Downloaded 241 times
Uploaded byAbhijeth D
Automated API pentesting using fuzzapi
The document discusses FuzzAPI, an open-source tool designed to automate API penetration testing and enhance developers' capabilities in identifying vulnerabilities during the development process. Key features include testing for common vulnerabilities such as XSS and SQL injection, as well as integration with continuous development practices. The authors emphasize the importance of collaboration between developers and penetration testers for effective security practices.
In this document
Powered by AI
Overview of automating API penetration testing with Fuzzapi, its purpose, and introduction of presenters.
Fuzzapi is an open-source REST API fuzzer that tests for vulnerabilities in APIs, covering key attack types.
Reasons for automating penetration testing, including frequent deployments and efficiency for testers.
Fuzzapi capabilities including checks for security vulnerabilities and methods for testing rate limiting and privilege escalation.
Integration of Fuzzapi in CI/CD pipelines, collaboration between developers and security teams for effective vulnerability management.
Links to download Fuzzapi tools and acknowledgements of contributors in the security and open source communities.
More Related Content
Similar to Automated API pentesting using fuzzapi
Automated API pentesting using fuzzapi
- 1. Automating API PenTesting using Fuzzapi just another tool?
- 2. About us Abhijeth Dugginapeddi @abhijeth ApplicationSecurity Likes training, spreading awareness Got some bugs in Google/FB/Yahoo/Microsoft etc Among top 5 bug hunters on Synack Srinivas Rao Kotipalli @srini0x00 Security Engineer Author, Speaker, Trainer Blogs at androidpentesting.com Author of “Hacking Android” Lalith Rallabhandi @lalithr95 Developer Intern Blogger, Coder, Security Enthusiast Does bounties when free and found bugs With Microsoft/Google/FB/Badoo etc
- 3. Only @abhijeth @srini0x00and @lalithr95 are responsible for whatever is on the slides Nobody else is responsible for anything else we say
- 4.
- 5.
- 6.
- 7.
- 8. On a seriousnote • What is fuzzAPI • How to use fuzzAPI • Need for automating Pen Testing APIs • Developer vs Pen tester use cases • Continuous Integration • Spread the smile ☺
- 9. #fuzzAPI • Open SourceREST API Fuzzer • Test for vulnerabilities while writing your code • Helps Pen testers to fasten their testing • Covers most top attacks on APIs • Built in Ruby on Rails
- 10. Rest API PenetrationTesting Authorization Authentication Input validations Others ☺ Common checks
- 11.
- 12. This is Twitter Source:@wesecureapp
- 13.
- 14.
- 15.
- 16. Can you automatesuch attacks?
- 17.
- 18. But why doyou want to automate?
- 19. People don’t havetime Source: giphy
- 20. • There arecompanies/teams who deploy code to production >10 times every day • Developers can do basic testing • Penetration testers can save a lot of time • Penetration testers can work on logical stuff • Easier to fix vulnerabilities sooner than later Continuous Integration
- 21.
- 22. No But a partof it can be automated.
- 23. Cool stuff aboutFuzzapi Access Control Violation XXE Other regular vulns like XSS/SQLi.. etc Privilege Escalation Rate limiting
- 24. Not so coolstuff!!
- 25.
- 26. #if demo doesn’twork
- 27. #if demo doesn’twork
- 28. #if demo doesn’twork
- 29. How stuff works API_Fuzzer– Ruby gem Fuzzapi -- Rails application
- 30.
- 31.
- 32. Fuzzapi approach forXXE • XxeCheck performs a call with payload to internal server • If status: OK – fuzzapi confirms XXE
- 33. Fuzzapi sample approachfor Privilege Escalation
- 34. Fuzzapi sample approachfor Rate limiting • Fuzzapi sends multiple sample requests and waits for timeout/error • Failure in limiting requests allows to perform this check
- 35.
- 36. Continuous integration --Rails!!! • Identify test requests • Use API_Fuzzer module with test request • Run scans
- 37. Developer’s eye SecurityEngineer’s eye Work with developers to help them configure stuff Add more checks ☺ Use it while doing security testing Train developers to understand/fix vulns Having scrum meetings about findings/fixes Customizing fuzzapi according to organization’s requirement Add more checks ☺ Testing APIs while writing code
- 39. Roadmap for fuzzapi/us Addmore checks Write more blogs Make more tutorial videos Write more tools Repeat
- 40. Oh yea btw:D Don’t you want links to download? API_Fuzzer gem: https://github.com/lalithr95/API-fuzzer fuzzapi: https://github.com/lalithr95/Fuzzapi For queries/concerns/feedback/rant: Twitter: @abhijeth @lalithr95 @srini0x00
- 41. It’s 2016 andif you still don’t know about bug bounties/responsible disclosures, you should say hi to these guys @Bugcrowd @synack @Hacker0x01
- 42. Thanks ☺ and allthe security folks for contributing to the open source community
Editor's Notes
- #24 https://intland.com/wp-content/uploads/2014/09/blog-140923-dependencies-336x336.png