APIs are not just the 21st-century developer's mullet, they're also how you are getting PWND

Presented at ToorCon San Diego TwentyOne (2019), Nov. 8, 2019, 5:30 p.m. (10 minutes).

A look at all the ways APIs are used in the attack process, from ATO (account takeover) and credential abuse automation to bot operations for inventory sniping and checkout procedures. All of this can be automated and abused thanks to the speed, ease of use, and extensibility of APIs.

If you were to talk to a WAF admin in 2006 about the logged HTTP/S traffic they observed that was NOT HTML but instead JSON and XML, they probably would have responded: "That's just developers making calls between their applications, nothing to worry about!"

Flash forward to 2007. The world now has a new toy, the iPhone, and the Internet is about to change. Since then, Google Analytics has tracked a sharp decrease in web technologies such as SOAP and WSDL, and a massive increase in JSON and XML, as those formats win the fight for an efficient way to deliver small, highly effective message requests in support of the mobile explosion.

With everything in today's world having "An App for That," how are attackers using API technologies to target, exploit, and profit off of a service that would be dirt cheap if only it weren't run by profiteering gluttons? In this talk, I'll give examples of exploit code used in DoS attacks against API services, application exploits against an API's application logic, and defensive methodologies for dealing with these attacks.

Attendees will walk away with a better understanding of how APIs can be abused, and some basic ideas of how to better protect these essential functions.


Presenters:

  • Tony Lauro
    Tony is currently Director of Security Strategy for Akamai Technologies. He's been involved with Information Security since the late '90s, when he worked for a large US-based telecom provider. Since then, Tony has worked with Akamai's top global clients to provide cyber security guidance, architectural analysis, and web application and network security expertise. With over 20 years of Information Security operations experience, Tony has worked and consulted in many verticals including finance, automotive, medical/healthcare, enterprise, and mobile applications. He is currently responsible for Akamai's North, Central, and South American clients as well as the training of an internal group whose focus is on Web Application Security and adversarial resiliency disciplines. Tony's previous responsibilities include consulting with public sector/government clients at Akamai, managing security operations and pen testing for a mobile payments company, and overseeing security and compliance responsibilities for a global financial software services organization. Tony enjoys skateboarding, competitive grappling, Brazilian Jiu Jitsu, and spending time with his wife and kids in Dallas, TX.