Automated API pentesting using fuzzapi

Oct 14, 2016Download as pptx, pdf

12 likes10,352 views

Fuzzapi is an API Fuzzer that will help Developers/Pen Testers to fuzz APIs and find few commonly found vulnerabilities. The tool can be integrated into the build pipeline to allow developers to identify vulnerabilities prior to Pen Testing. Also, Pen testers can also use this tool against various APIs during their testing which will allow them to automate few tasks.

Automating API Pen Testing
using Fuzzapi
just another tool?

About us
Abhijeth Dugginapeddi
@abhijeth
Application Security
Likes training, spreading awareness
Got some bugs in Google/FB/Yahoo/Microsoft etc
Among top 5 bug hunters on Synack
Srinivas Rao Kotipalli
@srini0x00
Security Engineer
Author, Speaker, Trainer
Blogs at androidpentesting.com
Author of “Hacking Android”
Lalith Rallabhandi
@lalithr95
Developer Intern
Blogger, Coder, Security Enthusiast
Does bounties when free and found bugs
With Microsoft/Google/FB/Badoo etc

Only @abhijeth @srini0x00 and @lalithr95 are
responsible for whatever is on the slides
Nobody else is responsible for anything else we
say

Source
http://vignette2.wikia.nocookie.net/garfield/images/4/43/Garfield_the_Cat.png/revision/latest?cb=2015050
8141623

On a serious note
• What is fuzzAPI
• How to use fuzzAPI
• Need for automating Pen Testing APIs
• Developer vs Pen tester use cases
• Continuous Integration
• Spread the smile ☺

#fuzzAPI
• Open Source REST API Fuzzer
• Test for vulnerabilities while writing your code
• Helps Pen testers to fasten their testing
• Covers most top attacks on APIs
• Built in Ruby on Rails

Rest API Penetration Testing
Authorization Authentication
Input validations Others ☺
Common
checks

Source: @wesecureappSource: @wesecureapp

Facebook ☺
Credits: www.pranavhivarekar.in

• There are companies/teams who deploy code
to production >10 times every day
• Developers can do basic testing
• Penetration testers can save a lot of time
• Penetration testers can work on logical stuff
• Easier to fix vulnerabilities sooner than later
Continuous Integration

Cool stuff about Fuzzapi
Access Control Violation
XXE
Other regular vulns like
XSS/SQLi.. etc
Privilege Escalation
Rate limiting

How stuff works
API_Fuzzer – Ruby gem Fuzzapi -- Rails application

Fuzzapi approach for XXE
• XxeCheck performs a call with
payload to internal server
• If status: OK – fuzzapi
confirms XXE

Fuzzapi sample approach for Privilege Escalation

Fuzzapi sample approach for Rate limiting
• Fuzzapi sends multiple sample requests and waits for timeout/error
• Failure in limiting requests allows to perform this check

Continuous integration --Rails !!!
• Identify test requests
• Use API_Fuzzer module with
test request
• Run scans

Developer’s eye Security Engineer’s eye
Work with developers to
help them configure stuff
Add more checks ☺
Use it while doing security
testing
Train developers to
understand/fix vulns
Having scrum meetings about
findings/fixes
Customizing fuzzapi according
to organization’s requirement
Add more checks ☺
Testing APIs while writing
code

Roadmap for fuzzapi/us
Add more checks
Write more blogs
Make more tutorial videos
Write more tools
Repeat

Oh yea btw :D Don’t you want links to download?
API_Fuzzer gem: https://github.com/lalithr95/API-fuzzer
fuzzapi: https://github.com/lalithr95/Fuzzapi
For queries/concerns/feedback/rant:
Twitter:
@abhijeth
@lalithr95
@srini0x00

It’s 2016 and if you still don’t know about bug
bounties/responsible disclosures, you should say hi to these guys
@Bugcrowd @synack @Hacker0x01

Thanks ☺
and all the security folks for contributing to the open source community 

Kong is an open source API gateway that runs in front of RESTful APIs. It provides functionality through plugins such as authentication, security, traffic control, and logging. Kong creates and manages APIs and plugins to add authentication. For example, a key authentication plugin is enabled on an API, and a consumer is created with a key that must be provided in requests to access the API. Without a valid key, requests return an error.

Kubernetes - Security JourneyJerry Jalava

CNCF Singapore - Introduction to EnvoyHarish

Envoy is an open source edge and service proxy developed by Lyft to be used as a communication bus and network proxy. It can be used to add capabilities like traffic management, observability and security to services without code modification. Some key features include lightweight and low latency design, dynamic configuration via xDS APIs, rich observability, and built-in load balancing, failure recovery and traffic control capabilities. It uses concepts like clusters, listeners and routes. The Envoy admin API provides endpoints to interact with it and retrieve stats, configs and logs. Dynamic configuration allows adding and updating resources like clusters and listeners at runtime. Circuit breaking, outlier detection and health checking can be configured and demoed.

GrafanaNoelMc Grath

This document provides an overview of Grafana, an open source metrics dashboard and graph editor for Graphite, InfluxDB and OpenTSDB. It discusses Grafana's features such as rich graphing, time series querying, templated queries, annotations, dashboard search and export/import. The document also covers Grafana's history and alternatives. It positions Grafana as providing richer features than Graphite Web and highlights features like multiple y-axes, unit formats, mixing graph types, thresholds and tooltips.

Pentesting ReST APINutan Kumar Panda

The document provides an overview of a presentation on pentesting REST APIs. The presentation will cover basic theory, personal experience, methodology, tools used, test beds, example vulnerabilities, common findings, and include hands-on demos. The presentation will discuss both SOAP and REST APIs, pentesting approaches, tools like Postman and Burp Suite, example test beds like Hackazon and Mutillidae, and common API vulnerabilities like information disclosure, IDOR, and token issues.

Application Threat ModelingMarco Morana

This document discusses application threat modeling (ATM) as a systematic approach to identifying security risks in software applications. It describes how ATM can be used at different stages of the software development lifecycle, from requirements to design to testing. The key steps of ATM include decomposing the application, identifying threats and vulnerabilities, analyzing attack vectors, and determining mitigation strategies. ATM helps prioritize risks and supports decision making around risk acceptance, avoidance, or mitigation.

Service meshArnab Mitra

This document discusses service meshes and provides examples of popular service meshes like Linkerd and Istio. It defines a service mesh as a dedicated infrastructure layer that handles service-to-service communication and provides traffic management, observability, and policy enforcement. Benefits of a service mesh include discovery, load balancing, failure recovery, metrics, monitoring, and access control. Popular service meshes like Linkerd and Istio are then described in more detail.

