Hackers of India

Fuzzapi

By Abhijeth Dugginapeddi, Lalith Rallabhandi, Srinivas Rao on 29 Jul 2017 @ Defcon : DemoLabs

This Tool Demo covers the following tools, which the speaker has authored or contributed to:
FUZZAPI

Abstract

Fuzzapi is a REST API pen testing tool that automatically does a bunch of checks for vulnerabilities on your APIs. Rather than a tool that only identifies vulnerabilities in web services, we have built a platform that enables everyone to test and understand a large range of API vulnerabilities that exist in both web and mobile applications. After seeing the benefits of automating REST API pen testing using a basic Fuzzapi tool, the authors have decided to come up with a better version which can automatically look into vulnerabilities in APIs from the time they are written. REST APIs are often one of the main sources of vulnerabilities in most web/mobile applications. Developers quite commonly make mistakes in defining permissions on various cross-platform APIs. This gives attackers a chance to abuse these APIs for vulnerabilities. Fuzzapi is a tool written in Ruby on Rails which helps to quickly identify such commonly found vulnerabilities in APIs, which helps developers to fix them earlier in the SDLC life cycle. The first released version of the tool has only limited functionality; however, the authors are currently working on releasing the next version, which will completely automate the process and save a lot of time and resources.

AI Generated Summary (may contain errors)

The speaker is wrapping up their 40-minute talk and thanking the audience for listening. They acknowledge that they didn’t provide URLs to download the tools discussed, but mention that they have made their reports public and hope to improve their Google index ranking soon.

They then open up the floor for questions and feedback, providing Twitter IDs for audience members to reach out to them. They also invite contributions to the tool and encourage people to report any issues.

The Q&A session begins, with questions about integrating the tool with Burp/ZAP extenders (which is a possibility), running tasks asynchronously (which they already do), and supporting APIs with complex authorization schemes (which they are still working on).

Other questions touch on using workers for different checks, integrating with Swagger (which they plan to do), and supporting various HTTP methods (currently only headers are supported). The speaker also mentions that they check access tokens in APIs.

The session concludes with applause and thanks from the speaker.