Authors: Matt Tesauro
2023-02-16

tldr - powered by Generative AI

API security testing and defense strategies
  • APIs are web apps without a UI, so testing them requires knowledge of HTTP
  • Data attacks involve injecting data into a JSON structure, while structural attacks involve manipulating the structure itself
  • Gaps in API security testing and defense make it a highly productive area for testing
  • Runtime protection and testing are important for defenders, with posture management, logging and monitoring being strong tools
  • API security tools are available for testing and defense
Authors: Zohar Shchar, Dmitry Ryskin
2022-11-18

When doing application security for an API-centric enterprise spanning thousands of microservices, Dynamic Application Security Testing (DAST) is almost a must-have. However, DAST products often fail to execute even the most rudimentary tests on internal endpoints that require a complex user flow. If an API call requires an ID that was obtained in the response body 5 HTTP calls ago, the chances a traditional DAST will be able to test your API are slim.

In this talk we'll present our approach for solving this issue, by leveraging existing headless-chrome test suites (built by the engineers as part of the R&D flow) to serve as the attack surface for our custom DAST solution, Krampus. By using Chromium interceptors, we were able to introduce appsec payloads into HTTP requests issued during the execution of normal 'user flow' test scenarios (and pick up the results) and have an effective DAST for internal APIs and endpoints.

It wasn't smooth sailing, though, with many challenges along the way. In particular, we realized that replicating each API call & param with a separate test would mean that the number of our test calls grows exponentially, pushing up both cost and overhead. As many of our APIs also include dynamic params as part of the path, we had to build an API asset DB to understand if and when a specific URL was already tested (code for which we plan to release as open source).

At the end of the talk the participants will have the tools to leverage similar testing suites in their own orgs to drastically improve the quality & coverage of the automatic testing in their environment.
Authors: Isabelle Mauny
2021-09-24

tldr - powered by Generative AI

APIs present new vulnerabilities and require specific security measures to protect data
  • APIs have changed the way we write applications and moved security controls to the client side, leaving data vulnerable
  • APIs create new vulnerabilities and require specific security measures
  • Data protection is a critical issue for APIs, and validation of data inputs is necessary
  • Parler is an example of a social network that suffered a data breach due to zero authentication, no rate limiting, and sequential IDs
Authors: Kavisha Sheth
2021-09-24

Kavisha is a Security Analyst by profession. She is a cloud security and machine learning enthusiast who dabbles in application and API security and is passionate about helping customers secure their IT assets. She spends time finding vulnerabilities and doing research on them. She has been recognized by the Government of India for helping them secure their websites. She has also been listed among the top security researchers of the nation in a recent newsletter of NCIIPC RVDP.

She believes in giving back to the community and frequently finds audiences to talk to. She is also a cybersecurity speaker and loves to share her views on various infosec threads. She has spoken at various security events around the world, including Defcon Cloud Village, OWASP Bay Area, OWASP Sofia, Null Bangalore, BSides Noida, Infosec Girls, and so on.