Upgrade to Pro — share decks privately, control downloads, hide ads and more …

APIsecure 2023 - Detect OWASP vulnerabilities i...

APIsecure 2023 - Detect OWASP vulnerabilities in your APIs with Postman, Rahul Dhawan

APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023

Workshop: Detect OWASP vulnerabilities in your APIs with Postman
Rahul Dhawan, Senior Security Engineer at Postman

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

March 21, 2023
Tweet

More Decks by apidays

Other Decks in Programming

Transcript

  1. Detect OWASP vulnerabilities in your APIs with Postman Presented by

    Rahul Dhawan Senior Security Engineer @ Postman
  2. Agenda API Security Top 10 Vulnerabilities 1 Detection 2 Practical

    Demo 3 Mitigation 4 Real World Implications 5
  3. Authentication and Authorization Authentication is the process of verifying the

    identity of a user , typically through the use of login credentials such as usernames and passwords. “ Authorization, on the other hand, is the process of determining what actions a user is allowed to perform based on their identity and privileges. “
  4. • The lack of proper authorization checks allows attackers to

    access the specified resource. • BOLA vulnerability can cause various attacks such as unauthorized access to sensitive resources, known as privilege escalation. A1: Broken Object Level Authorization (BOLA or IDOR)
  5. • Identify All Objects and Resources. • Focus on user_id

    and Object_id in the API. • Use automation techniques to examine user access on an API by utilizing diverse user credentials combinations • Manually test for Authorisation bypass Detection
  6. • Implement a proper authorization mechanism that relies on the

    user policies and hierarchy. • Implement Role-Based Access Control (RBAC) • Apply the Principle of Least Privilege • Prefer to use random and unpredictable values as UUID for Object IDs. • Add Access Control Check in the unit test coverage Prevention
  7. • Poor Implementation of Authentication methods • Sensitive Details like

    Auth token, API keys or password in the Request parameters • Misconfigured JWT {“Alg”:”none”} A2: Broken User Authentication
  8. • Look for missing or ineffective authentication controls: • Check

    for user or password enumeration: • Test for broken session management: • Check for weak password policies Detection
  9. • Protect all authentication endpoint with rate-limit having strict rate-limit

    policy. Also Implement lockout mechanism • Implement MFA where ever possible • Implement Captcha mechanism at your authentication endpoints. Prevention
  10. • Allows unprivileged users to access other privileged users’ resources

    and functions • Different access control policies for different user personas • Incorrect implementation of Role-Based Access Controls (RBAC) • APIs relying on client to do the permission checks for different user roles A5: Broken Function level Authorisation
  11. • Use Manual Testing to find misconfiguration in RBAC implementation.

    • Write an automated script to cover every possible permutation of Role Based Accessed on a function • Test for common attack techniques Detection
  12. • Use Principle of Least privilege while designing Access Control

    Policy. • Use a centralized authorization mechanism • Validate and sanitize user input • Perform regular test on different group of APIs. • Add complete coverage of access control check in your unit tests. Prevention
  13. • Poor configuration of the API servers allows attackers to

    exploit them. • Issues involved are: ◦ Missing CORS policy ◦ Misconfigured CSP policy ◦ leaving debug mode enabled ◦ misconfigured TLS ◦ Using default or weak password A7: Security misconfigurations
  14. • CORS Misconfiguration Template • Security Header Template • Directory

    Traversal Template • CSP Evaluator Template • TLS Version Monitor • Open Redirect Checks Detection using Postman
  15. • Correctly Configure CORS, CSP and Security Headers • Apply

    Principle of Least privilege, avoid using wildcards. • Use Latest version of TLS • Add security tests in your unit test to catch misconfiguration in preprod environment. Prevention
  16. • Occurs when untrusted data is directly used to query

    database. • Easy to detect issue but can get tricky to craft payload to query database. A8: Injection
  17. • SQL Injection Template • employ scanners or fuzzers to

    evaluate the validation of user input Detection using Postman
  18. • Sanitise every untrusted input. • Special characters should be

    escaped • Prefer a safe API that provides a parameterized interface. • Validate the response. • Prefer a safe API that provides a parameterized interface Prevention
  19. postman.com @getpostman OWASP API Security Top 10 API Security Testing

    in Postman Automation using Postman Wrapping Up Visit Postman Security Workspace
  20. Reference • OWASP API Security Top 10 • OWASP Juice

    Shop • Postman Interceptor • Postman Security Workspace • OWASP API Security top 10 Workspace • Postman Flows