Automating API Pen Testing using Fuzzapi just another tool?

Automated API pentesting using fuzzapi


Page 1: Automated API pentesting using fuzzapi

Automating API Pen Testing using Fuzzapi

just another tool?

Page 2: Automated API pentesting using fuzzapi

About us

Abhijeth Dugginapeddi (@abhijeth)
Application Security
Likes training, spreading awareness
Got some bugs in Google/FB/Yahoo/Microsoft etc
Among top 5 bug hunters on Synack

Srinivas Rao Kotipalli (@srini0x00)
Security Engineer
Author, Speaker, Trainer
Blogs at androidpentesting.com
Author of “Hacking Android”

Lalith Rallabhandi (@lalithr95)
Developer Intern
Blogger, Coder, Security Enthusiast
Does bounties when free and found bugs with Microsoft/Google/FB/Badoo etc

Page 3: Automated API pentesting using fuzzapi

Only @abhijeth @srini0x00 and @lalithr95 are responsible for whatever is on the slides

Nobody else is responsible for anything else we say

Page 4: Automated API pentesting using fuzzapi

Next 45 minutes

- Why
- What
- How

Page 5: Automated API pentesting using fuzzapi

Source giphy

Page 6: Automated API pentesting using fuzzapi

Source http://vignette2.wikia.nocookie.net/garfield/images/4/43/Garfield_the_Cat.png/revision/latest?cb=20150508141623

Page 7: Automated API pentesting using fuzzapi

Source reddit

Page 8: Automated API pentesting using fuzzapi

On a serious note

• What is fuzzAPI
• How to use fuzzAPI
• Need for automating Pen Testing APIs
• Developer vs Pen tester use cases
• Continuous Integration
• Spread the smile ☺

Page 9: Automated API pentesting using fuzzapi

#fuzzAPI

• Open Source REST API Fuzzer
• Test for vulnerabilities while writing your code
• Helps pen testers speed up their testing
• Covers most top attacks on APIs
• Built in Ruby on Rails

Page 10: Automated API pentesting using fuzzapi

REST API Penetration Testing

Common checks

• Authorization
• Authentication
• Input validations
• Others ☺

Page 11: Automated API pentesting using fuzzapi

#welovebugs

Page 12: Automated API pentesting using fuzzapi

This is Twitter

Source: @wesecureapp

Page 13: Automated API pentesting using fuzzapi

Source: @wesecureapp

Page 14: Automated API pentesting using fuzzapi

Facebook ☺

Credits: www.pranavhivarekar.in

Page 15: Automated API pentesting using fuzzapi

Interesting?

Page 16: Automated API pentesting using fuzzapi

Can you automate such attacks?

Page 17: Automated API pentesting using fuzzapi

Maybe!!

Page 18: Automated API pentesting using fuzzapi

But why do you want to automate?

Page 19: Automated API pentesting using fuzzapi

People don’t have time

Source: giphy

Page 20: Automated API pentesting using fuzzapi

Continuous Integration

• There are companies/teams who deploy code to production >10 times every day
• Developers can do basic testing
• Penetration testers can save a lot of time
• Penetration testers can work on logical stuff
• Easier to fix vulnerabilities sooner than later

Page 21: Automated API pentesting using fuzzapi

Source memegenerator

Page 22: Automated API pentesting using fuzzapi

No

But a part of it can be automated.

Page 23: Automated API pentesting using fuzzapi

Cool stuff about Fuzzapi

Access Control Violation

XXE

Other regular vulns like XSS/SQLi.. etc

Privilege Escalation

Rate limiting

Page 24: Automated API pentesting using fuzzapi

Not so cool stuff!!

Page 25: Automated API pentesting using fuzzapi

Demo

Source memegenerator

Page 26: Automated API pentesting using fuzzapi

#if demo doesn’t work

Page 27: Automated API pentesting using fuzzapi

#if demo doesn’t work

Page 28: Automated API pentesting using fuzzapi

#if demo doesn’t work

Page 29: Automated API pentesting using fuzzapi

How stuff works

API_Fuzzer – Ruby gem
Fuzzapi – Rails application

Page 30: Automated API pentesting using fuzzapi

#fuzzapi API_fuzzer gem

Page 31: Automated API pentesting using fuzzapi

Code walk through

Page 32: Automated API pentesting using fuzzapi

Fuzzapi approach for XXE

• XxeCheck performs a call with payload to internal server

• If status: OK – fuzzapi confirms XXE

Page 33: Automated API pentesting using fuzzapi

Fuzzapi sample approach for Privilege Escalation

Page 34: Automated API pentesting using fuzzapi

Fuzzapi sample approach for Rate limiting

• Fuzzapi sends multiple sample requests and waits for a timeout/error
• If the server fails to limit the requests, the check flags missing rate limiting

Page 35: Automated API pentesting using fuzzapi

Docker :D :D \m/

Page 36: Automated API pentesting using fuzzapi

Continuous integration --Rails !!!

• Identify test requests
• Use the API_Fuzzer module with the test request
• Run scans

Page 37: Automated API pentesting using fuzzapi

Developer’s eye Security Engineer’s eye

Work with developers to help them configure stuff

Add more checks ☺

Use it while doing security testing

Train developers to understand/fix vulns

Having scrum meetings about findings/fixes

Customizing fuzzapi according to organization’s requirement

Add more checks ☺

Testing APIs while writing code

Page 38: Automated API pentesting using fuzzapi
Page 39: Automated API pentesting using fuzzapi

Roadmap for fuzzapi/us

Add more checks

Write more blogs

Make more tutorial videos

Write more tools

Repeat

Page 40: Automated API pentesting using fuzzapi

Oh yea btw :D Don’t you want links to download?

API_Fuzzer gem: https://github.com/lalithr95/API-fuzzer

fuzzapi: https://github.com/lalithr95/Fuzzapi

For queries/concerns/feedback/rant:
Twitter: @abhijeth @lalithr95 @srini0x00

Page 41: Automated API pentesting using fuzzapi

It’s 2016 and if you still don’t know about bug bounties/responsible disclosures, you should say hi to these guys

@Bugcrowd @synack @Hacker0x01

Page 42: Automated API pentesting using fuzzapi

Thanks ☺

and all the security folks for contributing to the open source community