API Security Best Practices & GuidelinesPrabath Siriwardena

This document provides API security best practices and guidelines. It discusses defining APIs and who may access them, such as employees, partners, customers or the general public. Authentication can be direct, using credentials, or brokered, using a third party. Best practices include using TLS, strong credentials, short-lived tokens, and throttling access. The guidelines aim to prevent attacks like CSRF, authorization code interception, and brute force attacks through measures like state parameters, PKCE, and long random tokens.

API Testing: The heart of functional testing" with Bj RollisonTEST Huddle

View webinar: http://www.eurostarconferences.com/community/member/webinar-archive/webinar-81-api-testing-the-heart-of-functional-testing An API, or Application Programming Interface, is a collection of functions that provide much of the functional capabilities in complex software systems. Most customers are accustomed to interacting with a graphical user interface on the computer. But, many customers do not realize the much of the functionality of a program comes from APIs in the operating system or program's dynamic-link libraries (DLL). So, if the business logic or core functionality is exposed via an API call then and if we want to find functional bugs sooner than API testing may be an approach that provides additional value in your overall test strategy. Additionally, API testing can start even before the user interface is complete so functional capabilities can be tested while designers are hashing out the "look and feel." API testing will not replace testing through the user interface, but it can augment your test strategy and provide a solid foundation of automated tests that increase your confidence in the functional quality of your product.

InnerSource - Using open source best practices to help your companyEric Caron

Once a company has more than 1 department developing code, a problem inevitably arises: How do you share source code that's mutually used? There are many different thoughts on the matter, but one that's starting to gain a significant amount of attention is "InnerSource". PayPal defines InnerSource as: "InnerSource takes the lessons learned from developing open source software and applies them to the way companies develop software internally. As developers have become accustomed to working on world class open source software, there is a strong desire to bring those practices back inside the firewall and apply them to software that companies may be reluctant to release. For companies building mostly closed source software, InnerSource can be a great tool to help break down silos, encourage internal collaboration, accelerate new engineer on-boarding, and identify opportunities to contribute software back to the open source world." In this talk I cover how to get from where you are ("Hey, we've got some source code that multiple people find useful!"), where you're going ("Look, we're more popular than ReactJS"), and some hurdles along the way ("Oh shoot, it looks like there is already a library to convert FLAC to MP3s..."). I give real-world examples of doing it right, and leave with some takeaways that people can immediately implement at their own companies.

Zap ScanningSuresh Kumar

This document summarizes a master's thesis that presents a solution for scanning sequences of HTTP requests in the open source penetration testing tool ZAP (Zed Attack Proxy). The thesis documents the analysis, design, and implementation phases of adding multi-step scanning functionality to ZAP. It also explains how different test scenarios were used to verify the functionality. The proposed solution serves as a proof-of-concept that could later be integrated into the publicly available version of ZAP.

SSRF exploit the trust relationshipn|u - The Open Security Community

This document provides an overview of server-side request forgery (SSRF) vulnerabilities, including what SSRF is, its impact, common attacks, bypassing filters, and mitigations. SSRF allows an attacker to induce the application to make requests to internal or external servers from the server side, bypassing access controls. This can enable attacks on the server itself or other backend systems and escalate privileges. The document discusses techniques for exploiting trust relationships and bypassing blacklists/whitelists to perform SSRF attacks. It also covers blind SSRF and ways to detect them using out-of-band techniques. Mitigations include avoiding user input that can trigger server requests, sanitizing input, whitelist

OpenAPI 3.0, And What It Means for the Future of SwaggerSmartBear

OpenAPI 3.0, which is based on the original Swagger 2.0 specification, is meant to provide a standard format to unify how an industry defines and describes RESTful APIs. The release of OAS 3.0 marks a significant milestone in the growth of the API economy — bringing together collaborators from across industries, to evolve the specification to meet the needs of API developers and consumers across the world in an open and transparent manner. We hosted a free Swagger training: OpenAPI 3.0, And What it Means for the Future of Swagger. More than 2,000 people signed up to learn more about the new specification, and to find out about what’s coming next for Swagger and SwaggerHub! You can watch the full recording of the presentation here: https://swaggerhub.com/blog/api-resources/openapi-3-0-video-tutorial/

OpenId Connect ProtocolMichael Furman

Neat tricks to bypass CSRF-protectionMikhail Egorov

Kong APIPatrick Pierson

Kong is an open source API gateway that acts as a single entry point for API requests. It handles requests by either proxying them directly to services or fanning out requests to multiple services. It runs in front of RESTful APIs and extends their functionality through plugins. Kong listens on ports 8000 for HTTP, 8443 for HTTPS, 8001 for its admin API, and 7946 and 7373 for inter-node communication. The document discusses setting up Kong with Docker, viewing logs, and the architecture of a Kong implementation with an API and management container on each host behind private and public load balancers. Next steps discussed are using Kongfig for configuration management and comparing Kong to just using Nginx.

[오픈소스컨설팅] 스카우터 사용자 가이드 2020Ji-Woong Choi

Kubernetes networking & SecurityVietnam Open Infrastructure User Group

This document discusses Kubernetes networking and security. It covers Docker networking and how all containers can communicate without NAT. It also discusses Kubernetes networking using Kubenet, Flannel, and Calico. Specifically, it explains how Kubenet provides networking between pods, how Flannel assigns each host a subnet and routes traffic between nodes, and how Calico uses IPIP encapsulation or routing to provide connectivity between pods.

4 Major Advantages of API TestingQASource

Running distributed tests with k6.pdfLibbySchulze

Kong API Gateway Chris Mague

Kong API Gateway is a solution that proxies APIs to address problems like lack of visibility into API usage and inability to stop abusive consumers. It provides features like authentication, security controls, rate limiting, request transformation, and logging to various outputs. It is open source, uses trusted technologies, and has considerations around additional components, latency, and plugin customization. Improvements could include better monitoring and moving more to response rate limiting.

Playwright: A New Test Automation Framework for the Modern WebApplitools

Event-based API Patterns and Practices - AsyncAPI Online ConferenceLaunchAny

This document discusses API design patterns for event-based APIs. It begins with an introduction to the author and overview of popular API styles. It then covers several options for asynchronous API design like webhooks, server-sent events, websockets, and streaming protocols. The remainder discusses specific patterns for event payload design including thin notifications, hypermedia links, schema evolution, and separating internal and external events. It emphasizes putting careful design into event formats as they form a contract like an API.

