apidays Hong Kong 2022 - API-First Digital Transformation & Platform Economy August 24 & 25, 2022 Attack API Architecture Alvin Tam, EASG Committee at Hong Kong Computer Society ------------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/ Deep dive into the API industry with our reports: https://www.apidays.global/industry-reports/ Subscribe to our global newsletter: https://apidays.typeform.com/to/i1MPEW

1. Attack API
Architecture
Alvin TAM
Executive Committee
Enterprise Architecture special group
Hong Kong Computer Society
(ExCo EASG HKCS)
Attack vector created by storyset - www.freepik.com

2. API
Attack
happening
Everyday

3. © 2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates.
API
Security Flaws
Can Result in
Data Breaches

4. Key Issues
What are the problems
with API security?
How can APIs be secured?
How about the
API Security Architecture?
?

5. OWASP API Security Top 10
Broken object level authorization
Broken authentication
Excessive data exposure
Lack of resources and rate limiting
Broken function level authorization
Mass assignment
Security misconfiguration
Injection
Improper asset management
Insufficient logging and monitoring
01
02
03
04
05
06
07
08
09
10
What happens if
you increment that
number?
/patient/333555
You can have a check with an
open source
https://github.com/OWASP/crAPI

6. APIs
How are our API Architectures being
attacked?
Website/Single Page
Application
IoT Devices
Mobile App
Cloud Service
Keys:
1
4
3
2
2
2
1
2
3
4
Unsecured API keys in
repositories and
storage
Hard-coded
credentials (incl. API
Keys) in applications
API logic flaws
Sniffed API calls
Plus all traditional
web application
attacks!

7. Hackers have a lot of ways to attack
• Hackers can
• Attacking Authentication
• Fuzzing
• Broken object-level authorization (BOLA)
• Broken Function Level Authorization
• Blind Mass Assignment Attack
• Change product price
• Injection
• XXS
• SQL Injection

8. Attacking Authentication
• Password Brute-Force Attacks
• Password Forget password OTP attacks
• Brute-Forcing Predictable Tokens
POST /identity/api/auth/v3/check-otp
HTTP/1.1
Host: 192.168.195.130:8888
User-Agent: Mozilla/5.0 (x11; Linux x86_64;
rv: 78.0) Gecko/20100101
Accept: */*
Accept -Language: en-US, en;q=0.5
Accept-Encoding: gzip,deflate
Referer: http://111.222.101:8888/forgot-
password
Content-Type: application/json
Origin: http://111.222.101.100:8888
Content-Length: 62
Connection: close
{
"email":"a@email.com",
"otp":"1234",
"password": "Newpassword"
}
Token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJpc3MiOiJoYWNrYXBpcy5pbyIsImV4c
CI6IDE1ODM2Mzc0ODgsInVzZXJuYW1lIj
oiU2N1dHRsZXBoMXNoIiwic3VwZXJhZG
1pbiI6dHJ1ZX0.1c514f4967142c27e4e57
b612a7872003fa6cbc7257b3b74da17a8b
4dc1d2ab9

9. Fuzzing
• Targeted fuzzing payloads are aimed at provoking a response from specific
technologies and types of vulnerabilities. Targeted fuzzing payload types might
include API object or variable names, cross-site scripting (XSS) payloads,
directories, file extensions, HTTP request methods, JSON or XML data, SQL or No
SQL commands, or commands for particular operating systems.
• Sending various symbols (-_!@#$%^&*();':''|,./?>) Sending characters from
unexpected languages (漢, さ, Ж, Ѫ, Ѭ, Ѧ, Ѩ, Ѯ)
• There are two fuzzing techniques: fuzzing wide and fuzzing deep. Fuzzing wide is
the act of sending an input across all of an API’s unique requests in an attempt to
discover a vulnerability. Fuzzing deep is the act of thoroughly testing an individual
request with a variety of inputs, replacing headers, parameters, query strings,
endpoint paths, and the body of the request with your payloads. You can think of
fuzzing wide as testing a mile wide but an inch deep and fuzzing deep as testing an
inch wide but a mile deep.

