Upgrade to Pro — share decks privately, control downloads, hide ads and more …

API Hacking and Securing

Sam Stepanyan
September 09, 2024
28

API Hacking and Securing

The talk presented at the London.JS event September 3rd, 2024

Sam Stepanyan

September 09, 2024
Tweet

Transcript

  1. owasp.org @securestep9 $ whoami • Application Security Consultant & Architect

    • In Financial Services, City of London • Software Development Background • In Application Security space since 2006 • OWASP London Chapter Leader since 2015 • OWASP London Chapter volunteer since 2008 • OWASP Global Board Member since 2024 • Follow me on Twitter @securestep9 =>
  2. owasp.org @securestep9 The OWASP® is a nonprofit foundation that works

    to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of community members, and by hosting local and global conferences. Open Web Application Security Project Open Source Tools, Guidelines, Standards, Frameworks, Books Community - Chapters Worldwide Global Application Security Conferences: USA, Europe, Asia Worldwid e
  3. owasp.org @securestep9 • Belfast • Birmingham • Bristol • Cambridge

    • Dorset • Leeds • London • Manchester • Newcastle • Peterborough • Reading • Suffolk • Warwick OWASP in the UK
  4. owasp.org OWASP FOUNDATION OWASP Global AppSec San Francisco 2024 Call

    For Papers closes July 15th 2024 …and in 2025: Washington, DC 3-7 November 2025
  5. owasp.org @securestep9 • Awareness document for developers and web application

    security practitioners • A broad consensus about the most critical security risks to web applications • The 1st step towards changing the application development culture within your organization into one that produces more secure code • A Whitepaper Not a “Standard”! (However OWASP ASVS is) OWASP® Top 10
  6. owasp.org @securestep9 What is API? Application Programming Interface, is a

    set of defined rules that enable different software systems to communicate with each other
  7. owasp.org @securestep9 Types of API • REST API (REpresentational State

    Transfer) • RPC API • SOAP API • GraphQL API
  8. owasp.org @securestep9 Tesla API Honk Horn Flash Lights Remote Start

    Drive Speed Limit Set PIN Speed Limit Activate
  9. owasp.org @securestep9 Why APIs Are The Prime Target for Attackers?

    ❖ "Data is the new oil and the APIs are the data pipelines" ❖ Provide direct access to data ❖ Can be discovered even if not published ❖ Overperimssioned, provide too much information, expose backend logic flaws ❖ APIs often handle vast amounts of traffic, making it challenging to distinguish between normal activity and malicious behavior. ❖ When API breaches happen you don't lose 10 or 100 records - you lose millions of records via the ‘leaky’ APIs ❖ Lack of visibility: Shadow APIs (unmonitored or undocumented APIs) or third-party APIs can create blind spots that attackers exploit ❖ Overlooked Security in API Design and Implementation
  10. owasp.org @securestep9 API1:2023 Broken Object Level Authorization (BOLA) • BOLA

    occurs when an API does not properly enforce authorization checks, allowing users to access data or resources they should not be able to. • Attack Vector: Attackers manipulate object identifiers (like user IDs or account/resource IDs) in API requests to gain unauthorized access to another user's data. For Example: Endpoint: GET /api/user/123/profile Exploit: Changing 123 to 456 could grant an attacker access to another user's profile if proper authorization checks are missing.
  11. owasp.org @securestep9 API2:2023 Broken Authentication API authentication failures occur when

    an API incorrectly handles the process of verifying a user’s identity. These failures can lead to unauthorized access, data breaches, and other security issues. Example 1: Some API endpoints are missing all authentication (e.g. Bearer token) - allows anonymous attacker to access the data Example 2: API endpoint fails to validate JWT signature (alg:none/expired token). May allow User A to login as User B Example 3: API endpoint allows credentials brute-force/credential stuffing (no lockout/rate limiting)
  12. owasp.org @securestep9 API3:2023 Broken Object Property Level Authorization (BOPLA) •

    BOPLA (previously known as “Excessive Data Exposure/Mass Assignment” happens when the API allows access to or returns all of object’s properties. This could allow an attacker to update object properties that they should not have access to. • Example 1: a dating app allows to report a user for inappropriate behavior, however once the report is submitted the API returns the reported user object with all properties exposing sensitive details such as full name/address/payment card info etc • Example 2: a loyalty app allows users to edit their profile, however the update operation in API allows to update all user object properties which includes the loyalty points/miles balance
  13. owasp.org @securestep9 API4:2023 Unrestricted Resource Consumption • Also known as

