Automating API Penetration Testing using fuzzapi

By Abhijeth Dugginapeddi, Lalith Rallabhandi on 14 Oct 2016 @ AppSecUSA
#fuzzing #api-security #application-pentesting #security-development-lifecycle #secure-coding #security-tools #sast
Focus Areas: Application Security, DevSecOps, Penetration Testing, Web Application Security

Presentation Material

Abstract

Despite the widespread use of REST API calls across many frameworks, security researchers continue to discover vulnerabilities in APIs. They are frequently found in the APIs of applications produced by even the most mature development teams, including internet giants such as Facebook, Google and Microsoft.

Where do the developers fail? After studying several API vulnerabilities across the internet, the main problem our team has identified is that developers often have little understanding of how to write or implement secure REST APIs. Most fail while trying to manage the complexity of writing APIs for web and mobile platforms simultaneously. Another significant problem the team has identified is that most DevOps engineers and penetration testers have no standard platform that covers the common vulnerabilities typically found in APIs. In the absence of such deliberately vulnerable applications, it has been a challenge for penetration testers to practice security testing of APIs across multiple platforms.

Our project is trying to address this problem for the broader community by developing a platform to better understand and practice testing for the most common API vulnerabilities. Rather than a tool that only identifies vulnerabilities in web services, we have built a platform that enables everyone to test and understand a large range of API vulnerabilities that exist in both web and mobile applications.

As part of this presentation, our team will release an API fuzzer as an OWASP project to help developers test the APIs they develop during the early stages of the SDLC. The tool can be integrated into the build pipeline so that developers identify vulnerabilities before penetration testing begins. Penetration testers can also run the tool against various APIs during their engagements, automating a few of their tasks.

AI Generated Summary

The talk focused on API penetration testing, specifically on automating the process using a tool called fuzzapi. fuzzapi is a Ruby on Rails application that fuzzes REST API parameters, headers, and bodies to identify vulnerabilities such as access control violations, privilege escalations, and XML External Entity (XXE) injection. The tool uses a simple architecture, a Ruby gem plus a web application, to process requests and store results in a MySQL database.

Key findings and techniques presented include:

  • fuzzapi’s ability to automate common API penetration testing tasks, such as fuzzing parameters and identifying vulnerabilities
  • The tool’s use of Sidekiq to process requests, with jobs and results queued in Redis
  • fuzzapi’s support for custom rules and regular expressions to flag specific vulnerabilities
  • The tool’s ability to identify XXE vulnerabilities and privilege escalations
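The core loop the summary describes (mutate one parameter, replay the request, match each response against regex rules) is small enough to show end to end. The block below is an added example, not fuzzapi’s own code: `sample_endpoint` is a constructed in-process stand-in for an API with two planted defects, and the rule names, mutation list and `fuzz_param` helper are assumptions made for the illustration.

```ruby
require 'json'

# Constructed stand-in for a REST endpoint: returns [status, body] for a params
# hash and the authenticated caller. A real harness would issue an HTTP request.
RECORDS = { 1 => { 'id' => 1, 'owner' => 'alice' },
            2 => { 'id' => 2, 'owner' => 'bob' } }.freeze

def sample_endpoint(params, _caller)
  id = params['id']
  # Planted defect 1: a malformed id raises and the trace leaks into the 500 body.
  unless id.is_a?(Integer) || id.is_a?(String)
    return [500, "NoMethodError in RecordsController#show\n" \
                 "/app/app/controllers/records_controller.rb:12:in `show'"]
  end
  rec = RECORDS[id.to_i]
  return [404, '{"error":"not found"}'] if rec.nil?
  # Planted defect 2: no ownership check, so any caller can read any record.
  [200, rec.to_json]
end

# Detection rules, name => regex run over the response body. The access-control
# rule is built per caller: it fires when the returned owner is someone else.
def rules_for(caller)
  {
    'stack_trace_disclosure' => /\.rb:\d+:in /,
    'horizontal_privilege_escalation' => /"owner":"(?!#{Regexp.escape(caller)}")/
  }
end

# Mutations applied to one parameter value: the baseline, an oversized string,
# boundary integers, wrong types, and (for integer ids) the neighbouring id.
def mutations(value)
  m = [value, value.to_s * 200, -1, 0, 2**31, [], nil]
  m << value + 1 if value.is_a?(Integer)
  m
end

# Replay the baseline request with each mutant of +name+ and collect rule hits.
def fuzz_param(name, baseline, caller)
  findings = []
  mutations(baseline[name]).each do |mutant|
    status, body = sample_endpoint(baseline.merge(name => mutant), caller)
    rules_for(caller).each do |rule, re|
      findings << { rule: rule, param: name, value: mutant, status: status } if body.match?(re)
    end
  end
  findings
end

fuzz_param('id', { 'id' => 1 }, 'alice').each { |f| puts f.inspect } if $PROGRAM_NAME == __FILE__
```

Against the constructed endpoint, the run as alice reports two stack-trace disclosures (the array and nil mutants) and one horizontal privilege escalation (id 2, owned by bob); a hardened endpoint that validated the id type and checked ownership would produce no findings.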

Practical implications and takeaways include:

  • fuzzapi can be used to automate API penetration testing, saving time and effort for testers
  • The tool can be integrated with continuous integration pipelines to identify vulnerabilities early in the development process
  • fuzzapi’s custom rules and regular expressions can be used to tailor the tool to specific testing needs
  • The tool’s ability to identify XXE vulnerabilities and privilege escalations can help testers find critical vulnerabilities in APIs

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.