10. Broken object-level authorization (BOLA)
• Broken object-level authorization (BOLA) vulnerabilities
occur when a user is able to access other users' data due to
the flaws in authorization controls validating access to data
objects.
• Get /api/v1/user/account?id=100001
• Get /api/v1/user/account?id=100002
• Get /api/v1/user/account?id=100003
• …..

11. Broken Function Level Authorization
• Finding BFLAs Hunting for BFLA involves
searching for functionality to which you should
not have access. A BFLA vulnerability might
allow you to update object values, delete data,
and perform actions as other users. To check for
it, try to alter or delete resources or gain access
to functionality that belongs to another user or
privilege level.
• Create, read, update, or delete resources as
UserA.
• Swap out your UserA token for UserB’s.
• Send GET, PUT, POST, and DELETE requests
for UserA’s resources using UserB’s token.
• Check UserA’s resources to validate changes
have been made by using UserB’s token.
Request:
GET /api/picture/2
Token: UserA_token
Response:
200 OK
{
"_id": 2,
"name": "development
flower",
"creator_id": 2,
"username": "UserA",
"money_made": 0.35,
"likes": 0
}

12. Blind Mass Assignment Attack
• If you cannot find variable names in the locations discussed, you could perform a blind
mass assignment attack. In such an attack, you’ll attempt to brute-force possible variable
names through fuzzing. Send a single request with many possible variables, like the
following, and see what sticks:
POST /api/v1/register
--snip--
{
"username":"hAPI_hacker",
"email":"hapi@hacker.com",
"admin": true,
"admin":1,
"isadmin": true,
"role":"admin",
"role":"administrator",
"user_priv": "admin",
"password":"Password1!"
}
PUT /api/v1/account/update
Token:UserA-Token
--snip--
{
"username": "Brock",
"address": "456 Onyx Dr",
"city": "Pewter Town",
"region": "Kanto",
"email": "ash@email.com",
"mfa": false
}
• If an API is vulnerable, it might
ignore the irrelevant variables
and accept the variable that
matches the expected name and
format.

13. Change the product price
• POST /identity/api/auth/signup
• POST /workshop/api/shop/orders
• POST /workshop/api/merchant/contact_mechanic
POST /workshop/api/shop/products HTTP/1.1
Host: 192.168.195.130:8888
Authorization: Bearer UserA-Token
{
"name":"MassAssignment SPECIAL",
"price":-5000,
"image_url":"https://example.com/chickendinner.jpg
"
}
POST /workshop/api/shop/products HTTP/1.1
Host: 197.164.150.110:8888
Authorization: Bearer UserA-Token
{
"name":"TEST1",
"price":25,
"image_url":"string",
"credit":1337
}

14. Injection
• Database injection techniques such as SQL injection take advantage of
SQL databases, whereas NoSQL injection takes advantage of NoSQL
databases.
• Cross-site scripting (XSS) attacks insert scripts into web pages that run
on a user’s browser. Cross-API scripting (XAS) is similar to XSS but
leverages third-party applications ingested by the API you’re attacking.
• Command injection is an attack against the web server operating
system that allows you to send it operating system commands.

15. Cross Site Scripting (XXS)
• Here are a few examples of XSS payloads:
<script>alert("xss")</script>
<script>alert(1);</script>
<%00script>alert(1)</%00script>
SCRIPT>alert("XSS");///SCRIPT>
• Payload Box XSS payload list This list contains
over 2,700 XSS scripts that could trigger a
successful XSS attack
(https://github.com/payloadbox/xss-payload-list).
POST /api/profile/update HTTP/1.1
Host: hapihackingblog.com
Authorization: hAPI.hacker.token
Content-Type: application/json
{
"fname": "hAPI",
"lname": "Hacker",
"city": "<script>alert("xas")</script>"
}

16. SQL / No SQL Injection
• SELECT * FROM userdb WHERE
username = ‘hacker' AND password
= 'Password1!'
• SELECT * FROM userdb WHERE
username = ‘hacker' OR 1=1-- -
No SQL
POST
/community/api/v2/coupon/validate-
coupon HTTP/1.1
--snip--
{"coupon_code":"%7b$where%22%
3a%22sleep(1000)%22%7d"}
Then you can go inside the site in
API, e.g.
POST /login HTTP/1.1
Host: 192.168.195.132:8000
--snip--
user=hapi%40hacker.com&pass=§
Password1%21§

17. Key Issues
What are the problems
with API security?
How can APIs be secured?
How about the
API Security Architecture?