    Unrestricted Rate Limiting happens when API requests consume resources such as CPU/memory/disk space or 3rd-party paid services without any limitation causing Denial of Service or financial impact • Example 1: a /forgot_password/ API call sends an SMS message. Each SMS message costs the app owner $0.05. An attacker sends millions of API requests to the endpoint causing a $100,000+ bill for the site owner • Example 2: a social media website allows image upload which then generates thumbnails. Each such operation consumes memory/disk space and CPU. An attacker sends millions of images to the endpoint causing the system to crash
  14. owasp.org @securestep9 API5:2023 Broken Function Level Authorization (BFLA) BFLA refers

    to the improper implementation of authorization checks in APIs, which allows an attacker to perform unauthorized actions or access data beyond their privileges. • Missing Authorization Checks: The API might expose endpoints that do not have any authorization checks, allowing any user to access them. • Inconsistent Authorization: The API might apply authorization inconsistently across different endpoints. For example, while one endpoint checks a user’s role, another might not, leading to unauthorized access.(/admin/deleteUser/id) • Improper HTTP Method Handling : Attackers can potentially perform sensitive actions they should not have access to by simply changing the HTTP method e.g changing GET to PUT or DELETE • Elevating Privileges: An attacker might manipulate parameters in API requests to access higher privilege functions. For example, changing a user ID in a request to another user ID to perform actions on behalf of another user or sending {is_admin:true}
  15. owasp.org @securestep9 API6:2023 Unrestricted Access to Sensitive Business Flows Vulnerable

    APIs do not adequately protect key business processes, allowing attackers to exploit them for malicious purposes. For example, automated scripts might abuse workflows like bulk purchasing, reservation systems, or promotional programs, leading to financial loss or service disruption Example: Purchasing a product flow - an attacker can buy all the stock of a high-demand item at once and resell for a higher price (scalping)
  16. owasp.org @securestep9 API7:2023 Server Side Request Forgery (SSRF) Server-Side Request

    Forgery (SSRF) vulnerabilities occur when an API fetches a remote resource using a user-supplied URL without proper validation. This flaw allows an attacker to manipulate the URL and coerce the application into sending crafted requests to unintended destinations, such as internal networks that are otherwise protected by firewalls. Example: AWS Metadata http://169.254.169.254/
  17. owasp.org @securestep9 API8:2023 Security Misconfiguration Security misconfiguration can happen at

    any level of the API stack, from the network level to the application level. Example 1: Lack of TLS on some endpoints (stop using unencrypted HTTP!) Example 2: A CDN is in use, but the a messaging app API fails to set the appropriate Cache-Control header. GET /dm/get_message?conversation_id=1234567 Because the API response does not include the Cache-Control HTTP response header, private conversations end-up cached by the CDN, allowing malicious actors to retrieve them
  18. owasp.org @securestep9 API9:2023 Improper Inventory Management Improper Inventory Management refers

    to the failure to maintain a proper inventory of API endpoints and resources, including proper documentation, visibility, and control. This can lead to exposed, forgotten, unmonitored or undocumented endpoints (aka “Shadow APIs”), which attackers can exploit to get unauthorized access (e.g. via an older version of the API) Example: Instagram had an older version of an API without rate limiting applied. This allowed attackers to reset passwords of user by having unlimited amount of tries to guess the 6-digit password reset code Remember - if you don’t know what you have you cannot possibly secure it!
  19. owasp.org @securestep9 API10:2023 Unsafe Consumption of APIs API might be

    vulnerable if: • Interacts with other APIs over an unencrypted channel (HTTP) • Does not properly validate and sanitize data gathered from other APIs prior to processing it or passing it to downstream components • Blindly follows redirections • Does not limit the number of resources available to process third-party services responses; • Does not implement timeouts for interactions with third-party services Example: An API relies on a third-party service to enrich user provided business addresses. When an address is supplied to the API by the end user, it is sent to the third-party service and the returned data is then stored on a local SQL-enabled database: GET https://api.company-information.service.gov.uk/company/SC656788
  20. owasp.org @securestep9 OWASP ASVS (Standard!) The ASVS is a community-driven

    effort to establish a framework of security requirements and controls that focus on defining the functional and non-functional security controls required when designing, developing and testing modern web applications and web services.
  21. owasp.org @securestep9 OWASP Abuse Case Cheatsheet As an attacker, I

    will perform an injection attack (SQL, LDAP, XPath, or NoSQL queries, OS commands, XML parsers, SMTP headers, expression languages, and ORM queries) against input fields of the User or API interfaces As an attacker, I have access to hundreds of millions of valid username and password combinations to perform credential stuffing. As an attacker, I have default administrative account lists, automated brute force, and dictionary attack tools I use against login areas of the application and support systems. As an attacker, I manipulate session tokens using expired and fake tokens to gain access. As an attacker, I steal keys that were exposed in the application to get unauthorized access to the application or system. As an attacker, I leverage metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token or a cookie or hidden field manipulated to elevate privileges or abusing JWT invalidation. aka “Attacker Stories”
  22. owasp.org @securestep9 OWASP Completely Ridiculous API App (CRAPI) • OWASP

    crAPI is an intentionally vulnerable API-driven, microservice-based web application that is a platform for vehicle owners. • crAPI is filled with API vulnerabilities for the purpose of teaching, learning, and practicing API security. • https://github.com/OWASP/crAPI
  23. ® Thank You @securestep9 sam.stepanyan @ owasp.org DISCLAIMER: Still frames

    from the Dire Straits music video © Warner Records. Fair Use claimed for the purpose of comment