Slide 1

Wake up and smell the API
By Simon Wood (@hpoom)
Untangling the Web, London, July 2015

Slide 2

About me: Simon Wood, Technology Director, Shortbreaks, Holiday Extras

Slide 3

Holiday Extras

Slide 4

What I am going to cover: API growth, private APIs, public APIs

Slide 5

APIs are eating the world

Slide 6

APIs: mobile, social, cloud. Diagram by Sam Ramji, http://bit.ly/biz-apis

Slide 7

APIs: Private

Slide 8

What is a Private API?

Slide 9

"When it comes to modern devices and cloud services, there's no such thing as a private API." George Reese, bit.ly/private-API
Image: "Vintage Bank Vault" by Brook Ward, licensed under Creative Commons, https://flic.kr/p/dTo7wU

Slide 10

"If you have a publicly available mobile app you have a public API." Kin Lane, bit.ly/public-API

Slide 11

Intercept API calls

Slide 12

Proxy tools: mitmproxy (mitmproxy.org), Charles (charlesproxy.com)

Slide 13

How a proxy works: the client sends its request to the proxy, the proxy forwards the request to the server, the server returns its response to the proxy, and the proxy returns the response to the client.

Slide 14

Private API vulnerability

Slide 15

"We're excited by the interest in developing for the Snapchat platform but we prohibit access to the private API we use to provide our service." bit.ly/snapchat-api

Slide 16

(image slide, no text)

Slide 17

"If it has an http:// in front of the address, it is a public API." Kin Lane, bit.ly/http-public

Slide 18

Moonpig

Slide 19

"I've seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be water-boarded." Paul Price, bit.ly/moonpig-api

Slide 20

GET /rest/MoonpigRestWebservice.svc/addresses?&customerId=5379382&countryCode=9424 HTTP/1.1
Authorization: Basic aXBjiS5lOk1vb25QHjimvF58DEw
Host: api.moonpig.com
Connection: Keep-Alive

Slide 21

(same request as slide 20)

Slide 22

(same request as slide 20, with the Basic Authorization value shown decoded and masked)
*string*:*string*

Slide 23

(same request as slide 20)

Slide 24

{
  "Address": "xxxxxx\r\nxxxxxxx\r\nxxxxxxx",
  "AddressBookId": 414628930,
  "AddressType": "CustomerAddress",
  "AddressTypeId": 1,
  "Company": "Test",
  "Country": "United Kingdom",
  "County": "London",
  "Firstname": "Test",
  "Greeting": null,
  "Lastname": "Test",
  "Postcode": " LN1 3FN",
  "PostcodeSystemUpdated": null,
  "SortByLastName": false,
  "Suffix": null,

Slide 25

Credit Card (Unspeci
11466749
12/18
5993
Mr X XXX
5983632541-1</TransactionId>
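The request on slides 20 to 23 carries the customer identifier in the query string next to a Basic Authorization header. The defensive point is object-level authorization: the server has to decide whose address book to return from the authenticated credential, never from a caller-supplied customerId. The Python below is an added example written for this page, not Moonpig's code and not from the talk; the credentials, customer ids, address records, the host api.example.test and the path /rest/addresses are all constructed placeholders. It shows the weak handler, which only checks that some credential is valid, beside the hardened one, which refuses a customerId that does not belong to the principal.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlparse

# Constructed sample data (placeholders, not real service data):
# which customer each Basic-auth credential belongs to, and each customer's address book.
CREDENTIALS = {
    ("alice", "pw-alice"): 5379382,
    ("bob", "pw-bob"): 5379383,
}
ADDRESS_BOOKS = {
    5379382: [{"AddressBookId": 1, "Firstname": "Alice", "Postcode": "XX1 1XX"}],
    5379383: [{"AddressBookId": 2, "Firstname": "Bob", "Postcode": "XX2 2XX"}],
}


def parse_request(raw):
    """Split a minimal HTTP/1.1 request text into (method, path, query dict, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    url = urlparse(target)
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url.path, query, headers


def authenticate(headers):
    """Map a Basic Authorization header to the customer id it belongs to, or None if invalid."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return CREDENTIALS.get((user, password))


def requested_customer(query):
    """Return the customerId query parameter as an int, or None if absent or malformed."""
    try:
        return int(query["customerId"])
    except (KeyError, ValueError):
        return None


def addresses_vulnerable(raw):
    """Checks only that *some* credential is valid, then trusts customerId from the query.
    Any authenticated caller can therefore read any customer's address book (an IDOR)."""
    _, _, query, headers = parse_request(raw)
    if authenticate(headers) is None:
        return 401, None
    return 200, ADDRESS_BOOKS.get(requested_customer(query), [])


def addresses_hardened(raw):
    """Binds the lookup to the authenticated customer; a mismatching customerId is refused."""
    _, _, query, headers = parse_request(raw)
    principal = authenticate(headers)
    if principal is None:
        return 401, None
    if requested_customer(query) != principal:
        # Object-level authorization failure: the caller asked for another customer's data.
        return 403, None
    return 200, ADDRESS_BOOKS[principal]


def make_request(user, password, customer_id):
    """Build a request in the shape shown on the slide, with constructed credentials and host."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (
        f"GET /rest/addresses?&customerId={customer_id}&countryCode=9424 HTTP/1.1\r\n"
        f"Authorization: Basic {token}\r\n"
        "Host: api.example.test\r\n"
        "Connection: Keep-Alive\r\n"
        "\r\n"
    )


if __name__ == "__main__":
    # Alice, authenticated with her own credential, asks for Bob's address book.
    cross = make_request("alice", "pw-alice", 5379383)
    print("vulnerable:", addresses_vulnerable(cross))  # 200 with Bob's records
    print("hardened:  ", addresses_hardened(cross))    # 403
```

The hardened handler ignores the parameter as a source of identity and only uses it as a consistency check; in a real service the same rule applies to every per-customer resource, and a 403 on a mismatch is also the event worth logging and alerting on, since a burst of them from one credential is the signature of enumeration.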

Slide 26

Responsible disclosure

Slide 27

Ola Cabs, bit.ly/olacarbs-api

Slide 28

Teller.io

Slide 29

"The government is determined to support a more competitive banking sector where banks and financial technology firms can thrive alongside the established players, competing to offer new and improved services to customers." George Osborne, Autumn Statement 2014

Slide 30

Reverse engineer the banks

Slide 31

How Teller works (diagram: request, response, request, response)

Slide 32

(image slide, no text)

Slide 33

APIs: Public

Slide 34

What is a Public API?

Slide 35

Innovation encouraged

Slide 36

Pillow

Slide 37

ESPN

Slide 38

Community feedback

Slide 39

Developer portal

Slide 40

GitHub

Slide 41

Twilio

Slide 42

Share API payloads: apicommons.org

Slide 43

The future is public APIs

Slide 44

Thank you. Please contact me if you have any questions. Twitter: @hpoom
By Simon Wood, Untangling the Web, London, July 2015