API and Web Service Hacking with Pixi, part of OWASP DevSlop

Post on 21-Jan-2018


API and Web Service Hacking with

Nicole Becher & Tanya Janca

About Us

• Nicole Becher: application security, red teaming, penetration testing, malware analysis, and computer forensics. OWASP Brooklyn Leader, Adjunct Instructor @ NYU, political junkie, marathoner, martial artist & animal lover.

• Tanya Janca: application security evangelist, web app penetration tester, trainer, public speaker, developer, OWASP Ottawa Leader, effective altruist, paid to be nerdy since the late 90’s.

• Both members of WIA (Women in AppSec)

• Both WASPY 2017 Nominees (vote for us!)

Outline

• The Problem:

– APIs and Web Services are underprotected

– We need more places to learn!

• The Solution:

– Learn how to hack them using Zap and Pixi

• Introducing Pixi, a vulnerable web app & API

• Part of a new OWASP Project called DevSlop

• Demo/Workshop!

• Questions

The problem

People are ignoring web services and APIs: just because they don’t have pretty GUIs doesn’t mean they can’t be hacked!

The API Economy: Explosion of APIs/web services

• Paradigm shift?

• End of monolithic applications?

• Microservices

• Containerization

• Front-end frameworks

• SaaS platforms / 3rd-party APIs

• Open Data/Programmable Web

• Serverless Computing

• Cloud

• DevOps / Agile

• Automation

• Continuous Integration

• Continuous Delivery

OWASP Top Ten 2017 *A10*

Modern applications often involve rich client applications and APIs, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities.

Facts and Proof!

• IRS, Facebook, Twitter, Buffer and Snapchat have had their APIs attacked.

• CASED found 56 million sets of unprotected user data from Facebook’s Parse, Amazon, and other cloud data sources

http://www.computerworld.com/article/3036964/car-tech/hackers-can-access-the-nissan-leaf-via-insecure-apis.html

https://www.stavros.io/posts/winning-candy-crush/

It’s such a big deal that Zap has released a new module for testing them, and we plan to show it to you!

The solution:

Learn how to hack your own APIs with Pixi + Zap!

Get comfortable with common API vulnerabilities

*And other open source software.

Introducing:

• Soon to be part of OWASP’s newest project, DevSlop

• A vulnerable web app with a vulnerable API.

Introducing:

• Allows users to create accounts, upload photos, send micropayments to others, like photos, etc.

• MongoDB, Docker, JSON, OpenAPI/Swagger, Angularjs, Node/Express, JSON web tokens ++

• This app is highly vulnerable, and fun to break.

• We will be creating videos, workshops, training material and making Pixi available to the public.

• DevSlop will include Pixi and eventually other vulnerable modern applications.

Ummm, what is an OWASP Project?

• An OWASP project is a collection of related tasks that have a defined roadmap and team members.

• OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team.

• OWASP currently has over 93 active projects!

• Projects are popular because they give members an opportunity to freely test theories and ideas with the support of the OWASP community.

• Basically, it’s a chance for you to share your awesome.

OWASP Projects are divided into categories

• Code (Pixi)

• Tools (ZAP)

• Documentation (Top 10)

Projects have maturity status

• Flagship

• Lab

• Incubator

Why use Zap?

• OWASP Zed Attack Proxy (Zap) is open-source/FREE

• Easy to use, built for beginners to advanced users

• OWASP (Open Web Application Security Project) is an international non-profit, and considered industry leaders in security

• Zap can become an automated part of your SDLC by adding it to your build server

• They just added WSDL and JSON support!

The Disclaimer - Be careful!

• OWASP Zed Attack Proxy (Zap) can be a hacking tool, it can cause serious damage. Never use Zap to attack websites unless you have consent. This tool and this lesson are to help you create better and more secure apps, not to help you become a 'script kiddie'.

• You *always* need permission.

• Using Zap or any other hacker tool on anything besides your own application can have very severe consequences, both legally and professionally.

Demonstration!

Not a hacker

Where can you find Pixi

https://github.com/thedeadrobots/pixi

> git clone https://github.com/thedeadrobots/pixi.git

> docker-compose up

Become a part of DevSlop!

Nicole Becher, Brooklyn Chapter Leader

@thedeadrobots

Nicole.Becher@OWASP.org

Tanya Janca, Ottawa Chapter Leader

@shehackspurple

Tanya.Janca@OWASP.org

Questions?