SlideShare una empresa de Scribd logo
1 de 26
I’m An API Hacker, Here’s How
To Go From Making APIs To
Breaking Them
Katie Paxton-Fear
API Security Researcher
Traceable
About
Katie AKA InsiderPhD
● PhD in Cyber Security / AI
● Occasional hacker and content creator
● Found vulnerabilities in software you probably
use every day
● Work at Traceable doing API security education
Neopets to Now
3
API Hacking
● A lot of people will tell you that API hacking is a
specific skill
○ Myself included
● It’s really just thinking through how to abuse the
business logic or permissions of an API
● Everything else is just tricks to do it faster
Find Endpoints
Understand
what the
application does
What are the
‘no’s
Test if that no is
a yes
Write it up so
someone else
can understand
it
Stages of Hacking
API hacker's toolbox
Editing Requests
Postman Burp
Use whatever you feel comfortable using!
Broken Object Level
Authorization
Broken
Authentication
Broken Object
Property Level
Authorization
Unrestricted
Resource
Consumption
Broken Function
Level Authorization
Unrestricted Access
to Sensitive
Business Flows
Server Side Request
Forgery
Security
Misconfiguration
Improper Inventory
Management
Unsafe consumption
of APIs
API Top 10
`
` `
ACCESS CONTROL BUSINESS LOGIC INFORMATION
DISCLOSURE
Common API issues
Why?
● These vulnerabilities are hard to run a scan
to find
○ They need the context of what an API does and
how they work!
● Frameworks have dramatically reduced
injection-type vulnerabilities
○ They’re still bad just less common
● Usually caused by simple mistakes
○ Even sometimes a single line of code
What am I actually doing when I am hacking?
Identifying endpoints I think might be vulnerable
Making small changes to the requests to add a malicious element
Okay this endpoint
lets me input a review
– I should look for
injection vulns
I’ll start by testing
XSS
What am I actually doing when I am hacking?
Seeing if it worked
Going back to the API and trying something else…
Until it works!
The review
endpoint definitely
isn’t vulnerable to
XSS
But the basket
endpoint has a
pretty clear BOLA!
My bugs aren’t complex
13
I’ll never be on the list
14
It’s the little things
15
Sometimes only missing if statements
16
● Everyone in this room eats, sleeps and breathes
APIs in one form or another
● YOU know far more about APIs than the
average API hacker
● You don’t need to buy a fancy course
● I promise these are vulnerabilities you can find
● Let’s talk about some of my 1337 Hax0r findings
If you know APIs you can do API hacking
Crud In Action
Edit Form
SUBMIT
403 ACCESS FORBIDDEN
What if it’s private???
Ecommerce
Doing math
$1.60 * 3 = $4.80
Shopping in 2023
Negative numbers
Add
$59.99
$59.99
$59.99
$-59.99
= 3 Furby’s for the price of 2
-
Doing math
$1.60 * 3 = $4.80
$1.15 * -2= -$2.30
$4.80 + -$2.30 = $2.50
Order Successful!

Más contenido relacionado

Similar a I'm an API Hacker, Here's How to Go from Making APIs to Breaking Them - Katie Paxton-Fear, Traceable AI

Your API Sucks! Why developers hang up and how to stop that.
Your API Sucks! Why developers hang up and how to stop that.Your API Sucks! Why developers hang up and how to stop that.
Your API Sucks! Why developers hang up and how to stop that.Apigee | Google Cloud
 
LF_APIStrat17_API Style Guide: The Lord of API Designs
LF_APIStrat17_API Style Guide: The Lord of API DesignsLF_APIStrat17_API Style Guide: The Lord of API Designs
LF_APIStrat17_API Style Guide: The Lord of API DesignsLF_APIStrat
 
Mocking and Monitoring your APIs.pptx
Mocking and Monitoring your APIs.pptxMocking and Monitoring your APIs.pptx
Mocking and Monitoring your APIs.pptxPricilla Bilavendran
 
APIsecure 2023 - Your Technical Debt is My Bug Bounty, Dr. Katie Paxton-Fear
APIsecure 2023 - Your Technical Debt is My Bug Bounty, Dr. Katie Paxton-FearAPIsecure 2023 - Your Technical Debt is My Bug Bounty, Dr. Katie Paxton-Fear
APIsecure 2023 - Your Technical Debt is My Bug Bounty, Dr. Katie Paxton-Fearapidays
 
Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API LandscapeMatt Tesauro
 
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSecAPIsecure_ Official
 
What Are We Still Doing Wrong
What Are We Still Doing WrongWhat Are We Still Doing Wrong
What Are We Still Doing Wrongafa reg
 
Best practices for API Integration - Bearer.sh
Best practices for API Integration - Bearer.shBest practices for API Integration - Bearer.sh
Best practices for API Integration - Bearer.shGuillaume Montard
 
Securing Underprotected APIs - Deja vu Security
Securing Underprotected APIs - Deja vu SecuritySecuring Underprotected APIs - Deja vu Security
Securing Underprotected APIs - Deja vu SecurityDeja vu Security
 
APIdays Paris 2018 - The Lord of API Design, Arnaud Lauret, API Handyman & AP...
APIdays Paris 2018 - The Lord of API Design, Arnaud Lauret, API Handyman & AP...APIdays Paris 2018 - The Lord of API Design, Arnaud Lauret, API Handyman & AP...
APIdays Paris 2018 - The Lord of API Design, Arnaud Lauret, API Handyman & AP...apidays
 
Auditing Drupal Sites
Auditing Drupal SitesAuditing Drupal Sites
Auditing Drupal SitesExove
 
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...apidays
 
Top 20 API Testing Interview Questions.pdf
Top 20 API Testing Interview Questions.pdfTop 20 API Testing Interview Questions.pdf
Top 20 API Testing Interview Questions.pdfAnanthReddy38
 
When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...
When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...
When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...Dana Gardner
 
API Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfAPI Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfVishwas N
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdfVishwas N
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdfVishwasN6
 
APIS for Startups - Running your Business Inside Out
APIS for Startups - Running your Business Inside OutAPIS for Startups - Running your Business Inside Out
APIS for Startups - Running your Business Inside Out3scale
 
apidays LIVE Paris - Agreeing on common standards for trust with APIs by Davi...
apidays LIVE Paris - Agreeing on common standards for trust with APIs by Davi...apidays LIVE Paris - Agreeing on common standards for trust with APIs by Davi...
apidays LIVE Paris - Agreeing on common standards for trust with APIs by Davi...apidays
 

Similar a I'm an API Hacker, Here's How to Go from Making APIs to Breaking Them - Katie Paxton-Fear, Traceable AI (20)

Your API Sucks! Why developers hang up and how to stop that.
Your API Sucks! Why developers hang up and how to stop that.Your API Sucks! Why developers hang up and how to stop that.
Your API Sucks! Why developers hang up and how to stop that.
 
LF_APIStrat17_API Style Guide: The Lord of API Designs
LF_APIStrat17_API Style Guide: The Lord of API DesignsLF_APIStrat17_API Style Guide: The Lord of API Designs
LF_APIStrat17_API Style Guide: The Lord of API Designs
 
Mocking and Monitoring your APIs.pptx
Mocking and Monitoring your APIs.pptxMocking and Monitoring your APIs.pptx
Mocking and Monitoring your APIs.pptx
 
APIsecure 2023 - Your Technical Debt is My Bug Bounty, Dr. Katie Paxton-Fear
APIsecure 2023 - Your Technical Debt is My Bug Bounty, Dr. Katie Paxton-FearAPIsecure 2023 - Your Technical Debt is My Bug Bounty, Dr. Katie Paxton-Fear
APIsecure 2023 - Your Technical Debt is My Bug Bounty, Dr. Katie Paxton-Fear
 
Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API Landscape
 
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
 
What Are We Still Doing Wrong
What Are We Still Doing WrongWhat Are We Still Doing Wrong
What Are We Still Doing Wrong
 
Best practices for API Integration - Bearer.sh
Best practices for API Integration - Bearer.shBest practices for API Integration - Bearer.sh
Best practices for API Integration - Bearer.sh
 
Securing Underprotected APIs - Deja vu Security
Securing Underprotected APIs - Deja vu SecuritySecuring Underprotected APIs - Deja vu Security
Securing Underprotected APIs - Deja vu Security
 
APIdays Paris 2018 - The Lord of API Design, Arnaud Lauret, API Handyman & AP...
APIdays Paris 2018 - The Lord of API Design, Arnaud Lauret, API Handyman & AP...APIdays Paris 2018 - The Lord of API Design, Arnaud Lauret, API Handyman & AP...
APIdays Paris 2018 - The Lord of API Design, Arnaud Lauret, API Handyman & AP...
 
Auditing Drupal Sites
Auditing Drupal SitesAuditing Drupal Sites
Auditing Drupal Sites
 
APIs: The New Security Layer
APIs: The New Security LayerAPIs: The New Security Layer
APIs: The New Security Layer
 
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
 
Top 20 API Testing Interview Questions.pdf
Top 20 API Testing Interview Questions.pdfTop 20 API Testing Interview Questions.pdf
Top 20 API Testing Interview Questions.pdf
 
When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...
When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...
When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...
 
API Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfAPI Testing and Hacking (1).pdf
API Testing and Hacking (1).pdf
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdf
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdf
 
APIS for Startups - Running your Business Inside Out
APIS for Startups - Running your Business Inside OutAPIS for Startups - Running your Business Inside Out
APIS for Startups - Running your Business Inside Out
 
apidays LIVE Paris - Agreeing on common standards for trust with APIs by Davi...
apidays LIVE Paris - Agreeing on common standards for trust with APIs by Davi...apidays LIVE Paris - Agreeing on common standards for trust with APIs by Davi...
apidays LIVE Paris - Agreeing on common standards for trust with APIs by Davi...
 

Más de Nordic APIs

How I Built Bill, the AI-Powered Chatbot That Reads Our Docs for Fun , by Tod...
How I Built Bill, the AI-Powered Chatbot That Reads Our Docs for Fun , by Tod...How I Built Bill, the AI-Powered Chatbot That Reads Our Docs for Fun , by Tod...
How I Built Bill, the AI-Powered Chatbot That Reads Our Docs for Fun , by Tod...Nordic APIs
 
The Art of API Design, by David Biesack at Apiture
The Art of API Design, by David Biesack at ApitureThe Art of API Design, by David Biesack at Apiture
The Art of API Design, by David Biesack at ApitureNordic APIs
 
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by Dav...
ABAC, ReBAC, Zanzibar, ALFA…  How Should I Implement AuthZ in My APIs? by Dav...ABAC, ReBAC, Zanzibar, ALFA…  How Should I Implement AuthZ in My APIs? by Dav...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by Dav...Nordic APIs
 
Crafting a Cloud Native API Platform to Accelerate Your Platform Maturity - B...
Crafting a Cloud Native API Platform to Accelerate Your Platform Maturity - B...Crafting a Cloud Native API Platform to Accelerate Your Platform Maturity - B...
Crafting a Cloud Native API Platform to Accelerate Your Platform Maturity - B...Nordic APIs
 
The Federated Future: Pioneering Next-Gen Solutions in API Management - Marku...
The Federated Future: Pioneering Next-Gen Solutions in API Management - Marku...The Federated Future: Pioneering Next-Gen Solutions in API Management - Marku...
The Federated Future: Pioneering Next-Gen Solutions in API Management - Marku...Nordic APIs
 
API Authorization Using an Identity Server and Gateway - Aldo Pietropaolo, SGNL
API Authorization Using an Identity Server and Gateway - Aldo Pietropaolo, SGNLAPI Authorization Using an Identity Server and Gateway - Aldo Pietropaolo, SGNL
API Authorization Using an Identity Server and Gateway - Aldo Pietropaolo, SGNLNordic APIs
 
API Discovery from Crawl to Run - Rob Dickinson, Graylog
API Discovery from Crawl to Run - Rob Dickinson, GraylogAPI Discovery from Crawl to Run - Rob Dickinson, Graylog
API Discovery from Crawl to Run - Rob Dickinson, GraylogNordic APIs
 
Productizing and Monetizing APIs - Derric Gilling, Moseif
Productizing and Monetizing APIs - Derric Gilling, MoseifProductizing and Monetizing APIs - Derric Gilling, Moseif
Productizing and Monetizing APIs - Derric Gilling, MoseifNordic APIs
 
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Sipios
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, SipiosSecurely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Sipios
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, SipiosNordic APIs
 
Security of LLM APIs by Ankita Gupta, Akto.io
Security of LLM APIs by Ankita Gupta, Akto.ioSecurity of LLM APIs by Ankita Gupta, Akto.io
Security of LLM APIs by Ankita Gupta, Akto.ioNordic APIs
 
