Web APIs offer organizations new channels to reach customers and extend their businesses, but they also offer new opportunities for abuse. In this presentation we identify the identities, attack surfaces and threats (both new and old) that security professionals need to be aware of in the new world of Web APIs.
38. Injection Attacks
Utilizing input parameters to inject data that compromises the security of the targeted system.
Examples:
- SQL Injection
- Command Injection
- Code Injection
- Argument Injection
39. API Attack Example: SQL Injection Attacks: APIs
GET http://host.com/aresource?token=%27or%20%271%3D1
GET http://host.com/aresource?token=' or '1=1
select * from tokens where token = '' or '1=1';
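The slide shows the statement that results when the token parameter is concatenated straight into the query. The following is an added example (not code from the slides) that reproduces that statement against a constructed in-memory SQLite table and sets it beside the parameterized form that treats the same value as plain data; the table contents and column names are assumptions for illustration:

```python
import sqlite3

# Constructed in-memory stand-in for the "tokens" table named on the slide.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tokens (token TEXT, user TEXT)")
    conn.executemany(
        "INSERT INTO tokens VALUES (?, ?)",
        [("tok-alice-1", "alice"), ("tok-bob-2", "bob"), ("tok-carol-3", "carol")],
    )
    return conn


def lookup_token_vulnerable(conn: sqlite3.Connection, token: str) -> list:
    """Builds the statement by string concatenation.

    With token = "' or '1=1" the statement becomes exactly the slide's
        select * from tokens where token = '' or '1=1'
    and the OR clause makes every row match: SQLite casts the string '1=1'
    to its numeric prefix 1, which is true.
    """
    sql = "select * from tokens where token = '" + token + "'"
    return conn.execute(sql).fetchall()


def lookup_token_safe(conn: sqlite3.Connection, token: str) -> list:
    """Parameterized query: the value travels separately from the SQL text,
    so quote characters inside it are compared as data, never parsed as syntax."""
    return conn.execute("select * from tokens where token = ?", (token,)).fetchall()


# The decoded query-string value from the slide.
INJECTED_TOKEN = "' or '1=1"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_token_vulnerable(conn, INJECTED_TOKEN))  # all three rows
    print(lookup_token_safe(conn, INJECTED_TOKEN))        # [] (no token equals that literal string)
    print(lookup_token_safe(conn, "tok-bob-2"))           # [('tok-bob-2', 'bob')]
```

The mitigation is the same one the speaker notes call for wherever an SQL database sits in the integration chain: never assemble the statement from request parameters; bind them.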
40. APIs May Be A Direct Conduit
[Diagram: HTTP Server → App Server → Database; App Objects]
Often:
• Self-documenting
• Closely mapped to object space
41. Denial Of Service Attacks
An attack which has the objective of making a service unavailable to all users.
Examples:
- XML/JSON parser attacks
- Jumbo messages
- Server overload
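Two of the listed examples, parser attacks and jumbo messages, are cheap to refuse before the parser ever runs. The following is an added example (not code from the slides) of a body-size check and a one-pass nesting-depth check applied ahead of Python's json module; the limit values are assumptions, and the sample bodies are constructed:

```python
import json

# Limits a front end might apply before handing a body to the JSON parser.
# The values are illustrative assumptions, not taken from the slides.
MAX_BODY_BYTES = 64 * 1024
MAX_NESTING_DEPTH = 32


class PayloadRejected(ValueError):
    """Raised when a body is refused before parsing (a 413-style response)."""


def nesting_depth(raw: bytes) -> int:
    """Return the deepest {}/[] nesting in the raw body without building a tree.

    Brackets inside JSON string literals are skipped, so a string such as
    "[[[[" does not count as nesting. One linear pass, constant memory.
    """
    depth = max_depth = 0
    in_string = False
    escaped = False
    for ch in raw.decode("utf-8", errors="replace"):
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


def parse_json_body(raw: bytes, max_bytes: int = MAX_BODY_BYTES,
                    max_depth: int = MAX_NESTING_DEPTH):
    """Parse a request body, refusing jumbo or deeply nested messages first."""
    if len(raw) > max_bytes:
        raise PayloadRejected(f"body of {len(raw)} bytes exceeds limit of {max_bytes}")
    depth = nesting_depth(raw)
    if depth > max_depth:
        raise PayloadRejected(f"nesting depth {depth} exceeds limit of {max_depth}")
    return json.loads(raw)


def is_rejected(raw: bytes, **limits) -> bool:
    """True if parse_json_body refuses the body before parsing it."""
    try:
        parse_json_body(raw, **limits)
    except PayloadRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample bodies.
    print(parse_json_body(b'{"order": {"items": [1, 2, 3]}}'))
    print(is_rejected(b"[" * 50 + b"]" * 50))            # small but 50 levels deep: refused
    print(is_rejected(b"[" * 100_000 + b"]" * 100_000))  # jumbo message: refused on size alone
    print(is_rejected(b'{"note": "[[[[[[[["}'))         # brackets inside a string: accepted
```

The size check should sit as early as possible (ideally at the HTTP server, by Content-Length and a streaming cap), and the depth check costs one pass over bytes already in memory; both run in time proportional to the body, which is the property a parser attack tries to take away.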
42. Overflow Attack
Intentionally sending too much data in order to exploit a target system by exceeding expected boundaries.
Examples:
- Buffer Overflow
- Cash Overflow
43. Cross Site Scripting (XSS) Attack
Embedding code within a server that will be transmitted to users.
44. XSS API Example
[Diagram: Attacker → Web App Server (browser+APIs) → Victim: Web Browser Client, with a <SCRIPT …> tag passing through the API]
1. API injects script in
2. Server fails to perform FIEO: Filter Input, Escape Output
3. Browser loads content with embedded script
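Step 2 on the slide is where the defence belongs: the web app server receives content through an API and must filter what it accepts and escape what it emits. The following is an added example (not code from the slides) of both halves of FIEO over a constructed API response carrying the slide's `<SCRIPT …>` payload in harmless form; the field names, the username allowlist and the length limit are assumptions:

```python
import html
import json
import re

# Constructed API response of the kind the web app server on the slide
# would receive and render into a page for the victim's browser.
API_RESPONSE = json.dumps({
    "user": "mallory",
    "comment": "nice post <SCRIPT>alert(1)</SCRIPT>",
})

# Filter Input: allowlist for the one field whose shape is known (assumed rule).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_record(record: dict) -> list:
    """Return a list of validation errors; an empty list means acceptable.

    Free text such as the comment cannot be allowlisted, which is exactly
    why escaping on output below is still required after filtering.
    """
    errors = []
    user = record.get("user")
    if not isinstance(user, str) or not USERNAME_RE.match(user):
        errors.append("user: must be 1-32 characters from [A-Za-z0-9_]")
    comment = record.get("comment")
    if not isinstance(comment, str) or len(comment) > 2000:
        errors.append("comment: must be a string of at most 2000 characters")
    return errors


def render_vulnerable(record: dict) -> str:
    """Step 2 done wrong: raw API data dropped straight into the HTML."""
    return f'<p data-user="{record["user"]}"><b>{record["user"]}</b>: {record["comment"]}</p>'


def render_safe(record: dict) -> str:
    """Escape Output: HTML-escape every value for the context it lands in.

    html.escape converts &, <, > and (by default) both quote characters, so
    the same call is safe for element text and for a quoted attribute value.
    """
    user_attr = html.escape(record["user"])
    user_text = html.escape(record["user"])
    comment_text = html.escape(record["comment"])
    return f'<p data-user="{user_attr}"><b>{user_text}</b>: {comment_text}</p>'


def render_response(raw_json: str) -> str:
    """Filter, then escape: the FIEO pipeline end to end."""
    record = json.loads(raw_json)
    errors = validate_record(record)
    if errors:
        raise ValueError("; ".join(errors))
    return render_safe(record)


if __name__ == "__main__":
    print(render_vulnerable(json.loads(API_RESPONSE)))  # script tag reaches the browser intact
    print(render_response(API_RESPONSE))                # &lt;SCRIPT&gt; is displayed as text, not run
```

Escaping is per output context: the same string needs different treatment inside a script block or a URL than inside element text, so the escape call is chosen where the value is written into the page, not once at input time.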
48. App Spoofing
Impersonating a registered application in order to access an API resource.
Examples:
- Guessing application ID by brute force
- Retrieving application ID by sniffing traffic
- Cracking application to retrieve application ID
49. New platforms, new languages:
• Ruby on Rails
• Node.js
• Scala
• Nginx
• Squid/Varnish/Traffic Manager
By our definition, a Web API includes SOAP, REST, HTTP, CSV… just about any type of interface deployed over the web.
Hypermedia is like building a browser based web for computer programs. You can follow links. You can provide input based on templates. Rather than mapping to a resource + operations you can follow tasks.
Make a slide with an example
In many ways the web API space has become synonymous with a culture of modernity and hipness.
Often, when speaking about APIs to architects who’ve “been around the block”, you get the response that there is nothing new in this web API stuff. Maybe you felt that way? I know that in the early days, when I first heard the term, I dismissed it as an attempt at rebranding existing technologies.
The developer is the new king. The rise of the developer: the importance of the developer has grown. Good developers have the power to build the applications that will drive popularity of a service. Influential developers have the power to drive adoption of your service. Attracting talented developers has become a design goal.
Different identities
A major form of attack is the injection attack.
Just like websites, APIs expose parameters and fields that can be manipulated. As long as there is an SQL based database somewhere in the integration chain you need to mitigate this risk.
Similar to the SQL injection attack, this attack allows an attacker to execute malicious code on the target system. In this example an exposed redirect parameter has been used to force the server’s PHP interpreter to retrieve and execute the attacker’s code.