API Security
By Pabitra Kumar Sahoo
A Hacker’s Point of View
Hello!
I am Pabitra Kumar Sahoo
Co-Founder & CTO at Qualysec Technologies
Ethical Hacker, Penetration Tester, Bounty Hunter
You can reach me at LinkedIn:
https://www.linkedin.com/in/pabitra-kumar-sahoo-67677a1a8/
“It’s just one small security loophole vs. your entire business…
Think once again…”
What are the recent hacks caused by API issues?
Why API Security?
The purpose of APIs is to connect services and transfer data. APIs that are exploited or
hacked lead to critical data breaches: personal and even financial data is exposed.
API security isn’t taken as seriously as it should be, considering how damaging an API
security breach can be for a person or a business.
1. Exploiting APIs is easier today than it has ever been.
2. A secure infrastructure does not mean your API is secure; hardening the network and hosts says nothing about the logic behind the endpoint.
3. Hackers love APIs (me too).
4. Detecting an API data breach can take more than a year.
5. Since COVID, hacking activity has increased by nearly 300%.
Diagram: the intended path is User → App → API → Data/Service; the attacker’s path is Hacker → Tools → API → Data/Service, skipping the app entirely.
 Client-side rule bypass: any check enforced only in the app or browser (form validation, disabled buttons, hidden fields) does not exist from the API’s point of view.
 API scenarios are easy to abuse: endpoints are documented, predictable and reachable directly.
 Using proxy tools (Burp Suite), an attacker can intercept and modify every parameter, header and token before it reaches the API.
API vulnerability categories
Critical:
1. Business logic flow issues
2. Authentication and authorization issues
Common:
3. Injection (SQLi, LDAP, OS command, etc.)
4. Misconfiguration
5. Missing rate limiting
Most common vulnerabilities
Rate limiting
Missing rate limiting shows up most visibly as a denial-of-service problem. A DDoS attack
doesn't target specific data, but instead seeks to make a website or API inaccessible. In
effect, DDoS attacks hold data “hostage” by making it unavailable to end users. The same
missing limit also lets an attacker call an endpoint as often as they like, which turns
login, OTP and password-reset endpoints into brute-force targets.
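The limit an API needs here is per client, not per server: a sliding window per API key, user id or source IP. The following is an added example in Python, not code from the deck or from Qualysec; the limiter class, the burst simulation and the key names are assumptions for illustration. Time is passed in by the caller so the behaviour can be replayed deterministically; a real server would pass time.time().

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Per-key sliding-window rate limiter (added example, not from the deck).

    Each key (API key, user id or source IP) gets at most `limit` requests in
    any `window_seconds` interval. The clock is supplied by the caller so the
    behaviour is deterministic and testable.
    """

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key, now):
        """Return True and record the request if `key` is still within budget."""
        hits = self._hits[key]
        cutoff = now - self.window
        while hits and hits[0] <= cutoff:  # forget requests outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # budget exhausted: respond 429 and set Retry-After
        hits.append(now)
        return True

    def retry_after(self, key, now):
        """Seconds until the oldest request in the window expires (0 if allowed now)."""
        hits = self._hits[key]
        if len(hits) < self.limit:
            return 0.0
        return max(0.0, hits[0] + self.window - now)


def simulate_burst(limiter, key, attempts, interval):
    """Replay `attempts` requests from one key spaced `interval` seconds apart.

    Returns how many got through. A password-guessing script hitting a login
    endpoint looks exactly like this from the API's side.
    """
    allowed = 0
    for i in range(attempts):
        if limiter.allow(key, now=i * interval):
            allowed += 1
    return allowed


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=5, window_seconds=60)
    print("requests that got through:", simulate_burst(limiter, "10.0.0.1", 100, 0.1))
    print("retry after (s):", limiter.retry_after("10.0.0.1", now=30))
```

The burst of 100 requests in ten seconds gets exactly five through; a client that stays at four requests a minute is never blocked. Keying on a source IP alone is the weak setting in practice, because an attacker rotates addresses; the key should include the authenticated identity where one exists.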
Misconfiguration
This category is a catch-all for a wide range of security misconfigurations that weaken
the API as a whole and introduce vulnerabilities inadvertently. Security misconfiguration
is commonly the result of insecure default configurations, open cloud storage,
misconfigured HTTP headers (CORS, caching, transport security) and unnecessary HTTP
methods left enabled.
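Most of these show up in a single response if you look. The following is an added example in Python, not code from the deck: a small audit of one API response for unnecessary methods, over-permissive CORS and missing hardening headers. The header values, the allowlist of expected methods and the Origin the scanner sends are constructed test data.

```python
# Added example: audit one HTTP response for the misconfigurations above.
# `headers` is the response header map as a scanner or integration test captured
# it, `expected_methods` is what the endpoint is meant to serve, and
# `request_origin` is an Origin the scanner sent that the API must NOT trust.

def audit_response(headers, expected_methods, request_origin):
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Unnecessary HTTP methods: compare the Allow header (as returned to an
    # OPTIONS request) with what the endpoint actually needs. TRACE is never needed.
    allowed = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    if "TRACE" in allowed:
        findings.append("TRACE method enabled")
    surplus = allowed - {m.upper() for m in expected_methods} - {"TRACE", "OPTIONS", "HEAD"}
    if surplus:
        findings.append("unnecessary methods enabled: " + ", ".join(sorted(surplus)))

    # CORS: any origin combined with credentials hands authenticated responses to
    # arbitrary sites. Reflecting the request Origin is how this usually happens.
    acao = h.get("access-control-allow-origin", "")
    with_creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if with_creds and acao == "*":
        findings.append("CORS wildcard origin with credentials")
    elif with_creds and acao == request_origin:
        findings.append("CORS reflects the caller's Origin with credentials")

    # Hardening headers that are absent by default on most stacks.
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    for name in ("server", "x-powered-by"):
        if name in h:
            findings.append("version/technology disclosure in " + name)
    return findings


# Constructed sample responses: a default install and a hardened one.
WEAK = {
    "Allow": "GET, POST, PUT, DELETE, TRACE",
    "Access-Control-Allow-Origin": "https://evil.example",
    "Access-Control-Allow-Credentials": "true",
    "X-Powered-By": "Express",
    "Server": "nginx/1.18.0",
}
HARDENED = {
    "Allow": "GET, POST",
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Access-Control-Allow-Credentials": "true",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for line in audit_response(WEAK, {"GET", "POST"}, "https://evil.example"):
        print("WEAK:", line)
    print("HARDENED:", audit_response(HARDENED, {"GET", "POST"}, "https://evil.example"))
```

The Origin check only works because the scanner sends an origin the API has no business trusting; an allowlisted origin echoed back with credentials is the correct configuration, which is why the hardened sample produces no findings.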
Injection
In an injection attack, untrusted data is sent to the API as part of a query or command
and is interpreted as code by the backend (a SQL engine, an LDAP directory, an OS shell).
The root cause is building the command by concatenating client input instead of passing
it as a parameter.
Most critical vulnerabilities
Authentication and authorization
These problems let an attacker bypass or take control of the authentication and
authorization mechanisms an application relies on. The aim of the attack is usually to
take over several accounts, or to act with the same privileges as the attacked user
without ever knowing their password.
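The most common way this happens in APIs is an endpoint that authenticates the caller but never checks that the object requested belongs to them. The following is an added example in Python, not code from the deck: an order-lookup handler with and without the ownership check, plus the id-walking loop an attacker runs with Burp Intruder. The orders, usernames and handler names are constructed.

```python
from dataclasses import dataclass


@dataclass
class Order:
    order_id: int
    owner: str      # username of the account that placed it
    total: float


# Constructed sample data standing in for the orders table.
ORDERS = {
    1001: Order(1001, "alice", 49.99),
    1002: Order(1002, "bob", 120.00),
    1003: Order(1003, "alice", 15.50),
}


class NotFound(Exception):
    pass


def get_order_vulnerable(caller, order_id):
    """GET /orders/{id}: authenticated (we know `caller`) but never authorized."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def get_order_safe(caller, order_id):
    """Same endpoint with an object-level ownership check.

    "Not yours" and "does not exist" raise the same error so the attacker
    cannot tell which ids exist.
    """
    order = ORDERS.get(order_id)
    if order is None or order.owner != caller:
        raise NotFound(order_id)
    return order


def enumerate_orders(handler, caller, id_range):
    """What an attacker does with a proxy: walk ids and keep the hits."""
    found = []
    for order_id in id_range:
        try:
            found.append(handler(caller, order_id).order_id)
        except NotFound:
            continue
    return found


if __name__ == "__main__":
    print("bob via vulnerable handler:", enumerate_orders(get_order_vulnerable, "bob", range(1000, 1010)))
    print("bob via safe handler:      ", enumerate_orders(get_order_safe, "bob", range(1000, 1010)))
```

Sequential integer ids make the enumeration trivial, but random ids are not a fix on their own: the ownership check is what closes the hole, and it has to sit in every handler that takes an object id, including the PUT and DELETE ones.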
Business logic flow
Finally, many API vulnerabilities come from flaws in business logic. The attacker uses
legitimate workflows in a malicious way, triggering unintended actions whose impact
depends on the nature of the workflow.
This might mean locking users out, or modifying application data such as user credentials
and permissions, or the price and quantity of products in an order.
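The price-and-quantity case ties this slide to the earlier one on client-side rule bypass and proxy tools: the app’s form validates the order, the attacker replays the request through Burp with the numbers changed, and a backend that trusts the body honours it. The following is an added example in Python, not code from the deck: a checkout handler that trusts the client beside one that enforces the rules server-side. The catalogue, the request bodies and the handler names are constructed.

```python
# Constructed catalogue: the only place a price is allowed to come from.
CATALOG = {"SKU-100": 499.00, "SKU-200": 19.99}
MAX_QTY_PER_LINE = 10


class InvalidRequest(Exception):
    pass


def checkout_vulnerable(body):
    """POST /checkout that trusts the JSON body the app sent.

    The app's form already validated price and quantity, so the server repeats
    nothing. Whatever the app checked is irrelevant once the request is edited
    in a proxy and replayed.
    """
    return round(body["price"] * body["quantity"], 2)


def checkout_safe(body):
    """Same endpoint with the business rules enforced server-side."""
    sku = body.get("sku")
    if sku not in CATALOG:
        raise InvalidRequest("unknown sku")
    qty = body.get("quantity")
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY_PER_LINE:
        raise InvalidRequest("quantity out of range")
    # The client-supplied price is ignored; the catalogue is authoritative.
    return round(CATALOG[sku] * qty, 2)


def rejects(body):
    """True if the hardened handler refuses `body`."""
    try:
        checkout_safe(body)
    except InvalidRequest:
        return True
    return False


# Requests as the app sends them, and as an attacker edits them in the proxy.
LEGIT = {"sku": "SKU-100", "price": 499.00, "quantity": 2}
TAMPERED_PRICE = {"sku": "SKU-100", "price": 0.01, "quantity": 2}
NEGATIVE_QTY = {"sku": "SKU-100", "price": 499.00, "quantity": -3}

if __name__ == "__main__":
    for name, body in (("legit", LEGIT), ("tampered price", TAMPERED_PRICE), ("negative qty", NEGATIVE_QTY)):
        print(name, "-> vulnerable total:", checkout_vulnerable(body),
              "| safe:", "rejected" if rejects(body) else checkout_safe(body))
```

The negative quantity is the business-logic flaw proper: every field is a valid number, nothing is injected, and the result is a refund the attacker never paid for. That is why scanners miss it and why the testing has to follow the workflow rather than the input grammar.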
Securing the API
1. DAST/SAST scanning is not enough; you have to perform a dedicated API security
assessment.
2. Don’t rely on traditional penetration testing that only searches for vulnerabilities at
random; perform scenario-based testing that follows the business workflows.
3. Manual penetration testing is still the king.
4. Run a continuous penetration testing cycle, not a one-off engagement.
5. Don’t collect or store unnecessary data from users.
That’s why security is important
Resource: https://restofworld.org/2021/coders-in-india-are-hacking-vaccine-websites-to-get-appointments/
Thanks!
Any questions?
You can reach me at:
Contact Number : +91 6363246093
Website: https://qualysec.com

apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qualysec Technologies