SlideShare a Scribd company logo

Pentesting Rest API's by :- Gaurang Bhatnagar

OWASP Delhi
OWASP Delhi

Brief overview of API ▸ Fingerprinting & Discovering API ▸ Authentication attacks on API (JWT) ▸ Authorization attacks on API (OAuth) ▸ Bruteforce attacks on API ▸ Attacking Dev/Staging API ▸ Traditional attacks

1 of 38
Downloaded 140 times
1
PENTESTING REST API’S ~ GAURANG BHATNAGAR
2
AGENDA ▸ Brief overview of API ▸ Fingerprinting & Discovering API ▸ Authentication attacks on API (JWT) ▸ Authorization attacks on API (OAuth) ▸ Bruteforce attacks on API ▸ Attacking Dev/Staging API ▸ Traditional attacks
3
Security consultant at EY Web and Mobile security 
 Researcher Synack Red Team member Google’s top 50 (VRP) ABOUT ME
4
API - BRIEF OVERVIEW API stands for Application Programmable Interface API is used to exchange data between endpoints
5
API STANDARDS
6
REST API REST - Representation State Transfer Data is sent as JSON
7
FINGERPRINTING & DISCOVERING API
8
WHAT INFO YOU NEED TO KNOW? Where is the API endpoint(s)? How developer handle versioning? What is the programming language(s) used? How client authenticate to use the API?
Most read
9
FINDING SAMPLE API CALLS (BLACK BOX APPROACH) Bruteforce Parameter names (Parameth) Analyse Javascript code (JS-scan or JSParser) Dissect mobile app and retrieve hardcoded URL
10
DEBUGGING AND FUZZING Debug API: Using Proxy
 
 
 

11
Debug API: API Testing Tools DEBUGGING AND FUZZING
12
AUTOMATING TESTS: FUZZING FUZZAPI
13
AUTHENTICATION ATTACKS ON API JWT (JSON Web Tokens) attacks
14
BYPASSING THE ALGORITHM HS256 RS256 None RS256 HS256 Two key pair One key
15
CRACKING THE JWT SECRET Dictionary attack
 (https://github.com/Sjord/jwtcrack) Bruteforce attack
 (https://github.com/lmammino/jwt-cracker)
16
JWT ATTACK MITIGATION Use random complicated key (JWT secret) Force algorithm in the backend Make token expiration (TTL,RTTL) short as possible Use HTTPS everywhere to avoid MITM/Replay attack.
17
JWT ATTACKS TESTBED https://pentesterlab.com/exercises/jwt
18
AUTHORIZATION ATTACKS ON API
19
HOW OAUTH WORKS?
20
OAUTH ATTACKS Access token leakage (Via Open Redirect)
21
OAUTH ATTACKS CSRF attack on OAUTH flow
 
 https://www.geekboy.ninja/blog/turning-simple-login-csrf-to-account- takeover/ Stealing Authentication code via XSS
 https://whitton.io/articles/uber-turning-self-xss-into-good-xss/
 References for further reading:
 https://sakurity.com/oauth
 https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/

22
MITIGATIONS Always use SSL Use State parameter to protect against CSRF. Check your code for XSS vulnerabilities. One XSS code can ruin everything. Be up to date with protocol standards.
23
BRUTE FORCE ATTACKS ON API Target:
 Authentication (form-data/basic/digest) Password reset tokens / 2FA Tokens (Authentication / Authorization) like JWT
 
