Automated REST API Endpoint Identification for Security Testing at Scale: How Machine Learning Accelerates Security Testing

Presented at Black Hat Asia 2019, March 29, 2019, 11:45 a.m. (60 minutes)

Unlike traditional web applications, where a crawler discovers URLs by following links, REST API endpoints can be exposed in many different formats, and many REST services publish no specification at all. Attackers can tamper with any part of an API request, including the URL path or query string, to try to bypass backend security mechanisms. It is therefore difficult for web application scanners to identify and test APIs for vulnerabilities. Moreover, today API endpoints and parameters are identified mainly from API documentation.

In this talk, we present our approach to automatically discovering and assessing the security posture of APIs by leveraging machine learning, fuzzy matching, and natural language processing (NLP) techniques. We show how to automatically identify undocumented or hidden API endpoints that attackers can exploit. Our approach significantly reduces the number of probes and the testing time, regardless of which API description language (if any) the service uses, and our tool identifies API endpoints without requiring API documentation.

We will demonstrate how machine learning techniques can accelerate API endpoint identification by reducing the search space, measured as the number of URIs that must be probed. We will also present our results and the open source machine learning tools we used.
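The abstract describes reducing the URI search space before probing. The following added example (not code from the talk or from Accenture's tool, and not a description of the presenters' actual models) illustrates one simple form of that idea in plain Python: learn the path prefix, path templates and naming conventions from a handful of observed endpoints, generate candidate URIs from a wordlist, and use fuzzy matching plus a convention score to rank them so that a scanner probes a much smaller, prioritised list first. The observed paths, the wordlist, the scoring weights and the 0.5 threshold are all constructed assumptions for this illustration.

```python
"""Rank candidate REST endpoints by conventions learned from observed URIs,
so that a scanner probes a reduced, prioritised search space.
Added illustration; not the tool presented in the talk."""
import re
from difflib import SequenceMatcher
from itertools import product

# Constructed sample input: endpoint paths seen in a JavaScript bundle and in
# proxy logs of a hypothetical target. Not data from the talk.
OBSERVED = [
    "/api/v2/users",
    "/api/v2/users/1042",
    "/api/v2/orders",
    "/api/v2/orders/88/items",
    "/api/v2/auth/login",
]

# Constructed wordlist of resource names; a real run would use a far larger one.
WORDLIST = ["user", "users", "order", "orders", "item", "items", "invoice",
            "invoices", "admin", "debug", "internal", "product", "products",
            "AuthToken", "config"]

# Segments that look like identifiers: integers, long hex strings, UUIDs.
ID_RE = re.compile(r"^(\d+|[0-9a-f]{8,}|[0-9a-f-]{36})$")


def normalise(uri):
    """Split a path into segments, abstracting ID-like segments to '{id}'."""
    segs = [s for s in uri.split("?")[0].split("/") if s]
    return tuple("{id}" if ID_RE.match(s) else s for s in segs)


def learn_conventions(observed):
    """Infer the common prefix, path templates and naming style of a target."""
    norm = [normalise(u) for u in observed]
    prefix = []
    for column in zip(*norm):          # leading segments shared by every path
        if len(set(column)) != 1:
            break
        prefix.append(column[0])
    templates, resources = set(), set()
    for n in norm:
        tail = n[len(prefix):]
        templates.add(tuple("{id}" if s == "{id}" else "{res}" for s in tail))
        resources.update(s for s in tail if s != "{id}")
    lowercase = all(r == r.lower() for r in resources)
    plural = sum(r.endswith("s") for r in resources) / len(resources) > 0.5
    return tuple(prefix), sorted(templates), resources, lowercase, plural


def fuzzy(a, b):
    """Similarity in [0, 1] between two resource names (difflib ratio)."""
    return SequenceMatcher(None, a, b).ratio()


def rank_candidates(observed, wordlist, min_score=0.5):
    """Return (size of the full candidate space, ranked list of (path, score))."""
    prefix, templates, resources, lowercase, plural = learn_conventions(observed)
    known = {normalise(u) for u in observed}
    full, kept = 0, []
    for tpl in templates:
        slots = tpl.count("{res}")
        if slots == 0:
            continue
        for words in product(wordlist, repeat=slots):
            full += 1
            w = iter(words)
            segs = prefix + tuple(next(w) if s == "{res}" else s for s in tpl)
            if segs in known:              # already discovered, no probe needed
                continue
            if lowercase and any(x != x.lower() for x in words):
                continue                   # violates the target's naming style
            score = 0.0
            for x in words:
                # Assumed weights: half for matching the plural convention,
                # half for fuzzy closeness to vocabulary already seen.
                plural_ok = 1.0 if (not plural or x.endswith("s")) else 0.0
                vocab = max(fuzzy(x, r) for r in resources)
                score += 0.5 * plural_ok + 0.5 * vocab
            score = score / slots - 0.1 * (len(tpl) - 1)   # prefer shallow paths
            if score >= min_score:
                kept.append(("/" + "/".join(segs), round(score, 3)))
    kept.sort(key=lambda c: -c[1])
    return full, kept


if __name__ == "__main__":
    total, ranked = rank_candidates(OBSERVED, WORDLIST)
    print(f"{total} raw candidates, {len(ranked)} kept for probing")
    for path, score in ranked[:10]:
        print(f"{score:.3f}  {path}")
```

The scanner then probes the kept list in score order, substituting real values for `{id}`. The threshold trades coverage for probe count: lowering it brings back near-vocabulary singulars such as `/api/v2/user`, which a real engagement may well want to test, at the cost of more requests.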


Presenters:

  • Jay Chien-An Chen - Security Researcher, Accenture Labs, Security R&D
    Dr. Chien-An Chen is a researcher in the Accenture Cyber Tech Lab based in Washington, DC. His current research focuses on container attack surface reduction. He is also experienced in blockchain technology and its applications in cyber security. Before joining Accenture, his research focused on designing secure distributed data storage and data processing systems for mobile devices. Chien-An received his Ph.D. from Texas A&M University in 2015 and his master's degree from the University of California, Los Angeles in 2010.
  • Steve Pham - Digital Solution Architect Principal, Accenture
    Steve Pham is a Digital Solution Architect and a key member of the Accenture API Enablement practice in APAC. He has more than 12 years of experience in architecting and delivering large, complex SI systems, specializing in API, Mobility and Digital Architecture. He is passionate about technology and about applying it to solve real-life problems effectively.
  • Jeffrey Jacob - Student Researcher, Accenture Labs, Security R&D
    Jeffrey Jacob is a third-year undergraduate student at the Georgia Institute of Technology majoring in Computer Science with concentrations in Devices and Intelligence. Over the summer of 2018, Jeffrey interned with Accenture Labs in Washington, D.C. as a Summer Security Consulting Analyst. Jeffrey comes from a technical background and has 6 years of programming and technical project experience in academic and internship settings. Jeffrey is interested in the opportunities that arise from applying Artificial Intelligence and Machine Learning techniques to security problems. The ability to ingest data and leverage predictive capabilities to protect and drive business success excites Jeffrey, and he hopes to pursue a career in this area. Outside of academics, Jeffrey enjoys watching movies, working out, and exploring cities with friends.
  • Azzedine Benameur - Security Researcher, Accenture Labs, Security R&D
    Dr. Azzedine Benameur is an experienced researcher in Security & Privacy with a strong industrial focus and is currently a Cyber Security Research & Development manager with Accenture Technology Labs in Washington, D.C. He previously led mobile security Research & Development at Kryptowire. He has over 10 years' experience working on Security, Privacy, Cloud Security and Mobile. He has a proven track record of delivering industry-focused research with prototypes and patents while pushing the state of the art with academic publications. In his past role at Symantec, he was in charge of enhancing the detection of rooted devices and pushed a novel patented solution into both the enterprise and consumer versions of Norton, used by millions of users. He also focused on Cloud security and low-level binary security issues through DARPA- and IARPA-funded projects (MEERKATS and MINESTRONE). Prior to Symantec he was a Researcher in the Cloud and Security Lab of HP Labs Bristol, UK, where he worked on privacy as part of the European Union's EnCoRe project, investigating fine-grained consent and revocation in user-centric applications. Prior to this he worked on SERENITY, another European Union security research project, at the Security & Trust Lab of SAP Research.
  • Lei Ding - Security Researcher, Accenture Labs, Security R&D
    Dr. Lei Ding is a cybersecurity researcher with Accenture Labs in Washington, D.C., where she focuses on developing, evaluating, and deploying novel data mining approaches and machine learning models in support of endpoint and network security solutions. Before joining Accenture, she was a principal investigator on several federally funded projects, including "Enabling intelligent security assessment for HPC systems via automated learning and data analytics" and "Secure computing environment for High Performance Computing systems" funded by the DoE, "Digital forensic tool kit for machinery control systems" funded by the Navy, and "Cognitive engine enabled mission-aware intelligent communication system for space networking" funded by NASA.