Introduction to API Security - Intergalactic

Postman
Housekeeping
1. Attendees are muted
2. Ask questions under Q&A
3. A recording of this session will be shared
4. Post-event feedback survey
5. To do this work yourself after the session, log into your Postman account (go.postman.co)
@getpostman
All rights reserved by Postman Inc
Introduction to API Security
Yash Mehta, Security Engineer II, Postman (twitter.com/yashcmehta)
Harshit Kochar, Application Security Engineer, Postman (linkedin.com/in/harshit-kochar/)
A little about you
● How long have you been using Postman?
○ I am new to Postman
○ Less than 6 months
○ 6 months to 1 year
○ 1 year to 3 years
○ 3 years or more
● How long have you been using and building APIs?
○ I have not built or used an API before
○ Less than 6 months
○ 6 months to 1 year
○ 1 year to 3 years
○ 3 years or more
● How long have you been working in a security role?
○ I am not in a security role right now
○ Less than 6 months
○ 6 months to 1 year
○ 1 year to 3 years
○ 3 years or more
Agenda
1. What is API Security?
2. OWASP Top 10 2023
3. Identify and understand vulnerabilities using Postman
4. Leverage Postman for automating API security tests
5. Q & A
What is API Security
● APIs are everywhere
● Security is one of the most important factors when it comes to integrating an API
● Increased API adoption significantly expands the attack surface
OWASP Top 10 API Security Risks – 2023
(image from nonamesecurity.com)
Key OWASP update #1 - Broken Object Property Level Authorization
● Authorization issues remain the biggest risk for API security
● Implementing authorization in APIs is becoming more challenging
○ Increase in complexity of authorization
○ Decentralized mechanism of implementation
● BOPLA covers unrestricted access to object properties that should have been restricted
(image from nonamesecurity.com)
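As an added example (not from the deck), a profile-update handler in JavaScript written two ways: the vulnerable one mass-assigns whatever the client sends and echoes the whole record back, the hardened one allowlists writable properties per role and filters what it returns. The store, roles and field names are constructed.

```javascript
// Constructed sample store; a fresh copy per call keeps the two handlers
// independent. "role", "balance" and "passwordHash" are never client-writable.
function freshStore() {
  return {
    42: { id: 42, email: 'alice@example.test', displayName: 'Alice',
          role: 'user', balance: 100, passwordHash: 'constructed-hash' },
  };
}

// VULNERABLE (the mass-assignment side of BOPLA): every property in the request
// body is copied onto the stored object, and the whole object is echoed back
// (the excessive-data-exposure side), password hash included.
function updateProfileVulnerable(store, userId, body) {
  const user = store[userId];
  Object.assign(user, body);
  return user;
}

// HARDENED: an explicit allowlist of writable properties per role, an explicit
// allowlist of properties returned, and rejection (not silent dropping) of any
// other property so that unexpected fields surface in logs and tests.
const WRITABLE = {
  user: ['email', 'displayName'],
  admin: ['email', 'displayName', 'role'],
};
const READABLE = ['id', 'email', 'displayName', 'role'];

function updateProfileHardened(store, actor, userId, body) {
  const user = store[userId];
  if (!user) throw new Error('not found');
  // Object-level check first: only the owner or an admin may touch this record.
  if (actor.id !== userId && actor.role !== 'admin') throw new Error('forbidden');
  const allowed = WRITABLE[actor.role] || [];
  const rejected = Object.keys(body).filter((k) => !allowed.includes(k));
  if (rejected.length > 0) {
    throw new Error(`property not writable for role ${actor.role}: ${rejected.join(', ')}`);
  }
  for (const k of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, k)) user[k] = body[k];
  }
  return Object.fromEntries(READABLE.map((k) => [k, user[k]]));
}
```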
Key OWASP update #2 - Server-Side Request Forgery (SSRF)
Occurs when APIs process requests from user-controlled URLs and fetch internal or remote server resources without validating the user request first
(image from portswigger.net)
Key OWASP update #3 - Unrestricted Access to Sensitive Business Flows
● Drastic rise in automated threats
● An API is vulnerable if it exposes sensitive functionality in a way that lets excessive automated use cause harm
Key OWASP update #4 - Unsafe Consumption of APIs
● Developers tend to trust data received from third-party APIs more than user input, and so tend to adopt weaker security standards
● In order to compromise APIs, attackers go after integrated third-party services instead of trying to compromise the target API directly
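An added example (not from the deck) of giving a third-party response the same treatment as user input: a JavaScript parser for a constructed partner "quote" payload that enforces content type, size, an exact key allowlist and per-field types and ranges before anything reaches business logic.

```javascript
const MAX_BODY_BYTES = 64 * 1024;

// Constructed expected shape. Only these keys are accepted; an extra key
// (including a JSON "__proto__" own property) is an error, not ignored.
const QUOTE_SCHEMA = {
  sku:        { type: 'string',  pattern: /^[A-Z0-9-]{3,32}$/ },
  priceCents: { type: 'integer', min: 0, max: 10000000 },
  currency:   { type: 'string',  pattern: /^[A-Z]{3}$/ },
  note:       { type: 'string',  maxLen: 200, optional: true },
};

// Returns { ok: true, quote } with only the validated fields copied out, or
// { ok: false, reason } naming the first check that failed (useful in logs).
function parseUpstreamQuote(rawBody, contentType) {
  if (!/^application\/json\b/i.test(contentType || '')) return { ok: false, reason: 'content-type' };
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) return { ok: false, reason: 'too-large' };
  let data;
  try { data = JSON.parse(rawBody); } catch (e) { return { ok: false, reason: 'invalid-json' }; }
  if (!data || typeof data !== 'object' || Array.isArray(data)) return { ok: false, reason: 'not-object' };
  for (const key of Object.keys(data)) {
    if (!Object.prototype.hasOwnProperty.call(QUOTE_SCHEMA, key)) {
      return { ok: false, reason: `unexpected-key:${key}` };
    }
  }
  const out = {};
  for (const [key, rule] of Object.entries(QUOTE_SCHEMA)) {
    const v = data[key];
    if (v === undefined) {
      if (rule.optional) continue;
      return { ok: false, reason: `missing:${key}` };
    }
    if (rule.type === 'string') {
      if (typeof v !== 'string') return { ok: false, reason: `type:${key}` };
      if (rule.pattern && !rule.pattern.test(v)) return { ok: false, reason: `format:${key}` };
      if (rule.maxLen && v.length > rule.maxLen) return { ok: false, reason: `length:${key}` };
    } else if (rule.type === 'integer') {
      if (!Number.isInteger(v) || v < rule.min || v > rule.max) return { ok: false, reason: `range:${key}` };
    }
    out[key] = v;
  }
  return { ok: true, quote: out };
}
```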
Introduction to GraphQL
● Open Source Query Language
● Server-side runtime (typically served over HTTP)

How does GraphQL work?
1. Design your GraphQL schema
2. Connect your resolvers to data sources
3. Ask for exactly what you want
“GraphQL makes it easier for developers to get the data they need without needing to know which sources it’s coming from”
Advantages of GraphQL
● Performance
○ Prevents over-fetching
○ Prevents under-fetching
● Developer experience
○ Hierarchical & Declarative
○ Strongly typed
○ Versioning
● Architecture
○ Decouples the client from the server
○ Single source of truth
○ Scalable with federation
○ Introspection
Common GraphQL attack vectors
● Introspection
● Information Disclosure
● Missing Access Controls
● Bypass Rate-limiting
● Denial of Service
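An added example (not from the deck or from DVGA) in JavaScript: a pre-execution check of a raw GraphQL query string for three of the vectors listed above, introspection, denial of service through deep nesting, and rate-limit bypass through alias batching. The limits are constructed; a production server would apply the same checks on the parsed AST.

```javascript
// Constructed policy: what this API is willing to execute.
const LIMITS = { maxDepth: 6, maxAliases: 10, allowIntrospection: false };

// Single pass over the raw query: skips "..." / """...""" literals and # comments,
// counts selection-set nesting from braces outside argument lists, counts
// aliases ("name:" outside parentheses) and flags the introspection root fields.
function analyzeQuery(query) {
  let depth = 0, maxDepth = 0, parens = 0, aliases = 0, introspection = false;
  let i = 0;
  while (i < query.length) {
    const c = query[i];
    if (c === '#') {                                    // comment to end of line
      while (i < query.length && query[i] !== '\n') i++;
    } else if (c === '"') {                             // string literal, never inspected
      const quote = query.startsWith('"""', i) ? '"""' : '"';
      let j = i + quote.length;
      while (j < query.length && !query.startsWith(quote, j)) {
        if (quote === '"' && query[j] === '\\') j++;    // skip escaped character
        j++;
      }
      i = j + quote.length;
    } else if (c === '(') { parens++; i++;
    } else if (c === ')') { parens--; i++;
    } else if (c === '{' && parens === 0) { depth++; maxDepth = Math.max(maxDepth, depth); i++;
    } else if (c === '}' && parens === 0) { depth--; i++;
    } else if (/[A-Za-z_]/.test(c)) {                   // name token
      let j = i;
      while (j < query.length && /[A-Za-z0-9_]/.test(query[j])) j++;
      const name = query.slice(i, j);
      if (name === '__schema' || name === '__type') introspection = true;
      let k = j;
      while (k < query.length && /\s/.test(query[k])) k++;
      if (parens === 0 && query[k] === ':') aliases++;  // "alias: field"
      i = j;
    } else {
      i++;
    }
  }
  return { maxDepth, aliases, introspection };
}

// Verdict plus measurements, so a rejection can be logged with its numbers.
function checkQuery(query, limits = LIMITS) {
  const m = analyzeQuery(query);
  const problems = [];
  if (m.introspection && !limits.allowIntrospection) problems.push('introspection');
  if (m.maxDepth > limits.maxDepth) problems.push(`depth:${m.maxDepth}`);
  if (m.aliases > limits.maxAliases) problems.push(`aliases:${m.aliases}`);
  return { allowed: problems.length === 0, problems, ...m };
}
```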
Identify and understand GraphQL vulnerabilities using Postman
We’re going to be using a GraphQL application that was built (on purpose) with vulnerabilities:
● github.com/dolevf/Damn-Vulnerable-GraphQL-Application
Postman Collection we’re going to use to send requests that exercise these vulnerabilities:
● postman.com/devrel/workspace/graphql-security-101/collection/645d1d33d3f0b63ec09ffb98
Exploit a vulnerable GraphQL application
Leverage Postman for automating API security tests
Additional Resources
Postman’s YouTube channel for lots of content about APIs: youtube.com/@postman
Upcoming Intergalactic Sessions: postman.com/events/intergalactic
OWASP API Top Ten, 2023: owasp.org/API-Security/editions/2023/en/0x00-header
Postman Community Forum for additional questions / feedback: community.postman.com

Feedback survey
Please tell us about your experience! go.pstmn.io/intro-to-api-security

Q&A

Thank You
go.pstmn.io/intro-to-api-security
linkedin.com/in/harshit-kochar
twitter.com/yashcmehta