APIsecure 2023 - Your Technical Debt is My Bug Bounty, Dr. Katie Paxton-Fear
•
0 j'aime•129 vues
APIsecure 2023 - The world's first and only API security conference March 14 & 15, 2023 Opening Keynote: Your Technical Debt is My Bug Bounty - Some fun hacker stories and the future of API hacking Dr. Katie Paxton-Fear, Lecturer in Cyber Security, Speaker & Ethical Hacker ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/
Recommandé
Recommandé
Contenu connexe
Similaire à APIsecure 2023 - Your Technical Debt is My Bug Bounty, Dr. Katie Paxton-Fear
Similaire à APIsecure 2023 - Your Technical Debt is My Bug Bounty, Dr. Katie Paxton-Fear (20)
Plus de apidays
Plus de apidays (20)
Dernier
Dernier (20)
APIsecure 2023 - Your Technical Debt is My Bug Bounty, Dr. Katie Paxton-Fear
- 1. YOUR TECHNICAL DEBT IS MY BUG BOUNTY Katie Paxton-Fear @insiderphd
- 2. ABOUT ME • My name is Katie (she/her) • I have a PhD in Defence and Security and a background in NLP/AI/ML • I used to be a developer before I realised I didn’t like my job • Accidentally fell into cyber security • Not sure how to get out, I have passed the event horizon • Well known hacker with a YouTube channel
- 3. BUG BOUNTY IN A NUTSHELL • I get invites by companies to hack them • I hack them and tell them about how I did it • I get paid per vulnerability I find • If I don’t find anything I don’t get paid • Targets tend to be very mature and will only accept flaws – not best practices • Think big silicon valley companies
- 4. READ THE DOCS Or how I figured out the exact software version of a dependency of a dependency with just API requests
- 7. --------------------------cec8e8123c05ba25 Content-Disposition: form-data; name="operations" { "query": "mutation ($file: Upload!) { singleUpload(file: $file) { id } }", "variables": { "file": null } } --------------------------cec8e8123c05ba25 Content-Disposition: form-data; name="map" { "0": ["variables.file"] } --------------------------cec8e8123c05ba25 Content-Disposition: form-data; name="0"; filename="a.txt" Content-Type: text/plain Alpha file content. --------------------------cec8e8123c05ba25-- GRAPHQL MULTIPART FORM? BASICALLY: IT’S WEIRD
- 8. WHEN IN DOUBT GOOGLE
- 10. NARROWING DOWN THE OPTIONS
- 11. I AM A SECURITY RESEARCHER
- 12. JACKSON DATABIND
- 13.
- 14. THINKING CRUD
- 16. CRUD IN ACTION
- 17. EDIT FORM SUBMIT 403 ACCESS FORBIDDEN
- 18. WHAT IF IT’S PRIVATE???
- 19.
- 20. QUIZICIAL Balancing performance against security
- 22. EFFICENCY
- 23. BATCHING
- 25. Automation
- 26.
- 27. THE TRUTH ABOUT API HACKING IT’S NOT SPECIAL
- 28. WE ASSUME APIS ARE SPECIAL • They LOOK different • They have a different use case • JSON is scary • They’re the same as any website • Yes they look different • But the vulnerabilities aren’t wildly different
- 29. BUT I DON’T KNOW BURP / POSTMAN YOU DON’T NEED TO LEARN SOMETHING NEW YOU CAN USE WHAT YOU ALREADY KNOW
- 30. API BUG HUNTING • I can categorise my bugs into 2 broad categories • Issues between the interface and the API • API will return more data than the UI shows • Access control • More boring to talk about but very common
- 31. MOST API HACKING IS MORE THINKING THAN TECHNICAL
- 32. SAYING THAT…
- 33. I WANT TO LEARN The college course you wish you could take Web Hacking 101 – FREE ON YOUTUBE Launching 19th
- 34. WHAT NEXT FOR API SECURITY? • Many systems are no longer designed • But a mess of APIs, no-code services, IFTTT, etc… • Race for new and shiny often means limited security • If your system is a collection of SAAS where does your responsibility start? • The weaknesses between services • E.g. prompt injection between Bing Chat and ChatGPT’s API
- 35. WE ASKED PEOPLE ABOUT NOVEL TECHNOLOGY • The participants spoke a lot about how technology like AI has security risks • They even highlighted specific vulnerabilities like model poisoning • But even when prompted they didn't speak about HOW these would be connected • API security is seen by a lot of folks as a "solved" problem, or even that it doesn't matter • Thinking more about data at rest vs in transit • Maybe bias? Maybe APIs are dull? • We don't know! • Is this research you'd like to be involved in? Please register your interest! We'd love to get more API folks involved https://forms.office.com/e/LYmbcfNTWe
- 36. TLDR: APIS ARE VULNERABLE • That's it • That's the tweet