Clean architectures with fast api pyconesAlvaro Del Castillo

This document discusses using FastAPI as the mechanism for exposing APIs in a hexagonal architecture. It provides an overview of FastAPI's key features like automatic documentation, data validation with Pydantic, dependency injection, and background tasks. It also shows how FastAPI fits into the hexagonal architecture pattern by calling use cases in the application layer which work with the domain layer. The benefits of this approach are improved isolation of the domain/business logic from external mechanisms, as well as improved scalability and readiness for change.

API 101 - Understanding APIs3scale

The document is a transcript from an API 101 workshop that provides an introduction to APIs. In the workshop, two presenters discuss what APIs are, the business benefits of APIs, REST architecture, and tips for API design and developer success. They cover topics such as API history, how APIs enable applications and services, examples of companies that built platforms using APIs, REST principles like HTTP verbs and response formats, and best practices for marketing and supporting developers. The workshop includes presentations, examples, and opportunities for audience Q&A.

Introduction to Web Application Penetration TestingAnurag Srivastava

Api security teodorcotruta

API Security Teodor Cotruta discusses API security and provides an overview of key concepts. The document discusses how API security involves protecting APIs against unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It also outlines methods for implementing API security such as HTTP authentication, TLS, identity delegation, OAuth 1.0, OAuth 2.0, Federation, SAML, JWT, OpenID Connect, JWToken, JWSignature and JWEncryption.

IBM Datapower Security Scenarios - Using JWT to secure microservicessandipg123

This document discusses securing microservices with JSON Web Tokens (JWT) using IBM Datapower. It provides an overview of the deployment topology used, including Datapower, Docker containers for MQ Server and Datapower, and SOAPUI for testing. It then describes setting up Datapower policies for creating and validating JWTs with signing and encryption. Testing is done by sending requests to Datapower to generate and validate tokens.

Pentesting RESTful WebServices v1.0n|u - The Open Security Community

This document discusses RESTful web services and provides guidance on testing them. It defines REST and its key aspects, including resources, verbs, media types and status codes. It outlines common problems with REST penetration testing and recommends using tools like cURL and browser add-ons for testing. The document also covers authentication, authorization, input validation, output encoding and other important areas to focus testing on.

Securty Testing For RESTful ApplicationsSource Conference

This document discusses security testing for RESTful applications. It begins with an introduction to RESTful web services and how they differ from SOAP web services in using HTTP methods to indicate actions and embedding parameters in requests. It notes challenges in testing RESTful applications including that documentation may not reveal the full attack surface and requests can be dynamically generated. It recommends using documentation, proxies, and fuzzing to determine parameters and potential vulnerabilities. The document concludes by discussing how automated pen testing works by crawling to determine the attack surface through both links and emulated JavaScript to find dynamic requests.

More Related Content

What's hot (20)

API Testing: The heart of functional testing" with Bj RollisonTEST Huddle

InnerSource - Using open source best practices to help your companyEric Caron

Zap ScanningSuresh Kumar

SSRF exploit the trust relationshipn|u - The Open Security Community

OpenAPI 3.0, And What It Means for the Future of SwaggerSmartBear

OpenId Connect ProtocolMichael Furman

Neat tricks to bypass CSRF-protectionMikhail Egorov

Kong APIPatrick Pierson

[오픈소스컨설팅] 스카우터 사용자 가이드 2020Ji-Woong Choi

Kubernetes networking & SecurityVietnam Open Infrastructure User Group

4 Major Advantages of API TestingQASource

Running distributed tests with k6.pdfLibbySchulze

Kong API Gateway Chris Mague

Playwright: A New Test Automation Framework for the Modern WebApplitools

Event-based API Patterns and Practices - AsyncAPI Online ConferenceLaunchAny

Clean architectures with fast api pyconesAlvaro Del Castillo

API 101 - Understanding APIs3scale

Introduction to Web Application Penetration TestingAnurag Srivastava

Api security teodorcotruta

IBM Datapower Security Scenarios - Using JWT to secure microservicessandipg123

API Testing: The heart of functional testing" with Bj RollisonTEST Huddle

InnerSource - Using open source best practices to help your companyEric Caron

Zap ScanningSuresh Kumar

SSRF exploit the trust relationshipn|u - The Open Security Community

OpenAPI 3.0, And What It Means for the Future of SwaggerSmartBear

OpenId Connect ProtocolMichael Furman

Neat tricks to bypass CSRF-protectionMikhail Egorov

Kong APIPatrick Pierson

[오픈소스컨설팅] 스카우터 사용자 가이드 2020Ji-Woong Choi

Kubernetes networking & SecurityVietnam Open Infrastructure User Group

4 Major Advantages of API TestingQASource

Running distributed tests with k6.pdfLibbySchulze

Kong API Gateway Chris Mague

Playwright: A New Test Automation Framework for the Modern WebApplitools

Event-based API Patterns and Practices - AsyncAPI Online ConferenceLaunchAny

Clean architectures with fast api pyconesAlvaro Del Castillo

API 101 - Understanding APIs3scale

Introduction to Web Application Penetration TestingAnurag Srivastava

Api security teodorcotruta

IBM Datapower Security Scenarios - Using JWT to secure microservicessandipg123

Viewers also liked (20)

Pentesting RESTful WebServices v1.0n|u - The Open Security Community

Securty Testing For RESTful ApplicationsSource Conference

Pentesting RESTful webservicesMohammed A. Imran

Getting Started with API Security TestingSmartBear

JSON Injectionn|u - The Open Security Community

The document discusses JSON injection security concerns. It describes what JSON is and how it is commonly used to transmit structured data between servers and web applications. The main security risks discussed are: (1) using eval() to parse JSON, which can enable JavaScript code injection attacks; (2) sensitive JSON data being stolen through JSON array hacks or CSRF attacks; (3) potential data theft, forgery, or misuse if JSON data is compromised. It provides recommendations for securing applications such as using a JSON parser instead of eval(), validating JSON with regular expressions, making JSON responses non-array objects, and only allowing JSON data requests via POST. Examples of past exploits exploiting JSON vulnerabilities at Gmail and Twitter are also briefly mentioned

Syntribos API Security Test AutomationMatthew Valdes

Matthew Valdes presented Syntribos, an open source security test automation framework for APIs. Syntribos is designed to automatically fuzz HTTP requests using customizable test strings. It is implemented using the OpenCafe automation framework and allows configuration of API endpoints, authentication, request payloads, validation checks, and extensible data sources. Syntribos aims to help with security testing of APIs by facilitating automated testing at scale with unlimited and customizable data sources.

API TestingBikash Sharma

API testing verifies the functionality, usability, security, and performance of application programming interfaces (APIs). Key aspects to test include input parameters, error handling, response times, authentication, and documentation. Automated testing scripts should be created to regularly test APIs for bugs such as unhandled errors, security vulnerabilities, incorrect responses, and reliability issues. Thorough API testing requires considering parameter combinations, output validation across systems, and exception handling.

