Hacking Web APIs

The document is a presentation on hacking web APIs, detailing various vulnerabilities such as Insecure Direct Object Reference, SQL Injection, and Cross Site Scripting. It includes live demos and emphasizes the importance of secure coding practices and adhering to OWASP guidelines. The presenter, Matt Scheurer, shares insights from his extensive experience in computer security and incident response.

Uploaded by: Mashrur

Hacking Web APIs (v1.1)

Wednesday, May 08, 2024

Cincinnati OWASP Chapter

"I mean have you gotten any insight as to why a bright guy like this would hack some vulnerable Web APIs?"
"No sir. He says he does this sort of thing for fun."

- Matt Scheurer
About Me

What I do...

I work for a big well-known organization... As Vice President (VP) of Computer Security and Incident Response (IR). However, I have many years of hands-on technical experience, including Digital Forensics & Incident Response (DFIR).

I am also a Podcast Host for https://threatreel.com

Connect / Contact / Follow Matt:
https://www.linkedin.com/in/mattscheurer
https://twitter.com/c3rkah

Where I volunteer...

• I am an Official Advocate: https://www.hackingisnotacrime.org
• Advisory Board: Information Technology and Cybersecurity: https://www.mywccc.org/
• Women’s Security Alliance (WomSA) Technical Mentor: https://www.womsa.org
Disclaimer!

Yes, I have a day job. However…

Opinions expressed are based solely on my own independent security research and do not express or reflect the views or opinions of my employer.
Other Disclaimers

The informational material presented is for educational purposes only. The presenter is not responsible for its use or misuse. No warranties or guarantees implied or otherwise are in effect. Use of these tools, techniques and technologies is at your own risk!

I work here: [logo] As a Sr. Systems Security Engineer
*** Live Demo Alert ***

This presentation features “Live Demos”, because the speaker is...

Please pick 2…

So I am not just Crazy!


What is an API?

An API is an “Application Programming Interface”. APIs allow access or interaction between systems. They often provide developers and power users with a means to access or leverage data and services on external or cloud-based systems and services. APIs may grant read, write, or modify privileges depending on design, configuration, implementation, and applied permissions.

Matt’s K.I.S.S. Definition

[Image: Paul, Peter, Gene, Ace] No, not that KISS… – Though, admittedly, I do like their music!

An API is an “Application Programming Interface” which allows external interaction with data.
What is REST?

REST is an acronym for REpresentational State Transfer.

Web Services that conform to the REST architectural style, called RESTful Web Services, provide interoperability between computer systems on the Internet.

What is the Tiredful API?

The Tiredful API is an intentionally broken web app by design. The purpose of the application is to teach developers, QA testers, or security professionals about flaws present in Web Services (REST API) due to insecure coding practices.
Tiredful API Vulnerabilities

• Information Disclosure
• Insecure Direct Object Reference (IDOR)
• Access Control
• Throttling
• SQL Injection (SQLi)
• Cross Site Scripting (XSS)
House Keeping

• For demo purposes, I am using a web browser with the REST Client extension
• Some challenges require authentication under an account with appropriate access
  – Exercises involving access to protected data require an access key
Authentication Control

• OAuth 2.0 Access
  – The token credentials consist of an access token and token secret used in lieu of a username and password
  – The required “token_type” typically uses the string “Bearer” under most implementations

Stolen Access Tokens

• MITRE ATT&CK, Tactic: TA0006
  – Credential Access
  – https://attack.mitre.org/tactics/TA0006/
Getting Started

1) Browse to the local Tiredful API home page
   • By default, http://127.0.0.1:8000/
2) Click on “User Token”
3) Login to obtain a user token (i.e., ‘batman’)
4) Note the returned “access_token” value
Information Disclosure

• Sensitive data examples
  – Financial data (i.e., PCI, account data, credit cards)
  – Personally Identifiable Information (PII)
  – System / Stacktrace Information
• Reconnaissance

OWASP Mappings

• OWASP Top 10
  – A02:2021 - Cryptographic Failures
• OWASP API Top 10
  – API3:2023 - Broken Object Property Level Authorization

Demo 1 / 6

Scenario: Information Disclosure
Objective: Try to get stacktrace information.
Insecure Direct Object Reference

• IDOR Risks
  – Failure to restrict access appropriately
  – Threat actors exploiting flaws to gain unauthorized access to data or traversing other parts of a system

OWASP Mappings

• OWASP Top 10
  – A01:2021 - Broken Access Control
• OWASP API Top 10
  – API1:2023 - Broken Object Level Authorization

Demo 2 / 6

Scenario: Insecure Direct Object Reference (IDOR)
Objective: Try to access exam results of another user.

Access Control

• Risks
  – Allowing unintended access from the way a system or application was designed
  – Failure to restrict protected or administrative actions to authorized users

OWASP Mappings

• OWASP Top 10
  – A01:2021 - Broken Access Control
• OWASP API Top 10
  – API5:2023 - Broken Function Level Authorization

Demo 3 / 6

Scenario: Access Control
Objective: Try to execute an operation which should be only allowed to admin users.
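The Authentication Control, IDOR and Access Control slides above describe three checks a server must make on every request. The following is an added example (not code from the Tiredful API or from the presenter) showing them in one place: bearer-token authentication, an object-level ownership check for exam results, and a function-level admin check. The token table, roles, exam records and function names are constructed for this example.

```python
# Added example, not the Tiredful API's own code. One handler pair performing the
# three checks the demos probe: bearer-token authentication, object-level
# authorization (IDOR) and function-level authorization (admin-only operation).
from dataclasses import dataclass

# Constructed sample data: access_token -> (username, role)
TOKENS = {
    "tok-batman-1234": ("batman", "user"),
    "tok-alfred-9999": ("alfred", "admin"),
}
# Constructed sample data: exam_id -> (owner, score)
EXAM_RESULTS = {1: ("batman", 87), 2: ("robin", 64)}

@dataclass
class Response:
    status: int
    body: object

def authenticate(headers):
    """Return (username, role) for a valid 'Authorization: Bearer <token>' header, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token.strip():   # token_type must be Bearer
        return None
    return TOKENS.get(token.strip())              # unknown token -> None

def get_exam_result(headers, exam_id):
    """Object-level check: a caller may only read exam results they own."""
    who = authenticate(headers)
    if who is None:
        return Response(401, {"error": "missing or invalid access token"})
    record = EXAM_RESULTS.get(exam_id)
    # Same 404 for "does not exist" and "not yours", so the id space is not enumerable
    if record is None or record[0] != who[0]:
        return Response(404, {"error": "not found"})
    return Response(200, {"exam_id": exam_id, "score": record[1]})

def delete_exam_result(headers, exam_id):
    """Function-level check: the admin role is required regardless of ownership."""
    who = authenticate(headers)
    if who is None:
        return Response(401, {"error": "missing or invalid access token"})
    if who[1] != "admin":
        return Response(403, {"error": "admin role required"})
    EXAM_RESULTS.pop(exam_id, None)
    return Response(204, None)
```

The ownership test is the one Demo 2 exercises: without `record[0] != who[0]`, any valid token could read exam 2 simply by changing the id.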
Throttling

• Risks
  – Denial of Service (DoS)
    • A way to flood system resources which effectively makes a system unavailable
    • Prevents legitimate users from accessing a system

MITRE ATT&CK Mappings

• MITRE ATT&CK
  – T1499: Endpoint Denial of Service
    • T1499.003: Application Exhaustion Flood

Demo 4 / 6

Scenario: Throttling (a.k.a. Rate Limit Implementation)
Objective: Force server to respond with HTTP response code 429 to abuse system resources by launching a DoS attack.
NOTE: An HTTP 429 response code means "Too Many Requests".
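Demo 4 expects the server to answer a flood with HTTP 429 rather than let it exhaust the application. As an added example (not the Tiredful API's own throttling code), here is a per-client sliding-window rate limiter that returns 429 with a Retry-After header once a client exceeds its quota; the limit, window, client ids and the injectable clock are constructed for the example.

```python
# Added example, not Tiredful's code: sliding-window rate limiter that answers
# 429 "Too Many Requests" with Retry-After instead of serving an application
# exhaustion flood (T1499.003). Limits and client ids are constructed values.
from collections import deque

class RateLimiter:
    def __init__(self, limit, window_seconds, clock):
        self.limit = limit          # max requests a client may make per window
        self.window = window_seconds
        self.clock = clock          # injectable time source so tests are deterministic
        self.hits = {}              # client_id -> deque of request timestamps

    def check(self, client_id):
        """Return (status, headers). The request is counted only if it is allowed."""
        now = self.clock()
        q = self.hits.setdefault(client_id, deque())
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            # oldest request in the window decides when capacity frees up
            retry_after = int(self.window - (now - q[0])) + 1
            return 429, {"Retry-After": str(retry_after)}
        q.append(now)
        return 200, {"X-RateLimit-Remaining": str(self.limit - len(q))}

class FakeClock:
    """Constructed clock so the flood can be simulated without sleeping."""
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t
    def advance(self, seconds): self.t += seconds

def simulate_flood(limit=5, window=60, burst=8):
    """One client sends `burst` requests at once, then one more after the window."""
    clock = FakeClock()
    rl = RateLimiter(limit, window, clock)
    statuses = [rl.check("10.0.0.7")[0] for _ in range(burst)]
    clock.advance(window)          # window elapsed: the client is admitted again
    statuses.append(rl.check("10.0.0.7")[0])
    return statuses

def retry_after_on_burst(limit=2, window=10):
    """Exceed `limit` instantly and return (status, Retry-After seconds) the client sees."""
    rl = RateLimiter(limit, window, FakeClock())
    for _ in range(limit):
        rl.check("client-a")
    status, headers = rl.check("client-a")
    return status, int(headers["Retry-After"])
```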
SQL Injection

• SQLi Risks
  – Vulnerabilities which allow unauthorized access to a back-end database
  – Abuses
    • Data exfiltration, destruction, or manipulation

OWASP Mappings

• OWASP Top 10
  – A03:2021 - Injection

Demo 5 / 6

Scenario: SQL Injection (a.k.a. "SQLi")
Objective: Find table names of the SQLite database.
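The coding defect behind Demo 5 is untrusted input spliced into SQL text. As an added example (not the Tiredful API's own query code), the same SQLite lookup is written both ways so the difference is observable: the concatenated version lets the input change the statement's structure, while the parameterized version binds the same input as a literal. The table, rows and the hostile input string are constructed for this example.

```python
# Added example, not Tiredful's code: one lookup written with string formatting
# (the SQLi defect) and with a bound parameter, run against an in-memory SQLite
# database populated with constructed rows.
import sqlite3

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE exams (id INTEGER, owner TEXT, score INTEGER)")
    conn.executemany("INSERT INTO exams VALUES (?, ?, ?)",
                     [(1, "batman", 87), (2, "robin", 64), (3, "alfred", 91)])
    return conn

def results_vulnerable(conn, owner):
    # Untrusted input becomes part of the SQL text, so quotes and operators in
    # `owner` are parsed as SQL rather than as a value.
    sql = "SELECT id, score FROM exams WHERE owner = '%s'" % owner
    return conn.execute(sql).fetchall()

def results_safe(conn, owner):
    # The value travels separately from the SQL text; the driver binds it as a
    # literal, so it can only ever match an owner column equal to that string.
    return conn.execute("SELECT id, score FROM exams WHERE owner = ?",
                        (owner,)).fetchall()

HOSTILE = "x' OR '1'='1"   # constructed test input, not a real account name

def compare():
    """Row counts returned for the hostile input by each version."""
    conn = make_db()
    return len(results_vulnerable(conn, HOSTILE)), len(results_safe(conn, HOSTILE))
```

Calling `compare()` shows the concatenated query returning every row for an input that should match nothing, which is the same class of structural change the demo uses to reach the database's metadata.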
Cross Site Scripting

• Cross Site Scripting (XSS) Risks
  – Performs automatic code execution in client browsers upon access
  – Stolen credentials or form data
  – Execution of exploit kit payloads

OWASP Mappings

• OWASP Top 10
  – A03:2021 - Injection

Demo 6 / 6

Scenario: Cross Site Scripting (XSS)
Objective: Find parameters accepting cross site scripting meta-characters.
Trending API Risks

• Accidentally/Publicly exposed APIs
  – Allows for direct API access
  – Circumvents front-end web & web app security
• Shadow APIs
  – Deployed outside of standards and controls

Reducing these risks

• Recommendations
  – Adopting a secure development life cycle
    • Having a security champion on each dev team
    • Testing as early in the SDLC process as possible
  – Adhering to the Principle of Least Privilege
  – OWASP resources
    • https://owasp.org/
Questions

Who? What? When? Where? Why? How?

Thank you for attending!
