A presentation given by Katie Paxton-Fear, API Security Educator, Traceable AI, at our 2024 Austin API Summit, March 12-13.
Session Description: Have you ever wanted to be the villain or anti-hero? In this talk, we'll cover how to hack APIs, with permission, of course. First, we'll look at the tools of the trade for API hackers, some of the most common security vulnerabilities and how we test for them, and finally, I'll tell some of my API hacking stories. The aim of the session will be to learn a little API hacking and encourage people to have a go at API hacking themselves. Participants will also join me as I hack live, giving suggestions for the next steps, for an interactive and engaging session.
I'm an API Hacker, Here's How to Go from Making APIs to Breaking Them - Katie Paxton-Fear, Traceable AI
1. I’m An API Hacker, Here’s How To Go From Making APIs To Breaking Them
Katie Paxton-Fear
API Security Researcher
Traceable
2. About
Katie AKA InsiderPhD
● PhD in Cyber Security / AI
● Occasional hacker and content creator
● Found vulnerabilities in software you probably use every day
● Work at Traceable doing API security education
4. API Hacking
● A lot of people will tell you that API hacking is a specific skill
○ Myself included
● It’s really just thinking through how to abuse the business logic or permissions of an API
● Everything else is just tricks to do it faster
10. Why?
● These vulnerabilities are hard to find with a scanner
○ Finding them needs the context of what an API does and how it works!
● Frameworks have dramatically reduced injection-type vulnerabilities
○ They’re still bad, just less common
● Usually caused by simple mistakes
○ Sometimes even a single line of code
11. What am I actually doing when I am hacking?
Identifying endpoints I think might be vulnerable
Making small changes to the requests to add a malicious element
“Okay, this endpoint lets me input a review – I should look for injection vulns. I’ll start by testing XSS.”
12. What am I actually doing when I am hacking?
Seeing if it worked
Going back to the API and trying something else…
Until it works!
“The review endpoint definitely isn’t vulnerable to XSS. But the basket endpoint has a pretty clear BOLA!”
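The loop on slides 11 and 12 (start from a request that works for you, change one thing, see whether it worked) is easiest to see against a concrete endpoint. The following is an added example, not code from the talk or from Traceable: a toy basket API in plain Python with the kind of single-line BOLA (Broken Object Level Authorization) mistake the slides describe, the same handler with the missing ownership check, and a probe that swaps the object ID the way a hacker would. The endpoint paths, users, tokens and basket IDs are all made up for illustration.

```python
"""
Added example (not from the talk): a toy basket API with a BOLA bug,
the fixed handler, and a probe that mutates a working request's object id.
All paths, users, tokens and ids below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample data: two users, each owning one basket.
BASKETS = {
    101: {"owner": "alice", "items": ["laptop", "mouse"]},
    102: {"owner": "bob", "items": ["passport renewal", "meds"]},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # bearer token -> user


@dataclass
class Request:
    method: str
    path: str                      # e.g. "/api/baskets/101"
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict | None = None


def _authenticate(req: Request) -> str | None:
    """Return the calling user, or None if the bearer token is missing or unknown."""
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    return SESSIONS.get(token)


def _basket_id(req: Request) -> int | None:
    """Parse /api/baskets/<int>; anything else is treated as not found."""
    parts = req.path.strip("/").split("/")
    if len(parts) == 3 and parts[:2] == ["api", "baskets"] and parts[2].isdigit():
        return int(parts[2])
    return None


def get_basket_vulnerable(req: Request) -> Response:
    """BOLA: authenticates the caller but never checks who owns the basket."""
    if _authenticate(req) is None:
        return Response(401)
    basket = BASKETS.get(_basket_id(req))
    if basket is None:
        return Response(404)
    return Response(200, basket)   # any logged-in user can read any basket


def get_basket_fixed(req: Request) -> Response:
    """Same handler plus the one missing line: an object-level ownership check."""
    user = _authenticate(req)
    if user is None:
        return Response(401)
    basket = BASKETS.get(_basket_id(req))
    # 404 rather than 403, so a probe cannot distinguish "not yours" from "missing".
    if basket is None or basket["owner"] != user:
        return Response(404)
    return Response(200, basket)


def probe_bola(handler, own_request: Request, candidate_ids) -> list[int]:
    """The hacking loop from the slides: take a request that works for you, change
    only the object id, and record which foreign objects come back as 200."""
    baseline = handler(own_request)
    assert baseline.status == 200, "need a working request to mutate"
    leaked = []
    for other_id in candidate_ids:
        mutated = Request(own_request.method, f"/api/baskets/{other_id}", own_request.headers)
        resp = handler(mutated)
        if resp.status == 200 and resp.body != baseline.body:
            leaked.append(other_id)
    return leaked


def demo() -> tuple[list[int], list[int]]:
    """Run the same probe against both handlers; returns (leaked_vulnerable, leaked_fixed)."""
    alice_req = Request("GET", "/api/baskets/101", {"Authorization": "Bearer tok-alice"})
    nearby_ids = range(100, 105)   # sequential-id guessing, the first thing to try
    return (probe_bola(get_basket_vulnerable, alice_req, nearby_ids),
            probe_bola(get_basket_fixed, alice_req, nearby_ids))


if __name__ == "__main__":
    vuln, fixed = demo()
    print("vulnerable handler leaked baskets:", vuln)   # [102]
    print("fixed handler leaked baskets:", fixed)       # []
```

The probe compares each mutated response against the baseline rather than just checking for a 200, so that the caller’s own object does not count as a leak. The fix is deliberately one line in the handler: that is the “even sometimes a single line of code” point from slide 10, and it is why a generic scanner, which has no idea which user should own basket 102, will not flag it.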
17. If you know APIs you can do API hacking
● Everyone in this room eats, sleeps and breathes APIs in one form or another
● YOU know far more about APIs than the average API hacker
● You don’t need to buy a fancy course
● I promise these are vulnerabilities you can find
● Let’s talk about some of my 1337 Hax0r findings
- I started my career at 7 years old making Neopets homepages; I was really interested in web dev and wanted to build my own Neopets.
- Eventually did a degree in Computer Science and had the opportunity to study cyber security, but didn’t take it; at this point I knew a lot about websites and my grade was on the line.
- After my degree I worked as a general developer doing full stack PHP development in Laravel. You might be wondering why, as a developer, I was roped into fixing the mess of cables in the server room on this slide, and so am I.
- Eventually decided to do a PhD in cyber security and AI, and I really saw security as just a thing