REST API testing with SpecFlowAiste Stikliute

Api testingKeshav Kashyap

pwnd.shChandrapal Badshah

PWND.sh is an interactive post-exploitation framework written in BASH that allows penetration testers to easily maintain persistence and move laterally on compromised Linux systems. It provides functions like port scanning, installing remote and local backdoors, searching for sensitive files, and exfiltrating data. PWND.sh has no dependencies, works across platforms, and can be loaded in-memory or on disk. It integrates with other tools and allows for custom plugins to be created and added to the project repository on GitHub.

06 application security fundamentals - part 2 - security mechanisms - sessi...appsec

Attack chaining for web exploitation #c0c0n2015Abhijeth D

API TESTcopremesis

This document provides a "cheat sheet" of commands for the vi text editor. It summarizes vi commands for invoking vi, navigating between command and input modes, file management, window motions, cursor motions, changes, deletions, rearranging text, recovering deletions, undoing changes, searching, replacing text, and setting parameters. The cheat sheet is intended to provide users with concise reminders of essential vi commands and functions.

API TESTcopremesis

How to do well in Bug bounty programs. Presentation at @nullhyd by AbhijethAbhijeth D

Automation testing API in JavaWix.com

This document discusses automating API testing in Java. It covers key topics like what an API is, different types of web services like SOAP and REST, how HTTP works with request methods and status codes, and different approaches to API testing including using software, command line tools, and programming. API testing ensures proper functioning of application programming interfaces and is important for machine-to-machine communication.

Automation framework ITeLearn

The document compares three testing frameworks: data-driven, keyword-driven, and hybrid. In a data-driven framework, test scripts read data from an Excel file and write results to another Excel file. A keyword-driven framework uses a test steps Excel file to read keywords and write test cases. A hybrid framework combines elements of both data-driven and keyword-driven frameworks by allowing test scripts to read both keywords and data.

Bug Bounty Programs For The WebMichael Coates

Presented at OWASP AppSecUSA 2011 It's all about scale; how can an organization possibly keep up with a growing number of web applications, features, and supported capabilities with a limited security team? One option that has provided successful results for several companies is a bug bounty program. These programs successfully engage the world community and bring many eyes towards the common good. This talk will discuss the benefits and risks of a bounty program for web applications. What types of organizations consider starting a bounty? How would an organization start such a program and what should they expect? Is the return worth the effort? How does such a program compete with the black market? In addition to these topics, we will also discuss the progress, metrics and lessons learned from the Mozilla web application bounty that was launched in December 2010.

WSO2 Test Automation Framework : Approach and AdoptionWSO2

The document discusses WSO2's test automation framework. It provides an overview of the framework's requirements, history, approach, architecture, and structure. The framework is designed to make automation easy, organized, relevant and optimized. It supports integration, platform, and cloud-based deployment testing across multiple WSO2 products. Key aspects include flexible execution modes, a context provider, server management, the automation API, utilities, and reporting. Challenges and future areas of focus are also presented, along with demonstrations of sample tests.

A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew

Pentesting RESTful WebServices v1.0n|u - The Open Security Community

Securty Testing For RESTful ApplicationsSource Conference

Pentesting RESTful webservicesMohammed A. Imran

Getting Started with API Security TestingSmartBear

JSON Injectionn|u - The Open Security Community

Syntribos API Security Test AutomationMatthew Valdes

API TestingBikash Sharma

REST API testing with SpecFlowAiste Stikliute

Api testingKeshav Kashyap

pwnd.shChandrapal Badshah

06 application security fundamentals - part 2 - security mechanisms - sessi...appsec

Attack chaining for web exploitation #c0c0n2015Abhijeth D

API TESTcopremesis

How to do well in Bug bounty programs. Presentation at @nullhyd by AbhijethAbhijeth D

Automation testing API in JavaWix.com

Automation framework ITeLearn

Bug Bounty Programs For The WebMichael Coates

WSO2 Test Automation Framework : Approach and AdoptionWSO2

A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew

Similar to Automated API pentesting using fuzzapi (20)

Flavius olaru logicless ui prototyping with node jsCodecamp Romania

This document discusses Logicless Prototyping with NodeJS, a tool for building high-fidelity UI prototypes using HTML, CSS, JavaScript, and NodeJS. It describes the benefits of prototyping, different prototyping methods and tools, and introduces Logicless Prototypr which uses NodeJS, Express, and Handlebars to create interactive prototypes that mock data and server-side services. The document concludes by outlining future plans to improve Logicless Prototypr.

Well Crafted API Models – Key to Streamlining WorkflowsAxway

[Srijan Wednesday Webinar] Mastering Mobile Test Automation with AppiumSrijan Technologies

Speaker: Justin Ison Check out the complete session slides here: http://www.srijan.net/webinar/mobile-... This session dives into the history of Appium, and it's pros and cons. The speaker also looks at how to write a good test setup and collect meaningful data points. We look at quick demos and comparisons of how Appium significantly reduces test times. And you definitely should hang around till the Q&A session, where participants pitch in with their issues and queries. The speaker answers all the questions, sharing additional information and tips on Appium.

Developing Brilliant and Powerful APIs in Ruby & PythonSmartBear

This document summarizes a presentation about developing brilliant APIs in Ruby and Python. It discusses choosing between Ruby and Python for APIs and frameworks like Rails, Grape, Flask and Django. It also covers API documentation, testing, and API sandboxing tools. The presentation concludes that Ruby+Rails is best for large projects while Python is great for smaller, as-needed APIs and scripting. It emphasizes the importance of documentation and how Ready! API can help test and sandbox APIs across technologies.

AI assisted testing using postman and openAI.pdfsivaganeshsivakumar1

The document discusses using AI and OpenAI APIs to assist with software testing. It provides an overview of AI types like narrow, general and super intelligence. It also discusses generative AI and common tools for text, image, video and code generation. The document demonstrates how to use OpenAI APIs with Postman, including exploring ideas for API fuzzing and test result analysis. It shares the current state of AI in testing tools and how AI could help with other testing activities beyond automation.

Testing API's: Tools & Tips & Tricks (Oh My!)Ford Prior

10 Useful Testing Tools for Open Source Projects @ TuxCon 2015Peter Sabev

KrishnaToolComparisionPPT.pdfQA or the Highway

The document compares four automation tools: Selenium, Playwright, Cypress, and TestCafe. It provides a detailed comparison matrix covering aspects like supported languages, browsers, speed, APIs, fault tolerance, CI/CD integration, communities, learning curves, and ecosystems. The conclusion is that Playwright is a solid pick for end-to-end testing due to its flexibility, auto waits features, large and active community. Cypress can be easily adopted but has some limitations. While Selenium is widely used, newer tools like Playwright are faster and more reliable. The best tool depends on an application, team and test requirements.

