APIsecure 2023 - Breaking Vulnerable APIs, Tushar Kulkarni

  2. AGENDA
     Introduction
     Modern WebApp Architectures
     API as an Attack Vector in 2023
     Fortifying APIs
     Breaking Vulnerable API (vAPI) Demo
     2023 Breaking Vulnerable APIs 2

  3. GET /INTRODUCTION HTTP/2.0
     Tushar Kulkarni
     • Creator of vAPI
     • Graduate Student, Indiana University Bloomington
     • Presented at BlackHat Arsenal, OWASP, HITB etc.
     • Making and Playing CTFs
  4. The total amount of venture capital raised with companies describing themselves as an API security solution was $578 Million according to the Crunchbase database. - API Secure 2023 Report
  5. MODERN WEB APPLICATION ARCHITECTURES
  6. API AS AN ATTACK VECTOR IN WEB APPLICATIONS
  7. SOME OF MY FAVORITE VULNERABILITIES ❤️ FROM OWASP API TOP 10 2019
     • Mass Assignment
     • Broken Function Level Authorization
     • Excessive Data Exposure
  8. FORTIFYING APIS
     • Use Random and Unpredictable GUIDs/UUIDs for storing Objects in the Database
     • Never rely on the Client side to Filter Sensitive Data
     • Enforce a Limit on How often the Client can Call the API endpoint
     • Make sure all administrative endpoints validate the user’s role and privileges before performing the action
     • Avoid functions binding Client-Side data into Code Variables and later into an Object in the Database
     • Enforce a Strong CORS Policy with Custom Unguessable Authorization Headers
     • Treat every input like it’s DANGEROUS
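The three OWASP API Top 10 items named above and the corresponding "fortifying" rules, shown as an added example that is not vAPI's own code. It is a framework-free Python stand-in for a Laravel controller, with a constructed in-memory user table in place of MySQL: one handler binds the client's JSON straight into the record and echoes the full row back (mass assignment plus excessive data exposure), the hardened handler allow-lists writable and readable fields, and the admin endpoint checks the caller's server-side role before acting.

```python
import copy

# Constructed in-memory user table standing in for the vAPI database;
# every value below is made up for this example.
SEED_USERS = {
    1: {"id": 1, "username": "alice", "email": "alice@example.com",
        "password_hash": "<constructed-hash>", "role": "user",
        "credit_card": "<constructed-card>"},
    2: {"id": 2, "username": "root", "email": "root@example.com",
        "password_hash": "<constructed-hash>", "role": "admin",
        "credit_card": ""},
}
PUBLIC_FIELDS = ("id", "username", "email")   # what any client may read
CLIENT_WRITABLE = ("username", "email")       # what a client may change

def fresh_store():
    """Return an independent copy of the seed table for each scenario."""
    return copy.deepcopy(SEED_USERS)

def vulnerable_update(store, user_id, body):
    """Mass assignment + excessive data exposure: the JSON body is bound
    straight into the stored record and the whole record is returned,
    leaving the client to 'filter' sensitive fields."""
    store[user_id].update(body)
    return 200, dict(store[user_id])

def hardened_update(store, user_id, body):
    """Bind only allow-listed keys, reject anything else, and serialise
    only the public view of the record."""
    unexpected = sorted(set(body) - set(CLIENT_WRITABLE))
    if unexpected:
        return 422, {"error": "unexpected fields", "fields": unexpected}
    record = store[user_id]
    for key in CLIENT_WRITABLE:
        if key in body:
            record[key] = body[key]
    return 200, {k: record[k] for k in PUBLIC_FIELDS}

def admin_delete_user(store, caller_id, target_id):
    """Function-level authorization: the role is read from the caller's
    stored record on the server, never from a client-supplied claim."""
    if store.get(caller_id, {}).get("role") != "admin":
        return 403, {"error": "forbidden"}
    store.pop(target_id, None)
    return 204, None
```

Sending `{"role": "admin"}` to the vulnerable handler silently promotes the user and leaks the password hash in the response; the hardened handler rejects the field with 422 and never serialises it.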
  9. GUESS WHAT?????
  11. PROJECT UPDATES
     • New XSS Vulnerability?????
     • Minor Bug Fixes
     • Kubernetes Support (Thanks to @AndyG-0)
  12. TECH STACK
  13. INSTALLATION
     Docker
     - Make sure you have docker and docker-compose
     - Go to the root of the project and run docker-compose up -d
     Manually
     - Prerequisites include PHP, MySQL
     - Configure the MySQL credentials and Server port in the .env file of the project
     - You can run the php artisan serve command to start the Laravel Server
     Kubernetes
     - helm upgrade --install vapi ./vapi-chart --values=./vapi-chart/values.yaml
  14. TOOLS REQUIRED TO TEST
     • Postman
     • Burp Suite / OWASP ZAP
  15. DEMO
  16. REFERENCES AND CONTRIBUTORS
     API Security Weekly: Issue #132
     OWASP Vulnerable Web Applications Directory (VWAD)
     arainho/awesome-api-security: A collection of awesome API Security tools and resources.
  17. THANK YOU, Q&A
     Tushar Kulkarni
     @vk_tushar
     Email: