyABC”, } { “name”: “Demo”, “email”: “email@example.com”, “company”: “companyXYZ”, “admin”: “true” }
- 32. Server Side Request Forgery Types In-Band SSRF Blind SSRF Look for any URL POST body Parameter Header, for example Referrer Any user input Tools https://webhook.site https://pingb.in
- 34. Injection SQL Injection Null byte - %00 ‘ ‘ OR 1 = 1 — - NoSQL Injection $gt {“$gt”:-1} $ne {“$ne”:””} $nin {“$where”: “sleep(1000)“} OS Injection | || & && ; ‘ “” whoami, ipcon fi g, pwd, etc…
- 35. Real World Cases
- 36. https://www.bleepingcomputer.com/news/security/hacker-claims-to-be-selling-twitter-data-of-400-million-users/ Submitting email addresses or phone numbers to the API to identify which account they were linked to
- 39. References
- 41. Thank You !!!