Inside Story: Scratching the Black Box - APIRavisuriya .

This document discusses web application programming interfaces (APIs) and strategies for testing them. It begins by defining APIs and describing their history and evolution. Models are presented as useful tools for understanding APIs and developing test strategies. An example API is demonstrated and modeled at different levels, and a test model and strategy are outlined. Guidance is provided on questions to consider when testing APIs. The document concludes by thanking the audience.

Espresso testingvodqancr

Espresso is a testing framework for Android that makes it easy to write reliable UI tests. It was developed by Google and released in 2013. The document discusses what Espresso is, similar automation frameworks, advantages of Espresso, and how to set it up and write tests using its API. Key aspects of the API are finding views with matchers, interacting with views using actions, and asserting view states with matchers.

Manual JavaScript Analysis Is A BugLewis Ardern

When performing security assessments or participating in bug bounties, there is generally a methodology you follow when assessing source-code or performing dynamic analysis. This involves using tools, reviewing results and understanding what you should be testing for. Reviewing modern web applications can be quite challenging, and this talk will go into details on how we can automate the boring (but necessary parts) and how to set a roadmap of what should be focused on when dealing with modern JavaScript applications.

apidays LIVE Australia 2021 - Designing Embedded Platforms by Jeremy Glassenb...apidays

Selenium topic 1- Selenium BasicITProfessional Academy

This document provides an overview and introduction to a Selenium automation testing course offered by IT Professional Academy. The summary includes: - IT Professional Academy is a team of highly skilled trainers that provide both classroom and online training in areas like software testing, big data, Linux, and more. They provide job assistance services. - The Selenium automation testing course covers topics like introduction to automation testing, Selenium components, Selenium IDE, WebDriver, validations, assertions, framework development, and more. - The document demonstrates using Selenium IDE for recording and playing back tests on a demo site. It also provides examples of locating elements, storing values, verifying tests, and converting recorded tests to Java code using WebDriver.

API Testing with Frisby and MochaLyudmila Anisimova

Acceptance & Functional Testing with Codeception - SunshinePHP 2016Joe Ferguson

The document discusses using Codeception for acceptance and functional testing. It introduces Codeception and the different types of testing including unit, functional, and acceptance testing. It then provides examples of writing functional tests for a login feature and acceptance tests using PhantomJS to test interactions on a real browser. Screenshots are included when acceptance tests fail to help debug issues.

Api complete life cycle with api securitypqrs1234

Always up to date, testable and maintainable documentation with OpenAPIGOG.com dev team

DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon

The document discusses building an application vulnerability toolchain for SecDevOps. It advocates leveraging existing security tools like SAST and DAST scanners through automation to reuse human effort. The author describes their process of identifying how to test applications based on factors like the stack and platform. They also discuss instrumenting and testing REST APIs, building custom automation, correlating data from multiple scans and tools in a NoSQL database, and using tools like Docker, Selenium and OWASP ZAP through their APIs.

Acceptance & Functional Testing with Codeception - Devspace 2015 Joe Ferguson

The document discusses using Codeception for acceptance and functional testing. It begins with an introduction to the speaker and defines unit, functional, and acceptance testing. It then demonstrates how to install and configure Codeception, generate tests for a sample Laravel application, and run different types of tests including functional API tests and acceptance tests using PhantomJS. Challenges with acceptance tests like speed and pinpointing failures are also addressed. Resources for further learning about Codeception and testing are provided.

Code Palousa presentation- "Giving Digital Eyes to your Synthetic Tests"Christopher Hamm

My project combines open source technologies of Tensorflow with major computer vision model to create a powerful computer vision API. In the project, it can evaluate confidence levels for each labels using good training data. The practical application example will include the computer vision API integrated with a Selenium test script setup. The end result is a robust visual testing tool that can determine if a page compares better to a working state vs a failing state.

Flavius olaru logicless ui prototyping with node jsCodecamp Romania

Well Crafted API Models – Key to Streamlining WorkflowsAxway

[Srijan Wednesday Webinar] Mastering Mobile Test Automation with AppiumSrijan Technologies

Developing Brilliant and Powerful APIs in Ruby & PythonSmartBear

AI assisted testing using postman and openAI.pdfsivaganeshsivakumar1

Testing API's: Tools & Tips & Tricks (Oh My!)Ford Prior

10 Useful Testing Tools for Open Source Projects @ TuxCon 2015Peter Sabev

KrishnaToolComparisionPPT.pdfQA or the Highway

Inside Story: Scratching the Black Box - APIRavisuriya .

Espresso testingvodqancr

Manual JavaScript Analysis Is A BugLewis Ardern

apidays LIVE Australia 2021 - Designing Embedded Platforms by Jeremy Glassenb...apidays

Selenium topic 1- Selenium BasicITProfessional Academy

API Testing with Frisby and MochaLyudmila Anisimova

Acceptance & Functional Testing with Codeception - SunshinePHP 2016Joe Ferguson

Api complete life cycle with api securitypqrs1234

Always up to date, testable and maintainable documentation with OpenAPIGOG.com dev team

DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon

Acceptance & Functional Testing with Codeception - Devspace 2015 Joe Ferguson

Code Palousa presentation- "Giving Digital Eyes to your Synthetic Tests"Christopher Hamm

Recently uploaded (17)

