SlideShare a Scribd company logo

API Testing and Hacking (1).pdf

V
Vishwas N

This document discusses API testing and security. It notes that while development has sped up, security has been overlooked. APIs connect many systems and components, so they are vulnerable if not properly secured. The document recommends testing APIs for common vulnerabilities, emphasizing authorization, and "hacking your own API" to identify issues before attackers do. APIs must be developed with security in mind from the start.

Engineering
1 of 26
Downloaded 46 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Most read
16
17
18
19
Most read
20
21
22
23
Most read
24
25
26
API Testing and Hacking By : Vishwas Narayan
Developer Testers Q/A
We Developed faster failed quicker and implemented faster(thanks to devops engineers) But we Forgot Security We worked liked machines and forgot we are human beings We have “trust” for Each other
is a Vulnerability • Connections • Users • Content • URLs • Files in the endpoints • New files • Devices • …. Firewall AuthN AuthZ URL Filtering IDS/ IPS Anti-virus Sandboxing IoT Security Cryptography Trust issues lies everywhere
Software is Eating the world
Software is Eating the world Custom Code Open Source Software Infrastructure as Code Container Manifest Files Scaling Platforms Software Patches ● 80-90 percent of the code is open source ● 80% of the code is found in the Indirect Dependency ● Millions of the imports ● Agile is a Curse to Some Extent of the Development ● The Beauty of the Code is its Scalable and Reusable ● Happy Dev and Happy Bugs in the Production ● Agile is a Blessing Custom Wrappers / Frameworks
We all built solutions? Think web 3.0
Open Port number 22 with Web3.0 Application implemented
What's Dangerous is
What's even more Dangerous is
Source : A6: Security Misconfiguration ❗ - Top 10 OWASP 2017 (wallarm.com)
We have to learn how to miconfigure
What is an API? ● API stands for Application Programming Interface. In the context of APIs, the word Application refers to any software with a distinct function. ● Interface can be thought of as a contract of service between two applications. ● This contract defines how the two communicate with each other using requests and responses. According to Wikipedia “An application programming interface is a way for two or more computer programs to communicate with each other. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how to build or use such a connection or interface is called an API specification.”
Simple Analogy ● It's a Socket that communicates with the different services. ● Its a Source of Communication that takes the front end and connected the backend of the different services ● Its a doesn't care source that is coming in the picture its just a dumb formator of the code that needs more security ● Today's blessing of multiple language and abstraction as an API is a Curse.
Let's Create Some API and learn about it Lets Learn
Let's worship this ● Global state of the internet security DDoS attack reports | Akamai ● How to send API key in the header of python request? - Stack Overflow ● Postman Sending Request onto the API ● Postman Sending AUTH token ● Automating the postman Calls ● Akamai State of the Internet Report
Never treat a API like a Web Server
Most Common term in API Testing and Hacking is IDOR or BOLA
Can I get the document of Customer ID :1001 Of Course take it Can I get the document of Customer ID :3001 Server 3 Server 1 Server 2
Can I get the document of Customer ID :1001 Response 200 OK You can take the data Can I get the document of Customer ID :3001 Server 3 Server 1 Server 2
Hacker now understand the API slang
Always Turn off the Developer Mode
API Breaches in BOLA If a Client API manually specify an Object ID then it is potentially a BOLA Vulnerability.
API Testing and Hacking (1).pdf
Some Postman Hacks are GET /api/Student_ID/{marks} - To fetch the no auth Values here POST /api/Student_ID/{marks}/add_marks - adding marks to the ID POST /api/Student_ID/{marks}/add_grade - adding grade bypassing marks
How to FIX? ● Test API for the OWASP top 10 ● Authorization should be the most emphasis in the security practice ● Hack your own API ● SAST and DAST properly ● Stop relying on the Jailbroken Device Detection

More Related Content

PPTX
OWASP Top 10 2021 What's New
Michael Furman
 
PDF
Threat Modeling Basics with Examples
Sanjeev Kumar Jaiswal
 
PDF
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
PPT
Secure code practices
Hina Rawal
 
PDF
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Raffael Marty
 
PPTX
The Rise of Ransomware
Tharindu Edirisinghe
 
PDF
You can detect PowerShell attacks
Michael Gough
 
PPT
Source Code Analysis with SAST
Blueinfy Solutions
 
OWASP Top 10 2021 What's New
Michael Furman
 
Threat Modeling Basics with Examples
Sanjeev Kumar Jaiswal
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
Secure code practices
Hina Rawal
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Raffael Marty
 
The Rise of Ransomware
Tharindu Edirisinghe
 
You can detect PowerShell attacks
Michael Gough
 
Source Code Analysis with SAST
Blueinfy Solutions
 

What's hot (20)

