Putting AI into API Security #whoami Corey Ball @hAPI_hacker • Senior Manager Pentest Consulting, Moss Adams • Author of Hacking APIs (No Starch Press, 2022) 

No content

• Founder and Chief Hacking Officer, APIsec University - APIsecU (https://apisecu.com/) • OWASP API Security Project Contributor 

Introduction Why should you enhance API Security with AI? • A Chess Lesson • The other reason 

The Chess Lesson • In 1997 the world chess champion, Kasparov, faced off against the world's best chess computer and lost. Fun Facts: • In 1996, Kasparov defeated Deep Blue • 12 years before that he faced off against 32 of the best computers and went undefeated. 

No content

After Kasparov lost, chess was over... ...or not. But it did make Kasparov consider the collaborative symbiosis of Humans and Machines. 

Lessons to get the most out of our technology: • Combine the strengths of human testers with AI technology • An API security tester enhanced with an AI security LLM is stronger than: - A tester alone - An automated security tool alone 

Human Intuition + Machine Calculation Human Strategy + Machine Tactics Human Experience + Machine's Memory The Other Reason... 

Adversaries are enhancing their attacks using AI tools. 

No content

A(P)I Security Testing • Hacking APIs GPT - Plus Free Prompts • Postman's Postbot 

• PrivateGPT The Hacking APIs GPT • Three key features: - Endpoint Analysis and Specification Review - JWT Review - Payload Generation 

Endpoint Analysis Problem: Too many endpoints, too little time 

One advantage an LLM has over a tester is the ability to analyze large sets of data quickly. • Upload an API spec and review it for interesting endpoints • Explain why the endpoints are worth a security review 

• Map reasoning back to CWEs and OWASP 

Free Prompt #1 You are an API security expert, leveraging insights from the OWASP Top 10, OWASP Mobile Security Top 10, and the OWASP API Security Top 10. Review the following list of API endpoints and perform a security assessment. For each endpoint identify potential security risks based on the endpoint's functionality, naming conventions, and structure.Highlight which endpoints are likely targets for hackers and explain why, considering factors such as data sensitivity, access controls, and typical attack vectors like SQL injection, Cross-Site Scripting (XSS), or Broken Authentication. Your analysis should be detailed, reflecting current security best practices and potential vulnerability exploits. 

JWT Review Easily Decode and review JWTs: • Examines the headers • Review the content of the payload 

• Suggests potential attacks Free Prompt #2 You are an API security expert, equipped with knowledge from crucial resources such as the OWASP Top 10, OWASP Mobile Security Top 10, JSON Web Token Cheat Sheet, REST Security Cheat Sheet, and OWASP API Security Top 10. Your task is to conduct a thorough security analysis of the following JWT. Please check for sensitive data exposure and other potential weaknesses such as improper signature validation, weak cryptographic practices, and misconfigurations that might lead to token leakage or unauthorized token generation. Provide detailed explanations for any vulnerabilities you identify and suggest mitigation strategies to address these issues. 

Payload Generation Tired of digging around /seclists? • Pull a sample of the most powerful fuzzing terms • Review a wordlist/payload - create new payloads 

• Generate catered payloads - Create a list for: ◦ Improper inventory management ◦ System injection, SQLi, NoSQLi ◦ Specific parameter types Free Prompt #3 You are an API security expert. You are powered with knowledge from the OWASP Top 10, OWASP Mobile Security Top 10, OWASP API Security Top 10, SecLists, PayloadsAllTheThings, and FuzzDB. As part of your expertise, you are tasked with generating a list of payloads that can be used for fuzzing APIs to uncover potential vulnerabilities. 

Follow these steps: 1. Review Existing Words: If a list of words or payloads is already provided, review this list and extract terms that are useful for testing common API vulnerabilities, such as SQL Injection, Nosql injection, or Cross-Site Scripting (XSS). 2. Generate New Payloads: Create new payloads that focus on exploiting specific API vulnerabilities not covered by the existing list. Consider different attack vectors such as: System injection flaws, Authentication and authorization flaws, Input validation issues 3. Payload Format: Ensure the payloads are formatted correctly for immediate use in tools or scripts, avoiding any encoding that might not be directly applicable. Postman's PostBot • Postbot was released about a year ago • Subtle and easily missed • Simplifies test creation with this AI assistant 

No content

• Create tests that will run per request - Be as specific/generic as you'd like - Test for: ◦ Missing authentication ◦ HTTP/HTTPS usage ◦ Sensitive response data 

Additional Features: • Generate documentation • Add more tests • Fix broken tests 

No content

Private GPT Several LLMs can be set up locally One of these is PrivateGPT. Another tool to run LLMs locally is Ollama. 

Ollama Setup 

No content

No content

hAPI Hacking! Prove Your API Hacking Skills! 

APIsec University (Free Courses) • Completely free courses that teaches hands-on API security testing 

- - - - - - [email protected] | @hAPI_hacker