 http://www.anandpraka.sh/2016/03/how-i-could-have-hacked- your-facebook.html

24
MITIGATIONS Limit retries for every username Make authcode/tokens/reset codes expirations short as possible Don’t use easily bruteforce able codes (Ex. 4 digits auth code) Expire auth/reset codes after 1 time usage
25
ATTACKING DEV/STAGING/OLD API Why we should target them?
 Still in development stage (Full of bugs) Deprecated but still works Internal security team rarely tests old/dev api endpoints Production measure disabled (Rate limit, Registration policy, etc.) Debug in most cases is turned ON
26
1. FINDING OLD API’S API versioning ▸ Explicit URL ▸ Accept headers ▸ Custom headers You can find it also in old documentation
27
2. FINDING DEV/STAGING API’S Subdomain Brute Forcing Public record and search engines Social Engineering
28
ATTACK FLOW Find whether Old/Dev API is connecting to the same DB or server as the production Find weakness in the Old/Dev API Use this weakness to affect the production API https://hackerone.com/reports/157876
29
MITIGATIONS Delete old API once became deprecated Protect your dev/staging API with authentication or IP restrictions Add dev/staging API to your security scope
30
TRADITIONAL ATTACKS API can be vulnerable to: SQLi RCE XSS IDOR CSRF XXE and so on…
31
IDOR (INSECURE DIRECT OBJECT REFERENCE) api.example.com/profile/UserId=123 Try changing to another valid UserId: api.example.com/profile/UserId=456
32
BYPASSING IDOR VIA PARAMETER POLLUTION api.example.com/profile/UserId=123 Try changing to: api.example.com/profile/UserId=456&UserId=123
33
CROSS SITE SCRIPTING (XSS) ▸ Content-type: text/html
34
CROSS SITE REQUEST FORGERY (CSRF) CSRF via XHR request 
 (When there is no Content-Type validation in place) CSRF via flash and 307 redirect. 
 (When Content-Type is getting validated i.e application/ json) ▸ Note: If there is any additional CSRF token/referrer check at place this attack will not work
35
XML EXTERNAL ENTITY (XXE)
36
XML EXTERNAL ENTITY (XXE)
Most read
37
XML EXTERNAL ENTITY (XXE)
Most read
38
VULNERABLE TEST BEDS ▸ https://github.com/snoopysecurity/dvws ▸ https://payatu.com/tiredful-api-vulnerable-rest-api-app/ ▸ https://github.com/rapid7/hackazon ▸ https://github.com/bkimminich/juice-shop
PENTESTING REST API’S ~ GAURANG BHATNAGAR
AGENDA ▸ Brief overview of API ▸ Fingerprinting & Discovering API ▸ Authentication attacks on API (JWT) ▸ Authorization attacks on API (OAuth) ▸ Bruteforce attacks on API ▸ Attacking Dev/Staging API ▸ Traditional attacks
Security consultant at EY Web and Mobile security 
 Researcher Synack Red Team member Google’s top 50 (VRP) ABOUT ME
API - BRIEF OVERVIEW API stands for Application Programmable Interface API is used to exchange data between endpoints
API STANDARDS
REST API REST - Representation State Transfer Data is sent as JSON
FINGERPRINTING & DISCOVERING API
WHAT INFO YOU NEED TO KNOW? Where is the API endpoint(s)? How developer handle versioning? What is the programming language(s) used? How client authenticate to use the API?
FINDING SAMPLE API CALLS (BLACK BOX APPROACH) Bruteforce Parameter names (Parameth) Analyse Javascript code (JS-scan or JSParser) Dissect mobile app and retrieve hardcoded URL
DEBUGGING AND FUZZING Debug API: Using Proxy
 
 
 

Debug API: API Testing Tools DEBUGGING AND FUZZING
AUTOMATING TESTS: FUZZING FUZZAPI
AUTHENTICATION ATTACKS ON API JWT (JSON Web Tokens) attacks
BYPASSING THE ALGORITHM HS256 RS256 None RS256 HS256 Two key pair One key
CRACKING THE JWT SECRET Dictionary attack
 (https://github.com/Sjord/jwtcrack) Bruteforce attack
 (https://github.com/lmammino/jwt-cracker)
JWT ATTACK MITIGATION Use random complicated key (JWT secret) Force algorithm in the backend Make token expiration (TTL,RTTL) short as possible Use HTTPS everywhere to avoid MITM/Replay attack.
JWT ATTACKS TESTBED https://pentesterlab.com/exercises/jwt
AUTHORIZATION ATTACKS ON API
HOW OAUTH WORKS?
OAUTH ATTACKS Access token leakage (Via Open Redirect)
OAUTH ATTACKS CSRF attack on OAUTH flow
 
 https://www.geekboy.ninja/blog/turning-simple-login-csrf-to-account- takeover/ Stealing Authentication code via XSS
 https://whitton.io/articles/uber-turning-self-xss-into-good-xss/
 References for further reading:
 https://sakurity.com/oauth
 https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/

