
A web security blog from Detectify

Hacker School Reboot - insights from leading API hackers [VIDEO]

Jocelyn Chan / September 9, 2021


API security and API hacking are hot topics today, so we invited three experts to join us for the latest Detectify Hacker School Reboot and present lightning talks on their experience and interests in hacking APIs.

Web and mobile applications, and single-page applications in particular, keep becoming more common, which means APIs are becoming more prevalent and a bigger part of everybody's business. Put simply: API security should be on everyone's radar. You can watch the talks on-demand in the video below. A summary of each talk follows in this blog post:


AI opportunities and challenges for web security by Dr. Katie Paxton-Fear:

Automating your web security, and offensive web security in particular, is common practice nowadays. Dr. Katie Paxton-Fear is interested in how we can move from plain automation towards using artificial intelligence to help with offensive web security.

Dr. Katie argues that we don’t have enough data to effectively train machine learning (ML) to power offensive web security.

Many ML projects focus on analyzing code, often scraped from open sources such as GitHub. However, training on that code is controversial, as the debate around GitHub Copilot shows, because it is not clear that the licenses permit it.

Another problem is that few datasets focus on web vulnerabilities or on specific web technologies. For example, a model may be trained on plain PHP, while developers are actually using frameworks like Symfony or Laravel, so the code it has seen does not match what it will be asked to test.

Many ML-assisted fuzzing techniques are based on supervised learning, which requires a lot of time-consuming manual labelling, and that makes it difficult to build good models.

Dr. Katie says these challenges are also opportunities.

She sees these as the clear next steps in developing ML for offensive security:

  • We need new, relevant, and quality data. We can’t just rely on GitHub or old code samples. We need ML expertise to join the security field to help solve these problems.
  • We need clear problem statements and an understanding of offensive security. 
  • We also need to keep in mind the ethics and legalities of what we’re doing here. 

Erwin Geirnaert – What’s happened throughout two decades of hacking:

Erwin Geirnaert is a veteran when it comes to web hacking, with 20+ years of web security under his belt. Highlights of his career include working as a developer and security consultant, contributing to OWASP, founding a couple of companies, and teaching ethical hacking.

Back then, security testing was done under non-disclosure agreements, and the scope and the tools a pentester was allowed to use were bound by a signed contract. Organizations were afraid of hacking, and of the possibility that you would breach them and get access to their data. Today we have companies offering hacker services and publishing responsible disclosure policies. A lot has changed in 20 years in Erwin's opinion, in particular the acceptance of hacking:

Twenty years ago, ethical hacking was considered illegal. You had no legal framework, and even a change of the website content from 123 to 124 was a big no-no! Today ethical hacking is widely accepted in the tech community to help make software safer, and we see a plethora of bug bounty programs.

“I wish that bug bounty programs including Crowdsource existed 20 years ago because I would have earned a lot of money,” Erwin reminisces with a chuckle. “At that time, we found vulnerabilities that nobody knew about, but we had to keep silent about it because it was all under non-disclosure.”

Today when a hacker finds a vulnerability, they can share the information with the security community and organizations in different ways. For example, when Erwin reports a vulnerability with a working proof-of-concept to Detectify Crowdsource, he sees his single finding impact more companies at once and it gives him recurring rewards over time! For Erwin, that’s a whole different ball game.


Today vulnerabilities have a broader impact: compromising a code repository or a widely used software product can affect thousands of companies worldwide. The SolarWinds and Kaseya VSA attacks are examples of this threat.

Erwin sees more and more critical software bugs, because software is becoming essential in every environment, from healthcare to cars. Everything that runs software nowadays has a web interface. Many exploits and attacks target vulnerabilities in the web interfaces of security products themselves: firewall appliances, VPN appliances, BIG-IP load balancers, and the like. So the near future will be an interesting one for security.

Alissa Knight – How she (ethically) hacked healthcare APIs:

Alissa Knight recently hacked healthcare APIs, and in that assignment she found four significant classes of vulnerability, all of which appear in the OWASP API Security Top 10:

  • Broken object-level authorization (BOLA)
  • Broken user authentication
  • Excessive data exposure
  • Mass assignment

In her lightning talk, she walked through the findings when she pentested the healthcare APIs and emphasized the importance of approaching API security testing like a hacker!

Alissa has a go-to four-step API kill chain, and these are the steps you can follow when hacking APIs:

  1. Step one: reverse engineer the mobile app.
  2. Step two: network traffic analysis. Capture and intercept the traffic, decrypt it, and then analyze it to understand how the API works, especially if there is no OpenAPI specification to read.
  3. Step three: map API behaviors. This can be as simple as opening a spreadsheet, clicking on every button in the mobile app, and documenting each stimulus and its response.
  4. Step four: go fuzz yourself. Fuzzing is a critical step in a penetration test against APIs. Make sure you modify the captured API requests, swapping object IDs and adding fields, and look for BOLA. Most of the OWASP API Top 10 can be uncovered with a fuzzing tool.
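The following is an added example, not code from Alissa's talk or from Detectify's tooling. It ties the four vulnerability classes listed above to step four of the kill chain: a constructed in-memory healthcare-style API handler that has BOLA, mass assignment and excessive data exposure, a minimal ID fuzzer and field-injection probe of the kind you would run after mapping the API, and a fixed handler for comparison. Every route, record field, token and function name here is made up for illustration.

```python
"""Added example, not from the talk or from Detectify's tooling.

A constructed in-memory healthcare-style API with the flaws Alissa describes
(BOLA, mass assignment, excessive data exposure), a minimal ID fuzzer of the
kind step four of the kill chain calls for, and a fixed handler for comparison.
Every route, field name and token below is made up for illustration.
"""
import copy
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed seed data: patient records keyed by ID, each owned by one user.
SEED: Dict[int, dict] = {
    1001: {"owner": "alice", "name": "Alice A.", "dob": "1980-01-01",
           "role": "patient", "insurer_ref": "INS-77"},
    1002: {"owner": "bob", "name": "Bob B.", "dob": "1975-06-30",
           "role": "patient", "insurer_ref": "INS-12"},
}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}   # hypothetical bearer tokens
PUBLIC_FIELDS = ("name", "dob")                      # what a patient may read
WRITABLE_FIELDS = ("name",)                          # what a patient may change

Store = Dict[int, dict]
Response = Tuple[int, dict]
Handler = Callable[[Store, str, str, str, Optional[dict]], Response]


def make_store() -> Store:
    """Fresh copy of the seed data so each probe starts from a known state."""
    return copy.deepcopy(SEED)


def _patient_id(path: str) -> Optional[int]:
    m = re.fullmatch(r"/patients/(\d+)", path)
    return int(m.group(1)) if m else None


def vulnerable_handler(store: Store, method: str, path: str, token: str,
                       body: Optional[dict] = None) -> Response:
    """Checks *who* the caller is but never whether they may touch this object
    (BOLA), returns the whole record (excessive data exposure) and copies every
    body key into it (mass assignment)."""
    if token not in TOKENS:
        return 401, {"error": "unauthenticated"}
    pid = _patient_id(path)
    if pid is None or pid not in store:
        return 404, {"error": "not found"}
    rec = store[pid]
    if method == "GET":
        return 200, dict(rec)
    if method == "PATCH":
        rec.update(body or {})
        return 200, dict(rec)
    return 405, {"error": "method not allowed"}


def fixed_handler(store: Store, method: str, path: str, token: str,
                  body: Optional[dict] = None) -> Response:
    """Same API with an object-level authorization check, a response projection
    and an allow-list of writable fields."""
    user = TOKENS.get(token)
    if user is None:
        return 401, {"error": "unauthenticated"}
    rec = store.get(_patient_id(path))
    # Object-level check: deny unless the caller owns the record. Answering 404
    # rather than 403 also avoids confirming that the ID exists.
    if rec is None or rec["owner"] != user:
        return 404, {"error": "not found"}
    if method == "GET":
        return 200, {k: rec[k] for k in PUBLIC_FIELDS}
    if method == "PATCH":
        rejected = sorted(set(body or {}) - set(WRITABLE_FIELDS))
        if rejected:
            return 400, {"error": "unknown or read-only fields", "fields": rejected}
        rec.update(body or {})
        return 200, {k: rec[k] for k in PUBLIC_FIELDS}
    return 405, {"error": "method not allowed"}


def fuzz_object_ids(handler: Handler, store: Store, token: str, own_id: int,
                    candidates) -> List[int]:
    """Step four, BOLA: replay the caller's own GET with neighbouring IDs and
    report every ID that answers 200 although the caller does not own it."""
    return [pid for pid in candidates
            if pid != own_id
            and handler(store, "GET", f"/patients/{pid}", token, None)[0] == 200]


def probe_mass_assignment(handler: Handler, store: Store, token: str, own_id: int) -> bool:
    """Step four, mass assignment: PATCH a legitimate field plus one that should
    be server-controlled, then check whether the hidden field changed."""
    handler(store, "PATCH", f"/patients/{own_id}", token,
            {"name": "Renamed", "role": "admin"})
    return store[own_id]["role"] == "admin"


def leaks_internal_fields(handler: Handler, store: Store, token: str, own_id: int) -> List[str]:
    """Excessive data exposure: fields returned that a patient should not see."""
    _, data = handler(store, "GET", f"/patients/{own_id}", token, None)
    return sorted(k for k in data if k not in PUBLIC_FIELDS)


if __name__ == "__main__":
    ids = range(1000, 1005)   # IDs adjacent to alice's own record (1001)
    for name, h in (("vulnerable", vulnerable_handler), ("fixed", fixed_handler)):
        print(name,
              "BOLA:", fuzz_object_ids(h, make_store(), "tok-alice", 1001, ids),
              "mass assignment:", probe_mass_assignment(h, make_store(), "tok-alice", 1001),
              "exposed:", leaks_internal_fields(h, make_store(), "tok-alice", 1001))
```

Against a real target the same three probes are what you build from the spreadsheet in step three: take each mapped request, vary the object identifier with a low-privilege token, add fields the UI never sends, and diff the responses against what that user is supposed to see.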

Alissa and Detectify have also collaborated to bring her latest research into the efficacy of fuzzing as part of the API pentesting methodology. Go fuzz yourself!

