Pentesting API TOP 10 by @vk_tushar

Transcript

1. Tushar Kulkarni Pentesting API Top 10 roottusk.com

2. vAPI : Vulnerable Adversely Programmed Interface GET /user/me HTTP/1.1 •

   Security Research Engineer at Holm Security • Lead at OWASP Nagpur • Spoken at Blackhat , HITB, OWASP Appsecdays etc. • Like to play CTFs in my Free Time

3. vAPI : Vulnerable Adversely Programmed Interface

4. vAPI : Vulnerable Adversely Programmed Interface Tech Stack

5. vAPI : Vulnerable Adversely Programmed Interface Installation Docker - Make

   sure you have docker and docker-compose - Go to the root of the project and run docker-compose up -d Manually - Prerequisites include PHP, MySQL - Configure the MySQL credentials and Server port in the .env file of the project - You can run php artisan serve command to start the Laravel Server

6. vAPI : Vulnerable Adversely Programmed Interface Tools required to Test

   API - Postman - We currently have Postman collection and Environment which store the API calls - Thinking of providing it also in OpenAPI - MITM Proxy (OWASP ZAP/Burpsuite) - Not entirely necessary but may help some users if they have more familiarity with MITM tools.

7. vAPI : Vulnerable Adversely Programmed Interface OWASP API Top 10

   Project API1:2019 Broken Object Level Authorization API2:2019 Broken User Authentication API3:2019 Excessive Data Exposure API4:2019 Lack of Resources & Rate Limiting API5:2019 Broken Function Level Authorization API6:2019 Mass Assignment API7:2019 Security Misconfiguration API8:2019 Injection API9:2019 Improper Assets Management API10:2019 Insufficient Logging & Monitoring https://owasp.org/www-project-api-security/

8. vAPI : Vulnerable Adversely Programmed Interface API1:2019 Broken Object Level

   Authorization

9. vAPI : Vulnerable Adversely Programmed Interface API2:2019 Broken User Authentication

   - Credential Stuffing - Weak Password Policies - Sensitive data in URL - Weak Encryption - Misconfigured Tokens/ Not Validating tokens properly

10. vAPI : Vulnerable Adversely Programmed Interface API3:2019 Excessive Data Exposure

    <Insert Drake Disapproval Meme here> <Insert Drake Approval Meme here>

11. vAPI : Vulnerable Adversely Programmed Interface API4:2019 Lack of Resources

    and Rate Limiting

12. vAPI : Vulnerable Adversely Programmed Interface API5:2019 Broken Function Level

    Authorization

13. vAPI : Vulnerable Adversely Programmed Interface API6:2019 Mass Assignment -

    Automatically Adding User supplied parameters into Object Properties • Permission-related properties: user.is_admin, user.is_vip should only be set by admins. • Process-dependent properties: user.cash should only be set internally after payment verification. • Internal properties: article.created_time should only be set internally by the application.

14. vAPI : Vulnerable Adversely Programmed Interface API7:2019 Security Misconfiguration

15. vAPI : Vulnerable Adversely Programmed Interface API8:2019 Injection - OS

    Command, SQL, XML ,LDAP and a lot of others - Lack of Sanitization

16. vAPI : Vulnerable Adversely Programmed Interface API9:2019 Improper Assets Management

    - API versions v1,v2,v1.1 - Environment (Staging,Dev, Prod) - Handling PII/PHI

17. vAPI : Vulnerable Adversely Programmed Interface API10:2019 Insufficient Logging and

    Monitoring • It does not produce any logs, the logging level is not set correctly, or log messages do not include enough detail. • Log integrity is not guaranteed (e.g., Log Injection). • Logs are not continuously monitored. • API infrastructure is not continuously monitored.

18. vAPI : Vulnerable Adversely Programmed Interface Vulnerabilities in Web Apps

    VS Vulnerabilities in APIs - XSS? - A lot of Broken Authorization and Access Control - DAST on a Web App gives different results than on a Web API

19. vAPI : Vulnerable Adversely Programmed Interface Project Roadmap - Acknowledgements

    for Completion of Challenges / Dashboard - Crowdsourced Playground for API Security Challenges Image Source: dinosoftlabs

20. vAPI : Vulnerable Adversely Programmed Interface Demo

21. vAPI : Vulnerable Adversely Programmed Interface Contributors and Thanks https://dsopas.github.io/MindAPI/

    API Security Weekly: Issue #132 OWASP Vulnerable Web Applications Directory (VWAD) arainho/awesome-api-security: A collection of awesome API Security tools and resources.

22. vAPI : Vulnerable Adversely Programmed Interface References https://owasp.org/www-project-api-security/ https://blog.api.rakuten.net/api-benefits/ https://blog.api.rakuten.net/api-security/

    http://helpcentral.componentone.com/nethelp/c1webapi/ https://dev.to/ricardo_borges/some-practices-to-design-restful-apis-interfaces-5a5i

23. vAPI : Vulnerable Adversely Programmed Interface Q & A THANK

    YOU • Twitter: @vk_tushar • Github: @roottusk • Mail: [email protected] • Web: roottusk.com