MITIGATIONS Always use SSL Use State parameter to protect against CSRF. Check your code for XSS vulnerabilities. One XSS code can ruin everything. Be up to date with protocol standards.
BRUTE FORCE ATTACKS ON API Target:
 Authentication (form-data/basic/digest) Password reset tokens / 2FA Tokens (Authentication / Authorization) like JWT
 
 http://www.anandpraka.sh/2016/03/how-i-could-have-hacked- your-facebook.html

MITIGATIONS Limit retries for every username Make authcode/tokens/reset codes expirations short as possible Don’t use easily bruteforce able codes (Ex. 4 digits auth code) Expire auth/reset codes after 1 time usage
ATTACKING DEV/STAGING/OLD API Why we should target them?
 Still in development stage (Full of bugs) Deprecated but still works Internal security team rarely tests old/dev api endpoints Production measure disabled (Rate limit, Registration policy, etc.) Debug in most cases is turned ON
1. FINDING OLD API’S API versioning ▸ Explicit URL ▸ Accept headers ▸ Custom headers You can find it also in old documentation
2. FINDING DEV/STAGING API’S Subdomain Brute Forcing Public record and search engines Social Engineering
ATTACK FLOW Find whether Old/Dev API is connecting to the same DB or server as the production Find weakness in the Old/Dev API Use this weakness to affect the production API https://hackerone.com/reports/157876
MITIGATIONS Delete old API once became deprecated Protect your dev/staging API with authentication or IP restrictions Add dev/staging API to your security scope
TRADITIONAL ATTACKS API can be vulnerable to: SQLi RCE XSS IDOR CSRF XXE and so on…
IDOR (INSECURE DIRECT OBJECT REFERENCE) api.example.com/profile/UserId=123 Try changing to another valid UserId: api.example.com/profile/UserId=456
BYPASSING IDOR VIA PARAMETER POLLUTION api.example.com/profile/UserId=123 Try changing to: api.example.com/profile/UserId=456&UserId=123
CROSS SITE SCRIPTING (XSS) ▸ Content-type: text/html
CROSS SITE REQUEST FORGERY (CSRF) CSRF via XHR request 
 (When there is no Content-Type validation in place) CSRF via flash and 307 redirect. 
 (When Content-Type is getting validated i.e application/ json) ▸ Note: If there is any additional CSRF token/referrer check at place this attack will not work
XML EXTERNAL ENTITY (XXE)
XML EXTERNAL ENTITY (XXE)
XML EXTERNAL ENTITY (XXE)
VULNERABLE TEST BEDS ▸ https://github.com/snoopysecurity/dvws ▸ https://payatu.com/tiredful-api-vulnerable-rest-api-app/ ▸ https://github.com/rapid7/hackazon ▸ https://github.com/bkimminich/juice-shop
Ad

Recommended

Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
Nutan Kumar Panda
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security Testing
SmartBear
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
Stormpath
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Security testing
Security testingSecurity testing
Security testing
Khizra Sammad
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
API Testing: The heart of functional testing" with Bj Rollison
API Testing: The heart of functional testing" with Bj RollisonAPI Testing: The heart of functional testing" with Bj Rollison
API Testing: The heart of functional testing" with Bj Rollison
TEST Huddle
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
42Crunch
 
An Introduction To Automated API Testing
An Introduction To Automated API TestingAn Introduction To Automated API Testing
An Introduction To Automated API Testing
Sauce Labs
 
RESTful API Testing using Postman, Newman, and Jenkins
RESTful API Testing using Postman, Newman, and JenkinsRESTful API Testing using Postman, Newman, and Jenkins
RESTful API Testing using Postman, Newman, and Jenkins
QASymphony
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
Alwin Thayyil
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)
Abhinav Mishra
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
Zack Meyers
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
Mikhail Egorov
 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
n|u - The Open Security Community
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
OWASP Nagpur
 
Api presentation
Api presentationApi presentation
Api presentation
Tiago Cardoso
 
Junit
JunitJunit
Junit
FAROOK Samath
 
Host Header injection - Slides
Host Header injection - SlidesHost Header injection - Slides
Host Header injection - Slides
Amit Dubey
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
Mikhail Egorov
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards
APIsecure_ Official
 
Kotlin server side frameworks
Kotlin server side frameworksKotlin server side frameworks
Kotlin server side frameworks
Ken Yee
 

More Related Content

What's hot (20)

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
API Testing: The heart of functional testing" with Bj Rollison
API Testing: The heart of functional testing" with Bj RollisonAPI Testing: The heart of functional testing" with Bj Rollison
API Testing: The heart of functional testing" with Bj Rollison
TEST Huddle
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
42Crunch
 