18. Application Developer
A.
Security Team
B.
API Team
C.
Integration Team
D.
Nobody
E.
Who is primarily responsible for API security in
your organization?
Retrospective Question

19. Security in the API Lifecycle
Design
Time
Runtime
API Security
Testing
API Threat
Protection
API
Discovery
(Runtime)
API Discovery
(Design Time)

20. API Security with Mobile and Client-Side Apps
● Avoid credential hardcoding
● Protect from man in the middle
attacks
● Verify the environment App
APIs

21. © 2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates.
Including your Security Team in API Strategy
Is the
Security team
involved?
80%
20%
Yes
No
Percentage of Respondents
Use API
management
solution
Don’t use
API
management
solution
Base 66 32
Yes 88% 66%
No 12% 34%
Statistically significant difference @ 95%
prepare your tech team ready for Security Development

22. Key Issues
What are the problems
with API security?
How can APIs be secured?
How about the
API Security Architecture?

23. ID
Delivering API Security Architecture
Developer
End User
Browser
Mobile
Application to
Application
API Portal
API Gateway
Access
Management
Web
Application
Firewall
API Security
Testing
Discover unsecured APIs
Integrate with API
gateway, provide
proxy/gateway, use
AI/ML to detect unusal
API usage
API Management
In-App
Protection
APIs

24. Scenario:
Mobile APP, Web
and IoT Devices on
API Architecture

25. Create a policy to secure your APIs.
Secure:
Observe your API usage. Learn what “normal” is
for API behavior.
Analyze:
Inventory APIs that have been delivered, or are in
the development process. APIs consumed from
third-parties should also be included.
API
API
Putting it all together
Discover:
1
2
3

26. Three Sides of API Security Architecture
API Security Testing API Protection API Access Control
Key
functionality
Identification of API security
flaws and vulnerabilities
Content validation, threat
detection, traffic throttling
Authentication, authorization,
identity propagation
Key
technologies
used
Dynamic application security
testing (DAST), fuzzing, static
application security testing
(SAST)
Attack signature, reputation-
based control, anomaly
detection, OAS message
validation
OAuth 2.0, OpenID Connect,
JSON Web Tokens
Product
categories
Application security testing
tools, specialized API security
platforms
Web application firewalls, API
management, specialized API
security platforms.
API management, access
management software,
IDaaS.

27. Your API Security Building Blocks
Authentication of the
API client
(e.g., mobile app)
JSON/XML
element encryption
Quota management/
Traffic throttling
Content inspection
Content validation
(JSON schema, XML schema)
Tokenization of sensitive
information
(e.g., patient number)
Automated
attack/Bot detection
Usage plan management Data transformation
Store audit logs Digital signature API key authentication
Fine-grained
authorization
OAuth scope management
Transport security
(TLS/SSL)
Integration with
access management
XML/SOAP security
(WS-security, etc.)
Alerting
(including to SIEM)

28. API
Client Applications
Authentication and
authorization
Validation against
API Definition
Remove sensitive data
from API responses
Validation of API
response
Security
Analytics
platforms
Store Audit Logs
Identity and
access
management
Detection of harmful or
unusual API traffic
Application
firewalls, bot
mitigation, AI/ML
Data masking,
Data
tokenization
uses
uses
uses
uses
Example Policy for API Security Architecture

29. 23 © 2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc.
and its affiliates.
Recommendations
Include your
security team in
your API platform
team
Consider the
whole picture for
API security
architecture, not
just an API
gateway
Think “North
South” as well as
“East West” for
API security
architecture

30. Enjoy speeding APIs &
being protected from
hackers
Alvin TAM
Executive Committee
Enterprise Architecture special group
Hong Kong Computer Society
(ExCo HKCS)