Common Security API Issues and How to Mitigate Them Using Postman
Download as PDF, PPTX0 likes2,051 views
The document discusses common API vulnerabilities, their severity, and mitigation strategies using Postman. It highlights key vulnerabilities from the OWASP API Top 10 list, including broken authentication and authorization issues, and emphasizes the importance of an API-first workflow for security teams. The presentation also introduces automation techniques for security testing through Postman's monitoring features.
More Related Content
Similar to Common Security API Issues and How to Mitigate Them Using Postman (20)
Common Security API Issues and How to Mitigate Them Using Postman
- 1. Common API Vulnerabilities How to effectively use Postman for API security testing Ronak Odhaviya Presented by Security Engineer
- 3. Takeaways 1 Common API vulnerabilities, how severe they are, and how simple it is to mitigate them using Postman 2 How you can make your security team really happy by using an API-first workflow 3 How you can automate most of your API security tests using Postman and make your life easy
- 4. History of API Security 1 OWASP included broken authentication in its “Top 10” of 2017 2 OWASP created a separate API Top 10 list in 2019 3 Gartner research: “By 2022, API abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications.” 4 Broken authentication attacks accounted for many of the worst data breaches published in 2020.
- 5. owasp.org/www-project-api-security OWASP API Top 10 (2019) 1 Broken Object Level Authorization 2 Broken User Authentication 3 Excessive Data Exposure 4 Lack of Resources & Rate Limiting 5 Broken Function Level Authorization 6 Mass Assignment 7 Security Misconfiguration 8 Injection 9 Improper Assets Management 10 Insufficient Logging & Monitoring 3 Broken Function Level Authorization
- 6. Broken User Authentication ● 2nd in OWASP API Top 10 2019 ● Refers to vulnerabilities allowing an attacker access to other user’s identity ● Weakness in session management or credential management ● Weak API keys or hard-coded access tokens in the code ● Vulnerability in Microsoft Outlook allowed hackers to read other users’ Outlook email messages
- 13. Broken Object Level Authorization ● 1st in OWASP API Top 10 2019 ● Authentication vs. Authorization ● Also known as an Insecure Direct Object Reference (IDOR) ● Allows attackers to access any object given the ID of the resource ● Combined with enumeration attacks, it has the capability to retrieve the entire object database ● BOLA in YouTube bug that allowed unlisted uploads to any channel
- 17. Broken Function Level Authorization ● 5th in OWASP API Top 10 2019 ● Allows unprivileged users to access other privileged users’ resources and functions ● Different access control policies for different user personas ● Incorrect implementation of Role-Based Access Controls (RBAC) ● APIs relying on client to do the permission checks for different user roles ● Presumptive trust between microservices to do the permission check ● The bug in 1Password allowed guest users unauthorised access
- 20. How can we automate these tests?
- 22. Add Your Security Tests in Tests
- 24. Automate Tests Using Monitor
- 28. When an API fails your security test, you receive an email. You can also set-up a Slack or other integrations.
- 29. Wrapping Up