An Introduction To Automated API Testing
An Introduction To Automated API TestingAn Introduction To Automated API Testing
An Introduction To Automated API Testing
Sauce Labs
 
RESTful API Testing using Postman, Newman, and Jenkins
RESTful API Testing using Postman, Newman, and JenkinsRESTful API Testing using Postman, Newman, and Jenkins
RESTful API Testing using Postman, Newman, and Jenkins
QASymphony
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
Alwin Thayyil
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)
Abhinav Mishra
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
Zack Meyers
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
Mikhail Egorov
 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
n|u - The Open Security Community
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
OWASP Nagpur
 
Api presentation
Api presentationApi presentation
Api presentation
Tiago Cardoso
 
Junit
JunitJunit
Junit
FAROOK Samath
 
Host Header injection - Slides
Host Header injection - SlidesHost Header injection - Slides
Host Header injection - Slides
Amit Dubey
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
Mikhail Egorov
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
API Testing: The heart of functional testing" with Bj Rollison
API Testing: The heart of functional testing" with Bj RollisonAPI Testing: The heart of functional testing" with Bj Rollison
API Testing: The heart of functional testing" with Bj Rollison
TEST Huddle
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
42Crunch
 
An Introduction To Automated API Testing
An Introduction To Automated API TestingAn Introduction To Automated API Testing
An Introduction To Automated API Testing
Sauce Labs
 
RESTful API Testing using Postman, Newman, and Jenkins
RESTful API Testing using Postman, Newman, and JenkinsRESTful API Testing using Postman, Newman, and Jenkins
RESTful API Testing using Postman, Newman, and Jenkins
QASymphony
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
Alwin Thayyil
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)
Abhinav Mishra
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
Zack Meyers
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
Mikhail Egorov
 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
n|u - The Open Security Community
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
OWASP Nagpur
 
Api presentation
Api presentationApi presentation
Api presentation
Tiago Cardoso
 
Junit
JunitJunit
Junit
FAROOK Samath
 
Host Header injection - Slides
Host Header injection - SlidesHost Header injection - Slides
Host Header injection - Slides
Amit Dubey
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
Mikhail Egorov
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 

Similar to Pentesting Rest API's by :- Gaurang Bhatnagar (20)

2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards
APIsecure_ Official
 
Kotlin server side frameworks
Kotlin server side frameworksKotlin server side frameworks
Kotlin server side frameworks
Ken Yee
 
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
Tubagus Rizky Dharmawan
 
Oracle API Platform Cloud Service Best Practices & Lessons Learnt
Oracle API Platform Cloud Service Best Practices & Lessons LearntOracle API Platform Cloud Service Best Practices & Lessons Learnt
Oracle API Platform Cloud Service Best Practices & Lessons Learnt
luisw19
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
gbud7
 
Java Test Automation for REST, Web and Mobile
Java Test Automation for REST, Web and MobileJava Test Automation for REST, Web and Mobile
Java Test Automation for REST, Web and Mobile
Elias Nogueira
 
apidays LIVE Paris 2021 - Inside API delivery Pipeline, the checklist! - Fran...
apidays LIVE Paris 2021 - Inside API delivery Pipeline, the checklist! - Fran...apidays LIVE Paris 2021 - Inside API delivery Pipeline, the checklist! - Fran...
apidays LIVE Paris 2021 - Inside API delivery Pipeline, the checklist! - Fran...
apidays
 
Web API Security
Web API SecurityWeb API Security
Web API Security
Stefaan
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays
 
APIDays Paris Security Workshop
APIDays Paris Security WorkshopAPIDays Paris Security Workshop
APIDays Paris Security Workshop
42Crunch
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
42Crunch
 
Profiling PHP - AmsterdamPHP Meetup - 2014-11-20
Profiling PHP - AmsterdamPHP Meetup - 2014-11-20Profiling PHP - AmsterdamPHP Meetup - 2014-11-20
Profiling PHP - AmsterdamPHP Meetup - 2014-11-20
Dennis de Greef
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptx
Channa Ly
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
Isabelle Mauny
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
FernandoVizer
 
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays
 
API Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfAPI Testing and Hacking (1).pdf
API Testing and Hacking (1).pdf
Vishwas N
 
