Experienced test automation consultant Bas Dijkstra guides you through easy-to-follow methods for testing API security using popular tools like Postman and REST Assured.
Size: 1.26 MB
Language: en
Added: Aug 30, 2024
Slides: 33 pages
Slide Content
Are you sure your APIs are secure? Bas Dijkstra [email protected] www.ontestautomation.com
Why API security testing?
But isn’t API security testing something best left to the experts?
You can do a lot with some basic tools and a healthy dose of curiosity and creativity
Let’s have a look at some examples
Vulnerability: injection
The OWASP API security top 10 https://owasp.org/API-Security/editions/2023/en/0x00-header/
Example
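The deck does not reproduce its injection example on this page, so here is an added one (not Bas Dijkstra's code; the deck uses Postman and REST Assured, while this is Python against an in-memory SQLite table). It places a handler that concatenates untrusted input into SQL beside its parameterized fix, and shows the kind of automated check a tester can write: send a probe containing a quote and compare the result with a harmless non-existent username. All table names, data and tokens are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo, not from the deck.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("admin", "admin")],
    )
    conn.commit()
    return conn

def find_user_vulnerable(conn, username):
    # Defect: untrusted input is pasted into the SQL text, so a quote in the
    # input changes the query's structure instead of being matched as data.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, username):
    # Fix: a bound parameter is always treated as a value, never as SQL.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Textbook probe: a quote that closes the literal, then an always-true clause.
INJECTION_PROBE = "x' OR '1'='1"
BENIGN_PROBE = "x"  # same leading text, no SQL metacharacters

def looks_injectable(handler, conn):
    """Automated check: the probe must behave like the benign lookup.

    Returns True when the quoted probe yields more rows than the benign one
    (the filter was bypassed) or when it raises a SQL error (the input reached
    the parser), both signs that input is interpreted as SQL.
    """
    try:
        benign_rows = len(handler(conn, BENIGN_PROBE))
        probe_rows = len(handler(conn, INJECTION_PROBE))
    except sqlite3.Error:
        return True
    return probe_rows > benign_rows

if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler injectable:", looks_injectable(find_user_vulnerable, db))
    print("parameterized handler injectable:", looks_injectable(find_user_safe, db))
```

The check deliberately compares behaviour between two inputs rather than looking for a specific error string, which makes it reusable across backends whose error messages differ.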
Vulnerability: Broken Object Level Authorization (BOLA) 2023 OWASP API security top 10: #1
Look out for …
Predictable or findable resource IDs
Insufficient or lack of rate limiting
https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/
Also covered: Unrestricted Resource Consumption (2023 OWASP API security top 10: #4)
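The "insufficient or lack of rate limiting" point above is easy to turn into an automated check. The following is an added Python example, not code from the deck or from Postman/REST Assured: a small sliding-window limiter stands in for the server side, a constructed login endpoint returns HTTP-style status codes, and `burst_check` is the test-side routine that fires a burst of requests from one client and reports how many were throttled. The client identifiers and limits are made up for the demo; the clock is injectable so the window expiry can be tested without sleeping.

```python
import time
from collections import deque

class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window_s` seconds per client."""

    def __init__(self, limit, window_s, clock=time.monotonic):
        self.limit = limit
        self.window_s = window_s
        self.clock = clock          # injectable for deterministic tests
        self._hits = {}             # client_id -> deque of request timestamps

    def allow(self, client_id):
        now = self.clock()
        q = self._hits.setdefault(client_id, deque())
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def make_login_endpoint(limiter):
    """Constructed stand-in for an API endpoint (hypothetical, not a real service).

    With limiter=None it models an endpoint that never throttles, which is the
    Unrestricted Resource Consumption weakness the check is meant to catch.
    """
    def endpoint(client_id):
        if limiter is not None and not limiter.allow(client_id):
            return 429  # Too Many Requests
        return 200
    return endpoint

def burst_check(endpoint, client_id, attempts):
    """Test-side routine: send `attempts` requests back to back and return a status histogram."""
    counts = {}
    for _ in range(attempts):
        status = endpoint(client_id)
        counts[status] = counts.get(status, 0) + 1
    return counts

def is_rate_limited(endpoint, client_id, attempts):
    """True when at least one request in the burst was throttled."""
    return 429 in burst_check(endpoint, client_id, attempts)

if __name__ == "__main__":
    limited = make_login_endpoint(RateLimiter(limit=5, window_s=60))
    unlimited = make_login_endpoint(None)
    print("limited endpoint:", burst_check(limited, "client-a", 20))
    print("unlimited endpoint:", burst_check(unlimited, "client-a", 20))
```

In a real test suite the burst size should be well above the documented limit, and the assertion should also cover that the limit is keyed per client (a second client identity is not blocked by the first one's burst).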
How about altering data?
Vulnerability: Broken Function Level Authorization (BFLA) 2023 OWASP API security top 10: #5
Also look out for … Access to admin endpoints by regular users https://owasp.org/API-Security/editions/2023/en/0xa5-broken-function-level-authorization/
BFLA is related to BOLA
Where BOLA is about accessing data…
… BFLA is about the ability to alter or delete data
So, if you happen upon a BOLA vulnerability…
… it might be a good idea to check for BFLA, too
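The BOLA slide (predictable resource IDs) and the BFLA slides (altering data, admin endpoints reachable by regular users) call for the same test setup: two regular users, one admin, and objects that belong to one of the users. The block below is an added Python example, not the deck's own code and not a Postman or REST Assured collection. It simulates a tiny order API in-process with an `enforce_authz` switch so the weak and hardened behaviour sit side by side, and `find_authz_issues` is the automated check the deck's advice suggests: once a BOLA read succeeds, try the write and the admin endpoint as well. Tokens, users and orders are constructed for the demo.

```python
from copy import deepcopy

# Constructed sample data: bearer token -> (username, role); order id -> order.
USERS = {
    "tok-alice": ("alice", "user"),
    "tok-bob": ("bob", "user"),
    "tok-admin": ("admin", "admin"),
}
ORDERS = {
    1: {"owner": "alice", "item": "keyboard"},
    2: {"owner": "bob", "item": "monitor"},
}

class OrderApi:
    """Hypothetical API. Handlers return (status_code, body) like an HTTP endpoint.

    enforce_authz=False models the vulnerable service: it authenticates the
    caller but never checks whether the caller may touch the object or call
    the function. enforce_authz=True is the hardened version.
    """

    def __init__(self, enforce_authz):
        self.enforce = enforce_authz
        self.orders = deepcopy(ORDERS)

    def _authenticate(self, token):
        return USERS.get(token)  # (username, role) or None

    def _may_touch(self, user, order):
        username, role = user
        return order["owner"] == username or role == "admin"

    def get_order(self, token, order_id):
        user = self._authenticate(token)
        if user is None:
            return 401, None
        order = self.orders.get(order_id)
        if order is None:
            return 404, None
        if self.enforce and not self._may_touch(user, order):   # BOLA: object-level read check
            return 403, None
        return 200, order

    def delete_order(self, token, order_id):
        user = self._authenticate(token)
        if user is None:
            return 401, None
        order = self.orders.get(order_id)
        if order is None:
            return 404, None
        if self.enforce and not self._may_touch(user, order):   # BFLA: alter/delete check
            return 403, None
        del self.orders[order_id]
        return 204, None

    def list_all_orders(self, token):
        user = self._authenticate(token)
        if user is None:
            return 401, None
        if self.enforce and user[1] != "admin":                 # BFLA: admin-only function
            return 403, None
        return 200, dict(self.orders)

def find_authz_issues(api_factory):
    """Automated check run as regular user alice against bob's order (id 2)."""
    issues = set()
    api = api_factory()
    status, _ = api.get_order("tok-alice", 2)       # read someone else's object
    if status == 200:
        issues.add("BOLA")
    status, _ = api.delete_order("tok-alice", 2)    # alter someone else's object
    if status == 204:
        issues.add("BFLA")
    status, _ = api.list_all_orders("tok-bob")      # regular user on an admin endpoint
    if status == 200:
        issues.add("BFLA-admin-endpoint")
    return issues

if __name__ == "__main__":
    print("weak service:", find_authz_issues(lambda: OrderApi(enforce_authz=False)))
    print("hardened service:", find_authz_issues(lambda: OrderApi(enforce_authz=True)))
```

The check uses a fresh API instance per run because the delete attempt mutates state; against a real service the test should create its own fixture objects for the same reason. Whether the hardened service answers 403 or 404 for another user's object is a design choice (404 avoids confirming that the ID exists); the check treats anything other than success as a pass.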
Another example
Vulnerability: Unrestricted Access to Sensitive Business Flows 2023 OWASP API security top 10: #6
Prevention
First identify sensitive business flows…
… then take prevention measures
https://owasp.org/API-Security/editions/2023/en/0xa6-unrestricted-access-to-sensitive-business-flows/
Yet another example
Vulnerability: Broken Authentication 2023 OWASP API security top 10: #2
Vulnerability: Improper Inventory Management 2023 OWASP API security top 10: #9
We covered many potential security issues today!
The 2023 OWASP API security top 10 entries we missed
Covered today:
#1 Broken Object Level Authorization
#2 Broken Authentication
#4 Unrestricted Resource Consumption
#5 Broken Function Level Authorization
#6 Unrestricted Access to Sensitive Business Flows
#9 Improper Inventory Management
Not covered today:
#3 Broken Object Property Level Authorization
#7 Server Side Request Forgery
#8 Security Misconfiguration
#10 Unsafe Consumption of APIs