Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoine Carossio, Escape

APIdays_official 82 views 56 slides May 23, 2024

About This Presentation

API Secret Tokens Exposed: Insights from Analyzing 1 Million Domains
Tristan Kalos, Co-founder and CEO at Escape
Antoine Carossio, Co-Founder & CTO at Escape

Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)

------

Check out our conferences at https://www.apida...


Slide Content

Slide 1: API Secret Tokens Exposed in Frontends
Insights from Analyzing 1 Million Domains Reveal Critical Risks of the Modern Web

Slide 2: On today’s agenda
1. Why look for API Secrets in the wild?
2. Detecting hard-coded secrets in frontends
3. Critical findings… and millions of $
4. Recommendations for mitigating risks

Slide 3: Speakers
Tristan Kalos (linkedin.com/in/tkalos)
•Co-founder & CEO of Escape
•Graduate from UC Berkeley
•Ex-Researcher in Artificial Intelligence applied to Cybersecurity
•Got hacked, built a cybersecurity startup

Antoine Carossio (linkedin.com/in/acarossio)
•Co-founder & CTO of Escape
•Graduate from UC Berkeley
•Passionate open-source contributor, co-author of GraphQL Armor
•Huge Apple fan

Slide 5: Escape - the API Security Platform
We help security teams discover and secure all their exposed APIs using AI, without an agent

Slides 6-7: Past research
escape.tech/resources/

Slide 8: https://escape.tech/the-api-secret-sprawl-2024
Slide 9: Section 1. Why is an API Secret leak a problem?

Slides 10-11: The significant rise of secret sprawl
●Tech is booming: every company has resources on the web
●DevOps teams struggle to deploy assets effectively and securely
●Companies of all sizes are affected

> Attack vector: Exposed APIs and exposed secrets

Slide 12: Why does this still happen?
Threat Modeling, SCA, SAST, DAST, RASP

Slide 13: What about secrets?

Slide 14: What about secrets in… repos?

Slide 15: What about secrets in… APIs?

Slide 16: What about secrets in… frontends???
Slide 17: Section 2. Detecting Hard-Coded Secrets in Frontends: the algorithmic "Tour de Force"

Slides 18-20: Frontend architecture (diagrams)

Slide 21: Zoom on Javascript assets (diagram)

Slides 22-23: How to detect hard-coded secrets in frontends?
Documented Secrets ⇒ use the good old regex!

Slide 24: Filtering scoped tokens and public keys
Tokens that do not protect assets are filtered out.

Slides 25-29: What about proprietary & undocumented secrets?
Entropy!
Javascript bundle randomness ⇒ false positives
Only true positives count, as we cannot emit a confidence score: we are unauthorized to test the tokens
Leveraging the AST for a high-confidence signal

Slide 30: Secret Sauce: Leveraging Abstract Syntax Tree (AST)
Goal: Restructure the code to understand the context where variables are declared and used

Slide 31: Dead-simple and scalable architecture
150 concurrent pods

Slides 32-36: Millions of requests later…
956K input domains
4 domains per second
69 hours total scanning time
189.5M URLs scanned
$100 computing cost
Slide 37: Section 3. Analyzing 1 Million Domains, or how we traded $100 for $20M…

Slide 38: Nature of the findings
18,458 total secrets found

Slide 39: World-Wide exposure
#1 country: 6.26% of total exposed domains
#1 EU country: 5.89% of total exposed domains

Slides 40-41: When it rains, it pours…
28: biggest number of secrets exposed on a single domain
1.7: average number of exposed secrets per “vulnerable“ domain

Slide 42: Frontend development bad practices are still prevalent

Slide 43: Some development trends: Javascript Single Build
CI/CD tokens and environment secrets (.env) leak into Javascript assets

Slide 44: Critical findings
1/3 could lead to an entire business shutdown

Slide 45: Hard-coded private keys, including private RSA keys (25%)

Slide 46: Million $$ findings

Slide 47: 20 Million $$ findings (0.9%)
$17M on a single token
Slide 48: Section 4. How to secure API Secrets from being exposed? Our recommendations

Slides 49-50: The secrets should not be accessed by the frontend… but the backend
Before: Frontend → OpenAI Key
After: Frontend → Backend → OpenAI Key

Slides 51-52: Leveraging Type Prefixes
jetpack-io/typeid
The Perfect Example: Stripe
Slide 53: Store your Secrets in Vaults, not .env files!
Hashicorp Vault, AWS Secrets Manager

Slide 54: Automation as a Service: Rotating and Scoped Tokens
Vault Key Rotation, Vault Dynamic Secret

Slide 55: API Discovery & API Security

Slide 56: Thank you! Any questions?
Antoine Carossio (linkedin.com/in/acarossio)
Tristan Kalos (linkedin.com/in/tkalos)
Try it yourself in 1 minute! app.escape.tech