Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugal

Transcript

1. Building an Inventory: How to identify all the APIs hidden

   in plain sight? Maria Teresa Pereira Paris, 8th December 2023

2. GET /api/user/me • Engaged in APIs since 2017 • Engaged

   in Cybersecurity since 2021 • Engaged in API Hacking since 2022 • Senior IT Advisor / Pentester at KPMG Portugal • Past Experiences: Process Automation, Backend Development @maria-teresa-pereira @starmtp

3. Governance Testing Monitoring 3 Pillars of API Security

4. API Inventory and its importance 01

5. What is an API inventory? API Inventory is an up-to-date,

   structured and centralized catalogue of all the external and internal APIs used within an organization: • Information about each API, such as name, description, purpose and owner; • Version details, including changes, updates and deprecations; • Any integration with 3rd party APIs; • API endpoints details - purpose of each endpoint, parameters, requests and responses; • Other API details, such as authentication and authorization, errors, redirects, dependencies, data formats, usage statistics, lifecycle status, among others.

6. Why is important to have an API inventory? • Have

   a handle on their attack surface and exposure; • Track all the APIs that are used by your applications; • Have clear visibility of who owns the APIs; • Track older versions of the APIs; • Identify Zombie and Shadow APIs.

7. Real-World: The Breach • Optus is the second largest telecommunications

   company in Australia; • Root cause: a REST API used for testing that was unknowingly exposed to the Internet. • The data breach resulted in the exposure of approximately 10 million customer records, including PII. September 2022 Ref: https://twitter.com/onejvo/status/1573929672748208128 Ref: https://twitter.com/Jeremy_Kirk/status/1573407117566152704/photo/1

8. Real-World: The Breach A change of heart? September 2022 Ref1:

   https://twitter.com/Jeremy_Kirk/status/1574564051694145536/photo/1 Ref2: https://twitter.com/Jeremy_Kirk/status/1574572905454743553

9. Real-World: The Breach Mix of several OWASP API Security Top

   10 Vulnerabilities (2019): September 2022 API 09:2019 — Improper assets management API 02:2019 — Broken user authentication API 01:2019 — Broken object level authorization API 03:2019 — Excessive data exposure API 04:2019 — Lack of resources and rate limiting API 10:2019 — Insufficient logging and monitoring

10. How to identify all the APIs? 02

11. API Safari: How to discover all the APIs? • Using

    specialized tools, scripts, and services to scan websites, applications, and network traffic for API endpoints. API Discovery Automated Manual • Review documentation and user interfaces. • Check for API-related URL patterns and network traffic. • Analyse source code, if available. • Explore API directories and ask developers.

12. MindAPI Ref: https://github.com/dsopas/MindAPI MindAPI is a mind map which combines

    years of experience in testing API security. It's divided into two sections: • Reconnaissance • Testing On both you have guidelines, links to open-source tools and documentation that help you on the way.

13. Manual API Discovery Disadvantages Advantages • Time-Consuming; • Human Error;

    • Limited Scalability; • Dependent on expertise; • Inefficient for Dynamic Environments. • Suitable for short or limited requirements; • Precision.

14. Automated API Discovery Disadvantages • Efficiency; • Scalability; • Consistency;

    • Time-Saving; • Data Analysis. • Potential for False Positives; • Legal and Ethical Concerns; • Lack of Context; • Dependency on Updates; • Limited Depth. Advantages

15. Which is the best option? • Both! • Automated Scans

    + Manual Validation

16. How to document the APIs? 03

17. API Documentation, what for purpose?

18. What should include a good API documentation? • Overview of

    the API; • Getting started - quick guide; • Authentication; • Endpoints; • Request and Response Formats; • Parameters; • Error and status codes; • Versioning; • Pagination; • Testing instructions; • Contact information; • Examples and use cases; • Performance and Best Practices; • (…)

19. API Reference Documentation • From linking or referencing API reference

    guides to providing tutorials, sample code, and usage examples; • Provide technical details about the APIs, such as the methods, parameters, and responses; • Can be easily generated with a tool like Swagger UI, based on the OpenAPI Specification.

20. The OpenAPI Specification (OAS) • OpenAPI Specification, formerly known as

    Swagger, is an interoperable, machine-readable, and human-friendly specification format that is used to define REST APIs. It relies on YAML or JSON Schema to describe the API’s underlying data. • Can be used to: • Generate documentation; • Mock Servers; • API Tests; • Help server and client implementation; • API Governance.

21. Swagger VS OAS Swagger OAS Original project name - is

    the name of a toolset Evolution from Swagger 2.0 - now is the standard for describing REST APIs Swagger 2.0 OpenAPI Specification 3.1.0

22. The API Atlas: API Marketplace • Large platform that houses

    multiple APIs, providing an ecosystem for developers to discover, evaluate, and integrate APIs seamlessly, often including API documentation as part of the package. • Brings API buyers and sellers together in one platform. • Complements OAS in providing standardized and accessible API information. Ref: https://rapidapi.com/search/marketplace

23. Key Takeaways 03

24. How to identify all the APIs hidden in plain sight?

    • Use manual methods like network traffic analysis and browser developer tools; • Employ automated tools for API discovery and web scraping; • Actively explore web pages, examine source code, and perform security testing; • Check for API documentation, OpenAPI specifications, and publicly accessible repositories; • Engage with development teams and collaborate with the community.

25. Governance Testing Monitoring What’s next?

26. Thank you! @maria-teresa-pereira @starmtp Do you have any questions?