Unleashing the Potential of GraphQL with Streaming Data - Kishore Banala, Net...
Unleashing the Potential of GraphQL with Streaming Data - Kishore Banala, Net...Unleashing the Potential of GraphQL with Streaming Data - Kishore Banala, Net...
Unleashing the Potential of GraphQL with Streaming Data - Kishore Banala, Net...Nordic APIs
 
Reigniting the API Description Wars with TypeSpec and the Next Generation of ...
Reigniting the API Description Wars with TypeSpec and the Next Generation of...Reigniting the API Description Wars with TypeSpec and the Next Generation of...
Reigniting the API Description Wars with TypeSpec and the Next Generation of ...Nordic APIs
 
Establish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAny
Establish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAnyEstablish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAny
Establish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAnyNordic APIs
 
Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...
Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...
Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...Nordic APIs
 
Going Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIs
Going Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIsGoing Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIs
Going Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIsNordic APIs
 
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...Nordic APIs
 
GenAI: Producing and Consuming APIs by Paul Dumas, Gartner
GenAI: Producing and Consuming APIs by Paul Dumas, GartnerGenAI: Producing and Consuming APIs by Paul Dumas, Gartner
GenAI: Producing and Consuming APIs by Paul Dumas, GartnerNordic APIs
 
The SAS developer portal – developer.sas.com 2.0: How we built it by Joe Furb...
The SAS developer portal –developer.sas.com 2.0: How we built it by Joe Furb...The SAS developer portal –developer.sas.com 2.0: How we built it by Joe Furb...
The SAS developer portal – developer.sas.com 2.0: How we built it by Joe Furb...Nordic APIs
 
How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...
How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...
How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...Nordic APIs
 
cURL to SDK: Navigating the API Adoption Chasm - Sidney Maestre, APIMatic
cURL to SDK: Navigating the API Adoption Chasm - Sidney Maestre, APIMaticcURL to SDK: Navigating the API Adoption Chasm - Sidney Maestre, APIMatic
cURL to SDK: Navigating the API Adoption Chasm - Sidney Maestre, APIMaticNordic APIs
 

Más de Nordic APIs (20)

How I Built Bill, the AI-Powered Chatbot That Reads Our Docs for Fun , by Tod...
How I Built Bill, the AI-Powered Chatbot That Reads Our Docs for Fun , by Tod...How I Built Bill, the AI-Powered Chatbot That Reads Our Docs for Fun , by Tod...
How I Built Bill, the AI-Powered Chatbot That Reads Our Docs for Fun , by Tod...
 
The Art of API Design, by David Biesack at Apiture
The Art of API Design, by David Biesack at ApitureThe Art of API Design, by David Biesack at Apiture
The Art of API Design, by David Biesack at Apiture
 
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by Dav...
ABAC, ReBAC, Zanzibar, ALFA…  How Should I Implement AuthZ in My APIs? by Dav...ABAC, ReBAC, Zanzibar, ALFA…  How Should I Implement AuthZ in My APIs? by Dav...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by Dav...
 
Crafting a Cloud Native API Platform to Accelerate Your Platform Maturity - B...
Crafting a Cloud Native API Platform to Accelerate Your Platform Maturity - B...Crafting a Cloud Native API Platform to Accelerate Your Platform Maturity - B...
Crafting a Cloud Native API Platform to Accelerate Your Platform Maturity - B...
 
The Federated Future: Pioneering Next-Gen Solutions in API Management - Marku...
The Federated Future: Pioneering Next-Gen Solutions in API Management - Marku...The Federated Future: Pioneering Next-Gen Solutions in API Management - Marku...
The Federated Future: Pioneering Next-Gen Solutions in API Management - Marku...
 
API Authorization Using an Identity Server and Gateway - Aldo Pietropaolo, SGNL
API Authorization Using an Identity Server and Gateway - Aldo Pietropaolo, SGNLAPI Authorization Using an Identity Server and Gateway - Aldo Pietropaolo, SGNL
API Authorization Using an Identity Server and Gateway - Aldo Pietropaolo, SGNL
 
API Discovery from Crawl to Run - Rob Dickinson, Graylog
API Discovery from Crawl to Run - Rob Dickinson, GraylogAPI Discovery from Crawl to Run - Rob Dickinson, Graylog
API Discovery from Crawl to Run - Rob Dickinson, Graylog
 
