apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer Society


apidays Hong Kong 2022 - API-First Digital Transformation & Platform Economy
August 24 & 25, 2022

Attack API Architecture
Alvin Tam, EASG Committee at Hong Kong Computer Society
------------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

Deep dive into the API industry with our reports:
https://www.apidays.global/industry-reports/

Subscribe to our global newsletter:
https://apidays.typeform.com/to/i1MPEW


  1. Attack API Architecture
     Alvin TAM, Executive Committee, Enterprise Architecture Special Group, Hong Kong Computer Society (ExCo EASG HKCS)
     (Attack vector image created by storyset - www.freepik.com)
  2. API attacks happen every day
  3. API Security Flaws Can Result in Data Breaches
     (© 2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates.)
  4. Key Issues
     • What are the problems with API security?
     • How can APIs be secured?
     • What should the API security architecture look like?
  5. OWASP API Security Top 10
     01 Broken object level authorization
     02 Broken authentication
     03 Excessive data exposure
     04 Lack of resources and rate limiting
     05 Broken function level authorization
     06 Mass assignment
     07 Security misconfiguration
     08 Injection
     09 Improper asset management
     10 Insufficient logging and monitoring
     What happens if you increment that number? /patient/333555
     You can try these checks against an open-source, deliberately vulnerable API: https://github.com/OWASP/crAPI
  6. How are our API architectures being attacked?
     Clients calling the APIs: Website/Single Page Application, IoT Devices, Mobile App, Cloud Service
     Key to the attack points in the diagram:
     1 Unsecured API keys in repositories and storage
     2 Hard-coded credentials (incl. API keys) in applications
     3 API logic flaws
     4 Sniffed API calls
     Plus all traditional web application attacks!
  7. Hackers have a lot of ways to attack
     • Attacking authentication
     • Fuzzing
     • Broken object-level authorization (BOLA)
     • Broken function-level authorization (BFLA)
     • Blind mass assignment attack
     • Changing the product price
     • Injection: XSS, SQL injection
  8. Attacking authentication
     • Password brute-force attacks
     • Forgot-password OTP attacks
     • Brute-forcing predictable tokens
     Example OTP check request:
     POST /identity/api/auth/v3/check-otp HTTP/1.1
     Host: 192.168.195.130:8888
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
     Accept: */*
     Accept-Language: en-US, en;q=0.5
     Accept-Encoding: gzip,deflate
     Referer: http://111.222.101:8888/forgot-password
     Content-Type: application/json
     Origin: http://111.222.101.100:8888
     Content-Length: 62
     Connection: close

     { "email":"a@email.com", "otp":"1234", "password": "Newpassword" }

     Example token:
     eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJoYWNrYXBpcy5pbyIsImV4cCI6IDE1ODM2Mzc0ODgsInVzZXJuYW1lIjoiU2N1dHRsZXBoMXNoIiwic3VwZXJhZG1pbiI6dHJ1ZX0.1c514f4967142c27e4e57b612a7872003fa6cbc7257b3b74da17a8b4dc1d2ab9
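The OTP check on slide 8 is brute-forceable when the server accepts unlimited guesses of a short code. The following is an added example, not code from the talk or from crAPI, of how a defender would harden that endpoint: the OTP comes from a CSPRNG, is single-use, expires, is compared in constant time, and is invalidated after a fixed number of wrong guesses. The store, limits and function names are hypothetical.

```python
import hmac
import secrets
import time

# Constructed in-memory store standing in for a database (assumption: a real
# service persists this per account). Names and limits are hypothetical.
MAX_ATTEMPTS = 5          # wrong guesses allowed before the OTP is invalidated
OTP_TTL_SECONDS = 300     # an OTP is only valid for five minutes

_otps = {}   # email -> {"otp": str, "issued": float, "attempts": int}


def issue_otp(email, now=None):
    """Generate a 6-digit OTP from a CSPRNG and reset the attempt counter."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"
    _otps[email] = {"otp": otp, "issued": now, "attempts": 0}
    return otp


def check_otp(email, submitted, now=None):
    """Return (accepted, reason). Fails closed on unknown, expired or locked OTPs."""
    now = time.time() if now is None else now
    rec = _otps.get(email)
    if rec is None:
        return False, "no_otp_issued"
    if now - rec["issued"] > OTP_TTL_SECONDS:
        del _otps[email]
        return False, "expired"
    if rec["attempts"] >= MAX_ATTEMPTS:
        return False, "locked"
    rec["attempts"] += 1
    # Constant-time comparison: the response time does not leak how many
    # leading digits of the guess were right.
    if hmac.compare_digest(rec["otp"].encode(), str(submitted).encode()):
        del _otps[email]           # single use: a correct OTP is consumed
        return True, "ok"
    if rec["attempts"] >= MAX_ATTEMPTS:
        return False, "locked"     # the guessing budget is now exhausted
    return False, "wrong"
```

With a 6-digit code and five attempts per issued OTP, a guesser has at most a 5-in-1,000,000 chance per OTP, and every exhausted budget is visible as a "locked" result that the audit log should record.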
  9. Fuzzing
     • Targeted fuzzing payloads are aimed at provoking a response from specific technologies and types of vulnerabilities. Targeted fuzzing payload types might include API object or variable names, cross-site scripting (XSS) payloads, directories, file extensions, HTTP request methods, JSON or XML data, SQL or NoSQL commands, or commands for particular operating systems.
     • Sending various symbols (-_!@#$%^&*();':''|,./?>) or characters from unexpected languages (漢, さ, Ж, Ѫ, Ѭ, Ѧ, Ѩ, Ѯ).
     • There are two fuzzing techniques: fuzzing wide and fuzzing deep. Fuzzing wide is the act of sending an input across all of an API's unique requests in an attempt to discover a vulnerability. Fuzzing deep is the act of thoroughly testing an individual request with a variety of inputs, replacing headers, parameters, query strings, endpoint paths, and the body of the request with your payloads. You can think of fuzzing wide as testing a mile wide but an inch deep and fuzzing deep as testing an inch wide but a mile deep.
  10. Broken object-level authorization (BOLA)
     • Broken object-level authorization (BOLA) vulnerabilities occur when a user is able to access other users' data due to flaws in the authorization controls that validate access to data objects.
     • GET /api/v1/user/account?id=100001
     • GET /api/v1/user/account?id=100002
     • GET /api/v1/user/account?id=100003
     • ...
  11. Broken function-level authorization (BFLA)
     • Finding BFLAs: hunting for BFLA involves searching for functionality to which you should not have access. A BFLA vulnerability might allow you to update object values, delete data, and perform actions as other users. To check for it, try to alter or delete resources or gain access to functionality that belongs to another user or privilege level.
     • Create, read, update, or delete resources as UserA.
     • Swap out your UserA token for UserB's.
     • Send GET, PUT, POST, and DELETE requests for UserA's resources using UserB's token.
     • Check UserA's resources to validate that changes have been made using UserB's token.
     Request:
     GET /api/picture/2
     Token: UserA_token
     Response:
     200 OK
     { "_id": 2, "name": "development flower", "creator_id": 2, "username": "UserA", "money_made": 0.35, "likes": 0 }
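Slides 10 and 11 show the two authorization failures from the attacker's side: walking sequential IDs (BOLA) and calling functions with another user's token (BFLA). The following is an added example, not code from the talk or from crAPI, of the server-side checks that close both holes for the /api/picture/{id} resource on slide 11. The tokens, users, picture record and role policy are constructed sample data; the function names are hypothetical.

```python
# Constructed sample data: bearer tokens mapped to users, and one picture
# owned by UserA (creator_id 2), matching the response shown on slide 11.
USERS_BY_TOKEN = {
    "UserA_token": {"id": 2, "username": "UserA", "role": "user"},
    "UserB_token": {"id": 3, "username": "UserB", "role": "user"},
    "Admin_token": {"id": 1, "username": "admin", "role": "admin"},
}

PICTURES = {
    2: {"_id": 2, "name": "development flower", "creator_id": 2,
        "username": "UserA", "money_made": 0.35, "likes": 0},
}

# Function-level policy (hypothetical): who may call each method at all.
# "owner" = the authenticated user who created the object; "admin" = role.
FUNCTION_POLICY = {
    "GET": {"owner", "admin"},
    "PUT": {"owner", "admin"},
    "DELETE": {"admin"},
}


def authenticate(token):
    """Map a bearer token to a user record; None means unauthenticated."""
    return USERS_BY_TOKEN.get(token)


def handle_picture(method, picture_id, token, body=None):
    """Return (status, payload) for a request against /api/picture/{picture_id}."""
    user = authenticate(token)
    if user is None:
        return 401, {"error": "unauthenticated"}

    allowed = FUNCTION_POLICY.get(method)
    if allowed is None:
        return 405, {"error": "method not allowed"}

    # Function-level check (BFLA): can this role, or an owner, call this method?
    role_ok = user["role"] in allowed
    if not (role_ok or "owner" in allowed):
        return 403, {"error": "forbidden"}

    # Object-level check (BOLA): the object must exist AND belong to the caller,
    # unless the role alone is sufficient. Missing and foreign objects get the
    # same 404 so sequential IDs cannot be enumerated through status codes.
    pic = PICTURES.get(picture_id)
    if pic is None or not (role_ok or pic["creator_id"] == user["id"]):
        return 404, {"error": "not found"}

    if method == "GET":
        return 200, dict(pic)
    if method == "PUT":
        pic["name"] = (body or {}).get("name", pic["name"])
        return 200, dict(pic)
    del PICTURES[picture_id]          # DELETE, reached only by an admin
    return 204, None
```

The ownership test is done on the server from the authenticated identity, never from an id or username supplied in the request; the client-supplied picture id only selects the object, it never decides access.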
  12. Blind mass assignment attack
     • If you cannot find variable names in the locations discussed, you could perform a blind mass assignment attack. In such an attack, you'll attempt to brute-force possible variable names through fuzzing. Send a single request with many possible variables, like the following, and see what sticks:
     POST /api/v1/register
     --snip--
     { "username":"hAPI_hacker", "email":"hapi@hacker.com", "admin": true, "admin":1, "isadmin": true, "role":"admin", "role":"administrator", "user_priv": "admin", "password":"Password1!" }

     PUT /api/v1/account/update
     Token: UserA-Token
     --snip--
     { "username": "Brock", "address": "456 Onyx Dr", "city": "Pewter Town", "region": "Kanto", "email": "ash@email.com", "mfa": false }
     • If an API is vulnerable, it might ignore the irrelevant variables and accept the variable that matches the expected name and format.
  13. Changing the product price
     • POST /identity/api/auth/signup
     • POST /workshop/api/shop/orders
     • POST /workshop/api/merchant/contact_mechanic
     POST /workshop/api/shop/products HTTP/1.1
     Host: 192.168.195.130:8888
     Authorization: Bearer UserA-Token

     { "name":"MassAssignment SPECIAL", "price":-5000, "image_url":"https://example.com/chickendinner.jpg" }

     POST /workshop/api/shop/products HTTP/1.1
     Host: 197.164.150.110:8888
     Authorization: Bearer UserA-Token

     { "name":"TEST1", "price":25, "image_url":"string", "credit":1337 }
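Slides 12 and 13 both exploit the same defect: the server binds whatever JSON fields the client sends onto its model. The following is an added example, not code from the talk or from crAPI, of the defensive pattern: an explicit allowlist of client-writable fields per endpoint, server-owned fields (role, credit) set from defaults, unknown fields rejected rather than silently ignored, and the price checked before it reaches the store. The endpoint field lists are hypothetical; the payloads in the test are the ones shown on the slides.

```python
# Allowlists of client-settable fields per endpoint (hypothetical, not crAPI's
# real schema). Anything not listed here can never be set by a request.
WRITABLE_FIELDS = {
    "/api/v1/register": {"username", "email", "password"},
    "/api/v1/account/update": {"username", "address", "city", "region", "email"},
    "/workshop/api/shop/products": {"name", "price", "image_url"},
}

# Fields the server owns: always initialised here, never taken from the client.
SERVER_DEFAULTS = {
    "/api/v1/register": {"role": "user", "isadmin": False},
    "/workshop/api/shop/products": {"credit": 0},
}


def bind(endpoint, payload):
    """Build the model for `endpoint` from `payload`.

    Returns (model, []) on success or (None, errors). Unknown fields are an
    error rather than being dropped, so probing for hidden names is visible.
    """
    allowed = WRITABLE_FIELDS[endpoint]
    errors = []

    extra = set(payload) - allowed
    if extra:
        errors.append(f"unexpected fields: {sorted(extra)}")

    model = dict(SERVER_DEFAULTS.get(endpoint, {}))
    model.update({k: v for k, v in payload.items() if k in allowed})

    if endpoint == "/workshop/api/shop/products":
        price = model.get("price")
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(price, bool) or not isinstance(price, (int, float)) or price <= 0:
            errors.append("price must be a positive number")

    if errors:
        return None, errors
    return model, []
```

Rejecting unknown fields (instead of ignoring them) is the choice that matters for the blind variant on slide 12: a vulnerable API that ignores seven wrong names and accepts the eighth gives no signal, whereas a strict binder returns a 400 that also lands in the audit log.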
  14. Injection
     • Database injection techniques such as SQL injection take advantage of SQL databases, whereas NoSQL injection takes advantage of NoSQL databases.
     • Cross-site scripting (XSS) attacks insert scripts into web pages that run in a user's browser. Cross-API scripting (XAS) is similar to XSS but leverages third-party applications ingested by the API you're attacking.
     • Command injection is an attack against the web server's operating system that allows you to send it operating system commands.
  15. Cross-site scripting (XSS)
     • Here are a few examples of XSS payloads:
       <script>alert("xss")</script>
       <script>alert(1);</script>
       <%00script>alert(1)</%00script>
       SCRIPT>alert("XSS");///SCRIPT>
     • Payload Box XSS payload list: this list contains over 2,700 XSS scripts that could trigger a successful XSS attack (https://github.com/payloadbox/xss-payload-list).
     POST /api/profile/update HTTP/1.1
     Host: hapihackingblog.com
     Authorization: hAPI.hacker.token
     Content-Type: application/json

     { "fname": "hAPI", "lname": "Hacker", "city": "<script>alert("xas")</script>" }
  16. SQL / NoSQL injection
     • SELECT * FROM userdb WHERE username = 'hacker' AND password = 'Password1!'
     • SELECT * FROM userdb WHERE username = 'hacker' OR 1=1-- -
     NoSQL:
     POST /community/api/v2/coupon/validate-coupon HTTP/1.1
     --snip--
     {"coupon_code":"%7b$where%22%3a%22sleep(1000)%22%7d"}
     Then you can go further into the site through the API, e.g.:
     POST /login HTTP/1.1
     Host: 192.168.195.132:8000
     --snip--
     user=hapi%40hacker.com&pass=§Password1%21§
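Slide 16 shows the two query shapes that make injection possible: a SQL string built from user input, and a NoSQL filter that accepts an operator object where a plain value was expected. The following is an added example, not code from the talk or from crAPI, that puts the vulnerable SQL query beside its parameterized form and adds a strict validator for the coupon code so the NoSQL filter is only ever built from a well-formed string. The table, rows and the coupon format are constructed; the function names are hypothetical.

```python
import re
import sqlite3
from urllib.parse import unquote


def make_db():
    """Constructed in-memory table standing in for the slide's userdb."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userdb (username TEXT, password TEXT)")
    # Plaintext passwords only to mirror the slide's query; real systems store hashes.
    conn.executemany("INSERT INTO userdb VALUES (?, ?)",
                     [("hacker", "Password1!"), ("alice", "correct horse")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable form: input is concatenated into the SQL text, so a quote and
    a comment marker in `username` rewrite the WHERE clause."""
    sql = (f"SELECT * FROM userdb WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Hardened form: bound parameters travel as data and are never parsed as SQL."""
    sql = "SELECT * FROM userdb WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# The slide's coupon_code value after URL-decoding (constructed from slide 16).
NOSQL_PAYLOAD = unquote("%7b$where%22%3a%22sleep(1000)%22%7d")

# Hypothetical coupon format: upper-case letters, digits and dashes only.
COUPON_RE = re.compile(r"^[A-Z0-9-]{4,20}$")


def coupon_query(coupon_code):
    """Build a NoSQL equality filter only from a strictly validated string.

    Anything else (operator objects such as $where, non-strings, stray
    punctuation) is rejected before a filter is built, so the database never
    sees attacker-controlled operators.
    """
    if not isinstance(coupon_code, str) or not COUPON_RE.match(coupon_code):
        return None
    return {"coupon_code": coupon_code}
```

The two SQL functions take the identical input; only the vulnerable one returns every row for the `' OR 1=1-- -` username. For the NoSQL side, a positive pattern match is preferable to a denylist of operator names, because the set of operators a driver understands changes with versions.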
  17. Key Issues
     • What are the problems with API security?
     • How can APIs be secured?
     • What should the API security architecture look like?
  18. Retrospective question: who is primarily responsible for API security in your organization?
     A. Application developer
     B. Security team
     C. API team
     D. Integration team
     E. Nobody
  19. Security in the API lifecycle
     Design time: API Discovery (design time), API Security Testing
     Runtime: API Discovery (runtime), API Threat Protection
  20. API security with mobile and client-side apps (App -> APIs)
     • Avoid credential hardcoding
     • Protect from man-in-the-middle attacks
     • Verify the environment
  21. Including your security team in API strategy (© 2021 Gartner, Inc. and/or its affiliates)
     Is the security team involved? Yes: 80%, No: 20% (percentage of respondents)

                                    Use API management solution   Don't use API management solution
     Base                           66                            32
     Security team involved: Yes    88%                           66%
     Security team involved: No     12%                           34%
     Statistically significant difference @ 95%
     Takeaway: get your tech team ready for security development.
  22. Key Issues
     • What are the problems with API security?
     • How can APIs be secured?
     • What should the API security architecture look like?
  23. Delivering API security architecture
     Actors: Developer; End User (browser, mobile); Application-to-application
     Components: API Portal, API Gateway, Access Management, Web Application Firewall, API Security Testing, API Management, In-App Protection, APIs
     API security testing: discover unsecured APIs; integrate with the API gateway, provide a proxy/gateway, use AI/ML to detect unusual API usage
  24. Scenario: mobile app, web and IoT devices on an API architecture
  25. Putting it all together
     1 Discover: inventory APIs that have been delivered or are in the development process. APIs consumed from third parties should also be included.
     2 Analyze: observe your API usage. Learn what "normal" is for API behavior.
     3 Secure: create a policy to secure your APIs.
  26. Three sides of API security architecture
     API Security Testing
       Key functionality: identification of API security flaws and vulnerabilities
       Key technologies used: dynamic application security testing (DAST), fuzzing, static application security testing (SAST)
       Product categories: application security testing tools, specialized API security platforms
     API Protection
       Key functionality: content validation, threat detection, traffic throttling
       Key technologies used: attack signatures, reputation-based control, anomaly detection, OAS message validation
       Product categories: web application firewalls, API management, specialized API security platforms
     API Access Control
       Key functionality: authentication, authorization, identity propagation
       Key technologies used: OAuth 2.0, OpenID Connect, JSON Web Tokens
       Product categories: API management, access management software, IDaaS
  27. Your API security building blocks
     • Authentication of the API client (e.g., mobile app)
     • API key authentication
     • Fine-grained authorization
     • OAuth scope management
     • Integration with access management
     • Transport security (TLS/SSL)
     • JSON/XML element encryption
     • Digital signature
     • XML/SOAP security (WS-Security, etc.)
     • Content inspection
     • Content validation (JSON schema, XML schema)
     • Data transformation
     • Tokenization of sensitive information (e.g., patient number)
     • Quota management / traffic throttling
     • Usage plan management
     • Automated attack / bot detection
     • Store audit logs
     • Alerting (including to SIEM)
  28. Example policy for API security architecture
     Policy steps applied to API client applications:
     • Authentication and authorization (uses identity and access management)
     • Validation against the API definition
     • Detection of harmful or unusual API traffic (uses application firewalls, bot mitigation, AI/ML)
     • Remove sensitive data from API responses (uses data masking, data tokenization)
     • Validation of the API response
     • Store audit logs (uses security analytics platforms)
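Slides 27 and 28 list the building blocks and the policy steps but not what one step looks like in code. The following is an added example, not code from the talk, of three of those steps applied to a single operation: validation of the request against an API definition, removal/tokenization of sensitive data (the patient number from slide 5) from the response, and an audit-log record for every decision. The API definition, tokenization key, patient-number format and function names are all constructed for this example.

```python
import hashlib
import hmac
import re
import time

# Constructed API definition for one operation (a stand-in for an OpenAPI
# document): allowed request fields and types, required fields, and which
# response fields are sensitive (tokenized) or internal (stripped).
API_DEFINITION = {
    "POST /patient": {
        "request": {"name": str, "patient_number": str, "city": str},
        "required": ["name", "patient_number"],
        "response_sensitive": {"patient_number"},
        "response_internal": {"db_row_version"},
    }
}

# Hypothetical: in production this key lives in an HSM or secrets manager.
TOKENIZATION_KEY = b"constructed-demo-key-not-for-production"
PATIENT_NUMBER_RE = re.compile(r"^\d{6}$")

AUDIT_LOG = []   # in-memory stand-in for the SIEM / analytics platform feed


def validate_request(op, body):
    """Return a list of violations of the API definition (empty means valid)."""
    spec = API_DEFINITION[op]
    errors = [f"missing {f}" for f in spec["required"] if f not in body]
    for field, value in body.items():
        expected = spec["request"].get(field)
        if expected is None:
            errors.append(f"unexpected field {field}")
        elif not isinstance(value, expected):
            errors.append(f"{field} must be {expected.__name__}")
    pn = body.get("patient_number")
    if isinstance(pn, str) and not PATIENT_NUMBER_RE.match(pn):
        errors.append("patient_number format")
    return errors


def tokenize(value):
    """Keyed, deterministic token: the same input maps to the same token, but the
    real value cannot be recovered from the response."""
    mac = hmac.new(TOKENIZATION_KEY, value.encode(), hashlib.sha256)
    return "tok_" + mac.hexdigest()[:16]


def filter_response(op, record):
    """Strip internal fields and tokenize sensitive ones before the record leaves."""
    spec = API_DEFINITION[op]
    out = {}
    for key, value in record.items():
        if key in spec["response_internal"]:
            continue
        out[key] = tokenize(value) if key in spec["response_sensitive"] else value
    return out


def audit(client_id, op, status, errors):
    entry = {"ts": time.time(), "client": client_id, "op": op,
             "status": status, "errors": list(errors)}
    AUDIT_LOG.append(entry)
    return entry


def handle(op, client_id, body, store):
    """Run the policy chain for one request; `store` is the backing list."""
    errors = validate_request(op, body)
    if errors:
        audit(client_id, op, 400, errors)
        return 400, {"errors": errors}
    record = dict(body)
    record["id"] = len(store) + 1
    record["db_row_version"] = 1       # internal field, never returned
    store.append(record)
    audit(client_id, op, 201, [])
    return 201, filter_response(op, record)
```

The response filter is driven by the same definition as the request validator, so adding a sensitive field to the spec changes both sides at once; that is the practical meaning of "validation against the API definition" and "validation of the API response" being two steps of one policy.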
  29. Recommendations (© 2021 Gartner, Inc. and/or its affiliates)
     • Include your security team in your API platform team
     • Consider the whole picture for API security architecture, not just an API gateway
     • Think "North-South" as well as "East-West" for API security architecture
  30. Enjoy speedy APIs and being protected from hackers
     Alvin TAM, Executive Committee, Enterprise Architecture Special Group, Hong Kong Computer Society (ExCo HKCS)
