Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Is your API leaking? Breaking APIs to increase security.

Joe Kuemerle
January 07, 2016
Technology
0
110

Is your API leaking? Breaking APIs to increase security.

Smartphone apps, single page web applications and most other applications are required to use various APIs in order to accomplish work. While this technology is wonderfully powerful, many developers are unaware of all the ways in which an improperly implemented API can cause data breaches and lead to expensive publicity disasters or compromise of internal systems. In this session we will dive into ways to investigate and compromise web based APIs in order to increase the security and stability of our applications.

Joe Kuemerle

January 07, 2016
Tweet

More Decks by Joe Kuemerle

See All by Joe Kuemerle
Pilots, Surgeons and Developers - Improving Application Security With Checklists
jkuemerle
0
18
Lightweight Data Access in .NET
jkuemerle
0
39
Defense Against The Dark Arts: Application security and you
jkuemerle
0
36
Application Security: What you don't know can hurt you - PrairieDevCon 2015
jkuemerle
0
65
Keeping Secrets: Using Encryption Effectively
jkuemerle
0
98
Keeping Secrets: Using Encryption Effectively - CodeMash 2015
jkuemerle
0
60
Get Rid of Visual SourceSafe??! - NWNUG March 2014
jkuemerle
0
96
Close The Feedback Loop. Using Application Analytics To Improve Agile Development - CodepaLOUsa 2014
jkuemerle
0
61
Application Security - CodepaLOUsa 2014
jkuemerle
0
49

Other Decks in Technology

See All in Technology
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
780
データベース02: データベースの概念
trycycle
0
160
検証を通して見えてきたTiDBの性能特性
lycorptech_jp
PRO
6
3.8k
複雑な構成要素を持つUIとの向き合い方 〜新・支出グラフでの実例〜 / B43 TECH TALK
nakamuuu
0
140
web-application-security
matsuihidetoshi
0
170
ゼロから始めるVue.jsコミュニティ貢献 / first-vuejs-community-contribution-link-and-motivation
lmi
1
130
LLM開発・活用の舞台裏@2024.04.25
yushin_n
1
340
Building a RAG-powered AI chat app with Python and VS Code
pamelafox
0
100
Compose Compiler Metricsを使った実践的なコードレビュー
tomorrowkey
1
220
チームでロジカルシンキングに改めて向き合っている話 〜学習環境と実践⽅法〜
sansantech
PRO
3
2.6k
AOAI をきっかけに​ 社内の Azure 管理を見直した話​
recruitengineers
PRO
1
300
IaCジェネレーターとBedrockで詳細設計書を生成してみた
tsukasa_ishimaru
1
280

Featured

See All Featured
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
30
6k
YesSQL, Process and Tooling at Scale
rocio
164
13k
How to Ace a Technical Interview
jacobian
272
22k
Building Flexible Design Systems
yeseniaperezcruz
319
37k
Rebuilding a faster, lazier Slack
samanthasiow
73
8.2k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
116
18k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
Git: the NoSQL Database
bkeepers
PRO
422
63k
The Invisible Side of Design
smashingmag
294
49k
Building Effective Engineering Teams - LeadDev
addyosmani
28
1.8k
A designer walks into a library…
pauljervisheath
200
23k
How GitHub (no longer) Works
holman
304
140k

Transcript

  1. Is your API leaking? Breaking APIs to increase security. Joe

    Kuemerle / @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/krisgriffon/18786084/

  2. Joe Kuemerle  Many years of development experience with a

    broad range of technologies  Focused on application and data security, coding best practices and regulatory compliance  Presenter at community, regional and national events.  http://twitter.com/jkuemerle  http://bit.ly/codemash2016  http://bit.ly/doorcomp

  3. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/arthurtlabar/7983314496/

  4. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/woodhead/6950573661/

  5. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/centralasian/5565136539/

  6. @jkuemerle / www.kuemerle.com Convenience Security

  7. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/dahlstroms/4511228299/ https://upload.wikimedia.org/wikipedia/commons/e/ec/1974_AMC_Matador_grand_national_int.jpg

  8. @jkuemerle / www.kuemerle.com

  9. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/aukirk/13049646504/

  10. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/if-by-whiskey/3203756823/

  11. @jkuemerle / www.kuemerle.com http://bit.ly/1kMa4ea

  12. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/chrisjohnbeckett/15475991686/

  13. @jkuemerle / www.kuemerle.com https://commons.wikimedia.org/wiki/File:TLS_protocol_stack.jpg

  14. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/shawnhoke/7563591726/

  15. @jkuemerle / www.kuemerle.com https://www.startssl.com/ https://letsencrypt.org/

  16. @jkuemerle / www.kuemerle.com

  17. Bypass Certificate Validation? DO NOT EVER DO THIS @jkuemerle /

    www.kuemerle.com (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge { [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge]; [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge]; } SSLContext sc = SSLContext.getInstance("TLS"); sc.init(null, new TrustManager[] { new TrustAllX509TrustManager() }, new java.security.SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); HttpsURLConnection.setDefaultHostnameVerifier( new HostnameVerifier(){ public boolean verify(String string,SSLSession ssls) { return true; } }); ServicePointManager.ServerCertificateValidationCallback = delegate(Object obj, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors) { return (true); };

  18. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/jasohill/3031344752/

  19. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/barisione/2179852655/

  20. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/yer_sister/543799566/

  21. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/fredsitt/9818423086/

  22. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/rushen/16491810210

  23. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/97591625@N00/7020152239

  24. @jkuemerle / www.kuemerle.com

  25. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/mrbendy/227710896

  26. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/caseorganic/2803957237/

  27. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/underactive/4641141770

  28. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/132604339@N03/22724469359/

  29. http://www.veracode.com/resources/state-of-software-security

  30. @jkuemerle / www.kuemerle.com https://www.owasp.org/index.php/Testing_for_NoSQL_injection

  31. @jkuemerle / www.kuemerle.com

  32. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/hystericalmark/4906298122

  33. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/joeshlabotnik/497312470/

  34. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/kevinomara/3422866722/

  35. http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

  36. https://github.com/skylot/jadx

  37. https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

  38. None

  39. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/76074333@N00/317952268/

  40. @jkuemerle / www.kuemerle.com

  41. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/kalexanderson/6451988393/

  42. References @jkuemerle / www.kuemerle.com  The Most Dangerous Code in

    the World: Validating SSL Certificates in Non-Browser Software http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf  https://www.owasp.org/index.php/Testing_for_NoSQL_inj ection  https://blog.vpn.ac/a-story-of-imitation-and-security-done- wrong.html  http://www.troyhunt.com/2014/09/hack-your-api-first- learn-how-to.html

  43. Resources @jkuemerle / www.kuemerle.com  https://www.ssllabs.com/ssltest/  http://www.telerik.com/fiddler  http://www.telerik.com/fiddler/add-ons

     https://portswigger.net/burp/proxy.html  https://www.owasp.org/index.php/OWASP_Zed_Attack_ Proxy_Project  https://www.kali.org/