
Analyzing the OWASP API Security Top 10 for Pen Testers


Agenda
• What Are APIs?
• Types of APIs
• Traditional Web Applications vs. APIs
• API Security Challenges
• OWASP API Security Project & Top Ten
• How To Test
• Other Tips & Tricks
#WhoAmI
• Davin Jackson (Twitter & IG @Djax_Alpha)
• Father, Husband, Air Force Veteran, Hacker, Mentor
• Contributor at AlphaCyberSecurity.tech
• Security Architect & Penetration Tester at Greensky
• Hobbies - Comic Books, Movies/TV, Gaming
APIs
What Are APIs?
• An Application Programming Interface (API) is a set of rules or protocols that allow programs and applications to communicate with each other.
• Simply put, an API is one piece of code talking to another piece of code.
The “Waiter” Example
• When you go to a restaurant, you look on the menu to see what is being offered.
• A waiter then takes your order.
• Next, the waiter brings your order to the kitchen, which prepares your order.
• When ready, the waiter brings your order to you.
Who Uses APIs
Types of APIs
• SOAP
• REST
• GraphQL
REST API Characteristics
• RESTful APIs are “stateless”
• REST primarily uses JavaScript Object Notation, or JSON

{
  "firstname": "Jason",
  "lastname": "Smith",
  "totalprice": 120,
  "depositpaid": true,
  "bookingdates": {
    "checkin": "2018-05-07",
    "checkout": "2019-05-09"
  }
}
CRUD
• CRUD is an acronym for Create, Retrieve, Update, Delete

Operation          HTTP Method       RESTful Web Service (API)
CREATE             PUT/POST          POST
READ or RETRIEVE   GET               GET
UPDATE             PUT/POST/PATCH    PUT
DELETE             DELETE            DELETE

APIs vs Traditional Web Applications
• Some of the more popular web application vulnerabilities are not common with APIs

Vulnerability           Solution
SQLi                    Object Relational Mapping (ORM)
Path Manipulation       Cloud Based Storage
XSS (Reflected), CSRF   Using Authorization Headers instead of Cookies
XXE                     REST Architecture (JSON)
APIs Face Their Own Challenges
• More info = More data at risk of being exposed
• APIs are easy to discover
• APIs can be accessed from several different endpoints
• Constant changes and releases, different clients or devices
• As a result, APIs are harder to secure
It’s Going To Get Worse
• IoT, Smart Homes and autonomous vehicles will make APIs even more popular. And so will the attacks.
• According to Gartner, APIs will account for 90% of the attack surface. By 2022, APIs will become the most frequent attack vector!
*Source - https://www.gartner.com/en/documents/3956746/api-security-what-you-need-to-do-to-protect-your-apis
• However, attacks are happening right NOW!!!

Recent Breaches Due to API Vulnerabilities
APIs Are Critical and MUST Be Secured…
Whether it is a security team looking to secure their application or a bug hunter finding bugs in these programs, there must be a secure strategy put in place to manage and protect APIs and the systems and applications that use them!
The OWASP API Security Project
• OWASP is a nonprofit organization that works to improve the security of web applications and software.
• Erez Yalon and Inon Shkedy created the OWASP API Security Project, and the OWASP API Security Top Ten.
Source - https://owasp.org/www-project-api-security/
OWASP API Security Top Ten
• A1 Broken Object Level Authorization
• A2 Broken Authentication
• A3 Excessive Data Exposure
• A4 Lack of Resources and Rate Limiting
• A5 Broken Function Level Authorization
• A6 Mass Assignment
• A7 Security Misconfiguration
• A8 Injection
• A9 Improper Assets Management
• A10 Insufficient Logging & Monitoring
So, We Know the Vulnerabilities. But…
“Testing APIs is somewhat new & a little different from Web Pen Testing”
• No “Screen” to look at
• Testers must have a better understanding of the API or app to successfully discover and exploit vulnerabilities
Recommended Tools for API Pen Testing
Postman
• Popular API Development and Testing Tool
Burp Suite
• Web Application Proxy and Testing Tool
Postman AND Burp Suite!!!
REST API Vulnerability Scanners
• W3af
• Astra
• FuzzAPI
• Vooki
Recommended Tools (cont.)
• cURL
• JWT.io
• Burp Extensions (Autorize, JWT Attacker, Turbo Intruder, Auto Repeater)
• SQLMap
• Fuzzing Wordlists (SecLists, fuzzdb, api_wordlist, etc.)
Before You Start…
• Collect any Documentation or Notes on the
target APIs
• Gather any user tokens/accounts needed
• Come up w/ a Testing Methodology
• P.O.I.S.E.D. or S.T.R.I.D.E Methodologies are a
good example
TESTING THE OWASP API SECURITY TOP TEN
1. Broken Object Level Authorization
• BOLA is an access control vulnerability that occurs when user-supplied input is used to access other resources that the user should not normally have access to.
• BOLA is more commonly known as Insecure Direct Object References (IDOR)
1. Broken Object Level Authorization (cont.)
Example
• Found Encoded Student ID in URL
• Decoded Student ID
• Ran Intruder to find other IDs w/ Base64 Encoding
• Accessed User ID 93’s Grades
1. Broken Object Level Authorization (cont.)
Real World Example
• T-Mobile (2017)
• Attacker discovered Phone # = User ID
Source - https://www.vice.com/en_us/article/7xkyyz/t-mobile-customer-data-bug-hackers-no-excuse
1. Broken Object Level Authorization (cont.)
How To Fix
• Implement authorization checks with user policies and hierarchy.
• Do not practice using user IDs in the API request calls.
• Use random, unguessable IDs (UUIDs).
• Check authorization for clients requesting access.
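Added example (not from the slides, and not the code of any project named in them): an object-level check for a "get booking by id" handler, with the vulnerable lookup beside the fixed one and UUIDs for new objects. The in-memory store, user names and roles are constructed for illustration.

```python
# Added example: object-level authorization for a booking lookup (plain Python,
# no web framework). Data below is constructed for illustration only.
import uuid

BOOKINGS = {
    "b1": {"owner": "alice", "totalprice": 120},
    "b2": {"owner": "bob", "totalprice": 300},
}

class Forbidden(Exception):
    pass

def get_booking_vulnerable(booking_id, caller):
    # BOLA/IDOR: the caller-supplied id is used directly, with no ownership check,
    # so any authenticated user can read any booking just by changing the id.
    return BOOKINGS[booking_id]

def get_booking_fixed(booking_id, caller, roles=()):
    # Look the object up, then verify the caller may see it (owner or admin role).
    booking = BOOKINGS.get(booking_id)
    if booking is None or not (booking["owner"] == caller or "admin" in roles):
        # Same error for "missing" and "not yours", so ids cannot be enumerated
        # by telling the two responses apart.
        raise Forbidden("no access to this resource")
    return booking

def new_booking_id():
    # Random, unguessable identifier instead of a sequential or encoded integer.
    return str(uuid.uuid4())
```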
2. Broken Authentication
• Poor implementation of authentication methods.
• Sensitive authentication details like auth tokens and passwords in URL
• Misconfigured JWT ( {"alg":"NONE"} )
• The app permits weak passwords and/or encryption keys
2. Broken Authentication (cont.)
Examples
• Access Token being used in the URL
• User using a weak password to authenticate to the application. Weak passwords are easy to guess or brute-force
2. Broken Authentication (cont.)
How To Fix
• Use secure methods to authenticate to APIs.
• Consider using Multi-Factor Authentication and Captchas.
• Use temporary access tokens.
• Use strict rate-limiting for authentication and implement lockout policies.
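Added example (not from the slides): a JWT verifier that pins the algorithm server-side, so the misconfigured {"alg":"NONE"} token mentioned above is rejected rather than trusted. It uses only the standard library; the key and claims are constructed for illustration, and unsigned_token() only builds the shape of a tampered token so the verifier can be tested against it.

```python
# Added example: HS256 JWT issue/verify in plain Python, rejecting "alg: none".
import base64, hashlib, hmac, json

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims, key):
    # Server-side issuance: the header always names HS256.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_hs256(token, key):
    # Returns the claims only if the token is well-formed, uses the pinned
    # algorithm and carries a valid HMAC; returns None in every other case.
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        # Never let the token choose the algorithm: "none"/"NONE" and anything
        # other than what the server issues is refused before any crypto runs.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        msg = f"{header_b64}.{body_b64}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None
        return json.loads(_unb64url(body_b64))
    except ValueError:  # bad base64, bad JSON, or wrong number of parts
        return None

def unsigned_token(claims):
    # Shape of a tampered token: {"alg":"none"} header and an empty signature.
    # A verifier that honoured the header would accept it without any key.
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."
```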
3. Excessive Data Exposure
• APIs can expose too much data.
• Excessive data exposure can result in attackers using those extra details to gather information they should not have or use it to formulate a more sophisticated attack.
3. Excessive Data Exposure (cont.)
Example
• API response displays sensitive information.
• (More on this later)
3. Excessive Data Exposure (cont.)
How To Fix
• Filter data of all API responses, including error responses
• Limit the exposure of sensitive data or Personally Identifiable Information (PII).
• Enforce response checks to prevent accidental leaks of data or exceptions.
• NEVER rely on client side to filter sensitive data!!!

4. Lack of Resources and Rate Limiting
• This occurs when developers do not implement rate limiting measures in the code that would protect the API or application from attacks like denial of service or brute-force attacks.
4. Lack of Resources and Rate Limiting (cont.)
Example
• We know the username, but not the password
• Set up Burp’s Intruder component to brute-force the password field.
• Upload a custom wordlist and run the Intruder attack.
• The brute-force attack was a success and we have gained access to the user’s account!
4. Lack of Resources and Rate Limiting (cont.)
How To Fix
• Define proper rate limiting.
• Limit payload sizes.
• Define and enforce limits for resources
• Perform Rate-Limiting tests regularly

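Added example (not from the slides): a per-account login rate limit with a lockout window, the control that would have stopped the Intruder brute-force shown above. It is plain Python with an injectable clock so the behaviour can be checked without waiting; the thresholds and the sample credential check are constructed.

```python
# Added example: sliding-window failure counter plus lockout for login attempts.
import time
from collections import defaultdict, deque

class LoginLimiter:
    def __init__(self, max_attempts=5, window_s=60, lockout_s=900,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window_s = window_s        # failures older than this are forgotten
        self.lockout_s = lockout_s      # how long the key stays locked
        self.clock = clock              # injectable for deterministic tests
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time the lockout expires

    def allowed(self, key):
        now = self.clock()
        if self.locked_until.get(key, 0) > now:
            return False
        q = self.failures[key]
        while q and now - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        return len(q) < self.max_attempts

    def record(self, key, success):
        now = self.clock()
        if success:
            self.failures.pop(key, None)          # a good login resets the counter
            return
        self.failures[key].append(now)
        if len(self.failures[key]) >= self.max_attempts:
            self.locked_until[key] = now + self.lockout_s

def attempt_login(limiter, username, password, check_password):
    # Gate every attempt through the limiter *before* the password is checked,
    # and record the outcome so lockout kicks in after max_attempts failures.
    if not limiter.allowed(username):
        return "locked"
    ok = check_password(username, password)
    limiter.record(username, ok)
    return "ok" if ok else "denied"
```

In a real deployment the key would usually combine the account with the source address, and the counters would live in shared storage rather than one process.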
5. Broken Function Level Authorization
• BFLA attacks are similar to BOLA or IDOR attacks
• BFLA attacks focus on exploiting the roles and access used in the API.
5. Broken Function Level Authorization (cont.)
Example
5. Broken Function Level Authorization (cont.)
How To Fix
• Avoid function-level authorization.
• Deny all access by default.
• Only allow authorized users into the appropriate groups or roles.
• Perform regular tests on authorization.
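Added example (not from the slides): deny-by-default function-level authorization, where each API function is mapped to the roles allowed to call it and any function missing from the table is refused for everyone. The function and role names are constructed for illustration.

```python
# Added example: role-to-function policy table enforced by a decorator.
from functools import wraps

class Forbidden(Exception):
    pass

# Central policy. A function that is not listed here is denied for every role,
# which is the "deny all access by default" rule.
PERMISSIONS = {
    "list_own_orders": {"user", "support", "admin"},
    "refund_order":    {"support", "admin"},
    "delete_user":     {"admin"},
}

def require_role(func_name):
    def decorator(fn):
        @wraps(fn)
        def wrapper(caller_roles, *args, **kwargs):
            allowed = PERMISSIONS.get(func_name, set())  # unknown -> empty -> deny
            if not set(caller_roles) & allowed:
                raise Forbidden(f"{func_name} not permitted for {sorted(caller_roles)}")
            return fn(caller_roles, *args, **kwargs)
        return wrapper
    return decorator

@require_role("list_own_orders")
def list_own_orders(caller_roles, user):
    return f"orders for {user}"

@require_role("delete_user")
def delete_user(caller_roles, user):
    return f"deleted {user}"

@require_role("export_everything")   # not in PERMISSIONS: nobody can call it
def export_everything(caller_roles):
    return "dump"

def can_call(func_name, caller_roles):
    # Same decision as the decorator, usable from authorization tests.
    return bool(set(caller_roles) & PERMISSIONS.get(func_name, set()))
```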
6. Mass Assignment
• When APIs expose resources or variables, attackers can use these to craft their requests and calls to access resources they aren’t supposed to.
6. Mass Assignment (cont.)
Example
6. Mass Assignment (cont.)
How To Fix
• Avoid exposing internal variables or object names as input.
• Approve properties that the client can update.

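Added example (not from the slides) serving two of the fixes above with one allowlist helper: filtering what an API response may contain (3. Excessive Data Exposure) and approving which properties a client may update (6. Mass Assignment). The booking record and its internal fields are constructed for illustration.

```python
# Added example: server-side allowlists for response fields and writable fields.
RESPONSE_FIELDS = {"id", "firstname", "lastname", "totalprice", "depositpaid"}
CLIENT_WRITABLE = {"firstname", "lastname", "depositpaid"}

class BadRequest(Exception):
    pass

def pick(obj, allowed):
    # Keep only allow-listed keys; anything else is dropped, never passed through.
    return {k: v for k, v in obj.items() if k in allowed}

def serialize_booking(record):
    # Excessive data exposure fix: filter on the server before the response
    # leaves the API, instead of relying on the client to hide fields.
    return pick(record, RESPONSE_FIELDS)

def apply_update(record, payload):
    # Mass assignment fix: only approved properties may be set by the client.
    # Unknown or internal fields are rejected outright (not silently ignored),
    # so an attempt to write "role" or "totalprice" shows up in logs.
    extra = set(payload) - CLIENT_WRITABLE
    if extra:
        raise BadRequest(f"not updatable: {sorted(extra)}")
    updated = dict(record)
    updated.update(pick(payload, CLIENT_WRITABLE))
    return updated

# Constructed sample record with internal fields that must never reach a client.
BOOKING = {
    "id": 7, "firstname": "Jason", "lastname": "Smith", "totalprice": 120,
    "depositpaid": True, "owner_email": "jason@example.com",
    "payment_card_last4": "4242", "role": "user", "internal_notes": "VIP",
}
```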
7. Security Misconfiguration
• Misconfigured security settings in APIs or applications can lead to attackers exploiting those vulnerable settings to compromise the application.
7. Security Misconfiguration (cont.)
Example
• Used Vooki Vulnerability Scanner
• Scanner discovered API using unencrypted communications (HTTP)
7. Security Misconfiguration (cont.)
How To Fix
• Establish and practice hardening and patching procedures.
• Disable unnecessary applications and features.
• Restrict administrative access / practice least privilege
• Regularly test for security misconfigurations using scanning tools and manual testing.
8. Injection
• Injection attacks occur when developers fail to sanitize user input properly.
8. Injection (cont.)
Example
• Application uses MongoDB and is vulnerable to NoSQL Injection Attacks
• Successfully bypassed authentication with [$ne] query
8. Injection (cont.)
How To Fix
• Perform input validation and proper sanitization for all input.
• Use proper filtering to limit the amount of information in the responses to prevent data leaks.
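Added example (not from the slides): why the $ne bypass above works against a login that forwards parsed JSON into a MongoDB-style query, and the input-validation fix. The matcher is a tiny stand-in for MongoDB's query engine (it understands only $ne) and the user record is constructed; a real service would compare a password hash, not the plaintext used here to keep the matcher small.

```python
# Added example: NoSQL ($ne) authentication bypass and its input-validation fix.
import json

USERS = [{"username": "admin", "password": "s3cr3t-constructed"}]  # constructed

def matches(doc, query):
    # Minimal MongoDB-like matching: a dict value holding "$ne" is an operator,
    # so {"password": {"$ne": ""}} matches any document whose password is not "".
    for field, cond in query.items():
        if isinstance(cond, dict) and "$ne" in cond:
            if doc.get(field) == cond["$ne"]:
                return False
        elif doc.get(field) != cond:
            return False
    return True

def find_one(query):
    return next((u for u in USERS if matches(u, query)), None)

def login_vulnerable(body_json):
    # Forwards whatever JSON the client sent, so an object takes the place of
    # the password string and becomes a query operator instead of a value.
    body = json.loads(body_json)
    return find_one({"username": body["username"], "password": body["password"]})

def login_fixed(body_json):
    # Input validation: both credentials must be plain strings. Objects, lists
    # and numbers are refused before they can reach the query builder.
    body = json.loads(body_json)
    username, password = body.get("username"), body.get("password")
    if not (isinstance(username, str) and isinstance(password, str)):
        return None
    return find_one({"username": username, "password": password})
```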
9. Improper Assets Management
• Non-production or earlier versions of an API that are still in use and/or not as well protected as the production or current API are potential targets for attackers
9. Improper Assets Management (cont.)
Example – JustDial (2019)
• Over 100 million users’ personal data exposed
• Researcher accessed an old unprotected, public API endpoint of the database
Source - https://thehackernews.com/2019/04/justdial-hacked-data-breach.html
9. Improper Assets Management (cont.)
How To Fix
• Perform regular security reviews of all APIs
• Keep up-to-date inventory of all API hosts.
• Limit access to anything that should not be public like documentation.
• Retire older and unused versions of APIs
10. Insufficient Logging & Monitoring
• Without proper logging and monitoring, attacks can go unnoticed.
10. Insufficient Logging & Monitoring (cont.)
How To Fix
• Use standard formats to monitor and log APIs like API Gateways
• Log input validation failures, failed authentication attempts, denied access, etc.
• Keep your logs protected like sensitive data
• Monitor your API endpoints across all phases (production, stage, test, dev). React to security issues identified within your API.
• Avoid sensitive data in logs
In Conclusion
• APIs are the future of apps
• APIs don’t share some of the common web vulnerabilities, but have their own set of security concerns
• Practice testing and exploiting these vulnerabilities
• Penetration Testers and Security Teams should adopt the OWASP API Top 10 like they do with the OWASP Top 10 or SANS Top 25
Practice, Practice, Practice
• OWASP Juice Shop (https://github.com/bkimminich/juice-shop)
• OWASP DevSlop’s Pixi App (https://github.com/DevSlop/Pixi)
• Optiv’s REST API Goat (https://github.com/optiv/rest-api-goat/)
• Tiredful API (https://github.com/payatu/Tiredful-API)
• Damn Vulnerable Web Services (https://github.com/snoopysecurity/dvws-node)
Tips
Read / Explore API documentation if it is available:
• What is the API’s purpose? Ask questions about the intended uses and what applications are currently using the API (if any).
• Are there Flowcharts or diagrams available?
Observe each parameter in every module of the API and understand how the data is transferred from source to destination. Try to play with the parameters by tampering with them.
Test Each HTTP Method (GET, POST, PUT, etc.)
• Pay Attention to the Headers
• Pay Attention to the Responses
• Error Handling (Exception, Error messages being used)
More Tips
Remember to utilize your proxy and capture all HTTP requests and responses (Intruder, Repeater)
Fuzz as many endpoints as you can find (In Scope)
Have you tried Brute-force Attacks, Password Sprays or Credential Stuffing?
Send Data the API is NOT expecting
• i.e., if integers, try strings
• Try for SQL/NoSQL errors (“ ’ ”)
Look for low hanging fruit
• if api/user = try /api/admin
• if api/v4 = try api/v3, /v2, /v1
• Are Tokens predictable?
Try Scenarios to test the Authentication and Authorization
• Try different Cookies, GUIDs, Tokens, Session IDs, etc. OR…
• Remove Cookies, GUIDs, Tokens, Session IDs
Finally….
• Have a “Child-like” curiosity when testing APIs
• Ask yourself LOTS of questions when analyzing them
• “Is that TOO MUCH information?”
• “Oooooooh, What’s that?”
• “What happens when I do THIS?”
• “What does this, or this or this do?”
• ……Did I mention reading any available documentation?
Questions?
Follow Me & Subscribe:
• Blog – https://AlphaCyberSecurity.tech
• Twitter – https://twitter.com/djax_alpha
• Instagram – https://Instagram.com/djax_alpha
• Facebook – https://facebook.com/AlphaCyberSec
• YouTube – https://www.youtube.com/channel/UCJVQ4X0olUFq0nrxS8Xvijg
• Twitch – https://twitch.tv/djax120
Thank You!