MOBILE PHONE DATA presentation with all necessary detailsbenamorraj

Internet_of_Things_Presentation_by-Humera.pptxcshumerabashir

最新版西班牙加泰罗尼亚国际大学毕业证（UIC毕业证书）原版定制Taqyea

挂科无法毕业鉴于此购买文凭【q薇1954292140】一比一原版(UIC毕业证)加泰罗尼亚国际大学毕业证如何办理改成绩单GPA，文凭购买，毕业证办理，文凭办理只是基础业务。【q薇1954292140】一比一还原国外大学毕业证，定制国外大学学历，制作国外大学文凭，复刻国外大学毕业证书。学位证1:1完美还原海外各大学毕业材料上的工艺：水印，阴影底纹，钢印LOGO烫金烫银，LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。【办理加泰罗尼亚国际大学成绩单Buy Universitat Internacional de Catalunya Transcripts】购买日韩成绩单、英国大学成绩单、美国大学成绩单、澳洲大学成绩单、加拿大大学成绩单（q微1954292140）新加坡大学成绩单、新西兰大学成绩单、爱尔兰成绩单、西班牙成绩单、德国成绩单。成绩单的意义主要体现在证明学习能力、评估学术背景、展示综合素质、提高录取率，以及是作为留信认证申请材料的一部分。加泰罗尼亚国际大学成绩单能够体现您的的学习能力，包括加泰罗尼亚国际大学课程成绩、专业能力、研究能力。（q微1954292140）具体来说，成绩报告单通常包含学生的学习技能与习惯、各科成绩以及老师评语等部分，因此，成绩单不仅是学生学术能力的证明，也是评估学生是否适合某个教育项目的重要依据！ Buy Universitat Internacional de Catalunya Diploma《正式成绩单论文没过》有文凭却得不到认证。又该怎么办？鉴于此，购买西班牙毕业证【q微1954292140】西班牙文凭购买，西班牙文凭购买，西班牙文凭定制，西班牙文凭补办。专业在线定制西班牙大学文凭，定做西班牙本科文凭，【q微1954292140】复制西班牙Universitat Internacional de Catalunya completion letter。在线快速补办西班牙本科毕业证、硕士文凭证书，购买西班牙学位证、加泰罗尼亚国际大学Offer，西班牙大学文凭在线购买。【主营项目】一、工作未确定，回国需先给父母、亲戚朋友看下文凭的情况，办理毕业证|办理加泰罗尼亚国际大学毕业证（UIC毕业证书）文凭: 买大学毕业证|买大学文凭【q薇1954292140】学位证明书如何办理申请？二、回国进私企、外企、自己做生意的情况，这些单位是不查询毕业证真伪的，而且国内没有渠道去查询国外文凭的真假，也不需要提供真实教育部认证。鉴于此，办理加泰罗尼亚国际大学毕业证【q薇1954292140】西班牙学位证（UIC毕业证书）加泰罗尼亚国际大学毕业证书如何办理国外大学毕业证, 文凭办理, 国外文凭办理, 留信网认证三.材料咨询办理、认证咨询办理加泰罗尼亚国际大学毕业证（UIC毕业证书）请加学历顾问【微信:1954292140】毕业证购买指大学文凭购买，毕业证办理和文凭办理。学院文凭定制，学校原版文凭补办，扫描件文凭定做，100%文凭复刻。经常操作的国家有美国毕业证，英国毕业证，澳洲毕业证，加拿大毕业证，以及德国毕业证，法国毕业证、荷兰毕业证、瑞士毕业证、日本毕业证、韩国毕业证、新西兰毕业证、新加坡毕业证、泰国毕业证、马来西亚毕业证等。包括了本科毕业证，硕士毕业证。

Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptxsecretarysocom

On Dec. 4, 1963, the Second Vatican Council solemnly approved its first two documents: the constitution on the Sacred Liturgy, Sacrosanctum Concilium, and the decree Inter Mirifica, regarding the mass media. The latter document is much less known than the former one. Nonetheless, Inter Mirifica offers some crucial principles to guide us in a world where we find ourselves ever more immersed in mass communication: the press, film, television, along with the newer forms of media. During the preparation for Vatican II, the Church keenly realized the importance of this topic, and Pope John XXIII established a special body to work on a text that might articulate the Church’s teaching on the mass media and promote her action in this area. The result of this work was an extensive document, entitled “On the instruments of social communication,” which was presented to the Council on Nov. 23, 1962.

What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...CartCoders

Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...treyka

Epochalypse 2038: Time is Not on Our Side Presented by Trey Darley, Founder – Threshold Continuity Alliance BSides Nairobi – 2025-06-07 The Year 2038 Problem is real — and it's already here. At exactly 03:14:07 UTC on January 19, 2038, 32-bit signed Unix time overflows. Systems that use 32-bit time_t will reset to 1901 and/or fail outright. But this isn’t just about old embedded gear. It’s about trust, cryptographic integrity, log coherence, financial timestamps, system coordination, and the fragile scaffolding of global infrastructure. This talk explores a dangerous and still largely invisible class of vulnerabilities: timestamp fragility and time synchronization failure. We cover: - Why over 60% of global software systems still depend on Unix epoch time - How 2038 bugs can manifest subtly — without a crash, and without warning - Why critical infrastructure (energy, telecom, aviation, finance) is especially at risk - How even modern firmware is being shipped today with latent Y2038 bugs - The implications for TLS certificates, forensic timelines, billing systems, and safety-critical protocols - How time can be maliciously spoofed, delayed, or misaligned — and why legacy NTP is often unauthenticated - A pragmatic call for 2038 rollover testbeds, code audits, and hardened time infrastructure - Recommendations for deploying secure time protocols (NTS, RFC 8915), GPS + Rubidium/Cesium fallback, and air-gapped sync You’ll leave with a grounded understanding of: - Why time isn’t just an input — it’s an untrusted vector - What engineers, regulators, and defenders must do now to avert a long-tail catastrophe - How underserved regions may suffer disproportionately — but also leap ahead by refusing to inherit broken time About the Speaker Trey Darley is the founder of the Threshold Continuity Alliance (TCA), an initiative focused on strategic risk, infrastructure integrity, and time-based vulnerability remediation. A long-time figure in the global cybersecurity community, Trey works at the intersection of symbolic systems, resilience engineering, and future ethics.

ARTIFICIAL INTELLIGENCE.pptx2565567765676areebaimtiazpmas

Vigilanti-Cura-Protecting-the-Faith.pptxsecretarysocom

On the 29th of June, 1936, Pius XI addressed a pontifical encyclical entitled "Vigilanti Cura" to all the Catholic bishops in the United States. This encyclical was dedicated to "The Motion Picture" and justified his intervention by "the lamentable progress of the motion picture art and industry in the portrayal of sin and vice". I've appropriated the title of his encyclical for my film, putting it to a completely different use to that originally intended. The 'photogenic quality' of the Latin terminology has, however, been preserved and, as per Adorno: "like a neon light which has just been switched on, the commercial and promotional nature of contemporary culture glows brightly". Vigilanti Cura is an irreverent film; insolent and deliberately confusing; a grab-bag of immorality. The montage combines a range of archival imagery from Humanite magazine with images sourced from the media (the military parade of the 14th of July, the current sorry crop of political celebrities ...) or from the cinema (the automatic writing of a puzzle composed of motifs borrowed from existing films). Vigilanti Cura ... or merely a tacit admission of the downfall of contemporary man, drowning in a sea of political, social and religious fundamentalisms. Where is he to be found? Locked in a vis-a-vis with depression and ego. Psychoanalysis no longer serves as a pretext for the dissolution of sexual and social taboos; it now provokes withdrawal into an auto-reflexive isolation, to the extent that societal problems get frozen in the mirror of Auto-Medusification. The mirror has become our idol - let's destroy it!

UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation17218

3D Graphics an introduction and details .pptxislamicknowledge5224

Cloud Computing - iCloud by Hamza Anwaar .pptxislamicknowledge5224

Cloud Computing – iCloud Cloud computing is a modern technology that allows users to store and access data over the internet instead of using local storage devices. One of the most popular cloud services is Apple's iCloud, which is specially designed for Apple users. iCloud helps users keep their data safe, accessible, and synchronized across all Apple devices like iPhones, iPads, and MacBooks. It is simple to use, secure, and saves time by automatically backing up important information.

ICP -2 Review – What It Is, and How to Participate and Provide Your FeedbackAPNIC

Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdfBehzad Hussain

𝐏𝐚𝐭𝐞𝐧𝐭 𝐈𝐧𝐟𝐨𝐫𝐦𝐚𝐭𝐢𝐨𝐧 𝗣𝗮𝘁𝗲𝗻𝘁 𝗡𝗼.: US9767157B2 𝗧𝗶𝘁𝗹𝗲: Predicting Site Quality 𝗔𝘀𝘀𝗶𝗴𝗻𝗲𝗲: Google Inc., Mountain View, CA 𝗜𝗻𝘃𝗲𝗻𝘁𝗼𝗿𝘀: Navneet Panda; Yun Zhou 𝗜𝘀𝘀𝘂𝗲 𝗗𝗮𝘁𝗲: September 19, 2017 𝐀𝐛𝐬𝐭𝐫𝐚𝐜𝐭 This patent describes methods and systems for automatically predicting a quality score for a website (or “site”) that can be used as a ranking signal in search engines: 1. 𝗕𝗮𝘀𝗲𝗹𝗶𝗻𝗲 𝘀𝗶𝘁𝗲 𝗾𝘂𝗮𝗹𝗶𝘁𝘆 𝘀𝗰𝗼𝗿𝗲𝘀 obtained for previously scored sites. 2. 𝗣𝗵𝗿𝗮𝘀𝗲 𝗺𝗼𝗱𝗲𝗹𝘀 that map phrase-specific relative frequency measures to baseline quality scores. 3. 𝗔𝗴𝗴𝗿𝗲𝗴𝗮𝘁𝗲 𝘀𝗰𝗼𝗿𝗶𝗻𝗴 of a new site by applying the phrase model to its phrase frequencies and then predicting its overall site quality score from the aggregate. 𝐒𝐲𝐬𝐭𝐞𝐦 𝐀𝐫𝐜𝐡𝐢𝐭𝐞𝐜𝐭𝐮𝐫𝐞 (𝐅𝐢𝐠. 𝟏) 1. 𝗨𝘀𝗲𝗿 𝗗𝗲𝘃𝗶𝗰𝗲 & 𝗡𝗲𝘁𝘄𝗼𝗿𝗸: Users submit queries via a device (e.g., browser) over a network. 2. 𝗦𝗲𝗮𝗿𝗰𝗵 𝗦𝘆𝘀𝘁𝗲𝗺: Contains an Indexing Engine (builds the index database) and a Ranking Engine (ranks results). 3. 𝗦𝗶𝘁𝗲 𝗦𝗰𝗼𝗿𝗶𝗻𝗴 𝗘𝗻𝗴𝗶𝗻𝗲: Computes site quality scores using the phrase model and provides these scores to the ranking engine as part of the ranking signals. 𝐏𝐡𝐫𝐚𝐬𝐞 𝐌𝐨𝐝𝐞𝐥 𝐆𝐞𝐧𝐞𝐫𝐚𝐭𝐢𝐨𝐧 (𝐅𝐢𝐠. 𝟐) 1. 𝗧𝗼𝗸𝗲𝗻𝗶𝘇𝗮𝘁𝗶𝗼𝗻 𝗮𝗻𝗱 𝗻-𝗴𝗿𝗮𝗺 𝗘𝘅𝘁𝗿𝗮𝗰𝘁𝗶𝗼𝗻: For each site in a corpus of previously scored sites, extract n-grams (typically 2- to 5-grams) from page content. 2. 𝗥𝗲𝗹𝗮𝘁𝗶𝘃𝗲 𝗙𝗿𝗲𝗾𝘂𝗲𝗻𝗰𝘆 𝗖𝗮𝗹𝗰𝘂𝗹𝗮𝘁𝗶𝗼𝗻: For each extracted n-gram, compute its relative frequency as the ratio of pages containing that n-gram to total pages on the site. 3. 𝗕𝘂𝗰𝗸𝗲𝘁 𝗣𝗮𝗿𝘁𝗶𝘁𝗶𝗼𝗻𝗶𝗻𝗴: Group sites into 20–100 buckets based on their relative frequency measures for each n-gram, ensuring roughly equal bucket sizes or equal interval ranges. 4. 𝗕𝗮𝘀𝗲𝗹𝗶𝗻𝗲 𝗦𝗰𝗼𝗿𝗲 𝗔𝗴𝗴𝗿𝗲𝗴𝗮𝘁𝗶𝗼𝗻: For each bucket, calculate an average baseline quality score from the known scores of sites in that bucket. 5. 𝗣𝗵𝗿𝗮𝘀𝗲 𝗠𝗼𝗱𝗲𝗹 𝗖𝗼𝗻𝘀𝘁𝗿𝘂𝗰𝘁𝗶𝗼𝗻: Associate each n-gram with its vector of bucket-average quality scores. Optionally exclude “neutral” phrases whose scores are statistically indistinguishable from the global average. 𝐒𝐢𝐭𝐞 𝐐𝐮𝐚𝐥𝐢𝐭𝐲 𝐏𝐫𝐞𝐝𝐢𝐜𝐭𝐢𝐨𝐧 𝐏𝐫𝐨𝐜𝐞𝐬𝐬 (𝐅𝐢𝐠. 𝟑) 1. 𝗥𝗲𝗹𝗮𝘁𝗶𝘃𝗲 𝗙𝗿𝗲𝗾𝘂𝗲𝗻𝗰𝘆 𝗳𝗼𝗿 𝗡𝗲𝘄 𝗦𝗶𝘁𝗲: Extract the same set of n-grams from the new (previously unscored) site and compute their relative frequencies. 2. 𝗕𝘂𝗰𝗸𝗲𝘁 𝗟𝗼𝗼𝗸𝘂𝗽: For each phrase, map its relative frequency to the corresponding bucket’s average score in the phrase model. 3. 𝗔𝗴𝗴𝗿𝗲𝗴𝗮𝘁𝗲 𝗦𝗰𝗼𝗿𝗲 𝗖𝗼𝗺𝗽𝘂𝘁𝗮𝘁𝗶𝗼𝗻: Compute an aggregate score across all phrases’ bucket scores—typically via a weighted or unweighted mean. Weights can reflect phrase frequency, distance from a “neutral” score, or limit the influence of overly frequent phrases.

