AppSec Europe 2016 has ended
Thursday, June 30 • 14:10 - 14:55
Scanning with swagger: Using the Open API specification to find first and second order vulnerabilities in RESTful APIs


APIs support the complex web of interconnected things that exists today, yet they have also created significant challenges for security teams. Nearly every interconnected application exposes or consumes an API, and these APIs are inherently exposed to most of the same vulnerabilities that applications face. As security teams scramble to get their arms around the risks in their organizations’ APIs, those APIs are going completely untested, leaving vulnerabilities undiscovered. Fortunately, several recent innovations, such as the Open API Specification (formerly known as Swagger), are enabling effective API security testing at the largest attack surface.

But how? Every user interface comes with known and unknown sets of local vulnerabilities because it communicates with local and remote service APIs. Similarly, every API is potentially vulnerable to local and remote first order vulnerabilities. These can be observed directly via request and response; for example, a crafted series of GET requests performing blind SQL injection analysis can be considered a first order vulnerability. Vulnerabilities in the services that support the function of the API, whether exercised at the time of the request or queued for later computation, are considered second order; an example would be a data collection endpoint that consumes JSON and passes the payload to a Kafka broker, which in turn is consumed by a cluster service in Hadoop or Spark. These payloads queue up into architectures that analyse and augment the data. Injection and serialization vulnerabilities introduced in this manner are considered second order blind vulnerabilities.

The Open API Specification is a relative newcomer in the history of web service interface documentation. It stands apart from its predecessors by not tying itself to a specific vendor technology, and aims to embrace all forms of RESTful HTTP. Leveraging this specification for automated scanning of APIs saves time by providing a straightforward mechanism to evaluate APIs without having to proxy traffic or manually build attack vectors.
Join this presentation as Scott demonstrates novel approaches to using the Open API Specification (formerly Swagger) to exhaustively scan APIs for first and second order vulnerabilities, and demonstrates the severity of findings left unfixed.
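To make the abstract's point concrete, here is an added example (not code from the talk or from Rapid7) that reads a constructed Swagger 2.0 document, lists where each operation accepts untrusted input, and flags operations that declare no security requirement; the sample spec, its paths and its security scheme are assumptions.

```python
"""Inventory an API's input surface from its Swagger 2.0 / OpenAPI document."""
import json

# Constructed sample spec (not from the talk): an ingestion-style API with one
# authenticated read endpoint and one unauthenticated JSON collection endpoint.
SAMPLE_SPEC = json.loads("""{
  "swagger": "2.0",
  "basePath": "/v1",
  "securityDefinitions": {"api_key": {"type": "apiKey", "name": "X-Api-Key", "in": "header"}},
  "paths": {
    "/users/{id}": {
      "get": {"security": [{"api_key": []}],
              "parameters": [{"name": "id", "in": "path", "required": true, "type": "integer"},
                             {"name": "fields", "in": "query", "type": "string"}]}
    },
    "/events": {
      "post": {"consumes": ["application/json"],
               "parameters": [{"name": "body", "in": "body", "schema": {"type": "object",
                 "properties": {"source": {"type": "string"}, "payload": {"type": "string"}}}}]}
    }
  }
}""")

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch")

def inventory(spec):
    """One record per operation: where untrusted input enters and whether auth is declared."""
    base = spec.get("basePath", "")
    global_sec = spec.get("security", [])          # top-level default security requirement
    records = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])        # path-level parameters apply to every method
        for method, op in item.items():
            if method not in HTTP_METHODS:         # skip "parameters" and vendor extensions
                continue
            inputs = []
            for p in shared + op.get("parameters", []):
                if p.get("in") == "body":
                    # a body parameter carries a schema; flatten its top-level properties
                    props = p.get("schema", {}).get("properties", {})
                    inputs += [f"body.{name}" for name in props] or ["body"]
                else:
                    inputs.append(f"{p['in']}.{p['name']}")
            records.append({"operation": f"{method.upper()} {base}{path}",
                            "inputs": inputs,
                            # an explicit empty list on the operation disables security
                            "authenticated": bool(op.get("security", global_sec))})
    return records

def unauthenticated_inputs(spec):
    """Operations that accept input without any declared security requirement."""
    return [r["operation"] for r in inventory(spec) if r["inputs"] and not r["authenticated"]]
```

The resulting inventory is the list of request templates a scanner would exercise, and each body field is exactly the kind of input that may travel onward to a queue or batch job as a second order sink.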
Participants will learn:
• Why APIs are serious challenges for security experts
• How first and second order vulnerabilities can be left hidden in your APIs and microservices
• How you can begin to understand, define and test your APIs in a structured manner
• The latest techniques in API security testing


Scott Davis

Application Security Researcher, Rapid7
Scott has been developing software professionally for over 15 years in a variety of contexts and technologies including wireless sensor networks, robotics, migration modeling & visualization, ERP, interactive projection art, product development and security services. Scott has spent...

Thursday June 30, 2016 14:10 - 14:55 CEST
Room C (Tiziano Ballroom Sec. 2)