api security project · - focusing on application security - strong believer in spreading security...
![Page 1: API Security Project · - Focusing on Application Security - Strong believer in spreading security awareness Inon Shkedy - Head of Research @ Salt Security - 7 Years of research and](https://reader033.vdocuments.site/reader033/viewer/2022041809/5e56b6402ceb7a2a681ae114/html5/thumbnails/1.jpg)
KICK OFF
API Security Project
Project Leaders
Erez Yalon
- Research Group Lead @ Checkmarx
- Focusing on Application Security
- Strong believer in spreading security awareness
Inon Shkedy
- Head of Research @ Salt Security
- 7 Years of research and pentesting experience
- I’ve grown up with APIs
Today’s Agenda
● How are API-based apps different? Do they deserve their own project?
● Roadmap
● Creation process
● API Security Top 10
● Acknowledgements
● Call for contributors
How API Based Apps are Different?
Client devices are becoming stronger
Logic moves from backend to frontend (together with some vulnerabilities)
Traditional vs. Modern
Traditional application: the client sends GET, the server returns rendered HTML.
Modern application: the client sends an API GET, the server returns raw data.
How API Based Apps are Different?
● The server is used more as a proxy for data
● The rendering component is the client, not the server
● Clients consume raw data
● APIs expose the underlying implementation of the app
● The user’s state is usually maintained and monitored by the client
● More parameters are sent in each HTTP request (object IDs, filters)
How API Based Apps are Different?
● The REST API standard
● Standardized & generic
● Predictable entry points
● One entry point (URL) can be used for multiple purposes
How API Based Apps are Different?
Traditional vulnerabilities are less common in API based apps:
• SQLi – Increasing use of ORMs
• CSRF – Authorization headers instead of cookies
• Path Manipulations – Cloud based storage
• Classic IT Security Issues – SaaS
Roadmap – Planned Projects
● API Security Top 10
● API Security Cheat Sheet
● crAPI (Completely Ridiculous API - an intentionally vulnerable API project)
Roadmap

| Quarter | Top 10 | Cheat Sheet | crAPI |
|---------|--------|-------------|-------|
| 2019 Q1 | Prepare | | |
| 2019 Q2 | Kick-Off | Prepare | |
| 2019 Q3 | RC | Kick-Off | Prepare |
| 2019 Q4 | V1.0 | Collaborate | Kick-Off |
| 2020 Q1 | | V1.0 | Collaborate |
| 2020 Q2 | | | V1.0 |
The creation process of the Top 10
● Internal knowledge and experience
● Internal data collection (bug bounty reports, published incidents, etc.)
● Call for Data
● Call for comments
API Security Top 10
● A1: Broken Object Level Access Control
● A2: Broken Authentication
● A3: Improper Data Filtering
● A4: Lack of Resources & Rate Limiting
● A5: Missing Function/Resource Level Access Control
● A6: Mass Assignment
● A7: Security Misconfiguration
● A8: Injection
● A9: Improper Assets Management
● A10: Insufficient Logging & Monitoring
A1: Broken Object Level Access Control
● APIs consume a lot of object IDs by design:
○ URL params (/api/users/717) / query params (/download_file?id=111)
○ Body params / HTTP headers (user-id:717)
● Old “tricks” don’t work in APIs:
○ Viewstate
○ The client side maintains the user’s state
● Known also as:
○ IDOR
○ Forceful Browsing
○ Parameter Tampering
○ Broken Authorization
A2: Broken Authentication
● As in OWASP TOP 10 2017 - A2
A3: Improper Data Filtering
● Client-side data filtering
APIs tend to return more data than required. This data is usually not shown to the user, but it can easily be sniffed with a web proxy.
● Filters manipulation
The FE usually maintains the user’s state. The client sends more filters to the BE in order to reflect the user’s state.
A4: Lack of Resources & Rate Limiting
● Might lead to DoS and brute-force attacks
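A minimal defensive control for A4, added here as an example and not part of the deck: a per-client sliding-window limiter plus a request-size cap, applied before any expensive work (the endpoint, key format and 64 KiB cap are assumptions).

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Per-key sliding-window limiter; `clock` is injectable so tests need no sleeping."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key):
        """Return True if one more request under `key` fits in the window, and record it."""
        now = self.clock()
        q = self._hits[key]
        while q and now - q[0] >= self.window:  # evict timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


MAX_BODY_BYTES = 64 * 1024  # assumed per-endpoint cap on request size


def handle_login(limiter, client_key, body):
    """Cheap checks first: size cap, then quota, before any credential check runs."""
    if len(body) > MAX_BODY_BYTES:
        return 413  # Payload Too Large
    if not limiter.allow(client_key):
        return 429  # Too Many Requests
    return 200  # assumed: the real credential verification would happen here


class FakeClock:
    """Constructed clock for deterministic tests."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds
```

Key the limiter on the authenticated identity where one exists and fall back to the source address only for unauthenticated endpoints such as login.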
A5: Missing Function/Resource Level Access Control
● As in OWASP TOP 10 2013 - A7
● Popular in APIs because:
○ Easier to predict the entry points (GET → DELETE, /api/v1/users → /api/v1/admins)
○ Complex user policies and roles
Sensitive resource: GET /api/v1/financial_reports
Sensitive function: GET /api/v1/users/export_all
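One authorization layer that covers both A1 (object level) and A5 (function level), added as an example rather than code from the project: a default-deny role policy per (method, route), then an ownership check on the object id taken from the request. The users, ids and routes are constructed from the slides' examples; the caller id is assumed to come from the verified session.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed data: user roles and, per route, which user owns each object id.
USERS = {717: "user", 718: "user", 1: "admin"}
OBJECT_OWNERS = {
    "/download_file": {111: 717, 112: 718},
    "/api/v1/users/{id}": {717: 717, 718: 718, 1: 1},  # a profile belongs to that user
}
# Function-level policy keyed by (method, route template). Default-deny:
# anything not listed here is refused for every role.
ROUTE_ROLES = {
    ("GET", "/api/v1/users/{id}"): {"user", "admin"},
    ("DELETE", "/api/v1/users/{id}"): {"admin"},
    ("GET", "/download_file"): {"user", "admin"},
    ("GET", "/api/v1/users/export_all"): {"admin"},
}


@dataclass
class Request:
    caller: int  # taken from the verified session/token, never from a request parameter
    method: str
    route: str  # route template as matched by the router
    object_id: Optional[int] = None


def function_level_allowed(req: Request) -> bool:
    """A5: may this role call this (method, route) at all?"""
    return USERS[req.caller] in ROUTE_ROLES.get((req.method, req.route), set())


def object_level_allowed(req: Request) -> bool:
    """A1: does the caller own the referenced object (admins may see all)?"""
    owners = OBJECT_OWNERS.get(req.route)
    if owners is None:
        return True  # route does not address a specific object
    owner = owners.get(req.object_id)
    if owner is None:
        return False  # unknown id: treat exactly like someone else's object
    return owner == req.caller or USERS[req.caller] == "admin"


def authorize(req: Request) -> int:
    """Both checks must pass; 404 for object denials avoids confirming the id exists."""
    if not function_level_allowed(req):
        return 403
    if not object_level_allowed(req):
        return 404
    return 200
```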
A6: Mass Assignment
● Modern frameworks encourage developers to use mass assignment techniques
● Easier to exploit in APIs
○ We can usually find a GET request that returns all the properties of an object
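A3 and A6 are two sides of one rule: allowlist what leaves the server and allowlist what the client may write. The following example is added here and is not the deck's code; the user record, orders and field sets are constructed. It serialises by viewer, derives the owner filter from the session instead of the client's filters, and rejects a payload that tries to set a non-writable field next to the framework-style helper that would have accepted it.

```python
# Constructed records: a user row with mixed-sensitivity fields, and some orders.
DB_USER = {
    "id": 717, "name": "Alice", "email": "alice@example.com",
    "password_hash": "<constructed-hash>", "is_admin": False, "balance_cents": 12345,
}
ORDERS = [
    {"id": 1, "owner": 717, "status": "open"},
    {"id": 2, "owner": 717, "status": "paid"},
    {"id": 3, "owner": 718, "status": "open"},
]

# A3 (excessive data): the response is built from an allowlist, so a field the
# client never needs (password_hash, is_admin) cannot leak to a web proxy.
PUBLIC_FIELDS = {"id", "name"}
SELF_FIELDS = PUBLIC_FIELDS | {"email", "balance_cents"}


def serialize_user(user, viewer_id):
    allowed = SELF_FIELDS if viewer_id == user["id"] else PUBLIC_FIELDS
    return {k: v for k, v in user.items() if k in allowed}


# A3 (filter manipulation): client filters may only narrow the caller's own
# data; the owner constraint comes from the session, so an "owner" filter
# sent by the client is ignored rather than trusted.
def list_orders(orders, session_user_id, client_filters):
    rows = [o for o in orders if o["owner"] == session_user_id]
    if "status" in client_filters:
        rows = [o for o in rows if o["status"] == client_filters["status"]]
    return rows


# A6 (mass assignment): bind only the fields the client is allowed to write.
WRITABLE_FIELDS = {"name", "email"}


def update_user_unsafe(user, payload):
    """What a generic mass-assignment helper does: copies every submitted key."""
    return {**user, **payload}


def update_user(user, payload):
    """Reject, rather than silently drop, anything outside the writable set."""
    unexpected = set(payload) - WRITABLE_FIELDS
    if unexpected:
        raise ValueError(f"unwritable fields: {sorted(unexpected)}")
    return {**user, **payload}
```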
A7: Security Misconfiguration
● Improper CORS
● Unnecessary HTTP methods
● Detailed Errors
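The three A7 items as checks a backend can enforce, added here as an example (not from the deck): the origin-reflecting CORS setting beside an allowlisted one, a per-route method allowlist, and an error handler that keeps the detail in the server log. The origin, route and method sets are assumptions.

```python
import logging
import uuid

log = logging.getLogger("api")

ALLOWED_ORIGINS = {"https://app.example.com"}  # assumed: the only first-party web client
# Assumed per-route method allowlist; anything else is answered with 405.
ROUTE_METHODS = {"/api/v1/users/{id}": {"GET", "PATCH"}}


def cors_headers_weak(origin):
    """Weak setting: echoes any Origin and allows credentials, so any site can
    make credentialed calls from a logged-in user's browser."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers(origin):
    """Corrected: only an allowlisted origin gets CORS headers; others get none,
    and Vary: Origin keeps caches from replaying one origin's answer to another."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def method_allowed(route, method):
    return method in ROUTE_METHODS.get(route, set())


def error_response(exc):
    """Detail goes to the server log under a correlation id; the client sees
    only the id, never the exception text or a stack trace."""
    ref = uuid.uuid4().hex
    log.error("ref=%s %s: %s", ref, type(exc).__name__, exc)
    return 500, {"error": "internal error", "ref": ref}
```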
A8: Injection
● The most common injection flaw (SQLi) is becoming less and less common because of ORMs
● Same as A1 - OWASP TOP TEN 2017
A9: Improper Assets Management
● CI/CD → APIs change all the time:
○ Lack of documentation
● Cloud + deployment automation (k8s) → super easy to deploy APIs:
○ Shadow APIs
○ Application servers / full environments that have been forgotten
A10: Insufficient Logging & Monitoring
● Same as A10 - OWASP TOP 10 2017
Acknowledgements
Current Draft Creation
Checkmarx – Erez Yalon, David Sopas, Paulo Silva
SALT Security – Inon Shkedy, Chris Westphel
Reviewers
42Crunch – Matthieu Estrade
Imperva – Ziv Grinberg
Shay Chen
Philippe De Ryck
Stefan Mantel
Sagar Popat
<YOUR NAME HERE>
Call for Discussions
Mailing List
https://groups.google.com/a/owasp.org/d/forum/api-security-project
Call for Contributions
GitHub Project
https://github.com/OWASP/API-Security/blob/develop/CONTRIBUTING.md
KICK OFF
API Security Project
Thank You!