Productizing and Monetizing APIs - Derric Gilling, Moseif
Productizing and Monetizing APIs - Derric Gilling, MoseifProductizing and Monetizing APIs - Derric Gilling, Moseif
Productizing and Monetizing APIs - Derric Gilling, Moseif
 
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Sipios
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, SipiosSecurely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Sipios
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Sipios
 
Security of LLM APIs by Ankita Gupta, Akto.io
Security of LLM APIs by Ankita Gupta, Akto.ioSecurity of LLM APIs by Ankita Gupta, Akto.io
Security of LLM APIs by Ankita Gupta, Akto.io
 
Unleashing the Potential of GraphQL with Streaming Data - Kishore Banala, Net...
Unleashing the Potential of GraphQL with Streaming Data - Kishore Banala, Net...Unleashing the Potential of GraphQL with Streaming Data - Kishore Banala, Net...
Unleashing the Potential of GraphQL with Streaming Data - Kishore Banala, Net...
 
Reigniting the API Description Wars with TypeSpec and the Next Generation of ...
Reigniting the API Description Wars with TypeSpec and the Next Generation of...Reigniting the API Description Wars with TypeSpec and the Next Generation of...
Reigniting the API Description Wars with TypeSpec and the Next Generation of ...
 
Establish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAny
Establish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAnyEstablish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAny
Establish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAny
 
Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...
Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...
Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...
 
Going Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIs
Going Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIsGoing Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIs
Going Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIs
 
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...
 
GenAI: Producing and Consuming APIs by Paul Dumas, Gartner
GenAI: Producing and Consuming APIs by Paul Dumas, GartnerGenAI: Producing and Consuming APIs by Paul Dumas, Gartner
GenAI: Producing and Consuming APIs by Paul Dumas, Gartner
 
The SAS developer portal – developer.sas.com 2.0: How we built it by Joe Furb...
The SAS developer portal –developer.sas.com 2.0: How we built it by Joe Furb...The SAS developer portal –developer.sas.com 2.0: How we built it by Joe Furb...
The SAS developer portal – developer.sas.com 2.0: How we built it by Joe Furb...
 
How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...
How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...
How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...
 
cURL to SDK: Navigating the API Adoption Chasm - Sidney Maestre, APIMatic
cURL to SDK: Navigating the API Adoption Chasm - Sidney Maestre, APIMaticcURL to SDK: Navigating the API Adoption Chasm - Sidney Maestre, APIMatic
cURL to SDK: Navigating the API Adoption Chasm - Sidney Maestre, APIMatic
 

Último

Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxFIDO Alliance
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewDianaGray10
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxFIDO Alliance
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....rightmanforbloodline
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxFIDO Alliance
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfdanishmna97
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...FIDO Alliance
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 

Último (20)

Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 

I'm an API Hacker, Here's How to Go from Making APIs to Breaking Them - Katie Paxton-Fear, Traceable AI

Notas del editor

  1. Have you ever wanted to be the villain or anti-hero? In this talk, we’ll cover how to hack APIs, with permission, of course. First, we’ll look at the tools of the trade for API hackers, some of the most common security vulnerabilities and how we test for them, and finally, I’ll tell some of my API hacking stories. The aim of the session will be to learn a little API hacking and encourage people to have a go at API hacking themselves. Participants will also join me as I hack live, giving suggestions for the next steps, for an interactive and engaging session.
  2. - I started my career at 7 years old making neopets homepages, was really interested in web dev and wanted to build my own neopets Eventually did a degree in Computer Science, had the opportunity to study cyber security, didn’t take it at this point I knew a lot about websites and my grade was on the line After my degree I worked as a general developer doing full stack PHP development in Laravel, you might be wondering why as a developer I was roped into fixing the mess of cables in the server room on this slide, and so am I Eventually decided to do a PhD in cyber security and AI, and I really saw security as just a thing
  3. Postman Kiterunner FFUF Burp JSON Graphql vogager JSON crack
  4. Have you ever wanted to be the villain or anti-hero? In this talk, we’ll cover how to hack APIs, with permission, of course. First, we’ll look at the tools of the trade for API hackers, some of the most common security vulnerabilities and how we test for them, and finally, I’ll tell some of my API hacking stories. The aim of the session will be to learn a little API hacking and encourage people to have a go at API hacking themselves. Participants will also join me as I hack live, giving suggestions for the next steps, for an interactive and engaging session.