Hacking And Defending APIs: Red And Blue Make Purple

APIs are a foundational technology in today’s app-driven world and are increasingly becoming the main target for attackers. How do you protect yourself? This talk will walk you through the techniques attackers use against APIs like broken object level authorisation (BOLA) by following a typical API pen testing methodology. For each phase and attack, the tables are turned by covering how the attack looks from the defender’s point of view, including proactive ways to catch attacks early. You’ll understand how attackers find and exploit vulnerabilities and gain insight into why many traditional AppSec approaches fall short for APIs. The goal is to provide a complete overview of API vulnerabilities from both attack and defence perspectives so you can ramp up your testing and protection of all the new APIs in your AppSec life.


AI Summary

Disclaimer: This session information was generated with the help of AI. The information has been reviewed and refined by the Swiss Cyber Storm team and the speaker before publishing.
Matt Tesauro discusses the importance of API security, highlighting the ubiquity of APIs and their complexity in real-world applications. He emphasizes the unique challenges in securing APIs, such as specific vulnerabilities and the need for specialized controls beyond traditional application security measures. Tesauro also covers various attack vectors, including broken object level authorization, broken user authentication, and excessive data exposure, providing insights into both attacking and defending APIs.

Key facts

  • APIs, while conceptually simple, become very complex in real-world business applications, involving multiple layers and security considerations.
  • The security landscape for APIs is distinct from traditional web applications, with specific vulnerabilities like BOLA, broken authentication, and excessive data exposure being prevalent.
  • Defending APIs requires a combination of posture management, runtime security monitoring, and proactive testing to effectively mitigate risks.

Ideas

  • APIs are ubiquitous and essential for modern applications, yet they introduce complex security challenges that require specialized attention beyond traditional app security.
  • The security of APIs is crucial due to their access to sensitive data and their role in data transmission, making them prime targets for attackers.
  • Effective API security encompasses understanding API inventory, runtime security monitoring, and proactive security testing to identify and mitigate potential vulnerabilities.
  • Common API vulnerabilities include broken object level authorization, broken user authentication, and excessive data exposure, each requiring specific defensive strategies.
  • Comprehensive testing matters: tools such as Kiterunner for brute-forcing API routes, and JWT best practices for secure token handling.
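The two vulnerabilities the talk keeps returning to, BOLA and excessive data exposure, and the defender's view of an ID sweep, shown as an added example that is not code from the talk or from DefectDojo. It assumes a tiny in-memory invoice API and a hypothetical access-log format; every user, record, token and field name is constructed.

```python
"""Added example, not code from the talk or from DefectDojo: a minimal
in-memory API showing broken object level authorisation (BOLA) and
excessive data exposure beside their hardened counterparts, plus the
defender's view of an ID-enumeration sweep over constructed log lines.
Every user, record, token and field name here is made up."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class User:
    id: int
    role: str


@dataclass
class Invoice:
    id: int
    owner_id: int
    amount: int
    internal_notes: str  # back-office data that must never leave the server


INVOICES = {  # constructed data store
    1: Invoice(1, owner_id=10, amount=250, internal_notes="disputed last quarter"),
    2: Invoice(2, owner_id=20, amount=900, internal_notes="flagged for manual review"),
}


class NotFound(Exception):
    """Maps to HTTP 404."""


def get_invoice_vulnerable(caller: User, invoice_id: int) -> dict:
    """BOLA: checks that the record exists but never that *this* caller may
    read it, then serialises the whole record (excessive data exposure)."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return vars(inv).copy()


def get_invoice_hardened(caller: User, invoice_id: int) -> dict:
    """Object-level check on every lookup; the same 404 for 'missing' and
    'not yours' so an ID sweep cannot learn which records exist; and an
    explicit allowlist of response fields instead of dumping the object."""
    inv = INVOICES.get(invoice_id)
    if inv is None or (inv.owner_id != caller.id and caller.role != "admin"):
        raise NotFound(invoice_id)
    return {"id": inv.id, "owner_id": inv.owner_id, "amount": inv.amount}


def enumerate_ids(handler, caller: User, candidate_ids) -> dict:
    """Attacker's view: walk candidate IDs with one token and keep every
    non-404 response. Returns {id: response}."""
    found = {}
    for i in candidate_ids:
        try:
            found[i] = handler(caller, i)
        except NotFound:
            pass
    return found


# Defender's view. Hypothetical access-log format for this example:
#   <token_id> <method> <path> <status>
LOG_LINE = re.compile(r"^(\S+) (GET|POST|PUT|DELETE) /invoices/(\d+) (\d{3})$")


def detect_id_enumeration(log_lines, min_distinct_ids=5, min_miss_ratio=0.5):
    """Flag tokens that touched many distinct object IDs and mostly got
    403/404: the runtime signature of a BOLA sweep even when no single
    request is malformed. Returns {token: (distinct_ids, misses)}."""
    ids = defaultdict(set)
    requests = defaultdict(int)
    misses = defaultdict(int)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # not an object lookup; ignored by this rule
        token, _method, obj_id, status = m.groups()
        ids[token].add(int(obj_id))
        requests[token] += 1
        if status in ("403", "404"):
            misses[token] += 1
    return {
        t: (len(ids[t]), misses[t])
        for t in ids
        if len(ids[t]) >= min_distinct_ids
        and misses[t] / requests[t] >= min_miss_ratio
    }


SAMPLE_LOG = [  # constructed
    "tok_alice GET /invoices/1 200",
    "tok_alice GET /invoices/1 200",
    "tok_mallory GET /invoices/1 404",
    "tok_mallory GET /invoices/2 200",
    "tok_mallory GET /invoices/3 404",
    "tok_mallory GET /invoices/4 404",
    "tok_mallory GET /invoices/5 404",
    "tok_mallory GET /invoices/6 404",
]
```

Run `enumerate_ids(get_invoice_vulnerable, User(20, "customer"), range(1, 7))` and the attacker walks away with invoice 1 and its `internal_notes`; the hardened handler returns only invoice 2 with three fields. `detect_id_enumeration(SAMPLE_LOG)` flags `tok_mallory` from the same traffic, which is the kind of runtime signal the talk means by catching attacks early.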

Keywords

  • API Security
  • Vulnerabilities
  • Defensive Measures
  • Attack Vectors
  • OWASP

Quotes

  • “APIs are those data pipelines that are pushing around this new oil.”
  • “Browsers have gotten a lot better since I wrote against Netscape... but APIs don't have that necessarily.”
  • “If you have an API it will likely get attacked if you put anything that listens on a port on the internet these days.”
  • “I had 11 sweaty minutes waiting for the response because I thought I DoSed them.”

Recommendations

  • For organizations and developers, understanding the inventory of APIs and their specific security needs is crucial for effective defense strategies.
  • Implementing runtime API security monitoring and proactive security testing can significantly reduce the risk of successful attacks on APIs.
  • Use specialised tools and resources, such as Kiterunner for brute-forcing API routes, and follow JWT best practices to strengthen API security.
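What "JWT best practices" look like in a verifier, as an added example that is not code from the talk: a stdlib-only HS256 check where the verifier pins the algorithm (so `alg: none` and key-confusion headers are rejected), compares signatures in constant time, requires `exp`, honours `nbf` with leeway, and checks issuer and audience. The key, issuer and audience values are constructed for the example.

```python
"""Added example, not code from the talk: a stdlib-only HS256 JWT verifier
applying the usual best practices (algorithm pinned by the verifier, so
'alg: none' and key-confusion headers are rejected; constant-time signature
comparison; mandatory exp plus nbf with leeway; issuer and audience checks).
The key, issuer and audience used with it are constructed for the example."""
import base64
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    pass


def _b64url_decode(segment: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_hs256(claims: dict, key: bytes, header=None) -> str:
    """Issuer side. Also handy for building deliberately bad tokens in tests."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, issuer: str, audience: str,
                 now=None, leeway: int = 30) -> dict:
    """Return the claims if every check passes, otherwise raise InvalidToken.
    The verifier, not the token header, decides which algorithm is acceptable."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        raise InvalidToken("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed token")
    if header.get("alg") != "HS256":  # rejects 'none', RS256 key confusion, etc.
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise InvalidToken("bad signature")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise InvalidToken("missing exp")  # never accept tokens that cannot expire
    if now > exp + leeway:
        raise InvalidToken("expired")
    if now < claims.get("nbf", 0) - leeway:
        raise InvalidToken("not yet valid")
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    return claims


def token_status(token: str, key: bytes, issuer: str, audience: str, now=None) -> str:
    """'ok' or the rejection reason; convenient for logging and for tests."""
    try:
        verify_hs256(token, key, issuer, audience, now=now)
        return "ok"
    except InvalidToken as e:
        return str(e)
```

The important design choice is that `verify_hs256` never reads the header to pick an algorithm or key: a token whose header says `alg: none`, or one signed with a different key, fails with a reason you can log, and a token without `exp` is rejected outright rather than treated as valid forever. In production you would also pin `kid` to a known key set and log `token_status` results so sweeps of forged or expired tokens show up in your runtime monitoring.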

Resources


About the speaker

Matt Tesauro

Founder and CTO at DefectDojo

Matt Tesauro is a DevSecOps and AppSec guru who specialises in creating security programs, leveraging automation to maximise team velocity and training emerging and senior security professionals. When not writing automation code in Go, Matt is pushing for DevSecOps everywhere via his involvement in open-source projects, presentations, trainings and new technology innovation.

As a versatile engineer, Matt’s background spans software development (primarily web development), Linux system administration, penetration testing and application / cloud security. He thrives on tackling industry-defining technical problems.


Copyright © 2025 Swiss Cyber Storm