

Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoine Carossio, Escape

API Secret Tokens Exposed: Insights from Analyzing 1 Million Domains
Tristan Kalos, Co-founder and CEO at Escape
Antoine Carossio, Co-Founder & CTO at Escape

Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

May 23, 2024


Transcript

  1. API Secret Tokens Exposed in Frontends: Insights from Analyzing 1 Million Domains Reveal Critical Risks of the Modern Web

  2. On today's agenda: (1) Why look for API secrets in the wild? (2) Detecting hard-coded secrets in frontends. (3) Critical findings… and millions of $. (4) Recommendations for mitigating risks.

  3. Speakers. Tristan Kalos (linkedin.com/in/tkalos): Co-founder & CEO of Escape; graduate of UC Berkeley; ex-researcher in artificial intelligence applied to cybersecurity; got hacked, built a cybersecurity startup. Antoine Carossio (linkedin.com/in/acarossio): Co-founder & CTO of Escape; graduate of UC Berkeley; passionate open-source contributor, co-author of GraphQL Armor; huge Apple fan.

  4. Escape, the API Security Platform: we help security teams discover and secure all their exposed APIs using AI, without an agent.
  5-6. The significant rise of secret sprawl: tech is booming, and every company has resources on the web; DevOps teams struggle to deploy assets effectively and securely; companies of all sizes are affected. Attack vector: exposed APIs and exposed secrets.
  7-9. What about proprietary & undocumented secrets? Entropy is the obvious signal, but JavaScript bundle randomness (minified bundles are full of high-entropy strings that are not secrets) turns it into a source of false positives 💀. Only true positives count: we cannot emit a confidence score, and we are not authorized to test the tokens against the services they belong to. The answer: leveraging the AST for a high-confidence signal.

  10. Secret sauce: leveraging the Abstract Syntax Tree (AST). Goal: restructure the code to understand the context in which variables are declared and used.
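As an added illustration of the three signals these slides contrast, here is a small JavaScript scanner (example code written for this page, not Escape's implementation): a raw entropy pass over a constructed minified bundle, a pass for well-known key formats, and a pass that only reports a high-entropy literal when it is assigned to a secret-looking name. The last pass is a string-level stand-in for the AST approach: it keys on where the value is declared rather than on what it looks like. The bundle text, the key values, the 3.5-bit entropy threshold and the two format regexes are constructed assumptions (the regexes approximate the public AKIA and sk- prefixes and are not authoritative), and nothing is ever sent to a vendor to verify a token.

```javascript
// Added example, not Escape's scanner. Triage candidate secrets in a JS bundle:
// raw entropy versus known token formats versus declaration context.
// Constructed minified bundle; nothing here is a live credential.
const SAMPLE_BUNDLE = [
  '(()=>{var e={};e.p="/static/";',
  'e.u=t=>"chunk."+{123:"a8f3c9d2e1b04f7a"}[t]+".js";',
  'const OPENAI_API_KEY="sk-A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9t0U1v2W3x4";',
  'var img="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==";',
  'const cfg={awsAccessKeyId:"AKIAIOSFODNN7EXAMPLE",region:"us-east-1",buildId:"c1d2e3f4a5b6c7d8"};',
  "})();",
].join("");

const ENTROPY_THRESHOLD = 3.5; // bits per character; assumed cut-off
const MIN_LEN = 16;            // shorter tokens are never reported

// Approximations of public key formats (assumption, not authoritative).
const KNOWN_FORMATS = {
  aws_access_key_id: /AKIA[0-9A-Z]{16}/,
  openai_api_key: /sk-[A-Za-z0-9_-]{32,}/,
};
// Declaration names that make a high-entropy literal worth reporting.
const SECRET_NAME = /key|secret|token|passw|credential/i;
// identifier = "literal"  or  property: "literal"  (string level, no real AST).
const ASSIGNMENT = /([A-Za-z_$][\w$]*)\s*[:=]\s*"([^"]*)"/g;
// Anything that looks like a long opaque token, hex/base64/url-safe alphabet.
const TOKEN = new RegExp(`[A-Za-z0-9+/=_\\-]{${MIN_LEN},}`, "g");

// Shannon entropy in bits per character (0 for the empty string).
function shannonEntropy(s) {
  if (s.length === 0) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Naive scan: every long token above the threshold. Catches real keys but also
// chunk hashes, build ids and base64 blobs, which is the false-positive problem.
function entropyCandidates(src) {
  return (src.match(TOKEN) || []).filter((t) => shannonEntropy(t) >= ENTROPY_THRESHOLD);
}

// Known vendor formats: high confidence without ever calling the vendor.
function formatCandidates(src) {
  const found = {};
  for (const [name, re] of Object.entries(KNOWN_FORMATS)) {
    const m = src.match(re);
    if (m) found[name] = m[0];
  }
  return found;
}

// High-entropy literal assigned to a secret-looking name: the signal is where
// the value lives, not only what it looks like.
function contextCandidates(src) {
  const found = {};
  for (const m of src.matchAll(ASSIGNMENT)) {
    const [, name, value] = m;
    if (SECRET_NAME.test(name) && value.length >= MIN_LEN && shannonEntropy(value) >= ENTROPY_THRESHOLD) {
      found[name] = value;
    }
  }
  return found;
}

// Split findings into what can be reported with confidence and what remains
// entropy-only noise (the bucket a scanner should not emit as a finding).
function triage(src) {
  const byFormat = formatCandidates(src);
  const byContext = contextCandidates(src);
  const explained = [...Object.values(byFormat), ...Object.values(byContext)];
  const entropyOnly = entropyCandidates(src).filter((t) => !explained.some((v) => t.includes(v)));
  return { format: byFormat, context: byContext, entropyOnly };
}

// The chunk hash and buildId end up in entropyOnly; both keys are reported
// twice, once by format and once by declaration context.
console.log(JSON.stringify(triage(SAMPLE_BUNDLE), null, 2));
```

The context pass is deliberately the weakest link: a real parser would also follow the literal into the call that uses it (an Authorization header, an SDK constructor), which is the context the slide is after; the regex form only sees the declaration.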
  11-12. Millions of requests later: 956K input domains, 189.5M URLs scanned, 4 domains per second, 69 hours total scanning time, 💰 $100 computing cost.

  13. World-wide exposure: #1 worldwide (country flag on the slide) with 6.26% of total exposed domains; #1 in the EU (flag on the slide) with 5.89% of total exposed domains.

  14. When it rains, it pours… 🌧 28 is the largest number of secrets exposed on a single domain; 1.7 is the average number of exposed secrets per "vulnerable" domain.
  15. Some development trends: JavaScript single build. CI/CD tokens and environment secrets leak in JavaScript assets and in .env files.

  16. Secrets should not be accessed by the frontend, but by the backend. Frontend → OpenAI key: ❌. Frontend → Backend → OpenAI key: ✅.
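To make the frontend → backend → key rule concrete, the following Node.js code is an added example (not from the talk): the vulnerable shape, a browser snippet carrying the vendor key, next to a minimal backend proxy that holds the key in its own environment and exposes one narrow /api/chat route. The vendor URL, model name, response shape, route name and the SESSIONS demo store are illustrative assumptions; how the key reaches the server's environment (a vault, per the next slide) is left to the deployment.

```javascript
// Added example, not code from the talk. Vulnerable shape next to a backend
// proxy that keeps the vendor key server-side. Vendor URL, model name, response
// shape, route name and the demo session store are assumptions.

// What the scan finds in the wild: the key shipped inside the browser bundle.
// Constructed snippet; every visitor can read the key from the JS asset.
const VULNERABLE_FRONTEND_SNIPPET =
  'fetch("https://api.openai.com/v1/chat/completions",{method:"POST",' +
  'headers:{Authorization:"Bearer sk-A1b2C3d4E5f6G7h8I9j0"}})';

const UPSTREAM_URL = "https://api.openai.com/v1/chat/completions"; // assumed
const MAX_PROMPT_CHARS = 4000;

// Constructed demo session store. A real service validates a signed cookie or
// token; the point here is only that the proxy requires a caller identity.
const SESSIONS = new Map([["demo-session-token", { userId: "u1" }]]);
function resolveSession(req) {
  const auth = req.headers["authorization"] || "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
  return SESSIONS.get(token) || null;
}

// Decide whether a client request may go upstream and, if so, build the
// upstream request with the server-held key. Pure function (no I/O). The
// client supplies only the prompt: model and headers are fixed server-side, so
// a stolen session cannot turn the proxy into a general-purpose relay.
function buildUpstreamRequest(clientBody, session, env) {
  if (!session || !session.userId) {
    return { error: { status: 401, body: { error: "not signed in" } } };
  }
  if (!env.OPENAI_API_KEY) {
    return { error: { status: 500, body: { error: "server misconfigured" } } };
  }
  const prompt = typeof clientBody?.prompt === "string" ? clientBody.prompt : "";
  if (prompt.length === 0 || prompt.length > MAX_PROMPT_CHARS) {
    return { error: { status: 400, body: { error: "invalid prompt" } } };
  }
  return {
    request: {
      url: UPSTREAM_URL,
      method: "POST",
      headers: { Authorization: `Bearer ${env.OPENAI_API_KEY}`, "Content-Type": "application/json" },
      body: JSON.stringify({ model: "gpt-4o-mini", messages: [{ role: "user", content: prompt }] }),
    },
  };
}

// Reduce the upstream reply to the one field the client needs. Vendor error
// bodies are not forwarded: they can echo request details and they reveal
// which vendor sits behind the proxy.
function toClientResponse(upstreamStatus, upstreamJson) {
  if (upstreamStatus !== 200) {
    return { status: 502, body: { error: "upstream failure" } };
  }
  const answer = upstreamJson?.choices?.[0]?.message?.content;
  if (typeof answer !== "string") {
    return { status: 502, body: { error: "unexpected upstream reply" } };
  }
  return { status: 200, body: { answer } };
}

// HTTP wiring for a stand-alone run (Node 18+ for global fetch). The http
// module is imported lazily so the pure functions above load without it.
async function startServer(port) {
  const { createServer } = await import("node:http");
  return createServer(async (req, res) => {
    const send = (r) => {
      res.writeHead(r.status, { "Content-Type": "application/json" });
      res.end(JSON.stringify(r.body));
    };
    if (req.method !== "POST" || req.url !== "/api/chat") {
      return send({ status: 404, body: { error: "not found" } });
    }
    let raw = "";
    for await (const chunk of req) raw += chunk;
    let body;
    try {
      body = JSON.parse(raw);
    } catch {
      return send({ status: 400, body: { error: "bad json" } });
    }
    const decision = buildUpstreamRequest(body, resolveSession(req), process.env);
    if (decision.error) return send(decision.error);
    const up = await fetch(decision.request.url, decision.request);
    const json = await up.json().catch(() => null);
    send(toClientResponse(up.status, json));
  }).listen(port);
}

// `node proxy.js --serve` listens on 8080; off by default so the pure
// functions can be imported and exercised without opening a port.
if (process.argv.includes("--serve")) startServer(8080);
```

Run it with OPENAI_API_KEY set in the server's environment and POST {"prompt": "..."} to /api/chat with the demo bearer token; the browser never sees the key, the model or the vendor's error text, which is the whole difference between the ❌ and ✅ diagrams.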
  17. Store your secrets in vaults, not .env files! HashiCorp Vault, AWS Secrets Manager.

  18. Automation as a service: rotating and scoped tokens. Vault key rotation, Vault dynamic secrets.

  19. API Discovery & API Security. Thank you! Any questions? Antoine Carossio (linkedin.com/in/acarossio), Tristan Kalos (linkedin.com/in/tkalos). Try it yourself in 1 minute: app.escape.tech