PDF
Api security-testing
n|u - The Open Security Community
 
PDF
API SECURITY
Tubagus Rizky Dharmawan
 
PDF
Ransomware: History, Analysis, & Mitigation - PDF
Andy Thompson
 
PPTX
Ransomware
Nick Miller
 
PPT
Tor Presentation
Hassan Faraz
 
PPTX
Stuxnet mass weopan of cyber attack
Ajinkya Nikam
 
PPTX
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
PPTX
Xss attack
Manjushree Mashal
 
ODP
OWASP Secure Coding
bilcorry
 
PPTX
The Zero Trust Model of Information Security
Tripwire
 
PPTX
Rise of software supply chain attack
Yadnyawalkya Tale
 
PPTX
Android Hacking + Pentesting
Sina Manavi
 
PDF
PHISHING PROTECTION
Sylvain Martinez
 
PDF
Ch 11: Hacking Wireless Networks
Sam Bowne
 
PPT
Internet Traffic Monitoring and Analysis
Information Technology
 
PDF
Cybersecurity - Mobile Application Security
Eryk Budi Pratama
 
PDF
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
CrowdStrike
 
PPTX
Security testing fundamentals
Cygnet Infotech
 
KEY
Enterprise Open Source Intelligence Gathering
Tom Eston
 
PPTX
Understanding cyber resilience
Christophe Foulon, CISSP
 
Api security-testing
n|u - The Open Security Community
 
API SECURITY
Tubagus Rizky Dharmawan
 
Ransomware: History, Analysis, & Mitigation - PDF
Andy Thompson
 
Ransomware
Nick Miller
 
Tor Presentation
Hassan Faraz
 
Stuxnet mass weopan of cyber attack
Ajinkya Nikam
 
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
Xss attack
Manjushree Mashal
 
OWASP Secure Coding
bilcorry
 
The Zero Trust Model of Information Security
Tripwire
 
Rise of software supply chain attack
Yadnyawalkya Tale
 
Android Hacking + Pentesting
Sina Manavi
 
PHISHING PROTECTION
Sylvain Martinez
 
Ch 11: Hacking Wireless Networks
Sam Bowne
 
Internet Traffic Monitoring and Analysis
Information Technology
 
Cybersecurity - Mobile Application Security
Eryk Budi Pratama
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
CrowdStrike
 
Security testing fundamentals
Cygnet Infotech
 
Enterprise Open Source Intelligence Gathering
Tom Eston
 
Understanding cyber resilience
Christophe Foulon, CISSP
 

Similar to API Testing and Hacking (1).pdf (20)

PPTX
apidays LIVE India 2022 - The Future of API’s Security.pptx
apidays
 
PDF
API Summit 2021: What to know before you start dating APIs.pdf
NITHIN S.S
 
PDF
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
PDF
CIS14: Best Practices You Must Apply to Secure Your APIs
CloudIDSummit
 
PPTX
Outpost24 webinar - Api security
Outpost24
 
PDF
Api Testing.pdf
JitendraYadav351971
 
PDF
API testing Notes and features, difference.pdf
kunjukunjuzz904
 
PDF
Modern APIs: The Non-Technical User’s Guide | The Enterprise World
Enterprise world
 
PDF
APIsecure 2023 - API First Hacking, Corey Ball, Author of Hacking APIs
apidays
 
PPTX
Unit 3_detailed_automotiving_mobiles.pptx
VijaySasanM21IT
 
PDF
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
United States Cybersecurity Institute (USCSI®)
 
PDF
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays
 
PDF
Top API Security Issues Found During POCs
42Crunch
 
PDF
Api FUNdamentals #MHA2017
JoEllen Carter
 
PPTX
Understanding APIs-2.pptx this is a report of api
khaledchause05
 
PDF
The Ultimate API Publisher's Guide
Pronovix
 
PDF
apidays New York 2023 - Putting yourself out there - how to secure your publi...
apidays
 
PDF
API Hijacking (1).pdf
Vishwas N
 
PDF
API Hijacking.pdf
VishwasN6
 
PDF
API Hijacking.pdf
Vishwas N
 
apidays LIVE India 2022 - The Future of API’s Security.pptx
apidays
 
API Summit 2021: What to know before you start dating APIs.pdf
NITHIN S.S
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
CIS14: Best Practices You Must Apply to Secure Your APIs
CloudIDSummit
 
Outpost24 webinar - Api security
Outpost24
 
Api Testing.pdf
JitendraYadav351971
 
API testing Notes and features, difference.pdf
kunjukunjuzz904
 
Modern APIs: The Non-Technical User’s Guide | The Enterprise World
Enterprise world
 