2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards
APIsecure_ Official
 
Kotlin server side frameworks
Kotlin server side frameworksKotlin server side frameworks
Kotlin server side frameworks
Ken Yee
 
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
Tubagus Rizky Dharmawan
 
Oracle API Platform Cloud Service Best Practices & Lessons Learnt
Oracle API Platform Cloud Service Best Practices & Lessons LearntOracle API Platform Cloud Service Best Practices & Lessons Learnt
Oracle API Platform Cloud Service Best Practices & Lessons Learnt
luisw19
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
gbud7
 
Java Test Automation for REST, Web and Mobile
Java Test Automation for REST, Web and MobileJava Test Automation for REST, Web and Mobile
Java Test Automation for REST, Web and Mobile
Elias Nogueira
 
apidays LIVE Paris 2021 - Inside API delivery Pipeline, the checklist! - Fran...
apidays LIVE Paris 2021 - Inside API delivery Pipeline, the checklist! - Fran...apidays LIVE Paris 2021 - Inside API delivery Pipeline, the checklist! - Fran...
apidays LIVE Paris 2021 - Inside API delivery Pipeline, the checklist! - Fran...
apidays
 
Web API Security
Web API SecurityWeb API Security
Web API Security
Stefaan
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays
 
APIDays Paris Security Workshop
APIDays Paris Security WorkshopAPIDays Paris Security Workshop
APIDays Paris Security Workshop
42Crunch
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
42Crunch
 
Profiling PHP - AmsterdamPHP Meetup - 2014-11-20
Profiling PHP - AmsterdamPHP Meetup - 2014-11-20Profiling PHP - AmsterdamPHP Meetup - 2014-11-20
Profiling PHP - AmsterdamPHP Meetup - 2014-11-20
Dennis de Greef
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptx
Channa Ly
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
Isabelle Mauny
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
FernandoVizer
 
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays
 
API Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfAPI Testing and Hacking (1).pdf
API Testing and Hacking (1).pdf
Vishwas N
 
Ad

More from OWASP Delhi (20)

Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi
 
Securing dns records from subdomain takeover
Securing dns records from subdomain takeoverSecuring dns records from subdomain takeover
Securing dns records from subdomain takeover
OWASP Delhi
 
Effective Cyber Security Report Writing
Effective Cyber Security Report WritingEffective Cyber Security Report Writing
Effective Cyber Security Report Writing
OWASP Delhi
 
Data sniffing over Air Gap
Data sniffing over Air GapData sniffing over Air Gap
Data sniffing over Air Gap
OWASP Delhi
 
UDP Hunter
UDP HunterUDP Hunter
UDP Hunter
OWASP Delhi
 
Demystifying Container Escapes
Demystifying Container EscapesDemystifying Container Escapes
Demystifying Container Escapes
OWASP Delhi
 
Automating WAF using Terraform
Automating WAF using TerraformAutomating WAF using Terraform
Automating WAF using Terraform
OWASP Delhi
 
Actionable Threat Intelligence
Actionable Threat IntelligenceActionable Threat Intelligence
Actionable Threat Intelligence
OWASP Delhi
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
OWASP Delhi
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
OWASP Delhi
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit Giri
OWASP Delhi
 
DMARC Overview
DMARC OverviewDMARC Overview
DMARC Overview
OWASP Delhi
 
Cloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelCloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash Goel
OWASP Delhi
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit Ranjan
OWASP Delhi
 
IETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit BatraIETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit Batra
OWASP Delhi
 
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
OWASP Delhi
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
OWASP Delhi
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
OWASP Delhi
 
Hostile Subdomain Takeover by Ankit Prateek
Hostile Subdomain Takeover by Ankit PrateekHostile Subdomain Takeover by Ankit Prateek
Hostile Subdomain Takeover by Ankit Prateek
OWASP Delhi
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi
 
Securing dns records from subdomain takeover
Securing dns records from subdomain takeoverSecuring dns records from subdomain takeover
Securing dns records from subdomain takeover
OWASP Delhi
 
Effective Cyber Security Report Writing
Effective Cyber Security Report WritingEffective Cyber Security Report Writing
Effective Cyber Security Report Writing
OWASP Delhi
 
Data sniffing over Air Gap
Data sniffing over Air GapData sniffing over Air Gap
Data sniffing over Air Gap
OWASP Delhi
 
