
vAPI : Vulnerable Adversely Programmed Interface


We have seen developers move from the traditional two-tier application architecture to a three-tier architecture in which an API talks to the front-end and back-end services. The API used or developed might ease the development process, but a lot of vulnerabilities can come up if it is not developed or configured properly. vAPI is a Vulnerable Interface in a lab-like environment that mimics the scenarios from the OWASP API Top 10 and helps the user understand and exploit the vulnerabilities according to the OWASP API Top 10 2019. It might be useful for Developers as well as Penetration Testers to understand the types of vulnerabilities in APIs. The lab is divided into 10 exercises that sequentially demonstrate the vulnerabilities and give a flag if exploited successfully.


Tushar Kulkarni

September 25, 2021


Transcript

  1. Tushar Kulkarni
     vAPI : Vulnerable Adversely Programmed Interface (OWASP API Top 10)
     Let us have a look at OWASP API Top 10 through a vulnerable lab and exercises.
     roottusk.github.io
  2. LET’S HAVE A LOOK AT
     • What is vAPI
     • Installation
     • OWASP API Top 10
     • Vulnerabilities in Web Applications vs APIs
     • Demo
     • Contributors
  3. GET /user/me HTTP/1.1
     • Security Developer at Holm Security
     • Lead at OWASP Nagpur
     • Maintaining Open Source Projects including vAPI
     • Like to play CTFs and Do Bug Bounties in my Free Time
  4. What is it?
     If you’re a Security Engineer -
     - Get acclimatized with the categorization of API vulnerabilities
     - Learn the very basic vulnerabilities that might occur in REST APIs
     If you’re a Developer -
     - Get to have a look at the vulnerable code
     - Made to think of possible ways to mitigate the issues
  5. Installation
     Docker
     - Make sure you have docker and docker-compose
     - Go to the root of the project and run docker-compose up -d
     Manually
     - Prerequisites include PHP, MySQL
     - Configure the MySQL credentials and Server port in the .env file of the project
     - You can run the php artisan serve command to start the Laravel Server
  6. Tools required to Test API
     - Postman
       - We currently have a Postman collection and Environment which store the API calls
       - Soon would be migrated to an OpenAPI (You can contribute ;-) )
     - MITM Proxy (OWASP ZAP/Burpsuite)
       - Not entirely necessary but may help some users if they have more familiarity with MITM tools.
  7. OWASP API Top 10 Project
     API1:2019 Broken Object Level Authorization
     API2:2019 Broken User Authentication
     API3:2019 Excessive Data Exposure
     API4:2019 Lack of Resources & Rate Limiting
     API5:2019 Broken Function Level Authorization
     API6:2019 Mass Assignment
     API7:2019 Security Misconfiguration
     API8:2019 Injection
     API9:2019 Improper Assets Management
     API10:2019 Insufficient Logging & Monitoring
  8. Vulnerabilities in Web Apps VS Vulnerabilities in APIs
     - XSS?
     - A lot of Broken Authorization and Access Control
     - DAST on a Web App gives different results than on a Web API
  9. API Security is the new Cool
     - Platform Independence
     - The Core Part of the Business Logic relies on the API
     - Major part of Modern Web Applications
     - Automation
  10. Project Roadmap
     - Laravel Migration
     - Acknowledgements for Completion of Challenges / Dashboard
     - Total Crowdsourced Playground for API Security Challenges
     Image Source: dinosoftlabs
  11. Contributors and Thanks
     https://dsopas.github.io/MindAPI/
     API Security Weekly: Issue #132
     OWASP Vulnerable Web Applications Directory (VWAD)
     arainho/awesome-api-security: A collection of awesome API Security tools and resources.
  12. References
     https://owasp.org/www-project-api-security/
     https://blog.api.rakuten.net/api-benefits/
     https://blog.api.rakuten.net/api-security/
     http://helpcentral.componentone.com/nethelp/c1webapi/
     https://dev.to/ricardo_borges/some-practices-to-design-restful-apis-interfaces-5a5i
  13. Q & A
     THANK YOU
     Join #20th-anniv-topicsofinterest on Slack
     • Twitter: @vk_tushar
     • Github: @roottusk
     • Mail: [email protected]