APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023
Opening Keynote: Your Technical Debt is My Bug Bounty - Some fun hacker stories and the future of API hacking
Dr. Katie Paxton-Fear, Lecturer in Cyber Security, Speaker & Ethical Hacker
2. ABOUT ME
• My name is Katie (she/her)
• I have a PhD in Defence and Security and a background in NLP/AI/ML
• I used to be a developer before I realised I didn’t like my job
• Accidentally fell into cyber security
• Not sure how to get out; I have passed the event horizon
• Well-known hacker with a YouTube channel
3. BUG BOUNTY IN A NUTSHELL
• I get invites from companies to hack them
• I hack them and tell them about how I did it
• I get paid per vulnerability I find
• If I don’t find anything, I don’t get paid
• Targets tend to be very mature and will only accept flaws – not best practices
• Think big Silicon Valley companies
4. READ THE DOCS
Or how I figured out the exact software version of a dependency of a dependency with just API requests
28. WE ASSUME APIS ARE SPECIAL
• They LOOK different
• They have a different use case
• JSON is scary
• They’re the same as any website
• Yes, they look different
• But the vulnerabilities aren’t wildly different
29. BUT I DON’T KNOW BURP / POSTMAN
YOU DON’T NEED TO LEARN SOMETHING NEW
YOU CAN USE WHAT YOU ALREADY KNOW
30. API BUG HUNTING
• I can categorise my bugs into 2 broad categories
  • Issues between the interface and the API
    • The API will return more data than the UI shows
  • Access control
    • More boring to talk about but very common
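The two bug classes on this slide, worked through as an added example that is not code from the talk: a record-fetch handler that serialises the whole row (the API carries fields the UI never renders) next to one that builds the response from an explicit field allowlist, and an update handler that trusts the id in the URL next to one that checks object-level authorisation first. The user table, the field names and all function names are constructed for illustration; no web framework is used, so the handlers are plain functions that take the caller's id and the target id.

```python
# Added example (not from the talk): excessive data exposure and object-level
# access control, in plain Python. All data below is constructed sample data.

# Constructed sample rows standing in for a users table (not real accounts).
USERS = {
    1: {"id": 1, "username": "alice", "display_name": "Alice",
        "email": "alice@example.com", "password_hash": "$2b$12$constructed",
        "api_key": "ak_constructed_alice", "is_admin": False},
    2: {"id": 2, "username": "bob", "display_name": "Bob",
        "email": "bob@example.com", "password_hash": "$2b$12$constructed",
        "api_key": "ak_constructed_bob", "is_admin": False},
    3: {"id": 3, "username": "root", "display_name": "Admin",
        "email": "admin@example.com", "password_hash": "$2b$12$constructed",
        "api_key": "ak_constructed_admin", "is_admin": True},
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# ---- Bug class 1: the API returns more data than the UI shows ----

def get_user_naive(requester_id, target_id):
    """Anti-pattern: serialise the whole record. The UI renders only username
    and display_name, so nobody notices that email, api_key and password_hash
    ride along in the JSON for anyone who reads the raw response."""
    if target_id not in USERS:
        raise NotFound(target_id)
    return dict(USERS[target_id])


PUBLIC_FIELDS = ("id", "username", "display_name")   # any authenticated caller
OWNER_FIELDS = PUBLIC_FIELDS + ("email",)           # the owner or an admin
# password_hash and api_key appear in no allowlist: they never leave the server.


def get_user_hardened(requester_id, target_id):
    """Allowlist serialisation: the response is built from an explicit field
    list chosen by the caller's relationship to the record."""
    record = USERS.get(target_id)
    if record is None:
        raise NotFound(target_id)
    allowed = OWNER_FIELDS if can_modify(requester_id, target_id) else PUBLIC_FIELDS
    return {k: record[k] for k in allowed}


def leaked_fields(requester_id, target_id):
    """Review aid: keys the naive handler exposes that the hardened one withholds."""
    return sorted(set(get_user_naive(requester_id, target_id))
                  - set(get_user_hardened(requester_id, target_id)))


# ---- Bug class 2: access control on object identifiers ----

def can_modify(requester_id, target_id):
    """Object-level authorisation: only the owner or an admin may act on a record."""
    requester = USERS.get(requester_id)
    if requester is None:
        return False
    return requester_id == target_id or requester["is_admin"]


def update_email_naive(requester_id, target_id, new_email):
    """Anti-pattern: the handler trusts the id in the URL and never asks who is calling."""
    if target_id not in USERS:
        raise NotFound(target_id)
    USERS[target_id]["email"] = new_email
    return get_user_naive(requester_id, target_id)


def update_email_hardened(requester_id, target_id, new_email):
    """Same operation with the authorisation decision made before any write."""
    if target_id not in USERS:
        raise NotFound(target_id)
    if not can_modify(requester_id, target_id):
        raise Forbidden(f"user {requester_id} may not modify user {target_id}")
    USERS[target_id]["email"] = new_email
    return get_user_hardened(requester_id, target_id)


if __name__ == "__main__":
    print("bob fetching alice, naive:   ", get_user_naive(2, 1))
    print("bob fetching alice, hardened:", get_user_hardened(2, 1))
    print("fields the UI never showed:  ", leaked_fields(2, 1))
    print("bob may edit alice's email?  ", can_modify(2, 1))
```

The design point is that both fixes are decisions the handler makes explicitly: the serialiser names what goes out rather than relying on what the UI happens to draw, and the write path asks "may this caller touch this object?" before it looks at the payload. `leaked_fields` is the kind of diff a reviewer can run across every endpoint to find the first bug class without reading the front end.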
33. I WANT TO LEARN
The college course you wish you could take
Web Hacking 101 – FREE ON YOUTUBE
Launching 19th
34. WHAT NEXT FOR API SECURITY?
• Many systems are no longer designed as a whole, but are a mess of APIs, no-code services, IFTTT, etc…
• The race for new and shiny often means limited security
• If your system is a collection of SaaS, where does your responsibility start?
• The weaknesses between services
  • E.g. prompt injection between Bing Chat and ChatGPT’s API
35. WE ASKED PEOPLE ABOUT NOVEL TECHNOLOGY
• The participants spoke a lot about how technology like AI has security risks
• They even highlighted specific vulnerabilities like model poisoning
• But even when prompted they didn't speak about HOW these would be connected
• API security is seen by a lot of folks as a "solved" problem, or even that it doesn't matter
• Thinking more about data at rest vs in transit
• Maybe bias? Maybe APIs are dull?
• We don't know!
• Is this research you'd like to be involved in? Please register your interest! We'd love to get more API folks involved
https://forms.office.com/e/LYmbcfNTWe
36. TLDR: APIS ARE VULNERABLE
• That's it
• That's the tweet