UDP Hunter
UDP HunterUDP Hunter
UDP Hunter
OWASP Delhi
 
Demystifying Container Escapes
Demystifying Container EscapesDemystifying Container Escapes
Demystifying Container Escapes
OWASP Delhi
 
Automating WAF using Terraform
Automating WAF using TerraformAutomating WAF using Terraform
Automating WAF using Terraform
OWASP Delhi
 
Actionable Threat Intelligence
Actionable Threat IntelligenceActionable Threat Intelligence
Actionable Threat Intelligence
OWASP Delhi
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
OWASP Delhi
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
OWASP Delhi
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit Giri
OWASP Delhi
 
DMARC Overview
DMARC OverviewDMARC Overview
DMARC Overview
OWASP Delhi
 
Cloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelCloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash Goel
OWASP Delhi
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit Ranjan
OWASP Delhi
 
IETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit BatraIETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit Batra
OWASP Delhi
 
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
OWASP Delhi
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
OWASP Delhi
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
OWASP Delhi
 
Hostile Subdomain Takeover by Ankit Prateek
Hostile Subdomain Takeover by Ankit PrateekHostile Subdomain Takeover by Ankit Prateek
Hostile Subdomain Takeover by Ankit Prateek
OWASP Delhi
 
Ad

Recently uploaded (17)

Google_Cloud_Computing_Fundamentals.pptx
Google_Cloud_Computing_Fundamentals.pptxGoogle_Cloud_Computing_Fundamentals.pptx
Google_Cloud_Computing_Fundamentals.pptx
ektadangwal2005
 
How to Make Money as a Cam Model – Tips, Tools & Real Talk
How to Make Money as a Cam Model – Tips, Tools & Real TalkHow to Make Money as a Cam Model – Tips, Tools & Real Talk
How to Make Money as a Cam Model – Tips, Tools & Real Talk
Cam Sites Expert
 
What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...
What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...
What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...
CartCoders
 
Cloud Computing - iCloud by Hamza Anwaar .pptx
Cloud Computing - iCloud by Hamza Anwaar .pptxCloud Computing - iCloud by Hamza Anwaar .pptx
Cloud Computing - iCloud by Hamza Anwaar .pptx
islamicknowledge5224
 
Internet_of_Things_Presentation_by-Humera.pptx
Internet_of_Things_Presentation_by-Humera.pptxInternet_of_Things_Presentation_by-Humera.pptx
Internet_of_Things_Presentation_by-Humera.pptx
cshumerabashir
 
Networking_Essentials_version_3.0_-_Module_7.pptx
Networking_Essentials_version_3.0_-_Module_7.pptxNetworking_Essentials_version_3.0_-_Module_7.pptx
Networking_Essentials_version_3.0_-_Module_7.pptx
elestirmen
 
Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdf
Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdfPredicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdf
Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdf
Behzad Hussain
 
Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...
Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...
Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...
treyka
 
MOBILE PHONE DATA presentation with all necessary details
MOBILE PHONE DATA presentation with all necessary detailsMOBILE PHONE DATA presentation with all necessary details
MOBILE PHONE DATA presentation with all necessary details
benamorraj
 
UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation
UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animationUV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation
UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation
17218
 
ARTIFICIAL INTELLIGENCE.pptx2565567765676
ARTIFICIAL INTELLIGENCE.pptx2565567765676ARTIFICIAL INTELLIGENCE.pptx2565567765676
ARTIFICIAL INTELLIGENCE.pptx2565567765676
areebaimtiazpmas
 
10 Latest Technologies and Their Benefits to End.pptx
10 Latest Technologies and Their Benefits to End.pptx10 Latest Technologies and Their Benefits to End.pptx
10 Latest Technologies and Their Benefits to End.pptx
EphraimOOghodero
 
3D Graphics an introduction and details .pptx
3D Graphics an introduction and details .pptx3D Graphics an introduction and details .pptx
3D Graphics an introduction and details .pptx
islamicknowledge5224
 
Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptx
Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptxInter-Mirifica-Navigating-Media-in-the-Modern-World.pptx
Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptx
secretarysocom
 
最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制
最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制
最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制
Taqyea
 
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
ICP -2 Review – What It Is, and How to Participate and Provide Your FeedbackICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
APNIC
 
