
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams

Putting AI into API Security
Corey Ball, Author and Sr. Manager Pentest at Moss Adams

Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

May 14, 2024
Transcript

  1. Putting AI into API Security #whoami Corey Ball @hAPI_hacker
     • Senior Manager Pentest Consulting, Moss Adams
     • Author of Hacking APIs (No Starch Press, 2022)
  2. • Founder and Chief Hacking Officer, APIsec University - APIsecU (https://apisecu.com/)
     • OWASP API Security Project Contributor
  3. The Chess Lesson
     • In 1997 the world chess champion, Kasparov, faced off against the world's best chess computer and lost.
     Fun Facts:
     • In 1996, Kasparov defeated Deep Blue
     • 12 years before that he faced off against 32 of the best computers and went undefeated.
  4. After Kasparov lost, chess was over... ...or not. But it did make Kasparov consider the collaborative symbiosis of Humans and Machines.
  5. Lessons to get the most out of our technology:
     • Combine the strengths of human testers with AI technology
     • An API security tester enhanced with an AI security LLM is stronger than:
       - A tester alone
       - An automated security tool alone
  6. Human Intuition + Machine Calculation
     Human Strategy + Machine Tactics
     Human Experience + Machine's Memory
     The Other Reason...
  7. • PrivateGPT
     The Hacking APIs GPT
     • Three key features:
       - Endpoint Analysis and Specification Review
       - JWT Review
       - Payload Generation
  8. One advantage an LLM has over a tester is the ability to analyze large sets of data quickly.
     • Upload an API spec and review it for interesting endpoints
     • Explain why the endpoints are worth a security review
  9. Free Prompt #1
     You are an API security expert, leveraging insights from the OWASP Top 10, OWASP Mobile Security Top 10, and the OWASP API Security Top 10. Review the following list of API endpoints and perform a security assessment. For each endpoint identify potential security risks based on the endpoint's functionality, naming conventions, and structure. Highlight which endpoints are likely targets for hackers and explain why, considering factors such as data sensitivity, access controls, and typical attack vectors like SQL injection, Cross-Site Scripting (XSS), or Broken Authentication. Your analysis should be detailed, reflecting current security best practices and potential vulnerability exploits.
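The spec review in slides 8 and 9 asks the LLM to pick out endpoints worth a closer look. A deterministic first pass can do the same triage so the model (or the tester) only sees a shortlist. The script below is an added example, not code from the talk or from the Hacking APIs GPT: it walks a constructed OpenAPI 3 document (`SAMPLE_SPEC`, made up for this example) and flags operations with no authentication requirement, object identifiers in the path, sensitive naming, and multiple coexisting API versions, tagging each finding with the matching OWASP API Security Top 10 (2023) category. The `PUBLIC_OK` allowlist and the keyword patterns are assumptions a reviewer would tune per project.

```python
"""Static triage of an OpenAPI 3 document: which endpoints deserve a security review.

Added example (not from the talk or the Hacking APIs GPT). The spec below is
constructed for this example; load a real one with json/yaml and pass the dict.
"""
import re

# Constructed sample spec: a small slice of an OpenAPI 3 document.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],  # document-level default: every operation needs a bearer token
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/login": {"post": {"security": []}},           # explicitly unauthenticated, expected
        "/users/{userId}": {"get": {}, "delete": {}},   # object id in path
        "/admin/users": {"get": {}},
        "/reports/export": {"get": {"security": []}},   # unauthenticated export: worth a look
        "/internal/debug": {"get": {}},
        "/v1/orders": {"get": {}},
        "/v2/orders": {"get": {}},                      # two versions of the same resource
    },
}

# Assumed patterns; tune per project.
SENSITIVE_WORDS = re.compile(r"admin|internal|debug|export|config|secret|token|key", re.I)
PATH_PARAM = re.compile(r"\{[^}]*(id|uuid|user|account)[^}]*\}", re.I)
VERSION = re.compile(r"^/v(\d+)(/|$)")
PUBLIC_OK = {"/login", "/health", "/docs"}  # endpoints expected to be reachable without credentials


def effective_security(spec, operation):
    """Per-operation 'security' overrides the document default; an empty list means no auth."""
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def review_spec(spec):
    """Return (METHOD, path, reason) findings sorted by path, then method."""
    findings = []
    versions = {}  # resource path without version prefix -> set of version numbers
    for path, item in spec.get("paths", {}).items():
        m = VERSION.match(path)
        if m:
            versions.setdefault("/" + path[m.end():], set()).add(int(m.group(1)))
        for method, op in item.items():
            if not effective_security(spec, op) and path not in PUBLIC_OK:
                findings.append((method.upper(), path,
                                 "no authentication requirement (API2: Broken Authentication)"))
            if PATH_PARAM.search(path) and method in ("get", "put", "patch", "delete"):
                findings.append((method.upper(), path,
                                 "object identifier in path; verify ownership checks (API1: BOLA)"))
            if SENSITIVE_WORDS.search(path):
                findings.append((method.upper(), path,
                                 "sensitive naming; confirm authorization scope "
                                 "(API5: Broken Function Level Authorization)"))
    for resource, vers in versions.items():
        if len(vers) > 1:
            findings.append(("*", resource,
                             f"versions {sorted(vers)} coexist; older ones may be unmaintained "
                             "(API9: Improper Inventory Management)"))
    return sorted(findings, key=lambda f: (f[1], f[0]))


if __name__ == "__main__":
    for method, path, reason in review_spec(SAMPLE_SPEC):
        print(f"{method:7} {path:20} {reason}")
```

The output is a shortlist with a reason per line, which is exactly the input the prompt on slide 9 wants; handing the model seven lines instead of a whole spec keeps the review focused and makes the model's explanation checkable against the rule that produced each line.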
  10. JWT Review
      Easily Decode and review JWTs:
      • Examines the headers
      • Review the content of the payload
  11. • Suggests potential attacks
      Free Prompt #2
      You are an API security expert, equipped with knowledge from crucial resources such as the OWASP Top 10, OWASP Mobile Security Top 10, JSON Web Token Cheat Sheet, REST Security Cheat Sheet, and OWASP API Security Top 10. Your task is to conduct a thorough security analysis of the following JWT. Please check for sensitive data exposure and other potential weaknesses such as improper signature validation, weak cryptographic practices, and misconfigurations that might lead to token leakage or unauthorized token generation. Provide detailed explanations for any vulnerabilities you identify and suggest mitigation strategies to address these issues.
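The JWT checklist in slides 10 and 11 (decode the header, read the payload, look for sensitive data, weak signing and misconfiguration) is mechanical enough to write down. The script below is an added example, not code from the talk or the Hacking APIs GPT: it decodes a token without verifying it, then reports review points such as `alg=none`, shared-secret HMAC algorithms, header fields that point at external key material, a missing or distant `exp`, missing `iss`/`aud`, sensitive claim names, and privileged role claims. The sample token, its secret, the claim-name list and the 24-hour lifetime threshold are all constructed or assumed for this example.

```python
"""Decode a JWT (without verifying it) and list review findings for header and payload.

Added example, not part of the talk or the Hacking APIs GPT. The sample token is
built here with a throwaway secret; nothing in it is a real credential.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumed review parameters; adjust to the service's policy.
SENSITIVE_CLAIMS = {"password", "passwd", "secret", "ssn", "credit_card", "api_key"}
ASYMMETRIC_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
                   "PS256", "PS384", "PS512", "EdDSA"}
MAX_LIFETIME = 24 * 3600


def b64url_decode(segment):
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token):
    """Return (header, payload, raw_signature). The signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])), parts[2]


def review_jwt(token, now=None):
    """Return a list of (severity, message) review findings for the token."""
    now = time.time() if now is None else now
    header, payload, signature = decode_jwt(token)
    findings = []
    alg = header.get("alg", "")
    if alg.lower() == "none" or signature == "":
        findings.append(("high", "unsigned token (alg=none or empty signature); the server must reject it"))
    elif alg.startswith("HS"):
        findings.append(("medium", f"{alg} uses a shared secret; confirm it is long, random and not reused"))
    elif alg not in ASYMMETRIC_ALGS:
        findings.append(("medium", f"unrecognised alg {alg!r}; verify the server pins an allowlist"))
    for h in ("jku", "x5u", "kid"):
        if h in header:
            findings.append(("medium", f"header '{h}' present; the server must not trust it unvalidated"))
    if "exp" not in payload:
        findings.append(("high", "no 'exp' claim; the token never expires"))
    else:
        if payload["exp"] < now:
            findings.append(("info", "token is expired"))
        lifetime = payload["exp"] - payload.get("iat", payload["exp"])
        if lifetime > MAX_LIFETIME:
            findings.append(("medium", f"lifetime {lifetime // 3600}h exceeds {MAX_LIFETIME // 3600}h"))
    for claim in ("iss", "aud"):
        if claim not in payload:
            findings.append(("low", f"no '{claim}' claim; token is not bound to an issuer/audience"))
    leaked = sorted(k for k in payload if k.lower() in SENSITIVE_CLAIMS)
    if leaked:
        findings.append(("high", f"sensitive data in payload (base64url is not encryption): {leaked}"))
    if payload.get("role") in ("admin", "root") or payload.get("admin") is True:
        findings.append(("info", "privileged role claim; the server must derive it from a verified signature"))
    return findings


def make_sample_token(header, payload, secret=b"constructed-demo-secret"):
    """Build an HS256-signed token for the example (constructed data, not a real credential)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


# Constructed sample: 30-day HS256 token with a privileged role and a sensitive claim.
SAMPLE_TOKEN = make_sample_token(
    {"alg": "HS256", "typ": "JWT", "kid": "demo-key-1"},
    {"sub": "1234", "role": "admin", "iat": 1_700_000_000,
     "exp": 1_700_000_000 + 30 * 24 * 3600, "email": "user@example.com", "password": "hunter2"},
)

if __name__ == "__main__":
    for sev, msg in review_jwt(SAMPLE_TOKEN, now=1_700_000_000):
        print(f"[{sev}] {msg}")
```

Each finding is a question for the server side, not a verdict on the token alone: whether `kid` is looked up in a fixed key set, whether the algorithm is pinned, whether the role is read only after signature verification. Those are the points to feed into the prompt on slide 11 together with the decoded claims.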
  12. Payload Generation
      Tired of digging around /seclists?
      • Pull a sample of the most powerful fuzzing terms
      • Review a wordlist/payload - create new payloads
  13. • Generate catered payloads
        - Create a list for:
          ◦ Improper inventory management
          ◦ System injection, SQLi, NoSQLi
          ◦ Specific parameter types
      Free Prompt #3
      You are an API security expert. You are powered with knowledge from the OWASP Top 10, OWASP Mobile Security Top 10, OWASP API Security Top 10, SecLists, PayloadsAllTheThings, and FuzzDB. As part of your expertise, you are tasked with generating a list of payloads that can be used for fuzzing APIs to uncover potential vulnerabilities.
  14. Follow these steps:
      1. Review Existing Words: If a list of words or payloads is already provided, review this list and extract terms that are useful for testing common API vulnerabilities, such as SQL Injection, NoSQL injection, or Cross-Site Scripting (XSS).
      2. Generate New Payloads: Create new payloads that focus on exploiting specific API vulnerabilities not covered by the existing list. Consider different attack vectors such as: System injection flaws, Authentication and authorization flaws, Input validation issues
      3. Payload Format: Ensure the payloads are formatted correctly for immediate use in tools or scripts, avoiding any encoding that might not be directly applicable.
      Postman's PostBot
      • Postbot was released about a year ago
      • Subtle and easily missed
      • Simplifies test creation with this AI assistant
  15. • Create tests that will run per request
        - Be as specific/generic as you'd like
        - Test for:
          ◦ Missing authentication
          ◦ HTTP/HTTPS usage
          ◦ Sensitive response data
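The three per-request tests on slide 15 (missing authentication, HTTP versus HTTPS, sensitive data in the response) are the kind of check PostBot writes as a Postman test script. The script below is an added example, not code from the talk or from Postman: it expresses the same three checks as plain Python over a constructed log of request/response pairs, so the rules are explicit and can be run against captured traffic outside a collection. The sample exchanges, the sensitive key list and the coarse SSN/card patterns are constructed or assumed for this example.

```python
"""Per-request checks over captured API traffic: missing auth, plaintext HTTP, sensitive response data.

Added example, not from the talk or from Postman. SAMPLE_LOG is constructed for
this example; the keyword and number patterns are coarse on purpose and meant to
flag responses for human review, not to classify data precisely.
"""
import json
import re
from urllib.parse import urlsplit

SENSITIVE_KEYS = re.compile(r"password|passwd|secret|token|ssn|card|api_key", re.I)
CARD_NUMBER = re.compile(r"\b\d{13,19}\b")        # coarse: any 13-19 digit run
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def _walk(obj, prefix=""):
    """Yield (dotted.key, value) for every leaf of a parsed JSON body."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), obj


def check_exchange(request, response):
    """Return a list of finding strings for one request/response pair."""
    findings = []
    req_headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    url = urlsplit(request["url"])
    if url.scheme != "https":
        findings.append(f"plaintext {url.scheme or 'unknown'} scheme for {request['url']}")
    has_creds = "authorization" in req_headers or "cookie" in req_headers
    ok = 200 <= response.get("status", 0) < 300
    if ok and not has_creds:
        findings.append("2xx response to a request carrying no credentials (missing authentication)")
    body = response.get("body", "")
    if ok and body:
        try:
            parsed = json.loads(body)
        except ValueError:
            parsed = None
        if parsed is not None:
            for key, _ in _walk(parsed):
                if SENSITIVE_KEYS.search(key.rsplit(".", 1)[-1]):
                    findings.append(f"sensitive field in response: {key}")
        for name, pat in (("SSN", SSN), ("card-like number", CARD_NUMBER)):
            if pat.search(body):
                findings.append(f"{name} pattern in response body")
    return findings


def run_checks(log):
    """Apply check_exchange to every (request, response) pair; returns one finding list per pair."""
    return [check_exchange(req, resp) for req, resp in log]


# Constructed sample traffic: one bad exchange and two that behave correctly.
SAMPLE_LOG = [
    ({"method": "GET", "url": "http://api.example.test/v1/users/42", "headers": {}},
     {"status": 200, "body": json.dumps({"id": 42, "email": "a@example.test",
                                         "ssn": "123-45-6789", "password_hash": "$2b$12$x"})}),
    ({"method": "GET", "url": "https://api.example.test/v1/users/42",
      "headers": {"Authorization": "Bearer constructed-token"}},
     {"status": 200, "body": json.dumps({"id": 42, "name": "Ada"})}),
    ({"method": "GET", "url": "https://api.example.test/v1/users/42", "headers": {}},
     {"status": 401, "body": json.dumps({"error": "unauthorized"})}),
]

if __name__ == "__main__":
    for i, findings in enumerate(run_checks(SAMPLE_LOG)):
        print(f"exchange {i}: {findings or 'ok'}")
```

The third exchange shows why the missing-authentication rule keys on the status code: an unauthenticated request that is answered 401 is the behaviour a test should pass, while a 2xx to the same request is the finding. Endpoints that legitimately return a token (a login response) will trip the `token` keyword; in a Postman collection that is where the "as specific/generic as you'd like" knob on the slide applies.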
  16. Private GPT
      Several LLMs can be set up locally. One of these is PrivateGPT. Another tool to run LLMs locally is Ollama.