Blog

OWASP AppSec Training Day: API Attacks Beyond the OWASP API Top 10

July 2, 2020 | 3 MIN READ

by Matt Keil

OWASP API Top 10

There still time to register for the upcoming OWASP Training Day: API Attacks Beyond the OWASP API Top 10 led by hacker-in-residence Jason Kent. This class is ideally suited for those who are faced with protecting APIs from attacks as well as those developers looking to learn how their APIs can be compromised and used to steal data or commit fraud.

Register for OWASP Training Day: API Attacks Beyond the OWASP API Top 10.

Summary of the Class

Let’s face it; APIs are running the world. Third-party integrations are everywhere, from social media communication to integrations allowing services to share platforms and data. As developers race to create platforms with greater connectivity and functionality, shortcuts are taken, errors are made, specifications ignored – resulting in the release of insecure APIs. No longer are front end services and frameworks enough to protect the APIs from new world, high-speed attacks.

Over the last 20 years as a hacker, researcher, and educator, I have worked with many organizations to help them stop high-speed attacks as well as sophisticated fraudsters that are constantly on the lookout for the next venue to ply their trade. In addition to case studies derived from actual attacks, I will show how I was able to attack a garage door opener API and via responsible disclosure create a much safer platform for Chamberlain customers/users to control entry into their homes.

In this 8-hour class, we will talk about API attacks my company has seen against different types of platforms and compare common real-world attack types to the API Top 10.

We will look at taking apart Android API calls, utilizing an open-source APK disassembly tool, for mobile applications, and understand the attack surface available. This tool will be distributed via a docker container so students should have the ability to run a docker.

From a web application standpoint we will learn how to analyze API calls, API parameters and how to utilize simple tools like cURL or your favorite intercept proxy, to make calls against APIs and understand the workflow to test against a range of use cases such as account take over, information disclosure, inventory take over, etc.

Attackers often have tools at their disposal that target specific organizations, and we will highlight these tools and how they work. Finally, we will look at some case studies from various places that we have seen attacks occur and current attack campaigns that have thwarted the efforts of many security practitioners and development staff. During OWASP Training Day: OWASP API Top 10, we will have a cloud environment built allowing for newly minted API security enthusiasts to try techniques and view their attacks and fingerprints in real-time.

Don’t wait – register today.

Matt Keil

Author

Matt Keil

Director of Product Marketing

Matt Keil focuses on product marketing and content creation. Previously, he spent nearly two decades in enterprise network security, including roles at Palo Alto Networks where he was instrumental in launching the company.

Related Articles