Wake up and smell the API

@hpoom Wake up and smell the API By Simon Wood
1 Untangling the Web London - July 2015

/ @hpoom About me Technology Director Shortbreaks ! Holiday Extras
Simon Wood 2

/ @hpoom 3 Holiday Extras

/ @hpoom API Growth 4 Private APIs Public APIs What
I am going to cover

@hpoom APIs Are Eating The World 5

@hpoom 6 APIs Mobile Social Cloud Diagram by Sam Ramji
- http://bit.ly/biz-apis

@hpoom APIs 7 Private

@hpoom What is a Private API? 8

” @hpoom When it comes to modern devices and cloud
services, there’s no such thing as a private API. George Reese ! bit.ly/private-API "Vintage Bank Vault" by Brook Ward. Licensed under Creative Commons.- https://flic.kr/p/dTo7wU

” @hpoom If You Have A Publicly Available Mobile App
You Have a Public API. Kin Lane ! bit.ly/public-API

@hpoom intercept API Calls 11

/ @hpoom mitmproxy mitmproxy.org Proxy Tools 12 Charles charlesproxy.com

/ @hpoom How proxy works 13 Client Server Proxy Request
Response Request Response

@hpoom 14 Private API vulnerability

” @hpoom we’re excited by the interest in developing for
the Snapchat platform but we prohibit access to the private API we use to provide our service ! bit.ly/snapchat-api

/ @hpoom 16

” @hpoom If it has an http:// in front of
the address, it is a public API. Kin Lane ! bit.ly/http-public

/ @hpoom Moonpig

” @hpoom I've seen some half-arsed security messures in my
time but this just takes the biscuit. Whoever architected this system needs to be water-boarded. Paul Price ! bit.ly/moonpig-api

@hpoom 20 GET /rest/MoonpigRestWebservice.svc/addresses? &customerId=5379382&countryCode=9424 HTTP/1.1! ! Authorization: Basic aXBjiS5lOk1vb25QHjimvF58DEw
! Host: api.moonpig.com ! Connection: Keep-Alive! ! !

! Host: api.moonpig.com ! Connection: Keep-Alive! ! *string*:*string*!

@hpoom 24 {! "Address": "xxxxxx\r\nxxxxxxx\r\nxxxxxxx",! "AddressBookId": 414628930,! "AddressType": "CustomerAddress",! "AddressTypeId":
1,! "Company": "Test",! "Country": "United Kingdom",! "County": "London",! "Firstname": "Test",! "Greeting": null,! "Lastname": "Test",! "Postcode": " LN1 3FN",! "PostcodeSystemUpdated": null,! "SortByLastName": false,! "Suffix": null,!

@hpoom 25 <ArrayOfCustomerCreditCard ! xmlns=“http://schemas.datacontract.org/2004/07/! Moonpig.Model.CustomerAttributes.Accounting"! xmlns:i="http://www.w3.org/2001/XMLSchema-instance">! <CustomerCreditCard>! <CardType>Credit Card
(Unspeci</CardType>! <CustomerId>11466749</CustomerId>! <ExpiryDate>12/18</ExpiryDate>! <LastFourDigits>5993</LastFourDigits>! <NameOnCard>Mr X XXX</NameOnCard>! <TransactionId>5983632541-1/TransactionId>! </CustomerCreditCard>! </ArrayOfCustomerCreditCard>

/ @hpoom Responsible Disclosure 26

/ @hpoom Ola Cabs bit.ly/olacarbs-api

/ @hpoom Teller.io

” @hpoom The government is determined to support a more
competitive banking sector where banks and financial technology firms can thrive alongside the established players, competing to offer new and improved services to customers George Osborne ! autumn-statement-2014

@hpoom Reverse Engineer the banks 30

/ @hpoom How teller works 31 Request Response Request Response

/ @hpoom 32

@hpoom APIs 33 Public

@hpoom What is a Public API? 34

@hpoom Innovation encouraged 35

/ @hpoom Pillow

/ @hpoom ESPN

@hpoom Community Feedback 38

@hpoom Developer Portal 39

/ @hpoom GitHub

/ @hpoom Twilio

/ @hpoom Share API payloads 42 apicommons.org

@hpoom 43 Future is public APIs

@hpoom Thank you please contact me if you have any
questions! ! Twitter: @hpoom logo 44 By Simon Wood Untangling the Web London - July 2015

Wake up and smell the API

Wake up and smell the API

More Decks by Simon Wood

Other Decks in Technology

Featured

Transcript