Vigilanti-Cura-Protecting-the-Faith.pptx
Vigilanti-Cura-Protecting-the-Faith.pptxVigilanti-Cura-Protecting-the-Faith.pptx
Vigilanti-Cura-Protecting-the-Faith.pptx
secretarysocom
 
Google_Cloud_Computing_Fundamentals.pptx
Google_Cloud_Computing_Fundamentals.pptxGoogle_Cloud_Computing_Fundamentals.pptx
Google_Cloud_Computing_Fundamentals.pptx
ektadangwal2005
 
How to Make Money as a Cam Model – Tips, Tools & Real Talk
How to Make Money as a Cam Model – Tips, Tools & Real TalkHow to Make Money as a Cam Model – Tips, Tools & Real Talk
How to Make Money as a Cam Model – Tips, Tools & Real Talk
Cam Sites Expert
 
What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...
What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...
What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...
CartCoders
 
Cloud Computing - iCloud by Hamza Anwaar .pptx
Cloud Computing - iCloud by Hamza Anwaar .pptxCloud Computing - iCloud by Hamza Anwaar .pptx
Cloud Computing - iCloud by Hamza Anwaar .pptx
islamicknowledge5224
 
Internet_of_Things_Presentation_by-Humera.pptx
Internet_of_Things_Presentation_by-Humera.pptxInternet_of_Things_Presentation_by-Humera.pptx
Internet_of_Things_Presentation_by-Humera.pptx
cshumerabashir
 
Networking_Essentials_version_3.0_-_Module_7.pptx
Networking_Essentials_version_3.0_-_Module_7.pptxNetworking_Essentials_version_3.0_-_Module_7.pptx
Networking_Essentials_version_3.0_-_Module_7.pptx
elestirmen
 
Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdf
Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdfPredicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdf
Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdf
Behzad Hussain
 
Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...
Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...
Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...
treyka
 
MOBILE PHONE DATA presentation with all necessary details
MOBILE PHONE DATA presentation with all necessary detailsMOBILE PHONE DATA presentation with all necessary details
MOBILE PHONE DATA presentation with all necessary details
benamorraj
 
UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation
UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animationUV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation
UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation
17218
 
ARTIFICIAL INTELLIGENCE.pptx2565567765676
ARTIFICIAL INTELLIGENCE.pptx2565567765676ARTIFICIAL INTELLIGENCE.pptx2565567765676
ARTIFICIAL INTELLIGENCE.pptx2565567765676
areebaimtiazpmas
 
10 Latest Technologies and Their Benefits to End.pptx
10 Latest Technologies and Their Benefits to End.pptx10 Latest Technologies and Their Benefits to End.pptx
10 Latest Technologies and Their Benefits to End.pptx
EphraimOOghodero
 
3D Graphics an introduction and details .pptx
3D Graphics an introduction and details .pptx3D Graphics an introduction and details .pptx
3D Graphics an introduction and details .pptx
islamicknowledge5224
 
Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptx
Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptxInter-Mirifica-Navigating-Media-in-the-Modern-World.pptx
Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptx
secretarysocom
 
最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制
最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制
最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制
Taqyea
 
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
ICP -2 Review – What It Is, and How to Participate and Provide Your FeedbackICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
APNIC
 
Vigilanti-Cura-Protecting-the-Faith.pptx
Vigilanti-Cura-Protecting-the-Faith.pptxVigilanti-Cura-Protecting-the-Faith.pptx
Vigilanti-Cura-Protecting-the-Faith.pptx
secretarysocom
 

Pentesting Rest API's by :- Gaurang Bhatnagar

  • 1. PENTESTING REST API’S ~ GAURANG BHATNAGAR
  • 2. AGENDA ▸ Brief overview of API ▸ Fingerprinting & Discovering API ▸ Authentication attacks on API (JWT) ▸ Authorization attacks on API (OAuth) ▸ Bruteforce attacks on API ▸ Attacking Dev/Staging API ▸ Traditional attacks
  • 3. Security consultant at EY Web and Mobile security 
 Researcher Synack Red Team member Google’s top 50 (VRP) ABOUT ME
  • 4. API - BRIEF OVERVIEW API stands for Application Programmable Interface API is used to exchange data between endpoints
  • 6. REST API REST - Representation State Transfer Data is sent as JSON
  • 8. WHAT INFO YOU NEED TO KNOW? Where is the API endpoint(s)? How developer handle versioning? What is the programming language(s) used? How client authenticate to use the API?
  • 9. FINDING SAMPLE API CALLS (BLACK BOX APPROACH) Bruteforce Parameter names (Parameth) Analyse Javascript code (JS-scan or JSParser) Dissect mobile app and retrieve hardcoded URL
  • 10. DEBUGGING AND FUZZING Debug API: Using Proxy
 