How to Make Money as a Cam Model – Tips, Tools & Real TalkCam Sites Expert

Want to turn your charm, confidence, and camera into a real source of income? This presentation reveals everything you need to know about making money as a cam model — whether you're just starting out or looking to boost your earnings. From choosing the right platform, building your fanbase, and setting up your cam space, to marketing yourself and creating passive income with clips, this guide covers it all. I’ll also share real-world insights from my experience on CamsRating.com. No BS — just proven tips, smart tools, and sexy strategies to get paid doing what you love.

10 Latest Technologies and Their Benefits to End.pptxEphraimOOghodero

Networking_Essentials_version_3.0_-_Module_7.pptxelestirmen

Google_Cloud_Computing_Fundamentals.pptxektadangwal2005

MOBILE PHONE DATA presentation with all necessary detailsbenamorraj

Internet_of_Things_Presentation_by-Humera.pptxcshumerabashir

最新版西班牙加泰罗尼亚国际大学毕业证（UIC毕业证书）原版定制Taqyea

Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptxsecretarysocom

What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...CartCoders

Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...treyka

ARTIFICIAL INTELLIGENCE.pptx2565567765676areebaimtiazpmas

Vigilanti-Cura-Protecting-the-Faith.pptxsecretarysocom

UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation17218

3D Graphics an introduction and details .pptxislamicknowledge5224

Cloud Computing - iCloud by Hamza Anwaar .pptxislamicknowledge5224

ICP -2 Review – What It Is, and How to Participate and Provide Your FeedbackAPNIC

Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdfBehzad Hussain

How to Make Money as a Cam Model – Tips, Tools & Real TalkCam Sites Expert

10 Latest Technologies and Their Benefits to End.pptxEphraimOOghodero

Networking_Essentials_version_3.0_-_Module_7.pptxelestirmen

Google_Cloud_Computing_Fundamentals.pptxektadangwal2005

Automated API pentesting using fuzzapi

1. Automating API Pen Testing using Fuzzapi just another tool?

2. About us Abhijeth Dugginapeddi @abhijeth Application Security Likes training, spreading awareness Got some bugs in Google/FB/Yahoo/Microsoft etc Among top 5 bug hunters on Synack Srinivas Rao Kotipalli @srini0x00 Security Engineer Author, Speaker, Trainer Blogs at androidpentesting.com Author of “Hacking Android” Lalith Rallabhandi @lalithr95 Developer Intern Blogger, Coder, Security Enthusiast Does bounties when free and found bugs With Microsoft/Google/FB/Badoo etc

3. Only @abhijeth @srini0x00 and @lalithr95 are responsible for whatever is on the slides Nobody else is responsible for anything else we say

4. Next 45 minutes -Why -What -How

5. Source giphy

6. Source http://vignette2.wikia.nocookie.net/garfield/images/4/43/Garfield_the_Cat.png/revision/latest?cb=2015050 8141623

7. Source reddit

8. On a serious note • What is fuzzAPI • How to use fuzzAPI • Need for automating Pen Testing APIs • Developer vs Pen tester use cases • Continuous Integration • Spread the smile ☺

9. #fuzzAPI • Open Source REST API Fuzzer • Test for vulnerabilities while writing your code • Helps Pen testers to fasten their testing • Covers most top attacks on APIs • Built in Ruby on Rails

10. Rest API Penetration Testing Authorization Authentication Input validations Others ☺ Common checks

11. #welovebugs

12. This is Twitter Source: @wesecureapp

13. Source: @wesecureappSource: @wesecureapp

14. Facebook ☺ Credits: www.pranavhivarekar.in

15. Interesting?

16. Can you automate such attacks?

17. May be!!

18. But why do you want to automate?

19. People don’t have time Source: giphy

20. • There are companies/teams who deploy code to production >10 times every day • Developers can do basic testing • Penetration testers can save a lot of time • Penetration testers can work on logical stuff • Easier to fix vulnerabilities sooner than later Continuous Integration

21. Source memegenerator

22. No But a part of it can be automated.

23. Cool stuff about Fuzzapi Access Control Violation XXE Other regular vulns like XSS/SQLi.. etc Privilege Escalation Rate limiting

24. Not so cool stuff!!

25. Demo Source memegenerator

26. #if demo doesn’t work

27. #if demo doesn’t work

28. #if demo doesn’t work

29. How stuff works API_Fuzzer – Ruby gem Fuzzapi -- Rails application

30. #fuzzapi API_fuzzer gem

31. Code walk through

32. Fuzzapi approach for XXE • XxeCheck performs a call with payload to internal server • If status: OK – fuzzapi confirms XXE

33. Fuzzapi sample approach for Privilege Escalation

34. Fuzzapi sample approach for Rate limiting • Fuzzapi sends multiple sample requests and waits for timeout/error • Failure in limiting requests allows to perform this check

35. Docker :D :D m/

36. Continuous integration --Rails !!! • Identify test requests • Use API_Fuzzer module with test request • Run scans

37. Developer’s eye Security Engineer’s eye Work with developers to help them configure stuff Add more checks ☺ Use it while doing security testing Train developers to understand/fix vulns Having scrum meetings about findings/fixes Customizing fuzzapi according to organization’s requirement Add more checks ☺ Testing APIs while writing code

39. Roadmap for fuzzapi/us Add more checks Write more blogs Make more tutorial videos Write more tools Repeat

40. Oh yea btw :D Don’t you want links to download? API_Fuzzer gem: https://github.com/lalithr95/API-fuzzer fuzzapi: https://github.com/lalithr95/Fuzzapi For queries/concerns/feedback/rant: Twitter: @abhijeth @lalithr95 @srini0x00

41. It’s 2016 and if you still don’t know about bug bounties/responsible disclosures, you should say hi to these guys @Bugcrowd @synack @Hacker0x01

42. Thanks ☺ and all the security folks for contributing to the open source community 

Editor's Notes

#24: https://intland.com/wp-content/uploads/2014/09/blog-140923-dependencies-336x336.png

Automated API pentesting using fuzzapi

Recommended

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Automated API pentesting using fuzzapi (20)

Recently uploaded (17)

Automated API pentesting using fuzzapi

Editor's Notes