Automated API pentesting using fuzzapi
Download as PPTX, PDF12 likes10,362 views
The document discusses FuzzAPI, an open-source tool designed to automate API penetration testing and enhance developers' capabilities in identifying vulnerabilities during the development process. Key features include testing for common vulnerabilities such as XSS and SQL injection, as well as integration with continuous development practices. The authors emphasize the importance of collaboration between developers and penetration testers for effective security practices.
Automated API pentesting using fuzzapi
- 1. Automating API Pen Testing using Fuzzapi just another tool?
- 2. About us Abhijeth Dugginapeddi @abhijeth Application Security Likes training, spreading awareness Got some bugs in Google/FB/Yahoo/Microsoft etc Among top 5 bug hunters on Synack Srinivas Rao Kotipalli @srini0x00 Security Engineer Author, Speaker, Trainer Blogs at androidpentesting.com Author of “Hacking Android” Lalith Rallabhandi @lalithr95 Developer Intern Blogger, Coder, Security Enthusiast Does bounties when free and found bugs With Microsoft/Google/FB/Badoo etc
- 3. Only @abhijeth @srini0x00 and @lalithr95 are responsible for whatever is on the slides Nobody else is responsible for anything else we say
- 5. Source giphy
- 8. On a serious note • What is fuzzAPI • How to use fuzzAPI • Need for automating Pen Testing APIs • Developer vs Pen tester use cases • Continuous Integration • Spread the smile ☺
- 9. #fuzzAPI • Open Source REST API Fuzzer • Test for vulnerabilities while writing your code • Helps Pen testers to fasten their testing • Covers most top attacks on APIs • Built in Ruby on Rails
- 10. Rest API Penetration Testing Authorization Authentication Input validations Others ☺ Common checks
- 11. #welovebugs
- 12. This is Twitter Source: @wesecureapp
- 15. Interesting?
- 16. Can you automate such attacks?
- 17. May be!!
- 18. But why do you want to automate?
- 19. People don’t have time Source: giphy
- 20. • There are companies/teams who deploy code to production >10 times every day • Developers can do basic testing • Penetration testers can save a lot of time • Penetration testers can work on logical stuff • Easier to fix vulnerabilities sooner than later Continuous Integration
- 22. No But a part of it can be automated.
- 23. Cool stuff about Fuzzapi Access Control Violation XXE Other regular vulns like XSS/SQLi.. etc Privilege Escalation Rate limiting
- 24. Not so cool stuff!!
- 26. #if demo doesn’t work
- 27. #if demo doesn’t work
- 28. #if demo doesn’t work
- 29. How stuff works API_Fuzzer – Ruby gem Fuzzapi -- Rails application
- 32. Fuzzapi approach for XXE • XxeCheck performs a call with payload to internal server • If status: OK – fuzzapi confirms XXE
- 33. Fuzzapi sample approach for Privilege Escalation
- 34. Fuzzapi sample approach for Rate limiting • Fuzzapi sends multiple sample requests and waits for timeout/error • Failure in limiting requests allows to perform this check
- 35. Docker :D :D m/
- 36. Continuous integration --Rails !!! • Identify test requests • Use API_Fuzzer module with test request • Run scans
- 37. Developer’s eye Security Engineer’s eye Work with developers to help them configure stuff Add more checks ☺ Use it while doing security testing Train developers to understand/fix vulns Having scrum meetings about findings/fixes Customizing fuzzapi according to organization’s requirement Add more checks ☺ Testing APIs while writing code
- 39. Roadmap for fuzzapi/us Add more checks Write more blogs Make more tutorial videos Write more tools Repeat
- 40. Oh yea btw :D Don’t you want links to download? API_Fuzzer gem: https://github.com/lalithr95/API-fuzzer fuzzapi: https://github.com/lalithr95/Fuzzapi For queries/concerns/feedback/rant: Twitter: @abhijeth @lalithr95 @srini0x00
- 41. It’s 2016 and if you still don’t know about bug bounties/responsible disclosures, you should say hi to these guys @Bugcrowd @synack @Hacker0x01
- 42. Thanks ☺ and all the security folks for contributing to the open source community
Editor's Notes
- #24: https://intland.com/wp-content/uploads/2014/09/blog-140923-dependencies-336x336.png