Hacking and Defending APIs - Red and Blue make Purple

2023-02-16

Authors: Matt Tesauro

Summary

API security testing and defense strategies
  • APIs are web apps without a UI, so testing them requires knowledge of HTTP
  • Data attacks involve injecting data into a JSON structure, while structural attacks involve manipulating the structure itself
  • Gaps in API security testing and defense make it a highly productive area for testing
  • Runtime protection and testing matter for defenders; API security posture management, along with logging and monitoring (whose absence is itself a well-known API weakness), are strong defensive tools
  • API security tools are available for testing and defense
The speaker injected 32 MB of whitespace between two XML tags and took down an API with a single request, illustrating the effectiveness of structural attacks
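The data-versus-structural distinction above maps directly onto two layers of input validation. The following is an added example (not code from the talk or its author) that shows a defender-side request guard for a JSON API: structural checks (raw body size, nesting depth, key count) run first and cheaply, and only then do data checks (field presence and exact types against a schema) run on the parsed document. The 1 KB size limit, the depth and key limits, the `user_id`/`email` schema and the sample requests are all constructed assumptions; the whitespace-padded request is a small JSON analogue of the 32 MB whitespace payload described above.

```python
import json
from typing import Optional, Tuple

# Limits are assumptions for this example; real APIs usually enforce the size
# limit at the gateway or web server before the application ever sees the body.
MAX_BODY_BYTES = 1024
MAX_DEPTH = 8
MAX_KEYS = 64

# Constructed schema for a hypothetical endpoint: field name -> exact Python type.
SCHEMA = {"user_id": int, "email": str}


def _depth_and_keys(doc) -> Tuple[int, int]:
    """Walk the parsed document iteratively (no recursion) and report the
    maximum nesting depth and the total number of object keys."""
    depth, keys = 0, 0
    stack = [(doc, 1)]
    while stack:
        node, d = stack.pop()
        depth = max(depth, d)
        if isinstance(node, dict):
            keys += len(node)
            stack.extend((v, d + 1) for v in node.values())
        elif isinstance(node, list):
            stack.extend((v, d + 1) for v in node)
    return depth, keys


def structural_check(raw: bytes) -> Tuple[Optional[dict], Optional[str]]:
    """Structural defenses: reject oversized, malformed or abusively shaped
    bodies. Returns (parsed_document, None) on success or (None, reason)."""
    if len(raw) > MAX_BODY_BYTES:
        return None, "body too large"          # cheapest check, done before parsing
    try:
        doc = json.loads(raw)
    except (ValueError, RecursionError):       # json.loads recurses; very deep input raises RecursionError
        return None, "malformed json"
    depth, keys = _depth_and_keys(doc)
    if depth > MAX_DEPTH:
        return None, "nesting too deep"
    if keys > MAX_KEYS:
        return None, "too many keys"
    return doc, None


def data_check(doc) -> Optional[str]:
    """Data defenses: the document has the right shape, now validate values."""
    if not isinstance(doc, dict):
        return "top-level must be an object"
    for field_name, expected in SCHEMA.items():
        if field_name not in doc:
            return f"missing field {field_name}"
        # Exact type match: bool is a subclass of int, so isinstance() would let True through.
        if type(doc[field_name]) is not expected:
            return f"field {field_name} has wrong type"
    extra = set(doc) - set(SCHEMA)
    if extra:
        return f"unexpected fields {sorted(extra)}"
    return None


def validate(raw: bytes) -> Tuple[bool, Optional[str]]:
    """Full request guard: structural checks first, then data checks."""
    doc, reason = structural_check(raw)
    if reason is not None:
        return False, reason
    reason = data_check(doc)
    return (reason is None), reason


# Constructed sample requests.
GOOD = b'{"user_id": 42, "email": "a@example.com"}'
PADDED = b'{"user_id": 42,' + b" " * 2000 + b'"email": "a@example.com"}'   # structural: whitespace padding
DEEP = b'{"user_id": 42, "email": "x", "extra": ' + b"[" * 20 + b"]" * 20 + b"}"  # structural: nesting
WRONG_TYPE = b'{"user_id": "42", "email": "a@example.com"}'               # data: string where int expected

if __name__ == "__main__":
    for name, body in [("GOOD", GOOD), ("PADDED", PADDED), ("DEEP", DEEP), ("WRONG_TYPE", WRONG_TYPE)]:
        print(name, validate(body))
```

The ordering is the point: size and shape are checked on the raw bytes and on a cheap walk of the tree, so a request built to exhaust the parser or the schema validator is refused before either does much work, and the data-level rules only ever see documents that are already within bounds.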

Abstract

APIs are a foundational technology in today’s app-driven world and increasingly becoming the main target for attackers. How do you protect yourself? This talk will walk you through the techniques attackers use against APIs like broken object level authorization (BOLA) by following a typical API pen testing methodology. For each phase and attack, the tables are turned by covering how the attack looks from the defender's point of view including proactive ways to catch attacks early. You’ll understand how attackers find and exploit vulnerabilities and gain insight into why many traditional AppSec approaches fall short for APIs. The goal is to provide a complete overview of API vulnerabilities from both attack and defense perspectives so you can ramp up your testing and protection of all the new APIs in your AppSec life.
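The abstract names broken object level authorization (BOLA) as the lead example, so here is an added illustration (not the talk's own material) of what the defender's side of that attack looks like in code: a lookup that trusts the object id from the request beside one that ties every lookup to the calling principal, plus the audit trail that lets a defender notice a caller walking through ids that are not theirs. The `Order` records, the caller ids, the in-memory store and the denial threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Order:
    order_id: int
    owner_id: int
    total: float


# Constructed sample data: three orders belonging to two different users.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, owner_id=1, total=19.99),
    1002: Order(1002, owner_id=2, total=250.00),
    1003: Order(1003, owner_id=2, total=5.25),
}

# Audit log of object-level authorization decisions (constructed, in-memory).
AUDIT_LOG: List[dict] = []


def vulnerable_get_order(order_id: int) -> Optional[Order]:
    """BOLA: the handler authenticates the caller elsewhere but never checks
    that the requested object belongs to them, so any valid session can read
    any order id."""
    return ORDERS.get(order_id)


def get_order(caller_id: int, order_id: int) -> Optional[Order]:
    """Hardened handler: the object is only returned if it is owned by the
    authenticated caller. Missing and not-owned objects get the same answer so
    the endpoint is not an existence oracle for other users' ids."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != caller_id:
        AUDIT_LOG.append({"caller": caller_id, "order_id": order_id, "result": "denied"})
        return None
    AUDIT_LOG.append({"caller": caller_id, "order_id": order_id, "result": "allowed"})
    return order


def suspicious_callers(log: List[dict], threshold: int = 3) -> List[int]:
    """Detection: callers whose denied object lookups reach the threshold.
    A legitimate client rarely asks for objects it does not own; repeated
    denials are the signature of id enumeration."""
    counts: Dict[int, int] = {}
    for entry in log:
        if entry["result"] == "denied":
            counts[entry["caller"]] = counts.get(entry["caller"], 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(vulnerable_get_order(1002))          # any caller gets user 2's order
    print(get_order(1, 1002))                  # None: caller 1 does not own it
    print(get_order(2, 1002))                  # the owner gets it
    for oid in (1002, 1003, 9999):
        get_order(1, oid)
    print(suspicious_callers(AUDIT_LOG))       # [1]
```

The denial entries are also the logging-and-monitoring hook the summary refers to: without them the hardened handler still blocks the read, but nobody learns that a caller tried.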

Materials: