Change #38723 (2016-04-20 08:54:31)
create Calagator::Event 1250470152 "OWASP: Scanning with swagger"
description: nil →
Scanning with swagger: Using the Open API specification to find first and second order vulnerabilities in RESTful APIs
===
APIs support the complex web of interconnected systems that exists today, yet they have also created significant challenges for security teams. Nearly every interconnected application exposes or consumes an API, and those APIs are susceptible to most of the same vulnerability classes as the applications in front of them. While security teams scramble to get their arms around the risk in their organizations' APIs, many of those APIs go completely untested, leaving vulnerabilities undiscovered. Fortunately, recent developments such as the OpenAPI Specification (formerly known as Swagger) make effective, automated security testing of this large attack surface practical.
But how? Every user interface carries known and unknown vulnerabilities, in part because it talks to local and remote service APIs. Those APIs are in turn exposed to local and remote first-order vulnerabilities, which can be observed directly in the request and response: a crafted series of GET requests used for blind SQL injection analysis is a first-order test. Services that support the API behind the scenes, whether invoked at request time or queued for later processing, are the target of second-order attacks. An example is a data collection endpoint that consumes JSON and hands the payload to a Kafka broker, from which it is consumed by a cluster service in Hadoop or Spark; the payloads queue up into an architecture that analyses and augments the data. Injection and deserialization vulnerabilities introduced this way are second-order blind vulnerabilities: nothing in the immediate response reveals them.
The OpenAPI Specification is a relative newcomer in the history of web service interface description. It stands apart from its predecessors by not tying itself to a specific vendor technology and by aiming to describe all forms of RESTful HTTP. Using this specification to drive automated scanning saves time: it gives a machine-readable inventory of every endpoint and parameter, so an API can be evaluated without proxying traffic or hand-building attack vectors.
Join this presentation as Scott demonstrates novel approaches to using the OpenAPI Specification (formerly Swagger) to exhaustively scan APIs for first- and second-order vulnerabilities, and shows the severity of findings left unfixed.
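The workflow the abstract describes, expanding a spec into requests, checking each direct response for first-order signals, and planting unique markers to catch second-order effects downstream, as an added example in Python. This is not code from the talk or from Rapid7: the minimal Swagger 2.0 document, the payload list, the error signatures and the "downstream" text are all constructed for illustration, api.example.test is a placeholder host, and the second-order check assumes you have some way to read the output of the downstream consumer (a job log, a report, a log search).

```python
"""Spec-driven API scanning (added example, not the talk's tooling): expand a
Swagger 2.0 document into injection requests, classify first-order signals in
the direct response, and plant canary markers to catch second-order effects.
SAMPLE_SPEC, payloads, error signatures and downstream text are constructed."""
import json
import re
import uuid

# Constructed Swagger 2.0 document; api.example.test is a placeholder host.
SAMPLE_SPEC = {
    "swagger": "2.0", "host": "api.example.test", "basePath": "/v1",
    "paths": {
        "/users": {"get": {"parameters": [
            {"name": "name", "in": "query", "type": "string", "required": True},
            {"name": "limit", "in": "query", "type": "integer"}]}},
        "/events": {"post": {"parameters": [
            {"name": "body", "in": "body", "schema": {"type": "object", "properties": {
                "id": {"type": "integer"},
                "note": {"type": "string"},
                "tags": {"type": "array", "items": {"type": "string"}}}}}]}},
    },
}

# First-order payloads: their effect (error text, delay) shows in the direct response.
FIRST_ORDER_PAYLOADS = ["' OR '1'='1", "\" OR 1=1 -- ", "1; SELECT pg_sleep(5)--"]

# Constructed error signatures for error-based detection; extend per target stack.
SQL_ERROR_RE = re.compile(
    r"SQL syntax|ORA-\d{5}|unterminated quoted string|PSQLException|SQLiteException", re.I)


def sample_value(schema, payload):
    """Build a value for a Swagger schema, placing the payload in every string leaf."""
    t = schema.get("type", "string")
    if t == "object":
        return {k: sample_value(v, payload) for k, v in schema.get("properties", {}).items()}
    if t == "array":
        return [sample_value(schema.get("items", {}), payload)]
    if t in ("integer", "number"):
        return 1
    return payload


def build_requests(spec, payloads):
    """Expand every operation x parameter x payload into one concrete request.
    A payload may be a string or a zero-argument callable (one fresh value per
    request, used for canaries). Header/formData parameters are skipped here."""
    base = "https://" + spec["host"] + spec.get("basePath", "")
    out = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            for param in op.get("parameters", []):
                for payload in payloads:
                    p = payload() if callable(payload) else payload
                    req = {"method": method.upper(), "url": base + path,
                           "param": param["name"], "payload": p, "query": {}, "body": None}
                    if param["in"] == "query":
                        req["query"][param["name"]] = p
                    elif param["in"] == "path":
                        req["url"] = req["url"].replace("{%s}" % param["name"], p)
                    elif param["in"] == "body":
                        req["body"] = json.dumps(sample_value(param["schema"], p))
                    else:
                        continue
                    out.append(req)
    return out


def first_order_finding(req, status, body_text, elapsed_s):
    """Classify the signal a crafted request produced in its own response."""
    if SQL_ERROR_RE.search(body_text):
        return "error-based"
    if "sleep" in req["payload"].lower() and elapsed_s >= 4.5:
        return "time-based"
    if status >= 500:
        return "server-error"
    return None


def build_canary_requests(spec):
    """Second-order probes: a unique marker per (operation, parameter), mapped
    back to the request that carries it."""
    reqs = build_requests(spec, [lambda: "canary-" + uuid.uuid4().hex[:12]])
    return {r["payload"]: r for r in reqs}


def second_order_findings(downstream_text, canaries):
    """Markers that resurface later (a Spark job's output, a rendered report,
    a downstream service's log) identify the endpoint and parameter that
    injected them, even though the original response showed nothing."""
    return [canaries[m] for m in canaries if m in downstream_text]
```

The first-order pass is the familiar loop: send each generated request, time it, and hand the status, body and elapsed time to `first_order_finding`. The second-order pass is what the spec makes cheap: because every canary is tied to a specific operation and parameter, a marker turning up hours later in a batch job's output or a log search tells you exactly which input reached the downstream consumer unsanitised, without re-proxying any traffic.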
Participants will learn:
<ul>
<li>Why APIs are serious challenges for security experts </li>
<li>How first and second order vulnerabilities can be left hidden in your APIs and microservices </li>
<li>How you can begin to understand, define and test your APIs in a structured manner </li>
<li>The latest techniques in API security testing </li>
</ul>
Speaker
===
Scott Davis<br>
Rapid7<br>
Application Security Researcher <br>
Portland, Oregon Area<br>
Scott has been developing software professionally for over 15 years in a variety of contexts and technologies including wireless sensor networks, robotics, migration modeling & visualization, ERP, interactive projection art, product development and security services. He has spent as many years focusing on the security aspects of these technologies, and leveraged this background to lead the engineering security team at Webtrends for several years. Currently, he serves as Application Security Researcher at Rapid7.
<hr>
The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, join the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland
<br>
Meetings are free and open to the public.
end_time: nil → 2016-05-23 19:30:00 -0700
id: nil → 1250470152
start_time: nil → 2016-05-23 18:00:00 -0700
title: nil → OWASP: Scanning with swagger
url: nil → https://www.owasp.org/index.php/Portland
venue_details: nil → As usual, New Relic will be providing pizza and drinks for attendees.
venue_id: nil → 202392091