

INTERFACE by apidays 2023 - Everything you need to know about API security, Tony Lauro, Akamai Technologies

INTERFACE by apidays 2023
APIs for a “Smart” economy. Embedding AI to deliver Smart APIs and turn into an exponential organization
June 28 & 29, 2023

Everything you need to know about API security
Tony Lauro, Director of Security Strategy at Akamai Technologies

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

July 11, 2023

Transcript

  1. Everything You Should Know About API Security (© 2023 Akamai | Confidential)
     Tony Lauro | CISSP, GWAPT, GSTRT, Director Security Strategy, Akamai

  2. Agenda
     1. API Basics
     2. Two Real-World API Abuse Stories
     3. API Attack Simulation
     4. Existing Security Controls
     5. API Attack Detection

  3. API Security Problems
     • Discovery of APIs in any environment
     • Risk posture (OWASP Top 10)
     • Understanding API user behavior
     • API abuse
     • Investigations and threat hunting
     Why do you need API security? 83% of internet traffic is on APIs.
     Detection approaches: signature based, anomaly detection, cumulative risk score.
  4. Uber: Account Takeover
     • How I Could Have Hacked Your Uber Account (Anand Prakash, 2019)
     • Anand got from a phone number/email address to full account takeover
     • The vulnerabilities were quickly fixed by Uber
     • Request chain shown on the slide: (1) POST /addDriver -> error message with UUID; (2) POST /getConsentScreenDetails -> PII and access token

  5. Uber: Excessive Data Exposure
     • API3:2019 - Excessive data exposure
     • The APIs exposed much more data than required to operate

  6. Uber: BOLA
     • API1:2019 - Broken Object Level Authorization
     • Users can access resources that are not owned by them

  7. Scoolio: A Massive Data Exposure
     • Scoolio is a student app used in German-speaking countries
     • Among its features:
       ◦ Social network and chat rooms
       ◦ Studies planning and self management
       ◦ Tutoring
       ◦ Personality tests
     • The business model: collect data to monetize through better ads

  8. Scoolio: A Massive Data Exposure
     • Scoolio - visit of the basement of horror (Zerforschung, 2021)
     • The API exposed PII and more for any user in the platform
     • Request chain shown on the slide: (1) GET /api/v3/Explorer -> profile IDs; (2) GET /api/v2/Profile/{ProfileID} -> PII (email, DOB, GPS location)

  9. The Scope of the Scoolio 2021 Vulnerability
     • API1:2019 - Broken object level authorization
       ◦ Once again, PII of users is exposed to any user
     • A UUID is a good practice because it is hard to guess
       ◦ A plain ID is even easier to exploit by simple iteration
     • In this case, the UUID was obtained through another endpoint

  10. Scoolio: Improper Assets Management
     • API9:2019 - Improper Assets Management
     • Old API version exposing more PII still accessible
       ◦ Also indicates an excessive data exposure of the old API

  11. Scoolio: Improper Assets Management
     Current endpoint: /api/v3/Profile/{ProfileID}
     Old endpoint still reachable: /api/v2/Profile/{ProfileID}
  12. Challenges (today's focus vs. tomorrow's focus)
     • Shadow APIs: discover your complete API footprint, including rogue, legacy, admin, zombie, etc.
     • Vulnerable APIs: prevent OWASP Top 10 vulnerabilities and misconfigurations from hitting production.
     • API Abuse: stop business logic abuse such as data scraping or data exfiltration using behavioral analytics.
  13. BOLA Detection - The Concept
     • BOLA is unauthorized resource access by an actor:
       ◦ Username sent as a path param (e.g., /users/v1/{username}/password)
       ◦ Fields in the payload (e.g., the UUID we just saw in Uber or Scoolio)
     • Detecting BOLA could be possible if we map:
       ◦ Entities: both actors and resources
       ◦ Relationships between all entities
     • Some resources should not be accessed by anyone but their owner
       ◦ For example, my personal details or my wallet data

  14. BOLA Detection - Relationship Mapping
     Consider a banking app where users can:
     • Read their account data: account data can be accessed by a single user
     • Read the exchange rate: the exchange rate can be accessed by multiple users
     • Out of this session's scope: how the relationships are learned
     Diagram on the slide: UserID 1337, UserID 430 and UserID 777 each map to one account (Account 7331, Account 835, Account 908), and all three map to the shared exchange rates $ -> € and $ -> ¥.

  15. BOLA Detection - Relationship Violation
     A violation of those relationships => BOLA, indicated by the red arrow in the chart.
     Diagram on the slide: UserID 1337, UserID 430 and UserID 777 against Account 7331, Account 835 and Account 908, with one cross-owner access marked X.

  16. BOLA Detection In Practice
     Let's test our proposal against the Uber and Scoolio attacks.
     Keys: Green: the actor identity; Red: the requested resource.
     Scoolio request shown: GET /api/v3/Profile/{ProfileID}, Headers: Authorization: <MyAccessToken>
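The relationship-mapping idea from slides 13 to 16, written out as detection logic over a handful of API access log lines. This is an added example, not code from the deck or from Akamai; the log format, the owner-to-account pairing (1337 -> 7331, 430 -> 835, 777 -> 908) and the `shared_threshold` rule are assumptions of the example.

```python
"""Added example, not from the deck: BOLA detection by relationship mapping.
Learn which actor (UserID) touches which resource from a baseline of requests,
treat a resource seen with one actor as owner-only (account data) and one seen
with several actors as shared (exchange rate), then flag requests in which an
actor reaches an owner-only resource that is not theirs."""
import re
from collections import defaultdict

# Constructed log lines "<UserID> <METHOD> <path>", using the deck's banking
# example; the user-to-account pairing is an assumption of this example.
BASELINE = [
    "1337 GET /accounts/7331",
    "1337 GET /accounts/7331",
    "430 GET /accounts/835",
    "777 GET /accounts/908",
    "1337 GET /rates/USD-EUR",
    "430 GET /rates/USD-EUR",
    "777 GET /rates/USD-JPY",
    "430 GET /rates/USD-JPY",
]

LINE_RE = re.compile(r"^(?P<user>\d+)\s+(?P<method>[A-Z]+)\s+(?P<path>/\S+)$")

def parse(line):
    """Split one log line into (user_id, method, path); reject malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.group("user"), m.group("method"), m.group("path")

def learn_relationships(lines):
    """Map each resource path to the set of actors that used it in the baseline."""
    owners = defaultdict(set)
    for line in lines:
        user, _, path = parse(line)
        owners[path].add(user)
    return owners

def is_bola(owners, line, shared_threshold=2):
    """True when the actor requests a resource that the baseline tied to a
    different single actor.  Resources seen with >= shared_threshold distinct
    actors are treated as shared; never-seen resources are unknown, not flagged
    (they belong to API discovery, the deck's step 2, not to BOLA detection)."""
    user, _, path = parse(line)
    seen = owners.get(path)
    if not seen or len(seen) >= shared_threshold:
        return False
    return user not in seen

def detect(owners, lines):
    """Return the log lines that violate the learned ownership relationships."""
    return [line for line in lines if is_bola(owners, line)]
```

Running `detect(learn_relationships(BASELINE), ["777 GET /accounts/835"])` reproduces the red arrow from slide 15: user 777 reaching account 835, which only user 430 ever accessed in the baseline.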
  17. The API Security Environment
     • By 2024, API abuses and related data breaches will nearly double.¹
     • Existing application security solutions not built for APIs
     • 83% of web traffic is APIs²
     • More APIs deployed every day -> more API traffic -> more API attacks
     ¹ Gartner: Top 10 Things Software Engineering Leaders Need to Know About APIs
     ² Akamai: Blog - API Discovery and Profiling -- Visibility to Protection

  18. API Security Maturity Model: how mature is your organization?
     • Step 1, Visibility to API activity: Do you have logs for the API environment? Are your logs sufficient? How do you handle sensitive data? (Use your own data; sensors not required.)
     • Step 2, API Discovery: Do you know all your microservices? Do you know all your APIs? (Breadth of coverage is most important.)
     • Step 3, Risk Audit: What is your risk posture? Misconfigured? Errors? Documented? Sensitive data? (Audit of the entire estate, not just where sensors are deployed.)
     • Step 4, Behavioral Detection: Can you detect misuse or business abuse? Can you identify the entities in your APIs? (Behavioral analytics requires data & SaaS.)
     • Step 5, Response: Deploy automated responses? Are responses customizable? (Open platform to create response playbooks.)
     • Step 6, Investigate and Threat Hunt: Can you find threats in your past data? Can you hunt for threats? (Requires historical data and SaaS.)