Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Apidays Paris 2023 - Building an Inventory, Ma...

apidays
December 18, 2023

Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugal

Apidays Paris 2023 - Software and APIs for Smart, Sustainable and Sovereign Societies
December 6, 7 & 8, 2023

Building an Inventory: How to identify all the APIs hidden in plain sight?
Maria Teresa Pereira, Senior IT Advisor / Pentester - Cybersecurity Services at KPMG Portugal

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

December 18, 2023
Tweet

More Decks by apidays

Other Decks in Programming

Transcript

  1. Building an Inventory: How to identify all the APIs hidden

    in plain sight? Maria Teresa Pereira Paris, 8th December 2023
  2. GET /api/user/me • Engaged in APIs since 2017 • Engaged

    in Cybersecurity since 2021 • Engaged in API Hacking since 2022 • Senior IT Advisor / Pentester at KPMG Portugal • Past Experiences: Process Automation, Backend Development @maria-teresa-pereira @starmtp
  3. What is an API inventory? API Inventory is an up-to-date,

    structured and centralized catalogue of all the external and internal APIs used within an organization: • Information about each API, such as name, description, purpose and owner; • Version details, including changes, updates and deprecations; • Any integration with 3rd party APIs; • API endpoints details - purpose of each endpoint, parameters, requests and responses; • Other API details, such as authentication and authorization, errors, redirects, dependencies, data formats, usage statistics, lifecycle status, among others.
  4. Why is important to have an API inventory? • Have

    a handle on their attack surface and exposure; • Track all the APIs that are used by your applications; • Have clear visibility of who owns the APIs; • Track older versions of the APIs; • Identify Zombie and Shadow APIs.
  5. Real-World: The Breach • Optus is the second largest telecommunications

    company in Australia; • Root cause: a REST API used for testing that was unknowingly exposed to the Internet. • The data breach resulted in the exposure of approximately 10 million customer records, including PII. September 2022 Ref: https://twitter.com/onejvo/status/1573929672748208128 Ref: https://twitter.com/Jeremy_Kirk/status/1573407117566152704/photo/1
  6. Real-World: The Breach A change of heart? September 2022 Ref1:

    https://twitter.com/Jeremy_Kirk/status/1574564051694145536/photo/1 Ref2: https://twitter.com/Jeremy_Kirk/status/1574572905454743553
  7. Real-World: The Breach Mix of several OWASP API Security Top

    10 Vulnerabilities (2019): September 2022 API 09:2019 — Improper assets management API 02:2019 — Broken user authentication API 01:2019 — Broken object level authorization API 03:2019 — Excessive data exposure API 04:2019 — Lack of resources and rate limiting API 10:2019 — Insufficient logging and monitoring
  8. API Safari: How to discover all the APIs? • Using

    specialized tools, scripts, and services to scan websites, applications, and network traffic for API endpoints. API Discovery Automated Manual • Review documentation and user interfaces. • Check for API-related URL patterns and network traffic. • Analyse source code, if available. • Explore API directories and ask developers.
  9. MindAPI Ref: https://github.com/dsopas/MindAPI MindAPI is a mind map which combines

    years of experience in testing API security. It's divided into two sections: • Reconnaissance • Testing On both you have guidelines, links to open-source tools and documentation that help you on the way.
  10. Manual API Discovery Disadvantages Advantages • Time-Consuming; • Human Error;

    • Limited Scalability; • Dependent on expertise; • Inefficient for Dynamic Environments. • Suitable for short or limited requirements; • Precision.
  11. Automated API Discovery Disadvantages • Efficiency; • Scalability; • Consistency;

    • Time-Saving; • Data Analysis. • Potential for False Positives; • Legal and Ethical Concerns; • Lack of Context; • Dependency on Updates; • Limited Depth. Advantages
  12. What should include a good API documentation? • Overview of

    the API; • Getting started - quick guide; • Authentication; • Endpoints; • Request and Response Formats; • Parameters; • Error and status codes; • Versioning; • Pagination; • Testing instructions; • Contact information; • Examples and use cases; • Performance and Best Practices; • (…)
  13. API Reference Documentation • From linking or referencing API reference

    guides to providing tutorials, sample code, and usage examples; • Provide technical details about the APIs, such as the methods, parameters, and responses; • Can be easily generated with a tool like Swagger UI, based on the OpenAPI Specification.
  14. The OpenAPI Specification (OAS) • OpenAPI Specification, formerly known as

    Swagger, is an interoperable, machine-readable, and human-friendly specification format that is used to define REST APIs. It relies on YAML or JSON Schema to describe the API’s underlying data. • Can be used to: • Generate documentation; • Mock Servers; • API Tests; • Help server and client implementation; • API Governance.
  15. Swagger VS OAS Swagger OAS Original project name - is

    the name of a toolset Evolution from Swagger 2.0 - now is the standard for describing REST APIs Swagger 2.0 OpenAPI Specification 3.1.0
  16. The API Atlas: API Marketplace • Large platform that houses

    multiple APIs, providing an ecosystem for developers to discover, evaluate, and integrate APIs seamlessly, often including API documentation as part of the package. • Brings API buyers and sellers together in one platform. • Complements OAS in providing standardized and accessible API information. Ref: https://rapidapi.com/search/marketplace
  17. How to identify all the APIs hidden in plain sight?

    • Use manual methods like network traffic analysis and browser developer tools; • Employ automated tools for API discovery and web scraping; • Actively explore web pages, examine source code, and perform security testing; • Check for API documentation, OpenAPI specifications, and publicly accessible repositories; • Engage with development teams and collaborate with the community.