Upgrade to Pro — share decks privately, control downloads, hide ads and more …

No REST for Security: Hacking API's - Nicole Be...

No REST for Security: Hacking API's - Nicole Becher

API’s are everywhere!

We are living in the API Economy. Learn about the unique security challenges that exist in API-driven applications. In this talk, we will explore security vulnerabilities I’ve seen from pen-testing API’s, how to hack them and how to implement countermeasures to help developers to protect them.

API security is becoming an important topic with developers, DevOps and DevSecOps alike. Whether its communicating with other microservices, containers, cloud services, applications or data stores, API’s are everywhere in a modern DevOps stack.

This talk will explore the basics of an API and dive deeply into the security issues that arise when developing API-driven applications. Some of these include how you can fingerprint an API, manipulate REST methods, an overview of different types of API authentication methods, such as Basic Authentication, Basic Digest, Session vs Token, JWT and OAuth.

Learn some of the weaknesses in these authentication schemes such as overstuffing a JWT, stealing an OAuth token and other attacks on the authorization flow.

We will also learn how the traditional web application security vulnerabilities can be used over API’s, like cross-site request forgery (CSRF), cross site scripting (XSS) and other injection attacks. Understand how to protect your API against availability attacks such as brute-force and Distributed Denial of Service attacks. Many attacks will be demonstrated live on intentionally vulnerable applications.

DevOpsDays Zurich

May 02, 2018
Tweet

More Decks by DevOpsDays Zurich

Other Decks in Technology

Transcript