Webcast 116220 PDF
{
  "firstname": "Jason",
  "lastname": "Smith",
  "totalprice": 120,
  "depositpaid": true,
  "bookingdates": {
    "checkin": "2018-05-07",
    "checkout": "2019-05-09"
  }
}
CRUD
• CRUD is an acronym for Create, Retrieve, Update, Delete
*Source - (https://www.gartner.com/en/documents/3956746/api-security-what-you-need-to-do-to-protect-your-apis)
It’s Going To Get Worse
• IoT, smart homes and autonomous vehicles will make APIs even more popular, and so will the attacks
*Source - (https://www.gartner.com/en/documents/3956746/api-security-what-you-need-to-do-to-protect-your-apis)
Recommended Tools for API Pen Testing
• Burp Suite - Web Application Proxy and Testing Tool
1. Broken Object Level Authorization (cont.)
Real World Example
• T-Mobile (2017)
• Attacker discovered Phone # = User ID
Source - https://www.vice.com/en_us/article/7xkyyz/t-mobile-customer-data-bug-hackers-no-excuse
How To Fix
Example
• API response displays sensitive information.
• More on this later
3. Excessive Data Exposure (cont.)
How To Fix
4. Lack of Resources and Rate Limiting (cont.)
How To Fix
• Avoid function-level authorization.
• Deny all access by default.
• Only allow authorized users into the appropriate groups or roles.
• Perform regular tests on authorization.
6. Mass Assignment
• When APIs expose resources or variables, attackers can use these to craft their requests and calls to access resources they aren’t supposed to.
6. Mass Assignment (cont.)
Example
6. Mass Assignment (cont.)
How To Fix
• Avoid exposing internal variables or object names as input.
Example
• Application uses MongoDB and is vulnerable to NoSQL injection attacks
• Successfully bypassed authentication with a [$ne] query
8. Injection (cont.)
How To Fix
• Use proper filtering to limit the amount of information in the responses to prevent data leaks.
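Added example (not code from the webcast) showing the server-side input handling behind the Mass Assignment fix above (allowlist the fields a client may set instead of copying the request body into the object) and the NoSQL injection fix (reject operator objects such as {"$ne": ""} before any MongoDB filter is built). The field names are taken from the booking JSON at the top of the page; the "role" field used in the test is an assumed internal attribute.

```python
from typing import Any

# Mass assignment fix: an explicit allowlist of client-settable fields and their
# types, based on the booking JSON shown on the page. Internal fields (for example
# an assumed "role" attribute) are deliberately absent, so a client can never set them.
ALLOWED_FIELDS: dict[str, type] = {
    "firstname": str,
    "lastname": str,
    "totalprice": int,
    "depositpaid": bool,
}
ALLOWED_DATES = ("checkin", "checkout")


def reject_operators(value: Any) -> None:
    """Injection fix: refuse any nested object whose keys look like MongoDB operators
    ($ne, $gt, $regex, ...), so an operator object can never reach a query filter."""
    if isinstance(value, dict):
        for key, inner in value.items():
            if isinstance(key, str) and key.startswith("$"):
                raise ValueError(f"query operator not allowed in input: {key}")
            reject_operators(inner)
    elif isinstance(value, list):
        for inner in value:
            reject_operators(inner)


def sanitize_booking(body: dict) -> dict:
    """Return a copy of body with only allowlisted, type-checked fields.
    Unknown fields raise instead of being silently merged into the stored object."""
    reject_operators(body)
    clean: dict = {}
    for key, value in body.items():
        if key in ALLOWED_FIELDS:
            # 'type(value) is', not isinstance: bool is a subclass of int in Python
            if type(value) is not ALLOWED_FIELDS[key]:
                raise ValueError(f"wrong type for field {key}")
            clean[key] = value
        elif key == "bookingdates":
            if not isinstance(value, dict) or set(value) != set(ALLOWED_DATES):
                raise ValueError("bookingdates must contain exactly checkin and checkout")
            if not all(isinstance(value[d], str) for d in ALLOWED_DATES):
                raise ValueError("booking dates must be strings")
            clean[key] = {d: value[d] for d in ALLOWED_DATES}
        else:
            raise ValueError(f"unexpected field: {key}")
    return clean
```

Running reject_operators over a login body before building the MongoDB filter rejects the {"$ne": ""} password object from the injection example above before any query is issued.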
9. Improper Assets Management
• Non-production or earlier versions of an API that are still in use and/or not as well protected as the production or current API are potential targets for attackers
9. Improper Assets Management (cont.)
Example – JustDial (2019)
• Over 100 million users’ personal data exposed
• Researcher accessed an old unprotected, public API endpoint of the database
Source - https://thehackernews.com/2019/04/justdial-hacked-data-breach.html
9. Improper Assets Management (cont.)
How To Fix