Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams

Transcript

1. Putting AI into API Security #whoami Corey Ball @hAPI_hacker •

   Senior Manager Pentest Consulting, Moss Adams • Author of Hacking APIs (No Starch Press, 2022)
2. None

3. • Founder and Chief Hacking Officer, APIsec University - APIsecU

   (https://apisecu.com/) • OWASP API Security Project Contributor

4. Introduction Why should you enhance API Security with AI? •

   A Chess Lesson • The other reason

5. The Chess Lesson • In 1997 the world chess champion,

   Kasparov, faced off against the world's best chess computer and lost. Fun Facts: • In 1996, Kasparov defeated Deep Blue • 12 years before that he faced off against 32 of the best computers and went undefeated.
6. None

7. After Kasparov lost, chess was over... ...or not. But it

   did make Kasparov consider the collaborative symbiosis of Humans and Machines.

8. Lessons to get the most out of our technology: •

   Combine the strengths of human testers with AI technology • An API security tester enhanced with an AI security LLM is stronger than: - A tester alone - An automated security tool alone

9. Human Intuition + Machine Calculation Human Strategy + Machine Tactics

   Human Experience + Machine's Memory The Other Reason...

10. Adversaries are enhancing their attacks using AI tools.

11. None

12. A(P)I Security Testing • Hacking APIs GPT - Plus Free

    Prompts • Postman's Postbot

13. • PrivateGPT The Hacking APIs GPT • Three key features:

    - Endpoint Analysis and Specification Review - JWT Review - Payload Generation

14. Endpoint Analysis Problem: Too many endpoints, too little time

15. One advantage an LLM has over a tester is the

    ability to analyze large sets of data quickly. • Upload an API spec and review it for interesting endpoints • Explain why the endpoints are worth a security review

16. • Map reasoning back to CWEs and OWASP

17. Free Prompt #1 You are an API security expert, leveraging

    insights from the OWASP Top 10, OWASP Mobile Security Top 10, and the OWASP API Security Top 10. Review the following list of API endpoints and perform a security assessment. For each endpoint identify potential security risks based on the endpoint's functionality, naming conventions, and structure.Highlight which endpoints are likely targets for hackers and explain why, considering factors such as data sensitivity, access controls, and typical attack vectors like SQL injection, Cross-Site Scripting (XSS), or Broken Authentication. Your analysis should be detailed, reflecting current security best practices and potential vulnerability exploits.

18. JWT Review Easily Decode and review JWTs: • Examines the

    headers • Review the content of the payload

19. • Suggests potential attacks Free Prompt #2 You are an

    API security expert, equipped with knowledge from crucial resources such as the OWASP Top 10, OWASP Mobile Security Top 10, JSON Web Token Cheat Sheet, REST Security Cheat Sheet, and OWASP API Security Top 10. Your task is to conduct a thorough security analysis of the following JWT. Please check for sensitive data exposure and other potential weaknesses such as improper signature validation, weak cryptographic practices, and misconfigurations that might lead to token leakage or unauthorized token generation. Provide detailed explanations for any vulnerabilities you identify and suggest mitigation strategies to address these issues.

20. Payload Generation Tired of digging around /seclists? • Pull a

    sample of the most powerful fuzzing terms • Review a wordlist/payload - create new payloads

21. • Generate catered payloads - Create a list for: ◦

    Improper inventory management ◦ System injection, SQLi, NoSQLi ◦ Specific parameter types Free Prompt #3 You are an API security expert. You are powered with knowledge from the OWASP Top 10, OWASP Mobile Security Top 10, OWASP API Security Top 10, SecLists, PayloadsAllTheThings, and FuzzDB. As part of your expertise, you are tasked with generating a list of payloads that can be used for fuzzing APIs to uncover potential vulnerabilities.

22. Follow these steps: 1. Review Existing Words: If a list

    of words or payloads is already provided, review this list and extract terms that are useful for testing common API vulnerabilities, such as SQL Injection, Nosql injection, or Cross-Site Scripting (XSS). 2. Generate New Payloads: Create new payloads that focus on exploiting specific API vulnerabilities not covered by the existing list. Consider different attack vectors such as: System injection flaws, Authentication and authorization flaws, Input validation issues 3. Payload Format: Ensure the payloads are formatted correctly for immediate use in tools or scripts, avoiding any encoding that might not be directly applicable. Postman's PostBot • Postbot was released about a year ago • Subtle and easily missed • Simplifies test creation with this AI assistant
23. None

24. • Create tests that will run per request - Be

    as specific/generic as you'd like - Test for: ◦ Missing authentication ◦ HTTP/HTTPS usage ◦ Sensitive response data

25. Additional Features: • Generate documentation • Add more tests •

    Fix broken tests
26. None

27. Private GPT Several LLMs can be set up locally One

    of these is PrivateGPT. Another tool to run LLMs locally is Ollama.

28. Ollama Setup

29. None
30. None

31. hAPI Hacking! Prove Your API Hacking Skills!

32. APIsec University (Free Courses) • Completely free courses that teaches

    hands-on API security testing

33. - - - - - - [email protected] | @hAPI_hacker