Day 4 - Session 01

Uploaded by sferdinandes510

Introduction to Application Security
EMSC - IS
Introduction to API Security
What is an API
Application Programming Interface
A function call: accepts parameters and returns a response
Endpoints: each endpoint performs a single task
Endpoints are bound to HTTP verbs (GET, POST, PUT, DELETE)
Advantages of APIs
Access from any source
Optimization
Flexibility
Integration and automation
More scope for the application
Personalization
Independent from the application

Types of API
Private APIs
Designed to improve solutions and services within an organization
Partner APIs
Open, but only to business partners who have signed an agreement with the publisher
Public APIs
Developer-facing or external; available to any third-party developer
API Specifications
Remote Procedure Call (RPC)
Simple Object Access Protocol (SOAP)
Representational State Transfer (REST)
gRPC
GraphQL
API Documentation
A reference manual with all the information needed to use the API, including functions, classes, return types, and arguments
Authentication information
Explanations of each API endpoint (request)
Examples of requests and responses, error messages, etc.
Code samples, e.g. Python, Java, PHP, JS
https://swagger.io/docs/specification/about/
Why API Security
New data breach impacts 37 million accounts

"T-Mobile revealed on Thursday that the attacker started stealing data using the impacted API around November 25, 2022. The mobile carrier detected the malicious activity on January 5, 2023."

"Rather, the impacted API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number"
OWASP API Top 10
API1:2019 Broken Object Level Authorization
API2:2019 Broken User Authentication
API3:2019 Excessive Data Exposure
API4:2019 Lack of Resources & Rate Limiting
API5:2019 Broken Function Level Authorization
API6:2019 Mass Assignment
API7:2019 Security Misconfiguration
API8:2019 Injection
API9:2019 Improper Assets Management
API10:2019 Insufficient Logging & Monitoring
Completely Ridiculous API (crAPI)

An application for car owners. Users can add and manage their cars, search for car mechanics, submit servicing requests for any car, and purchase car accessories from the vendor. The web app also has a community section where users can contribute blog posts and comments.

Microservices architecture (B2C application)
Web: main ingress service
Identity: user and authentication endpoints
Community: community blogs and comments endpoints
Workshop: vehicle workshop endpoints
Mailhog: mail service
Mongo: NoSQL database
Postgres: SQL database
https://owasp.org/crAPI/
Broken Object Level Authorization

GET /User/256
GET /hrServices/<user_Name>/PaySlip

A symptom of relying on user-supplied parameters to select the object
Leads to unauthorized information disclosure or account takeover
Very common in APIs

Broken Object Level Authorization: mitigations
Define and implement a proper authorization mechanism
Validate that the logged-in user has access to the requested object, every time and in every function
Design the responses
Use random, unpredictable IDs (GUIDs etc.) to represent objects
Build test cases and test authorization thoroughly
Broken User Authentication

Lack of protection mechanisms
Incorrect implementation of the mechanism

GET /<user_name>/data
Authorization: Bearer xxxxx

Typical mistakes: the token is not validated, the token is sent in the URL, tokens have a long TTL

Broken User Authentication: mitigations
Identify all possible authentication flows
Use standard authentication mechanisms
Implement multi-factor authentication
Use API keys only for client apps
Implement an account lockout / captcha mechanism
Excessive Data Exposure

GET /User/1
{..., "password_hash": "xxxxxxx", ...}

The response includes the entire data object, including PII
A symptom of not identifying and defining the data required in the response, and of lazy development

Excessive Data Exposure: mitigations
Never rely on client-side hiding or filtering
Perform data classification
Clearly and carefully define the response for each endpoint
Avoid using toJSON() on objects
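As an added example (not code from the slides), the "define the response per endpoint" point in working form: the response is built from a per-endpoint field allowlist instead of serializing the whole object. The `User` fields and the two allowlists are constructed for illustration.

```python
# Added example: explicit response schemas instead of dumping the whole object.
from dataclasses import dataclass, asdict


@dataclass
class User:
    user_id: int
    name: str
    email: str
    password_hash: str
    billing_address: str


# Per-endpoint field allowlists, decided during data classification (assumed names).
PUBLIC_PROFILE_FIELDS = ("user_id", "name")                     # anyone may see these
ACCOUNT_OWNER_FIELDS = ("user_id", "name", "email", "billing_address")  # owner only


def dump_everything(user: User) -> dict:
    """The lazy version: equivalent to toJSON() on the object; leaks the hash."""
    return asdict(user)


def serialize(user: User, fields: tuple) -> dict:
    """Build the response from an allowlist; anything not listed never leaves."""
    return {f: getattr(user, f) for f in fields}


def public_profile_response(user: User) -> dict:
    """GET /User/<id> as seen by another user."""
    return serialize(user, PUBLIC_PROFILE_FIELDS)


def account_response(user: User) -> dict:
    """GET /User/<id> as seen by the account owner; still no credential data."""
    return serialize(user, ACCOUNT_OWNER_FIELDS)


# Constructed sample record (values are made up).
SAMPLE = User(1, "alice", "alice@example.com", "$2b$12$placeholderhash", "1 Main St")
```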


Broken Function Level Authorization

DELETE /User/1/Video
{..., "user_role": "admin", ...}

BOLA is like being able to read the private notes of other users.
BFLA is like being able to toggle the function that allows creating, modifying, or deleting those notes.
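The notes analogy above, written as an added example (not code from the slides): `get_note` enforces object-level authorization by checking ownership on every call, and `delete_note` enforces function-level authorization by requiring a role the server already knows, ignoring any `user_role` in the request body. The in-memory `NOTES` table and the role names are constructed for illustration.

```python
# Added example: object-level (BOLA) and function-level (BFLA) checks.
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    role: str  # "user" or "admin"; comes from the server-side session, not the body


@dataclass
class Note:
    note_id: int
    owner_id: int
    body: str


# Constructed sample data standing in for a database table.
NOTES = {
    1: Note(1, owner_id=100, body="alice's private note"),
    2: Note(2, owner_id=200, body="bob's private note"),
}


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object or function."""


def get_note(caller: User, note_id: int) -> Note:
    """GET /notes/<id>: the id is user-supplied, so ownership is verified every time."""
    note = NOTES.get(note_id)
    if note is None or note.owner_id != caller.user_id:
        # Same error for "missing" and "not yours" so ids cannot be enumerated.
        raise Forbidden("note not accessible")
    return note


def delete_note(caller: User, note_id: int) -> bool:
    """DELETE /notes/<id>: an admin-only function; the role is never taken from the request."""
    if caller.role != "admin":
        raise Forbidden("delete requires the admin role")
    if note_id not in NOTES:
        raise Forbidden("note not accessible")
    del NOTES[note_id]
    return True
```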
Mass Assignment

Client parameters are automatically converted into internal object properties

POST /User/1/Video
{..., "video_name": "a1", "new_existing_property": "new_value", ...}

Permission-related properties: user.is_admin, user.is_vip should only be set by admins.
Process-dependent properties: user.cash should only be set internally after payment verification.
Internal properties: article.created_time should only be set internally by the application.
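An added example (not code from the slides) showing the three property classes above: `bind_unsafely` is the mass-assignment pattern (every body key becomes an attribute), and `bind` copies only allowlisted keys, so `is_admin`, `cash` and `created_time` cannot be set from the request. The `User` fields and allowlists are constructed for illustration.

```python
# Added example: binding a request body to an object through an allowlist.
from dataclasses import dataclass, field
import time


@dataclass
class User:
    user_id: int
    name: str
    is_admin: bool = False   # permission-related: admins only
    is_vip: bool = False     # permission-related: admins only
    cash: int = 0            # process-dependent: set after payment verification
    created_time: float = field(default_factory=time.time)  # internal only


# Keys each kind of caller may set (assumed sets, not from the slides).
CLIENT_WRITABLE = {"name"}
ADMIN_WRITABLE = CLIENT_WRITABLE | {"is_admin", "is_vip"}


def bind_unsafely(user: User, payload: dict) -> User:
    """Vulnerable: every key in the body becomes an attribute (mass assignment)."""
    for key, value in payload.items():
        setattr(user, key, value)
    return user


def bind(user: User, payload: dict, actor_is_admin: bool) -> list:
    """Safe: copy only allowlisted keys; return the rejected keys for logging."""
    allowed = ADMIN_WRITABLE if actor_is_admin else CLIENT_WRITABLE
    rejected = []
    for key, value in payload.items():
        if key in allowed:
            setattr(user, key, value)
        else:
            rejected.append(key)  # unexpected keys are worth logging: likely a probe
    return rejected


def credit_after_payment(user: User, amount: int, payment_verified: bool) -> int:
    """user.cash changes only through the internal payment flow, never from a body."""
    if payment_verified and amount > 0:
        user.cash += amount
    return user.cash
```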


Injection Attacks

Validate and sanitize all user parameters
Limit the number of returned records
Define data types and use strict type conversions
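As an added example (not code from the slides), the three mitigations above in one handler: `parse_int` does strict type conversion of a URL parameter, `MAX_LIMIT` caps the record count, and `search` uses a bound parameter where `search_unsafe` builds SQL from a string. It uses the standard-library sqlite3 module with a constructed in-memory table.

```python
# Added example: strict typing, a capped LIMIT, and parameterized SQL.
import re
import sqlite3

MAX_LIMIT = 50  # assumed cap on records per response


class BadRequest(ValueError):
    """Maps to HTTP 400 in a real handler."""


def parse_int(raw: str, lo: int, hi: int) -> int:
    """Convert a URL parameter to int; reject anything not an integer in [lo, hi]."""
    if not isinstance(raw, str) or not re.fullmatch(r"-?\d+", raw):
        raise BadRequest(f"not an integer: {raw!r}")
    value = int(raw)
    if not lo <= value <= hi:
        raise BadRequest(f"out of range: {value}")
    return value


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s1"), (2, "bob", "s2"), (3, "carol", "s3")])
    return conn


def search_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the parameter is spliced into the SQL text."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def search(conn: sqlite3.Connection, name: str, limit_param: str = "10") -> list:
    """Hardened: validated input, typed and capped limit, bound parameters."""
    limit = parse_int(limit_param, 1, MAX_LIMIT)
    if not name.isalnum() or len(name) > 64:   # allowlist the name's character set
        raise BadRequest("invalid name")
    rows = conn.execute("SELECT name FROM users WHERE name = ? LIMIT ?",
                        (name, limit)).fetchall()
    return [r[0] for r in rows]
```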
Brute Force Attacks

Public endpoints are required, but they are an easy target
Implement throttling and load balancing
Validate all URL parameters
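An added example (not code from the slides) of the throttling point here and the account-lockout point on the Broken User Authentication slide: one sliding-window counter keyed by source IP throttles the public endpoint, and a second keyed by account name locks the account after repeated failed logins. The limits and window lengths are assumed values, and the clock is passed in so the behaviour is deterministic.

```python
# Added example: sliding-window throttling per IP and lockout per account.
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps inside the window

    def _prune(self, key: str, now: float) -> deque:
        q = self._events[key]
        while q and now - q[0] >= self.window:  # forget events that aged out
            q.popleft()
        return q

    def hit(self, key: str, now: float) -> bool:
        """Record one event for key; False if the key is already at its limit."""
        q = self._prune(key, now)
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def exceeded(self, key: str, now: float) -> bool:
        """Check without recording, e.g. is this account currently locked?"""
        return len(self._prune(key, now)) >= self.limit


# Constructed policies; the numbers are assumptions, not from the slides.
PER_IP = SlidingWindowLimiter(limit=5, window=60.0)        # requests per source IP
PER_ACCOUNT = SlidingWindowLimiter(limit=3, window=900.0)  # failed logins per account


def handle_login(client_ip: str, username: str, password_ok: bool, now: float) -> str:
    """Outcome a handler would map to an HTTP status; `now` is injected for testing."""
    if not PER_IP.hit(client_ip, now):        # throttle the public endpoint
        return "429 throttled"
    if PER_ACCOUNT.exceeded(username, now):   # lockout after repeated failures
        return "423 locked"
    if not password_ok:
        PER_ACCOUNT.hit(username, now)        # only failures count toward lockout
        return "401 unauthorized"
    return "200 ok"
```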
Improper Asset Management

Old API endpoints are still available
The production database is used by test API endpoints
Maintain a proper inventory of API endpoints


Incidents

https://www.vice.com/en/article/a3qpk5/t-mobile-hack-data-breach-api-customer-data
https://www.vice.com/en/article/7xkyyz/t-mobile-customer-data-bug-hackers-no-excuse
https://www.pentestpartners.com/security-blog/gps-watch-issues-again/
https://www.pentestpartners.com/security-blog/hackers-in-hot-water-pwning-smart-hot-tubs-yes-really/
https://apisecurity.io/issue-49-uber-account-takeover-leaky-get-api/
https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/
Questions
[email protected]