APIsecure 2023 - API First Hacking, Corey Ball, Author of Hacking APIs
apidays
 
Unit 3_detailed_automotiving_mobiles.pptx
VijaySasanM21IT
 
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
United States Cybersecurity Institute (USCSI®)
 
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays
 
Top API Security Issues Found During POCs
42Crunch
 
Api FUNdamentals #MHA2017
JoEllen Carter
 
Understanding APIs-2.pptx this is a report of api
khaledchause05
 
The Ultimate API Publisher's Guide
Pronovix
 
apidays New York 2023 - Putting yourself out there - how to secure your publi...
apidays
 
API Hijacking (1).pdf
Vishwas N
 
API Hijacking.pdf
VishwasN6
 
API Hijacking.pdf
Vishwas N
 

More from Vishwas N (20)

PDF
API Testing and Hacking.pdf
Vishwas N
 
PDF
What should be your approach for solving ML_CV problem statements_.pdf
Vishwas N
 
PDF
Deepfence.pdf
Vishwas N
 
PDF
DevOps - A Purpose for an Institution.pdf
Vishwas N
 
PDF
Dapr.pdf
Vishwas N
 
PDF
linkerd.pdf
Vishwas N
 
PDF
HoloLens.pdf
Vishwas N
 
PDF
Automated Governance for the DevOps Institutions.pdf
Vishwas N
 
PDF
Lets build with DevSecOps Culture.pdf
Vishwas N
 
PDF
Github Actions and Terraform.pdf
Vishwas N
 
PDF
KEDA.pdf
Vishwas N
 
PPTX
Ram bleed the hardware based approach for the hackers
Vishwas N
 
PPTX
Container on azure
Vishwas N
 
PPTX
Deeplearning and dev ops azure
Vishwas N
 
PPTX
Azure data lakes
Vishwas N
 
PPTX
Azure dev ops
Vishwas N
 
PPTX
Azure ai on premises with docker
Vishwas N
 
PPTX
Nlp for the precision medicine
Vishwas N
 
PPTX
Stem cell and the other techniques
Vishwas N
 
PPTX
Stem cells pros and cons
Vishwas N
 
API Testing and Hacking.pdf
Vishwas N
 
What should be your approach for solving ML_CV problem statements_.pdf
Vishwas N
 
Deepfence.pdf
Vishwas N
 
DevOps - A Purpose for an Institution.pdf
Vishwas N
 
Dapr.pdf
Vishwas N
 
linkerd.pdf
Vishwas N
 
HoloLens.pdf
Vishwas N
 
Automated Governance for the DevOps Institutions.pdf
Vishwas N
 
Lets build with DevSecOps Culture.pdf
Vishwas N
 
Github Actions and Terraform.pdf
Vishwas N
 
KEDA.pdf
Vishwas N
 
Ram bleed the hardware based approach for the hackers
Vishwas N
 
Container on azure
Vishwas N
 
Deeplearning and dev ops azure
Vishwas N
 
Azure data lakes
Vishwas N
 
Azure dev ops
Vishwas N
 
Azure ai on premises with docker
Vishwas N
 
Nlp for the precision medicine
Vishwas N
 
Stem cell and the other techniques
Vishwas N
 
Stem cells pros and cons
Vishwas N
 

Recently uploaded (20)

PPTX
Internet of Things (IOT) - A guide to understanding
Davies Chacko
 
PPTX
IOT PPTs Week 10 Lecture Material.pptx of NPTEL Smart Cities contd
ssusera400e8
 
PDF
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
smceramu
 
PPTX
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
VinayB68
 
PDF
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
PDF
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
PPTX
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
MehrabTaseenTalukder
 
PPTX
Sustainable Sites - Green Building Construction
mhdumerali
 
PDF
Structs to JSON How Go Powers REST APIs.pdf
Emily Achieng
 
PDF
Arduino robotics embedded978-1-4302-3184-4.pdf
AbdullahEmam4
 
PPTX
CYBER-CRIMES AND SECURITY A guide to understanding
Davies Chacko
 
PPTX
additive manufacturing of ss316l using mig welding
premcdr7799
 
PPTX
Welding lecture in detail for understanding
sahilpoonia10
 
DOCX
573137875-Attendance-Management-System-original
AYUSHMANAV
 
PPTX
bas. eng. economics group 4 presentation 1.pptx
kiribakimoses1993
 
PPTX
KTU 2019 -S7-MCN 401 MODULE 2-VINAY.pptx
VinayB68
 
PDF
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
IJAEMSJORNAL
 
PDF
Model Code of Practice - Construction Work - 21102022 .pdf
AinieButt1
 
PDF
Well-logging-methods_new................
ZafriFarid
 
PDF
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
Educational Group Mohammad Farshadian
 
Internet of Things (IOT) - A guide to understanding
Davies Chacko
 
IOT PPTs Week 10 Lecture Material.pptx of NPTEL Smart Cities contd
ssusera400e8
 
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
smceramu
 
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
VinayB68
 
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
MehrabTaseenTalukder
 
Sustainable Sites - Green Building Construction
mhdumerali
 
Structs to JSON How Go Powers REST APIs.pdf
Emily Achieng
 
Arduino robotics embedded978-1-4302-3184-4.pdf
AbdullahEmam4
 
CYBER-CRIMES AND SECURITY A guide to understanding
Davies Chacko
 
additive manufacturing of ss316l using mig welding
premcdr7799
 
Welding lecture in detail for understanding
sahilpoonia10
 
573137875-Attendance-Management-System-original
AYUSHMANAV
 
bas. eng. economics group 4 presentation 1.pptx
kiribakimoses1993
 
KTU 2019 -S7-MCN 401 MODULE 2-VINAY.pptx
VinayB68
 
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
IJAEMSJORNAL
 
Model Code of Practice - Construction Work - 21102022 .pdf
AinieButt1
 
Well-logging-methods_new................
ZafriFarid
 
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
Educational Group Mohammad Farshadian
 

API Testing and Hacking (1).pdf

  • 1. API Testing and Hacking By : Vishwas Narayan
  • 3. We Developed faster failed quicker and implemented faster(thanks to devops engineers) But we Forgot Security We worked liked machines and forgot we are human beings We have “trust” for Each other
  • 4. is a Vulnerability • Connections • Users • Content • URLs • Files in the endpoints • New files • Devices • …. Firewall AuthN AuthZ URL Filtering IDS/ IPS Anti-virus Sandboxing IoT Security Cryptography Trust issues lies everywhere
  • 5. Software is Eating the world
  • 6. Software is Eating the world Custom Code Open Source Software Infrastructure as Code Container Manifest Files Scaling Platforms Software Patches ● 80-90 percent of the code is open source ● 80% of the code is found in the Indirect Dependency ● Millions of the imports ● Agile is a Curse to Some Extent of the Development ● The Beauty of the Code is its Scalable and Reusable ● Happy Dev and Happy Bugs in the Production ● Agile is a Blessing Custom Wrappers / Frameworks
  • 7. We all built solutions? Think web 3.0
  • 8. Open Port number 22 with Web3.0 Application implemented
  • 10. What's even more Dangerous is
  • 11. Source : A6: Security Misconfiguration ❗ - Top 10 OWASP 2017 (wallarm.com)
  • 12. We have to learn how to miconfigure
  • 13. What is an API? ● API stands for Application Programming Interface. In the context of APIs, the word Application refers to any software with a distinct function. ● Interface can be thought of as a contract of service between two applications. ● This contract defines how the two communicate with each other using requests and responses. According to Wikipedia “An application programming interface is a way for two or more computer programs to communicate with each other. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how to build or use such a connection or interface is called an API specification.”
  • 14. Simple Analogy ● It's a Socket that communicates with the different services. ● Its a Source of Communication that takes the front end and connected the backend of the different services ● Its a doesn't care source that is coming in the picture its just a dumb formator of the code that needs more security ● Today's blessing of multiple language and abstraction as an API is a Curse.
  • 15. Let's Create Some API and learn about it Lets Learn
  • 16. Let's worship this ● Global state of the internet security DDoS attack reports | Akamai ● How to send API key in the header of python request? - Stack Overflow ● Postman Sending Request onto the API ● Postman Sending AUTH token ● Automating the postman Calls ● Akamai State of the Internet Report
  • 17. Never treat a API like a Web Server
  • 18. Most Common term in API Testing and Hacking is IDOR or BOLA
  • 19. Can I get the document of Customer ID :1001 Of Course take it Can I get the document of Customer ID :3001 Server 3 Server 1 Server 2
  • 20. Can I get the document of Customer ID :1001 Response 200 OK You can take the data Can I get the document of Customer ID :3001 Server 3 Server 1 Server 2
  • 21. Hacker now understand the API slang
  • 22. Always Turn off the Developer Mode
  • 23. API Breaches in BOLA If a Client API manually specify an Object ID then it is potentially a BOLA Vulnerability.
  • 25. Some Postman Hacks are GET /api/Student_ID/{marks} - To fetch the no auth Values here POST /api/Student_ID/{marks}/add_marks - adding marks to the ID POST /api/Student_ID/{marks}/add_grade - adding grade bypassing marks
  • 26. How to FIX? ● Test API for the OWASP top 10 ● Authorization should be the most emphasis in the security practice ● Hack your own API ● SAST and DAST properly ● Stop relying on the Jailbroken Device Detection