 
 

  • 11. Debug API: API Testing Tools DEBUGGING AND FUZZING
  • 13. AUTHENTICATION ATTACKS ON API JWT (JSON Web Tokens) attacks
  • 15. CRACKING THE JWT SECRET Dictionary attack
 (https://github.com/Sjord/jwtcrack) Bruteforce attack
 (https://github.com/lmammino/jwt-cracker)
  • 16. JWT ATTACK MITIGATION Use random complicated key (JWT secret) Force algorithm in the backend Make token expiration (TTL,RTTL) short as possible Use HTTPS everywhere to avoid MITM/Replay attack.
  • 20. OAUTH ATTACKS Access token leakage (Via Open Redirect)
  • 21. OAUTH ATTACKS CSRF attack on OAUTH flow
 
 https://www.geekboy.ninja/blog/turning-simple-login-csrf-to-account- takeover/ Stealing Authentication code via XSS
 https://whitton.io/articles/uber-turning-self-xss-into-good-xss/
 References for further reading:
 https://sakurity.com/oauth
 https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/

  • 22. MITIGATIONS Always use SSL Use State parameter to protect against CSRF. Check your code for XSS vulnerabilities. One XSS code can ruin everything. Be up to date with protocol standards.
  • 23. BRUTE FORCE ATTACKS ON API Target:
 Authentication (form-data/basic/digest) Password reset tokens / 2FA Tokens (Authentication / Authorization) like JWT
 
 http://www.anandpraka.sh/2016/03/how-i-could-have-hacked- your-facebook.html

  • 24. MITIGATIONS Limit retries for every username Make authcode/tokens/reset codes expirations short as possible Don’t use easily bruteforce able codes (Ex. 4 digits auth code) Expire auth/reset codes after 1 time usage
  • 25. ATTACKING DEV/STAGING/OLD API Why we should target them?
 Still in development stage (Full of bugs) Deprecated but still works Internal security team rarely tests old/dev api endpoints Production measure disabled (Rate limit, Registration policy, etc.) Debug in most cases is turned ON
  • 26. 1. FINDING OLD API’S API versioning ▸ Explicit URL ▸ Accept headers ▸ Custom headers You can find it also in old documentation
  • 27. 2. FINDING DEV/STAGING API’S Subdomain Brute Forcing Public record and search engines Social Engineering
  • 28. ATTACK FLOW Find whether Old/Dev API is connecting to the same DB or server as the production Find weakness in the Old/Dev API Use this weakness to affect the production API https://hackerone.com/reports/157876
  • 29. MITIGATIONS Delete old API once became deprecated Protect your dev/staging API with authentication or IP restrictions Add dev/staging API to your security scope
  • 30. TRADITIONAL ATTACKS API can be vulnerable to: SQLi RCE XSS IDOR CSRF XXE and so on…
  • 31. IDOR (INSECURE DIRECT OBJECT REFERENCE) api.example.com/profile/UserId=123 Try changing to another valid UserId: api.example.com/profile/UserId=456
  • 32. BYPASSING IDOR VIA PARAMETER POLLUTION api.example.com/profile/UserId=123 Try changing to: api.example.com/profile/UserId=456&UserId=123
  • 33. CROSS SITE SCRIPTING (XSS) ▸ Content-type: text/html
  • 34. CROSS SITE REQUEST FORGERY (CSRF) CSRF via XHR request 
 (When there is no Content-Type validation in place) CSRF via flash and 307 redirect. 
 (When Content-Type is getting validated i.e application/ json) ▸ Note: If there is any additional CSRF token/referrer check at place this attack will not work
  • 38. VULNERABLE TEST BEDS ▸ https://github.com/snoopysecurity/dvws ▸ https://payatu.com/tiredful-api-vulnerable-rest-api-app/ ▸ https://github.com/rapid7/hackazon ▸ https://github.com/bkimminich/juice-shop