
APIsecure 2023 - Detect OWASP vulnerabilities in your APIs with Postman, Rahul Dhawan

APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023

Workshop: Detect OWASP vulnerabilities in your APIs with Postman
Rahul Dhawan, Senior Security Engineer at Postman

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

March 21, 2023
Transcript

1. Detect OWASP vulnerabilities in your APIs with Postman
   Presented by Rahul Dhawan, Senior Security Engineer @ Postman

2. Agenda
   1. API Security Top 10 Vulnerabilities
   2. Detection
   3. Practical Demo
   4. Mitigation
   5. Real World Implications
3. Authentication and Authorization
   “Authentication is the process of verifying the identity of a user, typically through the use of login credentials such as usernames and passwords.”
   “Authorization, on the other hand, is the process of determining what actions a user is allowed to perform based on their identity and privileges.”

4. A1: Broken Object Level Authorization (BOLA or IDOR)
   • The lack of proper authorization checks allows attackers to access the specified resource.
   • A BOLA vulnerability can lead to various attacks, such as unauthorized access to sensitive resources, known as privilege escalation.

5. Detection
   • Identify all objects and resources.
   • Focus on user_id and object_id in the API.
   • Use automation techniques to examine user access on an API by utilizing diverse combinations of user credentials.
   • Manually test for authorisation bypass.

6. Prevention
   • Implement a proper authorization mechanism that relies on the user policies and hierarchy.
   • Implement Role-Based Access Control (RBAC).
   • Apply the Principle of Least Privilege.
   • Prefer random and unpredictable values such as UUIDs for object IDs.
   • Add access control checks to the unit test coverage.
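The cross-user access matrix and the access-control unit test that slides 5 and 6 call for, as an added example in plain Node.js (not the talk's or Postman's code): a constructed in-memory orders API with a BOLA-vulnerable handler beside its fixed one, and a check that exercises every (user, object) pair with that user's identity. The users, orders and handler names are assumptions.

```javascript
// Constructed dataset: each order belongs to exactly one user (assumed names).
const ORDERS = {
  1001: { owner: 'alice', total: 42 },
  1002: { owner: 'bob', total: 17 },
};

// Vulnerable handler: trusts the object id in the request and never checks
// that the caller owns the object (the BOLA/IDOR pattern from slide 4).
function getOrderVulnerable(user, orderId) {
  const order = ORDERS[orderId];
  return order ? { status: 200, body: order } : { status: 404 };
}

// Fixed handler: the object-level check ties the object to the caller.
function getOrderFixed(user, orderId) {
  const order = ORDERS[orderId];
  if (!order) return { status: 404 };
  if (order.owner !== user) return { status: 403 }; // object-level authorization
  return { status: 200, body: order };
}

// Access matrix for a unit test: every (user, object) pair is requested under
// that user's identity; a 200 on an object the user does not own is a finding.
function bolaFindings(handler, users, orders) {
  const findings = [];
  for (const user of users) {
    for (const [id, order] of Object.entries(orders)) {
      const res = handler(user, Number(id));
      if (res.status === 200 && order.owner !== user) {
        findings.push({ user, orderId: Number(id), owner: order.owner });
      }
    }
  }
  return findings;
}

// Usage: the vulnerable handler yields two findings, the fixed one none.
console.log(bolaFindings(getOrderVulnerable, ['alice', 'bob'], ORDERS));
console.log(bolaFindings(getOrderFixed, ['alice', 'bob'], ORDERS));
```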
7. A2: Broken User Authentication
   • Poor implementation of authentication methods
   • Sensitive details such as auth tokens, API keys or passwords in the request parameters
   • Misconfigured JWT: {"alg":"none"}

8. Detection
   • Look for missing or ineffective authentication controls
   • Check for user or password enumeration
   • Test for broken session management
   • Check for weak password policies

9. Prevention
   • Protect all authentication endpoints with a strict rate-limit policy; also implement a lockout mechanism.
   • Implement MFA wherever possible.
   • Implement a CAPTCHA mechanism at your authentication endpoints.
10. A5: Broken Function Level Authorisation
   • Allows unprivileged users to access other privileged users’ resources and functions
   • Different access control policies for different user personas
   • Incorrect implementation of Role-Based Access Controls (RBAC)
   • APIs relying on the client to do the permission checks for different user roles

11. Detection
   • Use manual testing to find misconfigurations in the RBAC implementation.
   • Write an automated script to cover every possible permutation of role-based access on a function.
   • Test for common attack techniques.

12. Prevention
   • Use the Principle of Least Privilege while designing the access control policy.
   • Use a centralized authorization mechanism.
   • Validate and sanitize user input.
   • Perform regular tests on different groups of APIs.
   • Add complete coverage of access control checks in your unit tests.
13. A7: Security misconfigurations
   • Poor configuration of the API servers allows attackers to exploit them.
   • Issues involved are:
     ◦ Missing CORS policy
     ◦ Misconfigured CSP policy
     ◦ Leaving debug mode enabled
     ◦ Misconfigured TLS
     ◦ Using default or weak passwords

14. Detection using Postman
   • CORS Misconfiguration Template
   • Security Header Template
   • Directory Traversal Template
   • CSP Evaluator Template
   • TLS Version Monitor
   • Open Redirect Checks

15. Prevention
   • Correctly configure CORS, CSP and security headers.
   • Apply the Principle of Least Privilege; avoid using wildcards.
   • Use the latest version of TLS.
   • Add security tests to your unit tests to catch misconfigurations in the preprod environment.
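An added example (not the Postman templates slide 14 lists) of what a CORS and security-header check asserts, written as plain Node.js rather than a pm.* test script and run over constructed responses: it flags a reflected or wildcard Access-Control-Allow-Origin, credentials granted to an origin outside the allow-list, and the missing or weak headers from slides 13 and 15. The origin allow-list and the sample header sets are assumptions.

```javascript
// Assumed allow-list of origins this API is meant to serve.
const ALLOWED_ORIGINS = ['https://app.example.com'];

// Header names are case-insensitive; fold them once so lookups are uniform.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// requestOrigin is the Origin header the test sent, so reflection can be spotted.
function auditResponse(requestOrigin, rawHeaders) {
  const h = normalize(rawHeaders);
  const findings = [];
  const acao = h['access-control-allow-origin'];
  const creds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === '*') findings.push('CORS: wildcard Access-Control-Allow-Origin');
  if (acao && acao !== '*' && !ALLOWED_ORIGINS.includes(acao)) {
    findings.push(acao === requestOrigin ? 'CORS: request Origin reflected' : `CORS: unexpected origin ${acao}`);
  }
  if (creds && !ALLOWED_ORIGINS.includes(acao)) findings.push('CORS: credentials allowed for untrusted origin');
  if (!h['strict-transport-security']) findings.push('missing Strict-Transport-Security');
  const csp = h['content-security-policy'];
  if (!csp) findings.push('missing Content-Security-Policy');
  else if (/script-src[^;]*('unsafe-inline'|\*)/.test(csp)) findings.push("CSP: script-src allows 'unsafe-inline' or a wildcard");
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('missing X-Content-Type-Options: nosniff');
  return findings;
}

// Constructed sample responses: one weak, one hardened.
const UNTRUSTED_ORIGIN = 'https://untrusted.example';
const WEAK_RESPONSE = {
  'Access-Control-Allow-Origin': UNTRUSTED_ORIGIN, // reflected from the request
  'Access-Control-Allow-Credentials': 'true',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
};
const HARDENED_RESPONSE = {
  'Access-Control-Allow-Origin': 'https://app.example.com',
  'Access-Control-Allow-Credentials': 'true',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'",
  'X-Content-Type-Options': 'nosniff',
};

console.log(auditResponse(UNTRUSTED_ORIGIN, WEAK_RESPONSE));       // five findings
console.log(auditResponse('https://app.example.com', HARDENED_RESPONSE)); // []
```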
16. A8: Injection
   • Occurs when untrusted data is used directly to query the database.
   • Easy to detect, but crafting a payload to query the database can get tricky.

17. Detection using Postman
   • SQL Injection Template
   • Employ scanners or fuzzers to evaluate the validation of user input

18. Prevention
   • Sanitise every untrusted input.
   • Special characters should be escaped.
   • Prefer a safe API that provides a parameterized interface.
   • Validate the response.
19. Wrapping Up
   • OWASP API Security Top 10
   • API Security Testing in Postman
   • Automation using Postman
   • Visit Postman Security Workspace
   postman.com  @getpostman

20. Reference
   • OWASP API Security Top 10
   • OWASP Juice Shop
   • Postman Interceptor
   • Postman Security Workspace
   • OWASP API Security Top 10 Workspace
   • Postman Flows