Multistep Business Logic
Vulnerabilities In APIs
Inon Shkedy
Security Researcher
▪ Head of Security Research @ Traceable.ai
▪ Co-author of OWASP Top 10 for APIs
▪ 9+ Years in AppSec; 200+ Pen Tests
▪ I’ve grown up with APIs
Whoami?
INON SHKEDY
Security Researcher
▪ Earlier: Government, Military, Financial. Multi Page Apps, On Prem, Waterfall, Fewer APIs
▪ Later: Startups, Tier 1 Companies. Single Page Apps, Cloud, CI/CD, Mostly APIs
Working as a security researcher for a small startup
▪ Harder to show value when you are the one protecting
▪ Need to find something as fast as possible (POCs are time-limited)
▪ Customers already have security teams & programs
▪ Finding Critical Vulns in minimum time
▪ Many B2B APIs
What are business logic vulnerabilities?
▪ No strict definitions
▪ App Business Logic:
▪ Defines the users and their roles
▪ Defines how different features can manipulate different types of data
▪ How each user should use each feature (legitimately)
▪ BL Vulns:
▪ Leverage innocent features to harm the app
▪ Often related to Authorization
BL Vulns & APIs
▪ It’s much easier to understand the full context of the application through APIs:
▪ Predictable
▪ Documentation
▪ Self explanatory
▪ Pentesters should always be curious about the API and all the features
▪ BL vulns often exist in the most niche features of the API
▪ Abuse of the following features:
▪ Import Users from CSV file
▪ File Upload
▪ Async background jobs
▪ Leveraging the nature of REST APIs to bypass security mechanisms
Exposing plain text passwords of users
Fleet App
Fleet Management
▪ Routes
▪ Trucks
▪ Sensors
▪ Drivers
▪ Settings
User Menu - Always a Good Place to Begin With
▪ Profile
▪ Organization
▪ Privacy
▪ Help
“Tenants” in B2B SaaS APIs
SHOPIFY’S TENANTS
SHOPIFY
▪ POKEMON STORE: Users, Roles, Products
▪ DBZ STORE: Users, Roles, Products
▪ TECH STORE: Users, Roles, Products
Each tenant (store) has its own users, roles and products.
Fleet App
Manage Org
▪ USERS
▪ Roles
▪ Contacts
▪ Org Settings
ORG Name: Super Duper Deliveries
Users:
NAME  ROLE   PHONE  EMAIL
Hugo  Admin  1234   Some@name
Bugo  User   3456   Some@name
Import Users From EXCEL/CSV File (Download CSV sample file)
Download Sample & Upload to S3
▪ The uploaded user list contains plain-text passwords!
Import Users from CSV file
▪ Step 1: Create a File Object on the API. Evidence that the CSV file is stored on the server!
▪ Step 2: Initiate the import process using the file ID. An async background job is created!
▪ Step 3: Behind the scenes, the browser keeps checking on the job until it is complete.
Async Jobs are very common in B2B APIs
Look for the heaviest operations
Async Jobs in B2B APIs
SHOPIFY’S BACKGROUND JOBS
▪ Import Catalog From Magento
▪ Upload Large Video
▪ Used to prevent the annoying “Loading…” User Experience
▪ Implemented over REST
▪ JS Application keeps checking when job is done behind the scenes
▪ Access jobs of other users
▪ Access files of other jobs
Let’s Get Malicious
Access All Jobs
▪ Returned jobs of other users 😈
▪ Returned too many irrelevant jobs 😔
▪ Need to find a way to search in results
Leverage the Predictable nature of REST APIs
GET /users/1122      → GET /users            Extract all users
GET /api/v3/users    → GET /api/v2/users     Find old versions
GET /users/1122      → DELETE /users/1122    Find admin endpoints
REST API endpoints often share the same behaviors and patterns
Leverage Filters
▪ API endpoints often support filters by default. Leverage them 😈
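As an added example (not the talk’s tooling), the following Python derives the pivots on this slide from a single observed request, and builds filter URLs from the fields an over-permissive listing returns. The path shapes and the filter syntaxes (plain query parameter, JSON:API style `filter[field]`, search-style `q=field:value`) are assumed common REST conventions, not anything the talk states about the target API.

```python
"""Turn one observed request into the pivots the slide lists, plus filter
candidates for narrowing a noisy over-permissive listing. Added example, not
the talk's tooling; paths and filter syntaxes are assumed conventions."""
import re
from typing import Dict, List, Tuple

# Path segments that look like object identifiers (numeric or UUID-ish).
ID_RE = re.compile(r"^(\d+|[0-9a-fA-F]{8}-[0-9a-fA-F-]{4,})$")
VER_RE = re.compile(r"^v(\d+)$")


def derive_pivots(method: str, path: str) -> List[Tuple[str, str, str]]:
    """Return (method, path, reason) requests a tester would try next."""
    segs = [s for s in path.split("/") if s]
    out: List[Tuple[str, str, str]] = []

    if segs and ID_RE.match(segs[-1]):
        # GET /users/1122 -> GET /users : does the collection leak every object?
        out.append(("GET", "/" + "/".join(segs[:-1]), "collection: extract all objects"))
        # GET /users/1122 -> DELETE /users/1122 : admin-only verbs on the same object
        for verb in ("PUT", "PATCH", "DELETE"):
            if verb != method.upper():
                out.append((verb, path, "admin verb on same object"))

    # /api/v3/users -> /api/v2/users, /api/v1/users : older versions, weaker checks
    for i, seg in enumerate(segs):
        m = VER_RE.match(seg)
        if m:
            for v in range(int(m.group(1)) - 1, 0, -1):
                older = segs[:i] + [f"v{v}"] + segs[i + 1:]
                out.append((method.upper(), "/" + "/".join(older), "older API version"))
    return out


def filter_candidates(collection: str, sample: dict, wanted: Dict[str, str]) -> List[str]:
    """Given one object from an over-permissive listing and the values we care
    about (e.g. the victim's org_id), emit filter URLs in common conventions so
    the interesting records can be found without paging through everything."""
    urls: List[str] = []
    for field, value in wanted.items():
        if field not in sample:          # only fields the API actually returns
            continue
        urls.append(f"{collection}?{field}={value}")            # plain query param
        urls.append(f"{collection}?filter[{field}]={value}")    # JSON:API style
        urls.append(f"{collection}?q={field}:{value}")          # search-style
    return urls


if __name__ == "__main__":
    for m, p, why in derive_pivots("GET", "/api/v3/users/1122"):
        print(f"{m:6} {p:28} {why}")
    sample_job = {"job_id": "j-1", "file_id": "f-1", "org_id": "o-1"}
    for url in filter_candidates("/api/rpc/async/jobs", sample_job, {"org_id": "VICTIM"}):
        print(url)
```

Every candidate still has to be sent with the tester’s own credentials and judged by the response: a 200 on an older version or a collection endpoint is the finding, the list itself is only the checklist.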
Summary Of Phase #1
▪ API stores files based on file_id
▪ There’s a BFLA on “GET /api/rpc/async/jobs” that exposes jobs of other users, including each job’s:
▪ job_id
▪ file_id
▪ org_id
▪ Challenge: How can we download a file based on its ID?
▪ (Unfortunately, downloading is not part of the natural process of importing users)
Expand your test - look for more features!
Manage Org
▪ Users
▪ Roles
▪ Contacts
▪ ORG SETTINGS
ORG Name:
Super Duper Deliveries
Upload Logo
▪ Look for other features allowing file upload!
▪ They might share the underlying file storage mechanism
Logo Upload API Call
Looks familiar? It’s also based on file ID
CSV upload vs. Image Upload
Let’s take a look at the Image download process!
▪ CSV upload: based on file ID (no download step in the import flow)
▪ Image Upload: based on file ID, downloadable
View Logo
▪ We found a way to download a file based on an ID 😈
▪ The endpoint receives a URL (a file path) from which to fetch the image, and extracts the image content from it
Direct Access to File Path
Just to make our lives easier
Access The CSV File Instead Of Image
▪ The upload logo feature and the import users feature share the same underlying file storage mechanism == great news! 😈
▪ I can access my own file
▪ Let’s try to access a file from a different job
Access The CSV File Instead Of Image
▪ The previous gap leaks the file_id of a CSV file from other users. Let’s try to download it (file_id from the previous step)
▪ We Received An ERROR :(
▪ Why can we access our own file, but not a file of someone else?
Mapping Between ORG → Unique Folder
Org Host header: superduper.fleet.com
Org ID: aab1da6e-092f-49af-9aa0-260131482c94
Folder: var/media/969f601c91d946cca3be6ef7ed5a1f29c03abf5deaac4382a3ba008d3ead5f86/documents
▪ Mapping to the folder is done based on the org name in the Host header 🤔
▪ The BFLA provides us only the org_id of the victim 😔
▪ How can we find the org name based on an org ID?
Feature To Find Org Name Based On ID 😈
▪ The victim’s job (from the previous step) includes org_id
▪ Requesting the file with our own hostname: 500 ERROR
▪ Changing the hostname to the victim’s org solved the problem == plain-text passwords are leaked 😈
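To make the whole chain concrete, here is an added Python simulation (not the vendor’s code, and not the talk’s real endpoints or identifiers) of the pieces the previous slides describe: the file/job model behind the import flow, the over-permissive jobs listing, and a download endpoint that picks the tenant folder from the Host header. Hardened handlers sit beside the vulnerable ones. Tenant names, IDs, paths, the folder hash scheme and the CSV contents are all constructed assumptions.

```python
"""Simulation of the multistep chain described in the talk: an over-permissive
jobs listing leaks another tenant's file_id and org_id, the org_id is mapped to
the tenant name, and a file download endpoint that trusts the Host header hands
over the victim's CSV. Added example; endpoint names, IDs and data are
hypothetical, not the vendor's code or the talk's real identifiers."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Org:
    org_id: str   # opaque UUID exposed in API responses
    name: str     # tenant label used in the Host header: <name>.fleet.example


@dataclass(frozen=True)
class Session:
    user_id: str
    org_id: str   # tenant the caller is authenticated into


# Constructed sample tenants (hypothetical IDs).
ORGS: Dict[str, Org] = {
    "superduper": Org("11111111-1111-4111-8111-111111111111", "superduper"),
    "victimco":   Org("22222222-2222-4222-8222-222222222222", "victimco"),
}
ORG_BY_ID: Dict[str, Org] = {o.org_id: o for o in ORGS.values()}
ATTACKER = Session("u-attacker", ORGS["superduper"].org_id)


def org_folder(org: Org) -> str:
    """Per-tenant storage folder derived from the tenant name, mirroring the
    Host header -> org -> folder mapping in the talk (hash scheme assumed)."""
    return f"var/media/{hashlib.sha256(org.name.encode()).hexdigest()}/documents"


# Stored files: (folder, file_id) -> bytes. The victim's import CSV carries
# plain-text passwords, as the import template in the talk did (constructed data).
STORAGE: Dict[Tuple[str, str], bytes] = {
    (org_folder(ORGS["superduper"]), "f-logo-1"): b"\x89PNG\r\n\x1a\n",
    (org_folder(ORGS["victimco"]), "f-users-7"):
        b"name,role,phone,email,password\nHugo,Admin,1234,hugo@victim.example,Sup3rS3cret!\n",
}

# Async jobs as the jobs endpoint would return them.
JOBS: List[dict] = [
    {"job_id": "j-1", "type": "logo_upload", "file_id": "f-logo-1",
     "org_id": ORGS["superduper"].org_id, "user_id": "u-attacker"},
    {"job_id": "j-2", "type": "import_users", "file_id": "f-users-7",
     "org_id": ORGS["victimco"].org_id, "user_id": "u-hugo"},
]


# --- vulnerable handlers (the behaviour the talk describes) -------------------

def list_jobs_vulnerable(session: Session) -> List[dict]:
    """BFLA: authenticates the caller but never scopes the result to their tenant."""
    return list(JOBS)


def download_file_vulnerable(session: Session, host: str, file_id: str) -> Optional[bytes]:
    """Resolves the tenant folder from the Host header instead of the session.
    With a victim's file_id and tenant name, any authenticated user can read it."""
    org = ORGS.get(host.split(".")[0])
    if org is None:
        raise LookupError("500: unresolvable tenant")   # server error, not a 403
    return STORAGE.get((org_folder(org), file_id))      # None when in another folder


# --- hardened handlers ---------------------------------------------------------

def list_jobs_hardened(session: Session) -> List[dict]:
    """Scope to the caller's tenant and user (an admin role could widen to the org)."""
    return [j for j in JOBS
            if j["org_id"] == session.org_id and j["user_id"] == session.user_id]


def download_file_hardened(session: Session, host: str, file_id: str) -> Optional[bytes]:
    """Tenant comes only from the authenticated session; Host is never consulted
    for authorization. A file_id from another tenant's folder does not resolve."""
    org = ORG_BY_ID[session.org_id]
    return STORAGE.get((org_folder(org), file_id))


def attack_chain(attacker: Session) -> Optional[bytes]:
    """The steps from the talk, run against the vulnerable handlers."""
    # 1. the over-permissive listing returns other tenants' jobs
    foreign = [j for j in list_jobs_vulnerable(attacker) if j["org_id"] != attacker.org_id]
    # 2. pick an import job: its file_id points at a CSV with passwords
    target = next(j for j in foreign if j["type"] == "import_users")
    # 3. map org_id -> tenant name (stands in for the "find org name by ID" feature)
    victim_host = f"{ORG_BY_ID[target['org_id']].name}.fleet.example"
    # 4. spoof the Host header so the folder lookup lands in the victim's tenant
    return download_file_vulnerable(attacker, victim_host, target["file_id"])


if __name__ == "__main__":
    print(attack_chain(ATTACKER).decode())
```

The two hardened handlers show the fix the chain depends on: every object lookup (jobs, files) is keyed by the tenant taken from the authenticated session, never from a client-controlled header, and the listing is scoped before it is returned. With the session-derived folder, the victim’s file_id simply does not exist from the attacker’s point of view, so there is nothing for a spoofed Host header to unlock.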
Questions?
DM
@InonShkedy
THANK YOU

Jeremy Millul
 
Maxx nft market place new generation nft marketing place
Maxx nft market place new generation nft marketing placeMaxx nft market place new generation nft marketing place
Maxx nft market place new generation nft marketing place
usersalmanrazdelhi
 
Evaluation Challenges in Using Generative AI for Science & Technical Content
Evaluation Challenges in Using Generative AI for Science & Technical ContentEvaluation Challenges in Using Generative AI for Science & Technical Content
Evaluation Challenges in Using Generative AI for Science & Technical Content
Paul Groth
 
Cyber Security Legal Framework in Nepal.pptx
Cyber Security Legal Framework in Nepal.pptxCyber Security Legal Framework in Nepal.pptx
Cyber Security Legal Framework in Nepal.pptx
Ghimire B.R.
 
Ad

2022 APIsecure_Exploiting multi-step business logic vulnerabilities in APIs

  • 10. Fleet App – Manage Org
    ▪ USERS
    ▪ Roles
    ▪ Contacts
    ▪ Org Settings
    ORG Name: Super Duper Deliveries
    Users:
    NAME  ROLE   PHONE  EMAIL
    Hugo  Admin  1234   Some@name
    Bugo  User   3456   Some@name
    Import Users From EXCEL/CSV File
    Download CSV sample file
  • 12. Import Users from CSV file
    ▪ The uploaded list contains plain-text passwords!
  • 13. Create a File Object on API
    Evidence that the CSV file is stored on the server!
  • 14. Initiate Import Process using file ID
    Async background job is created!
  • 15. Browser Checks On Job Behind The Scenes
    Async job is checked by the browser
  • 16. Job is Complete
    ▪ Async Jobs are very common in B2B APIs
    ▪ Look for the heaviest operations
  • 17. Async Jobs in B2B APIs
    SHOPIFY’S BACKGROUND JOBS: Import Catalog From Magento; Upload Large Video
    ▪ Used to prevent the annoying “Loading…” user experience
    ▪ Implemented over REST
    ▪ JS application keeps checking when the job is done behind the scenes
  • 18. Let’s Get Malicious
    ▪ Access jobs of other users
    ▪ Access files of other jobs
  • 19. Access All Jobs
    ▪ Returned jobs of other users 😈
    ▪ Returned too many irrelevant jobs 😔
    ▪ Need to find a way to search in results
    Leverage the predictable nature of REST APIs
  • 20. Leverage the Predictable Nature of REST APIs
    GET /users/1122 → GET /users (extract all users)
    GET /api/v3/users → GET /api/v2/users (find old versions)
    GET /users/1122 → DELETE /users/1122 (find admin endpoints)
  • 21. Leverage Filters
    REST API EPs often share the same behaviors and patterns
    ▪ API EPs often support filters by default. Leverage them 😈
  • 22. Summary Of Phase #1
    ▪ API stores files based on file_id
    ▪ There’s a BFLA on “GET /api/rpc/async/jobs” that exposes jobs of other users, including the job’s:
      ▪ Job_id
      ▪ File_id
      ▪ Org_id
    ▪ Challenge: How can we download a file based on its ID?
    ▪ (Unfortunately, not part of the natural process of importing users)
  • 23. Expand your test – look for more features!
    Manage Org
    ▪ Users
    ▪ Roles
    ▪ Contacts
    ▪ ORG SETTINGS
    ORG Name: Super Duper Deliveries
    Upload Logo
    ▪ Look for other features allowing file upload!
    ▪ They might share the underlying file storage mechanism
  • 24. Logo Upload API Call
    Looks familiar? It’s also based on file ID
  • 25. CSV upload vs. Image Upload
    Let’s take a look at the image download process!
                        CSV upload   Image Upload
    Based on file ID
    Downloadable
  • 26. View Logo
    ▪ We found a way to download a file based on an ID 😈
    ▪ EP receives a URL from which to download the image
    ▪ EP receives a file path and extracts the image content from it
  • 27. Direct Access to File Path
    Just to make our lives easier
  • 28. Access The CSV File Instead Of Image
    ▪ The upload-logo feature and the upload-users feature share the same underlying mechanism == great news! 😈
    ▪ I can access my own file
    ▪ Let’s try to access a file from a different job
  • 29. Access The CSV File Instead Of Image
    The previous gap leaks the file_id of a CSV file from other users. Let’s try to download it
    //from previous step
  • 30. We Received An ERROR :(
    Why can we access our own file, but not a file of someone else?
  • 31. Mapping Between ORG → Unique Folder
    Host header: superduper.fleet.com
    Org ID: aab1da6e-092f-49af-9aa0-260131482c94
    Folder: var/media/969f601c91d946cca3be6ef7ed5a1f29c03abf5deaac4382a3ba008d3ead5f86/documents
    ▪ Mapping is done based on the org name in the Host header 🤔
    ▪ BFLA provides us only the org_id of the victim 😔
    ▪ How can we find the org name based on an org ID?
  • 32. Feature To Find Org Name Based On ID 😈
    //from previous step
    Job of the victim includes org_id
  • 33. 500 ERROR
    Changing the hostname solved the problem == plain-text passwords are leaked 😈
  • 36. Multistep Business Logic Vulnerabilities in APIs Some Text Goes Here
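The server-side fix for the two steps the deck chains together (the unscoped GET /api/rpc/async/jobs and the folder mapping driven by the Host header), as an added Python example that is not part of the talk; the tenant IDs, file IDs, paths and hostnames in it are constructed.

```python
# Added example, not from the talk: scoping the async-job listing and the
# file lookup to the caller's tenant. All IDs, paths and hostnames are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Session:
    user_id: str
    org_id: str

@dataclass(frozen=True)
class Job:
    job_id: str
    org_id: str
    file_id: str

@dataclass(frozen=True)
class StoredFile:
    file_id: str
    org_id: str
    path: str

# Constructed sample data: two tenants, one CSV import job each.
JOBS = {
    "job-1": Job("job-1", "org-a", "file-1"),
    "job-2": Job("job-2", "org-b", "file-2"),
}
FILES = {
    "file-1": StoredFile("file-1", "org-a", "/var/media/org-a/documents/users.csv"),
    "file-2": StoredFile("file-2", "org-b", "/var/media/org-b/documents/users.csv"),
}

def list_jobs_unscoped() -> List[Job]:
    """The BFLA pattern from the deck: the handler never looks at who is asking."""
    return list(JOBS.values())

def list_jobs(session: Session) -> List[Job]:
    """Fixed: the tenant comes from the authenticated session, not from the request."""
    return [j for j in JOBS.values() if j.org_id == session.org_id]

def resolve_file(session: Session, file_id: str, host: str) -> Optional[str]:
    """Fixed: the file must belong to the session's org (object-level check), and the
    Host header is only compared to that org, never used to select the storage folder."""
    f = FILES.get(file_id)
    if f is None or f.org_id != session.org_id:
        return None  # another tenant's file_id is simply not found
    if not host.startswith(session.org_id + "."):
        return None  # a hostname that disagrees with the session is rejected, not trusted
    return f.path
```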