APIsecure 2023 - Detect OWASP vulnerabilities in your APIs with Postman, Rahul Dhawan

APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023

Workshop: Detect OWASP vulnerabilities in your APIs with Postman
Rahul Dhawan, Senior Security Engineer at Postman

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

March 21, 2023
Transcript

  1. Detect OWASP vulnerabilities in your APIs with Postman
     Presented by Rahul Dhawan, Senior Security Engineer @ Postman
  2. Agenda
     1. API Security Top 10 Vulnerabilities
     2. Detection
     3. Practical Demo
     4. Mitigation
     5. Real World Implications
  3. Authentication and Authorization
     "Authentication is the process of verifying the identity of a user, typically through the use of login credentials such as usernames and passwords. Authorization, on the other hand, is the process of determining what actions a user is allowed to perform based on their identity and privileges."
  4. A1: Broken Object Level Authorization (BOLA or IDOR)
     • The lack of proper authorization checks allows attackers to access the specified resource.
     • A BOLA vulnerability enables attacks such as unauthorized access to sensitive resources, a form of privilege escalation.
  5. Detection
     • Identify all objects and resources.
     • Focus on user_id and Object_id in the API.
     • Use automation to examine user access on an API by trying diverse combinations of user credentials.
     • Manually test for authorisation bypass.
  6. Prevention
     • Implement a proper authorization mechanism that relies on the user policies and hierarchy.
     • Implement Role-Based Access Control (RBAC).
     • Apply the Principle of Least Privilege.
     • Prefer random and unpredictable values such as UUIDs for object IDs.
     • Add access control checks to the unit test coverage.
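The "diverse user credential combinations" check from the detection slide, carried through as an added example (not code from the workshop or from Postman): two in-memory handlers stand in for a `GET /orders/:id` endpoint, and an access matrix over every (caller, object) pair flags the non-owner responses that still return 200. Order data, user names and function names are constructed for the demo.

```javascript
// Added example, not from the workshop slides: an access-matrix check for
// BOLA. Two in-memory handlers stand in for GET /orders/:id; the sample
// orders and user names are constructed for the demo.
const orders = {
  101: { id: 101, owner: "alice", total: 42 },
  102: { id: 102, owner: "bob", total: 17 },
};
const users = ["alice", "bob"];

// Vulnerable handler: authenticates the caller but never checks ownership.
function getOrderVulnerable(caller, orderId) {
  if (!caller) return { status: 401 };
  const order = orders[orderId];
  if (!order) return { status: 404 };
  return { status: 200, body: order };
}

// Fixed handler: object-level authorization check before any data leaves.
function getOrderFixed(caller, orderId) {
  if (!caller) return { status: 401 };
  const order = orders[orderId];
  if (!order) return { status: 404 };
  if (order.owner !== caller) return { status: 403 };
  return { status: 200, body: order };
}

// Detection: exercise every (caller, object id) combination and flag each
// case where a non-owner still receives a 200. This is the assertion an
// automated collection run would make against the real endpoint.
function findBolaFindings(handler) {
  const findings = [];
  for (const caller of users) {
    for (const id of Object.keys(orders)) {
      const res = handler(caller, Number(id));
      if (orders[id].owner !== caller && res.status === 200) {
        findings.push({ caller, orderId: Number(id) });
      }
    }
  }
  return findings;
}

console.log("vulnerable:", findBolaFindings(getOrderVulnerable)); // two findings
console.log("fixed:", findBolaFindings(getOrderFixed)); // none
```

Against a live API the same loop would issue one request per (token, id) pair and treat any cross-owner 200 as a finding, so the matrix doubles as the unit-test coverage the prevention slide asks for.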
  7. A2: Broken User Authentication
     • Poor implementation of authentication methods
     • Sensitive details like auth tokens, API keys or passwords in the request parameters
     • Misconfigured JWT {"alg":"none"}
  8. Detection
     • Look for missing or ineffective authentication controls
     • Check for user or password enumeration
     • Test for broken session management
     • Check for weak password policies
  9. Prevention
     • Protect all authentication endpoints with a strict rate-limit policy, and implement a lockout mechanism.
     • Implement MFA wherever possible.
     • Implement a CAPTCHA mechanism at your authentication endpoints.
  10. A5: Broken Function Level Authorisation
     • Allows unprivileged users to access other, privileged users' resources and functions
     • Different access control policies for different user personas
     • Incorrect implementation of Role-Based Access Control (RBAC)
     • APIs relying on the client to do the permission checks for different user roles
  11. Detection
     • Use manual testing to find misconfigurations in the RBAC implementation.
     • Write an automated script to cover every possible permutation of role-based access on a function.
     • Test for common attack techniques.
  12. Prevention
     • Use the Principle of Least Privilege while designing the access control policy.
     • Use a centralized authorization mechanism.
     • Validate and sanitize user input.
     • Perform regular tests on different groups of APIs.
     • Add complete coverage of access control checks in your unit tests.
  13. A7: Security Misconfigurations
     • Poor configuration of the API servers allows attackers to exploit them.
     • Issues involved are:
       ◦ Missing CORS policy
       ◦ Misconfigured CSP policy
       ◦ Leaving debug mode enabled
       ◦ Misconfigured TLS
       ◦ Using default or weak passwords
  14. Detection using Postman
     • CORS Misconfiguration Template
     • Security Header Template
     • Directory Traversal Template
     • CSP Evaluator Template
     • TLS Version Monitor
     • Open Redirect Checks
  15. Prevention
     • Correctly configure CORS, CSP and security headers.
     • Apply the Principle of Least Privilege; avoid using wildcards.
     • Use the latest version of TLS.
     • Add security tests to your unit tests to catch misconfigurations in the preprod environment.
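The header logic behind a CORS misconfiguration check such as the one on the detection slide, written as an added example (Postman's own template is not reproduced here): given the origin the probe request carried and the response headers, it flags wildcard origins, the `null` origin, and a server that echoes an origin not on its allow list. The input shape, the sample responses and the allow list are constructed.

```javascript
// Added example, not from the workshop slides: the header logic behind a CORS
// misconfiguration check. Input shape (probe origin plus a lowercase header
// map from the response) and the sample responses are constructed.
function assessCors(probeOrigin, headers, allowedOrigins) {
  const acao = headers["access-control-allow-origin"];
  const creds = (headers["access-control-allow-credentials"] || "").toLowerCase() === "true";
  const findings = [];
  if (acao === undefined) return findings; // endpoint is not exposed cross-origin

  if (acao === "*") {
    // Least privilege, no wildcards (slide 15); with credentials it is the worse case.
    findings.push(creds ? "wildcard origin with credentials" : "wildcard origin");
  } else if (acao === "null") {
    findings.push("null origin allowed");
  } else if (acao === probeOrigin && !allowedOrigins.includes(probeOrigin)) {
    // The server echoed an origin that is not on its allow list.
    findings.push(creds ? "arbitrary origin reflected with credentials" : "arbitrary origin reflected");
  }
  return findings;
}

// Constructed responses: the weak server reflects whatever Origin it is sent;
// the corrected server answers only for its own front end and varies on Origin.
const trustedOrigins = ["https://app.example"];
const probe = "https://untrusted.example";
const weakResponse = {
  "access-control-allow-origin": probe,
  "access-control-allow-credentials": "true",
};
const fixedResponse = {
  "access-control-allow-origin": "https://app.example",
  "vary": "Origin",
};

console.log("weak:", assessCors(probe, weakResponse, trustedOrigins));
console.log("fixed:", assessCors(probe, fixedResponse, trustedOrigins));
```

In a collection test the same function would run over `pm.response.headers` with the Origin the request was sent with; a non-empty result is the assertion failure.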
  16. A8: Injection
     • Occurs when untrusted data is used directly to query the database.
     • An easy issue to detect, but crafting a payload that reaches the database query can get tricky.
  17. Detection using Postman
     • SQL Injection Template
     • Employ scanners or fuzzers to evaluate the validation of user input
  18. Prevention
     • Sanitise every untrusted input.
     • Special characters should be escaped.
     • Prefer a safe API that provides a parameterized interface.
     • Validate the response.
  19. Wrapping Up
     • OWASP API Security Top 10
     • API Security Testing in Postman
     • Automation using Postman
     • Visit the Postman Security Workspace
     postman.com @getpostman
  20. Reference
     • OWASP API Security Top 10
     • OWASP Juice Shop
     • Postman Interceptor
     • Postman Security Workspace
     • OWASP API Security Top 10 Workspace
     • Postman Flows