Offensive API Penetration Testing

Sunny Singh, Lead Security Engineer at Calibo, shows multiple offensive ways to break APIs manually and with tools by following the OWASP Top 10 API Vulnerabilities.

This is the era of cutting-edge technologies, in which APIs are the most crucial part. Security comes first for any organisation, hence breaking APIs ourselves before hackers do is most important.

Agenda

  1. Introduction
  2. API Security Lab Setup
  3. API Penetration Testing Tools
  4. OWASP Top 10 API Vulnerabilities
  5. API Security Resources

Introduction:

Introduction by speaker Sunny Singh, Lead Security Engineer, Calibo, https://www.linkedin.com/in/sunny-singh-13925a130/. Calibo's Lazsa Pro-Code Product Platform-as-a-Service (pPaaS) simplifies and accelerates the end-to-end product development lifecycle, from conceptualization through deployment. Sunny works as a principal security engineer at cybert.in and leads a team of security engineers at Skyewall. Any time left over from that is devoted to bug bounty hunting.

This talk is about how to set up an API security function: the lab setup to practice API security and/or penetration testing, the popular tools used to perform the pen test, and the standards to follow to ensure you are doing security right. Also included are helpful resources.

Shortcut to section: https://youtu.be/Hfd3KcP1gQg?t=189

API Security Lab Setup

Shortcut to section: https://youtu.be/Hfd3KcP1gQg?t=465

vAPI vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable API that mimics OWASP API Top 10 scenarios in the form of exercises. https://github.com/roottusk/vapi

VAmPI VAmPI is a vulnerable API made with Flask, and it includes vulnerabilities from the OWASP Top 10 vulnerabilities for APIs. It was created as I wanted a vulnerable API to evaluate the efficiency of tools used to detect security issues in APIs. It includes an on/off switch to allow the API to be vulnerable or not while testing. This makes it possible to better cover the cases for false positives/negatives. VAmPI can also be used for learning/teaching purposes. You can find a bit more detail about the vulnerabilities on erev0s.com. https://github.com/erev0s/VAmPI

REST API Goat This is a "Goat" project so you can get familiar with REST API testing. There is an included Postman project so you can see how everything is meant to be called. https://github.com/optiv/rest-api-goat

API Penetration Testing Tools:

Shortcut to section: https://youtu.be/Hfd3KcP1gQg?t=546

Burp Suite Web security testing tools. https://portswigger.net/burp

Postman Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster. https://www.postman.com/

APIFuzzer APIFuzzer reads your OpenAPI or Swagger API definition and step by step fuzzes the fields to validate if your application can cope with the fuzzed parameters. Does not require coding. https://github.com/KissPeter/APIFuzzer

KiteRunner Contextual Content Discovery Tool https://github.com/assetnote/kiterunner

Ffuf FFUF, or “Fuzz Faster you Fool” is an open source web fuzzing tool, intended for discovering elements and content within web applications, or web servers. https://github.com/ffuf/ffuf

Automatic API Attack tool Imperva's customizable API attack tool takes an API specification as an input, and generates and runs attacks that are based on it as an output. https://github.com/imperva/automatic-api-attack-tool

Burp Extensions:

InQL Scanner A security testing tool to facilitate GraphQL technology security auditing efforts. InQL can be used as a stand-alone script or as a Burp Suite extension. https://github.com/doyensec/inql

Wsdler WSDL Parser extension for Burp https://github.com/NetSPI/Wsdler

OWASP Top 10 API Vulnerabilities

Shortcut to section: https://www.youtube.com/watch?v=Hfd3KcP1gQg&t=711s

  • Broken object level authorisation
  • Broken authentication
  • Excessive data exposure
  • Lack of resources and rate limiting
  • Broken function level authorisation
  • Mass assignment
  • Security misconfiguration
  • Injection
  • Improper assets management
  • Insufficient logging and monitoring

API Security Resources:

Shortcut to section: https://youtu.be/Hfd3KcP1gQg?t=1230

APIsecurity.io API Security Articles. The Latest API Security News, Vulnerabilities & Best Practices. APISecurity.io is a community website for all things related to API security. Our daily news and weekly API Security newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology. Our developer-friendly tools help you to assess how secure your APIs really are and to remediate all vulnerabilities at design and runtime. https://apisecurity.io

Kara-4search Injection attack testing toolkit https://github.com/Kara-4search/NewNtdllBypassinlineHook_CSharp

Social Analyzer An API, CLI, and Web App for analyzing & finding a person's profile across 1000+ social media websites. It includes different analysis and detection modules, and you can choose which modules to use during the investigation process. https://github.com/qeeqbox/social-analyzer

Swagger-EZ A tool geared towards pentesting APIs using OpenAPI definitions. https://github.com/RhinoSecurityLabs/Swagger-EZ

awesome-api-security The awesome-api-security (aka awesome-apisec) repository is a collection of awesome API security tools and resources. The focus is on open-source tools and resources that benefit the whole community. https://github.com/arainho/awesome-api-security

31-days-of-API-Security-Tips This challenge is Inon Shkedy's 31 Days of API Security Tips. https://github.com/inonshk/31-days-of-API-Security-Tips

Chopin External Network Pentest Automation using Shodan API and other tools. https://github.com/az0mb13/Chopin

Watch the full recording of Sunny's presentation: https://www.youtube.com/watch?v=Hfd3KcP1gQg