Abusing Web APIs Through Scripted Android Applications

Presented at Black Hat USA 2013, Aug. 1, 2013, 10:15 a.m. (60 minutes)

This presentation focuses on abusing web application APIs through their associated Android apps. We'll demonstrate using the JVM-based scripting language JRuby to load, modify, and run code from targeted APKs in an easily scriptable way. We'll leverage this to demonstrate attacks against web APIs that have reduced their security requirements in order to allow for a more frictionless mobile experience, such as removing the need for CAPTCHAs, email validation, and other usage restrictions. Building on that, we'll show code that extends the existing testing framework of Burp Suite and its Ruby interface Buby to make requests to APIs using the functionality we've exposed through scripting, find differing responses to similar requests, and identify potential weak points. We'll conclude with several case studies of popular apps demonstrating private key retrieval, arbitrary unlimited account creation on a social network, and locating and using custom cryptographic routines in our own scripts without the need to understand their implementation.


Presenters:

  • Daniel Peck - Barracuda Networks
    Peck is a research scientist and data junkie at Barracuda Networks. He is currently focused on studying uses of social networks as a medium for attacks. Previous research includes comparing content-based and non-content-based systems to identify malicious accounts on Twitter/Facebook, exploiting programmable logic controllers, and identifying/classifying malicious JavaScript. Peck has a Bachelor of Science in Computer Science from the Georgia Institute of Technology.
