The document discusses FuzzAPI, an open-source tool that automates REST API penetration testing so developers can find vulnerabilities while they are still writing code. Key features include checks for common API vulnerabilities such as XSS and SQL injection, as well as a workflow that fits continuous integration. The authors emphasize collaboration between developers and penetration testers as the basis for effective security practice.
About us
Abhijeth Dugginapeddi
@abhijeth
Application Security
Likes training, spreading awareness
Found bugs in Google/FB/Yahoo/Microsoft etc.
Among top 5 bug hunters on Synack
Srinivas Rao Kotipalli
@srini0x00
Security Engineer
Author, Speaker, Trainer
Blogs at androidpentesting.com
Author of “Hacking Android”
Lalith Rallabhandi
@lalithr95
Developer Intern
Blogger, Coder, Security Enthusiast
Does bounties when free; found bugs with Microsoft/Google/FB/Badoo etc.
Only @abhijeth, @srini0x00 and @lalithr95 are responsible for whatever is on the slides.
Nobody else is responsible for anything else we say.
On a serious note
• What is fuzzAPI
• How to use fuzzAPI
• Need for automating Pen Testing APIs
• Developer vs Pen tester use cases
• Continuous Integration
• Spread the smile ☺
#fuzzAPI
• Open source REST API fuzzer
• Test for vulnerabilities while writing your code
• Helps pen testers speed up their testing
• Covers most of the top attacks on APIs
• Built in Ruby on Rails
REST API Penetration Testing: common checks
• Authentication
• Authorization
• Input validation
• Others ☺
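The input-validation checks above (reflected XSS and SQL injection in the summary) come down to one loop: substitute a payload into each parameter, send the request, and look for a signature in the response. The block below is an added example of that loop, not FuzzAPI's own code. It runs offline against two constructed in-process handlers (a vulnerable one that echoes input unencoded and leaks database errors, and a hardened one that HTML-encodes and, by assumption, binds query parameters); the payload lists and error regexes are sample sets chosen for this example.

```ruby
require 'cgi'

# Payload sets for two of the common API checks (constructed sample payloads,
# not FuzzAPI's own lists).
PAYLOADS = {
  xss:  ['<script>alert(1)</script>', '"><img src=x onerror=alert(1)>'],
  sqli: ["' OR '1'='1", "1; DROP TABLE users--", "' UNION SELECT NULL--"]
}.freeze

# Database error signatures that indicate a payload reached a SQL parser.
SQL_ERRORS = [
  /you have an error in your sql syntax/i,
  /unterminated quoted string/i,
  /sqlite3::sqlexception/i,
  /ORA-\d{5}/
].freeze

# handler: callable taking (method, path, params) and returning [status, body].
# Each parameter in base_params is replaced in turn with every payload; a
# finding is recorded when the response shows a reflection or error signature.
def fuzz_endpoint(handler, method, path, base_params)
  findings = []
  base_params.each_key do |param|
    PAYLOADS.each do |kind, payloads|
      payloads.each do |payload|
        status, body = handler.call(method, path, base_params.merge(param => payload))
        hit = case kind
              when :xss  then body.include?(payload)                   # reflected unencoded
              when :sqli then SQL_ERRORS.any? { |re| body.match?(re) } # DB error leaked
              end
        findings << { param: param, kind: kind, payload: payload, status: status } if hit
      end
    end
  end
  findings
end

# Constructed in-process stand-ins for an API under test (no network needed).
# Vulnerable: echoes the parameter unencoded into HTML and lets a quote reach
# the database, which answers with a raw error.
VULNERABLE_HANDLER = lambda do |_method, _path, params|
  q = params['q'].to_s
  if q.include?("'")
    [500, "SQLite3::SQLException: unrecognized token: \"#{q}\""]
  else
    [200, "<p>Results for #{q}</p>"]
  end
end

# Hardened: HTML-encodes the reflected value and (simulating a bound query
# parameter) never lets the input change the SQL statement.
HARDENED_HANDLER = lambda do |_method, _path, params|
  q = CGI.escapeHTML(params['q'].to_s)
  [200, "<p>Results for #{q}</p>"]
end

if __FILE__ == $PROGRAM_NAME
  fuzz_endpoint(VULNERABLE_HANDLER, 'GET', '/search', { 'q' => 'test' }).each { |f| p f }
  p fuzz_endpoint(HARDENED_HANDLER, 'GET', '/search', { 'q' => 'test' })
end
```

A hit from this loop is a candidate, not a confirmed vulnerability: an unencoded reflection inside a JSON body is only exploitable if a browser renders it as HTML, and an injected quote that produces a 500 without a database error string will be missed by the signature list. Those are the cases the text leaves to the pen tester's manual review.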
Continuous Integration
• There are companies/teams who deploy code to production more than 10 times every day
• Developers can do the basic testing themselves
• Penetration testers save a lot of time
• Penetration testers can spend that time on business-logic issues
• It is easier to fix vulnerabilities sooner than later
Fuzzapi sample approach for rate limiting
• Fuzzapi sends a burst of sample requests and waits for a timeout or error response
• If none of the requests is throttled or rejected, the API is reported as lacking rate limiting
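The rate-limiting check above, written out as an added example (not FuzzAPI's implementation): fire up to N requests, stop at the first HTTP 429, timeout or connection error, and report the API as unlimited if the whole burst goes through. The endpoints it is run against are constructed in-process stand-ins; a real run would wrap Net::HTTP and pass the real status code back.

```ruby
require 'timeout'

def outcome(result, after, reason)
  { result: result, after: after, reason: reason }
end

# send_request: callable that performs one request and returns the HTTP status.
# Returns :limited as soon as the API pushes back (429, timeout, or a
# connection error), otherwise :unlimited after `attempts` successful calls.
def rate_limit_check(send_request, attempts: 50, per_request_timeout: 2)
  attempts.times do |i|
    status = begin
      Timeout.timeout(per_request_timeout) { send_request.call }
    rescue Timeout::Error, IOError, SystemCallError
      :error # a hang or dropped connection counts as the API throttling us
    end
    return outcome(:limited, i + 1, :timeout_or_error) if status == :error
    return outcome(:limited, i + 1, :status_429) if status == 429
  end
  outcome(:unlimited, attempts, nil)
end

# Constructed stand-in: answers 200 for the first `allow` calls, then 429.
def limiting_endpoint(allow)
  count = 0
  -> { (count += 1) > allow ? 429 : 200 }
end

# Constructed stand-in: never throttles.
UNLIMITED_ENDPOINT = -> { 200 }

if __FILE__ == $PROGRAM_NAME
  p rate_limit_check(limiting_endpoint(5))
  p rate_limit_check(UNLIMITED_ENDPOINT, attempts: 20)
end
```

Two caveats when reading the result: a burst of 50 requests inside a few seconds says nothing about limits enforced per minute or per hour, and limits are often applied per credential or per source IP, so the check should be repeated with the authentication state the real clients use.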
Developer’s eye
• Testing APIs while writing code
• Having scrum meetings about findings/fixes
• Add more checks ☺

Security Engineer’s eye
• Use it while doing security testing
• Work with developers to help them configure it
• Train developers to understand/fix vulns
• Customizing fuzzapi according to the organization’s requirements
• Add more checks ☺
Roadmap for fuzzapi/us
Add more checks
Write more blogs
Make more tutorial videos
Write more tools
Repeat
Oh yeah, btw :D Don’t you want links to download?
API_Fuzzer gem: https://github.com/lalithr95/API-fuzzer
fuzzapi: https://github.com/lalithr95/Fuzzapi
For queries/concerns/feedback/rant:
Twitter:
@abhijeth
@lalithr95
@srini0x00
It’s 2016 and if you still don’t know about bug bounties/responsible disclosure, you should say hi to these guys
@Bugcrowd @synack @Hacker0x01
Thanks ☺
and all the security folks for contributing to the open source community