API Testing and Hacking
By : Vishwas Narayan
For: Developers, Testers, QA
We developed faster, failed quicker and shipped faster (thanks to DevOps engineers).
But we forgot security.
We worked like machines and forgot we are human beings.
We have "trust" for each other.
Trust is a vulnerability in:
• Connections
• Users
• Content
• URLs
• Files in the endpoints
• New files
• Devices
• ….
Security controls:
• Firewall
• AuthN
• AuthZ
• URL filtering
• IDS/IPS
• Anti-virus
• Sandboxing
• IoT security
• Cryptography
Trust issues lie everywhere.
Software is Eating the world
• Custom code
• Open source software
• Infrastructure as Code
• Container manifest files
• Scaling platforms
• Software patches
● 80-90 percent of the code is open source
● 80% of that code comes in through indirect (transitive) dependencies
● Millions of imports
● Agile is a curse, to some extent, for development
● The beauty of code is that it is scalable and reusable
● Happy developers, and happy bugs in production
● Agile is a blessing
• Custom wrappers / frameworks
We all built solutions? Think Web 3.0.
Port 22 open on a host with a Web 3.0 application deployed.
What's Dangerous is
What's even more Dangerous is
Source: A6: Security Misconfiguration - Top 10 OWASP 2017 (wallarm.com)
We have to learn how we misconfigure things.
What is an API?
● API stands for Application Programming Interface. In the context of APIs, the word Application refers to any software with a distinct function.
● The Interface can be thought of as a contract of service between two applications.
● This contract defines how the two communicate with each other using requests and responses.
According to Wikipedia:
"An application programming interface is a way for two or more computer programs to communicate with each other. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how to build or use such a connection or interface is called an API specification."
Simple Analogy
● It's a socket that communicates with different services.
● It's the channel of communication that connects the front end to the back ends of different services.
● It doesn't care where a request comes from; it is just a dumb formatter of data, which is exactly why it needs more security.
● Today's blessing of multiple languages and abstractions behind an API is also a curse.
Let's create an API and learn about it.
Let's learn.
Let's worship these:
● Global state of the internet security DDoS attack reports | Akamai
● How to send API key in the header of python request? - Stack Overflow
● Postman: sending a request to the API
● Postman: sending an auth token
● Automating the Postman calls
● Akamai State of the Internet Report
Never treat an API like a web server.
The most common term in API testing and hacking is IDOR (Insecure Direct Object Reference), or BOLA (Broken Object Level Authorization) in OWASP API Security Top 10 terms.
Client: Can I get the document of Customer ID 1001?
Server: Of course, take it.
Client: Can I get the document of Customer ID 3001?
Server: Response 200 OK. You can take the data.
(The original slides show this exchange against a diagram of Server 1, Server 2 and Server 3.)
The hacker now understands the API's slang.
Always turn off developer mode in production.
API Breaches in BOLA
If the client supplies an object ID in the request, the endpoint is a potential BOLA vulnerability: the server must check that the caller is authorized for that specific object, not just that the caller is authenticated.
Some Postman hacks are:
GET /api/Student_ID/{marks} - fetches the values with no authentication
POST /api/Student_ID/{marks}/add_marks - adds marks to the ID
POST /api/Student_ID/{marks}/add_grade - adds a grade directly, bypassing the marks
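The customer-document exchange and the BOLA slide above describe the bug; the following is an added example (not code from the deck) that builds the smallest API that has it, the same API with the ownership check added, and a probe that walks object IDs with one user's token the way a Postman collection or a script would. The route /api/customers/{id}/document, the customer IDs 1001 and 3001, the tokens and the documents are all invented for the demo.

```python
"""Added example: a customer-documents API with a BOLA/IDOR bug, its fixed
form, and a probe that tests object-level authorization like an attacker.
Route, IDs, tokens and documents are constructed for this demo only."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed data: bearer token -> customer ID that owns it, and the documents.
TOKENS = {"tok-alice": 1001, "tok-bob": 3001}
DOCUMENTS = {1001: "Alice's contract", 3001: "Bob's contract"}


def handle_get(path, auth_header, enforce_ownership):
    """Core logic of GET /api/customers/<id>/document -> (status, body).

    enforce_ownership=False reproduces the BOLA bug: the server checks that
    the caller is authenticated, then serves whatever ID the client asked for.
    """
    token = auth_header[7:] if auth_header.startswith("Bearer ") else ""
    caller = TOKENS.get(token)
    if caller is None:                      # authentication: who is calling?
        return 401, {"error": "missing or invalid token"}

    parts = path.split("?", 1)[0].strip("/").split("/")
    if len(parts) != 4 or parts[:2] != ["api", "customers"] or parts[3] != "document":
        return 404, {"error": "not found"}
    try:
        customer_id = int(parts[2])
    except ValueError:
        return 400, {"error": "customer id must be an integer"}

    # Authorization: does the caller own *this* object? The check runs before
    # the lookup so a non-owner cannot even learn whether the ID exists.
    if enforce_ownership and customer_id != caller:
        return 403, {"error": "forbidden"}

    doc = DOCUMENTS.get(customer_id)
    if doc is None:
        return 404, {"error": "no such customer"}
    return 200, {"customer_id": customer_id, "document": doc}


def make_handler(enforce_ownership):
    """Wrap handle_get in a minimal HTTP handler for the given build."""

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):       # keep the demo quiet
            pass

        def do_GET(self):
            status, body = handle_get(
                self.path, self.headers.get("Authorization", ""), enforce_ownership
            )
            data = json.dumps(body).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

    return Handler


def start_server(enforce_ownership):
    """Start the API on a free loopback port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(enforce_ownership))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def probe_bola(base_url, token, ids):
    """Request every object ID with ONE user's token; returns {id: status}.
    A 200 for an ID the token does not own is the BOLA finding."""
    results = {}
    for cid in ids:
        req = urllib.request.Request(
            "%s/api/customers/%s/document" % (base_url, cid),
            headers={"Authorization": "Bearer " + token},
        )
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                results[cid] = resp.getcode()
        except urllib.error.HTTPError as err:
            results[cid] = err.code
    return results


def run_demo():
    """Probe both builds as Alice (1001) -> {build: {id: status}}."""
    outcome = {}
    for name, enforce in (("vulnerable", False), ("fixed", True)):
        server, url = start_server(enforce)
        try:
            outcome[name] = probe_bola(url, "tok-alice", [1001, 3001])
        finally:
            server.shutdown()
            server.server_close()
    return outcome


if __name__ == "__main__":
    for build, statuses in run_demo().items():
        print(build, statuses)
```

Run it and the vulnerable build answers 200 for both 1001 and 3001 with Alice's token, exactly the exchange on the slides; the fixed build answers 200 for 1001 and 403 for 3001. The probe is the reusable part: point it at any endpoint that takes an ID from the client, feed it a low-privilege token and a range of IDs, and every 200 outside that token's own objects is a BOLA finding.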
How to fix?
● Test the API against the OWASP Top 10 (and the OWASP API Security Top 10)
● Authorization should get the most emphasis in security practice
● Hack your own API
● Run SAST and DAST properly
● Stop relying on jailbroken-device detection (a client-side check is not a server-side authorization control)