API Testing and Hacking
By: Vishwas Narayan
Developer
Testers
Q/A
We developed faster, failed quicker and implemented faster (thanks to DevOps engineers)
But we Forgot
Security
We worked like machines and forgot we are human beings
We have “trust” for each other
Trust is a vulnerability
• Connections
• Users
• Content
• URLs
• Files in the endpoints
• New files
• Devices
• …
Firewall, AuthN, AuthZ, URL filtering, IDS/IPS, anti-virus, sandboxing, IoT security, cryptography
Trust issues lie everywhere
Software is Eating the world
• Custom code
• Open source software
• Infrastructure as code
• Container manifest files
• Scaling platforms
• Software patches
• Custom wrappers / frameworks
● 80-90 percent of the code is open source
● 80% of the code is found in indirect dependencies
● Millions of imports
● Agile is, to some extent, a curse on development
● The beauty of the code is that it is scalable and reusable
● Happy dev and happy bugs in production
● Agile is a blessing
We all built solutions?
Think web 3.0
Open port 22 with a Web 3.0 application implemented
What's Dangerous is
What's even more Dangerous is
Source: A6: Security Misconfiguration ❗ - Top 10 OWASP 2017 (wallarm.com)
We have to learn how to misconfigure
What is an API?
● API stands for Application Programming Interface. In the context of APIs, the word Application refers to any software with a distinct function.
● Interface can be thought of as a contract of service between two applications.
● This contract defines how the two communicate with each other using requests and responses.
According to Wikipedia
“An application programming interface is a way for two or more computer programs to communicate with each other. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how to build or use such a connection or interface is called an API specification.”
Simple Analogy
● It's a socket that communicates with the different services.
● It's a source of communication that takes the front end and connects it to the backend of the different services.
● It doesn't care where the input is coming from; it is just a dumb formatter of the code, which is why it needs more security.
● Today's blessing of multiple languages and abstraction as an API is a curse.
Let's create some APIs and learn about them
Let's learn
Let's worship this
● Global state of the internet security DDoS attack reports | Akamai
● How to send API key in the header of python request? - Stack Overflow
● Postman Sending Request onto the API
● Postman Sending AUTH token
● Automating the postman Calls
● Akamai State of the Internet Report
Never treat an API like a web server
The most common term in API testing and hacking is IDOR or BOLA (Insecure Direct Object Reference / Broken Object Level Authorization)
Client: Can I get the document of Customer ID 1001?
API: Of course, take it.
Client: Can I get the document of Customer ID 3001?
(Server 1, Server 2, Server 3)
Client: Can I get the document of Customer ID 1001?
API: Response 200 OK, you can take the data.
Client: Can I get the document of Customer ID 3001?
(Server 1, Server 2, Server 3)
The hacker now understands the API's slang
Always Turn off the Developer Mode
API Breaches in BOLA
If a client can manually specify an object ID in an API call, it is potentially a BOLA vulnerability.
Some Postman hacks are:
GET /api/Student_ID/{marks} - fetches the values here with no auth
POST /api/Student_ID/{marks}/add_marks - adds marks to the ID
POST /api/Student_ID/{marks}/add_grade - adds a grade, bypassing marks
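The BOLA pattern from the slides above (customer 1001 versus 3001, and the Student_ID endpoints that take an object ID straight from the client), shown as an added Python example that is not from the slide deck or its author: the same "get customer document" handler written once with only authentication, as the slides' Server 1/2/3 behave, and once with an object-level authorization check. The token table, the document store, the owner names and the function names are all constructed for this example.

```python
"""Worked BOLA/IDOR example: one "get customer document" endpoint, written
two ways.  All data below is constructed for the example; it is not from
the slide deck."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed document store, keyed by customer ID, i.e. the object ID the
# client supplies directly in the request path.
DOCUMENTS: Dict[int, dict] = {
    1001: {"owner": "alice", "body": "alice's statement"},
    3001: {"owner": "bob", "body": "bob's statement"},
}

# Constructed session table: bearer token -> authenticated principal.
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def authenticate(token: str) -> Optional[str]:
    """AuthN only: establishes who is calling, not what they may read."""
    return SESSIONS.get(token)


def get_document_vulnerable(token: str, customer_id: int) -> Response:
    """Slide behaviour: any authenticated caller receives whatever object ID
    they ask for.  AuthN passes, AuthZ is never checked, so alice asking for
    customer 3001 gets 200 OK.  This is the BOLA defect."""
    if authenticate(token) is None:
        return Response(401)
    doc = DOCUMENTS.get(customer_id)
    if doc is None:
        return Response(404)
    return Response(200, doc)


def get_document_hardened(token: str, customer_id: int,
                          audit: List[Tuple[str, int]]) -> Response:
    """Object-level authorization: after AuthN, verify that the caller owns
    the requested object before returning it.  Every denial is appended to
    `audit` so a burst of cross-tenant ID lookups from one principal shows
    up in monitoring."""
    principal = authenticate(token)
    if principal is None:
        return Response(401)
    doc = DOCUMENTS.get(customer_id)
    # Same 404 for "does not exist" and "not yours": a caller cannot tell
    # the two cases apart, so the ID space is not enumerable via status codes.
    if doc is None or doc["owner"] != principal:
        audit.append((principal, customer_id))
        return Response(404)
    return Response(200, doc)


def demo() -> Tuple[int, int, int, int]:
    """Replay the slide scenario: alice asks for 1001 (hers) and 3001 (bob's)
    against both handlers.  Returns the four status codes."""
    audit: List[Tuple[str, int]] = []
    v_own = get_document_vulnerable("tok-alice", 1001).status
    v_other = get_document_vulnerable("tok-alice", 3001).status
    h_own = get_document_hardened("tok-alice", 1001, audit).status
    h_other = get_document_hardened("tok-alice", 3001, audit).status
    return v_own, v_other, h_own, h_other


if __name__ == "__main__":
    print(demo())  # (200, 200, 200, 404)
```

The hardened handler answers 404 rather than 403 for objects the caller does not own, a deliberate choice so that probing IDs reveals nothing about which ones exist, and it records each denial; alerting on many distinct denied object IDs from one token is the detection counterpart of the fix.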
How to FIX?
● Test the API against the OWASP Top 10
● Authorization should receive the most emphasis in security practice
● Hack your own API
● Do SAST and DAST properly
● Stop relying on jailbroken-device detection