Thursday, June 30 • 14:10 - 14:55
Scanning with swagger: Using the Open API specification to find first and second order vulnerabilities in RESTful APIs


APIs support the complex web of interconnected things that exists today, yet they have also created significant challenges for security teams. Nearly every interconnected application exposes or consumes an API, and those APIs are exposed to most of the same classes of vulnerability that applications face. While security teams scramble to get their arms around the risks in their organizations' APIs, many of those APIs go completely untested, leaving vulnerabilities undiscovered. Fortunately, several recent innovations, like the OpenAPI Specification (formerly known as Swagger), make effective security testing possible across this large attack surface.

But how? Every user interface carries known and unknown sets of local vulnerabilities because it communicates with local and remote service APIs. Similarly, every API is potentially exposed to local and remote first-order vulnerabilities: ones whose effect can be observed directly in the request and response. A crafted series of GET requests performing blind SQL injection analysis, where the response content or its timing changes with the payload, is a first-order finding. Attacks that reach the services supporting the API, whether those run at the time of the request or are queued for later computation, are second-order attacks. An example is a data collection endpoint that consumes JSON and passes the payload to a Kafka broker, which is in turn consumed by a cluster service in Hadoop or Spark. These payloads queue up into an architecture that analyses and augments the data, and the HTTP response reveals nothing about what happens to them there. Injection and (de)serialization vulnerabilities introduced in this manner are second-order blind vulnerabilities.

The OpenAPI Specification is a relative newcomer in the history of web service interface documentation. It stands apart from its predecessors by not tying itself to a specific vendor technology, and it aims to describe all forms of RESTful HTTP. Because the document declares every path, method, parameter and request body schema, it can drive automated scanning of APIs directly, saving time by providing a straightforward mechanism to evaluate APIs without having to proxy traffic or manually build attack vectors.
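The idea in the two paragraphs above (the spec as the source of injection points, first-order payloads whose effect shows in the response, second-order payloads that can only be traced downstream) as an added example in Python. This is illustrative code written for this page, not the tool or code from the talk; the OpenAPI document, server URL, endpoint names and payload strings are constructed for the example, and the `cnr-` canary scheme is an assumption about how one might tag second-order probes so they can be found later in a data pipeline. Nothing is sent over the network; the block only builds the request list that a scanner would replay.

```python
"""Derive attack requests from an OpenAPI 3 document without proxying traffic.

Added example, not code from the talk. Reads an embedded, constructed spec,
treats the declared parameters and JSON body properties as injection points,
and emits one request per (injection point, payload). Nothing is sent.
"""
import hashlib
import json
from urllib.parse import quote, urlencode

# Constructed minimal OpenAPI 3 document used only for illustration.
SPEC = {
    "openapi": "3.0.0",
    "servers": [{"url": "https://api.example.test/v1"}],
    "paths": {
        "/users/{id}": {
            "get": {
                "parameters": [
                    {"name": "id", "in": "path", "required": True,
                     "schema": {"type": "integer"}},
                    {"name": "fields", "in": "query",
                     "schema": {"type": "string"}},
                ]
            }
        },
        "/events": {
            "post": {
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "properties": {"name": {"type": "string"},
                                   "count": {"type": "integer"}},
                }}}}
            }
        },
    },
}

# First-order payloads: their effect shows up in the response or its timing.
# "{CANARY}" is replaced per injection point with a unique marker; finding
# that marker later in logs, a data lake or an admin UI reveals a blind
# second-order sink that the HTTP response never showed. (Assumed scheme.)
PAYLOADS = ["' OR '1'='1", "1 AND SLEEP(5)", "{CANARY}"]


def baseline_value(schema):
    """A benign value of the declared type, so only one point is mutated."""
    return {"integer": 1, "number": 1.0, "boolean": True}.get(
        schema.get("type"), "a")


def canary_for(method, path, point):
    """Stable, attributable marker naming the operation and field it hit."""
    digest = hashlib.sha1(f"{method} {path} {point}".encode()).hexdigest()
    return "cnr-" + digest[:10]


def render(server, path, method, params, values, body, point):
    """Build one concrete request, encoding path and query pieces properly."""
    url = path
    query = {}
    for p in params:
        v = values[p["name"]]
        if p["in"] == "path":
            url = url.replace("{" + p["name"] + "}", quote(str(v), safe=""))
        elif p["in"] == "query":
            query[p["name"]] = v
    if query:
        url += "?" + urlencode(query)
    return {"method": method.upper(), "url": server + url,
            "json": body or None, "injection_point": point}


def build_requests(spec, payloads=PAYLOADS):
    """One request per (operation, injection point, payload), spec-driven."""
    server = spec["servers"][0]["url"]
    out = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            params = op.get("parameters", [])
            body_schema = (op.get("requestBody", {}).get("content", {})
                           .get("application/json", {}).get("schema", {}))
            base = {p["name"]: baseline_value(p["schema"]) for p in params}
            base_body = {k: baseline_value(s) for k, s
                         in body_schema.get("properties", {}).items()}
            points = ([(f"{p['in']}:{p['name']}", "param", p["name"])
                       for p in params]
                      + [(f"body:{k}", "body", k) for k in base_body])
            for point, kind, name in points:
                for template in payloads:
                    value = template.replace(
                        "{CANARY}", canary_for(method, path, point))
                    values, body = dict(base), dict(base_body)
                    (values if kind == "param" else body)[name] = value
                    out.append(render(server, path, method, params,
                                      values, body, point))
    return out


if __name__ == "__main__":
    for r in build_requests(SPEC):
        print(json.dumps(r))
```

Run as a script it prints one JSON request per line. To turn this into a test, replay each request and compare status, body and latency against a baseline built from the unmutated values; for the canary requests the check is not in the HTTP response at all but in whatever the Kafka, Hadoop or Spark side writes (logs, tables, error reports), where the marker identifies exactly which operation and field carried it.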
Join this presentation as Scott demonstrates novel approaches to using the OpenAPI Specification (formerly Swagger) to exhaustively scan APIs for first- and second-order vulnerabilities, and shows the severity of findings left unfixed.
Participants will learn: 
• Why APIs are serious challenges for security experts 
• How first- and second-order vulnerabilities can stay hidden in your APIs and microservices 
• How you can begin to understand, define and test your APIs in a structured manner 
• The latest techniques in API security testing 

Speakers

Scott Davis

Application Security Researcher, Rapid7
Scott has been developing software professionally for over 15 years in a variety of contexts and technologies, including wireless sensor networks, robotics, migration modeling and visualization, ERP, interactive projection art, product development and security services. Scott has spent as many years focusing on the security aspects of these technologies, and has leveraged this background to lead the engineering security team at Webtrends...


Thursday June 30, 2016 14:10 - 14:55
Room C (Tiziano Ballroom Sec. 2)
