Hackers of India

BinderAPI Scanner & BASS

By Krishnaprasad Subramaniam, Jeffrey Gaor, Valen Sai, Eric Tee Hock Nian on 18 Apr 2024 @ Blackhat : Arsenal

This Tool Demo covers the following tools, which the speaker has contributed to or authored:
BASS

Abstract

BASS-Environment Synopsis

Binderlabs API Security Simulator (BASS-Env) is an intentionally vulnerable API environment tailored to reflect the OWASP Top 10 API Security Risks of 2023. Its primary goal is to function as a practical training platform for cybersecurity professionals seeking to enhance their API hacking skills and deepen their understanding of API security testing. BASS-Env provides a hands-on experience by allowing users to interact directly with flawed APIs, highlighting the significance of API security within software development. The OpenAPI 3 Specifications and Postman Collections serve as the main interface, providing comprehensive documentation and enabling direct testing of API endpoints. At the core of BASS-Env lies its Laravel Backend/API Layer and MySQL Database, intentionally incorporating vulnerabilities across a variety of API endpoints. These components collaborate to simulate real-world scenarios, exposing vulnerabilities such as broken authentication, misconfigurations, and improper inventory management. Moreover, BASS-Env offers laboratory-based scenarios and challenges for participants, integrating manual and scanner testing methods. Scoring mechanisms, feedback loops, hints, and tutorials assist users in comprehending and resolving challenges. The environment prioritizes security and privacy considerations, accessible locally and supported through GitHub for community engagement. Future enhancements aim to broaden the spectrum of API flaws and facilitate effective updates for BASS-Env instances.

BASS-Scanner Synopsis

The BASS-Scanner is a Python3-based tool designed to streamline API Security Testing, focusing on identifying vulnerabilities outlined in the OWASP Top 10 API Security Risks of 2023. It offers a quick and efficient scanning process with minimal installation requirements, making it particularly suitable for penetration testers seeking to expedite API Pentest engagements. The tool offers customization options, including the ability to tailor wordlists for specific test cases to enhance detection rates. Key features include detection of various vulnerabilities such as broken object-level authorization, broken authentication, unrestricted resource consumption, server-side request forgery, and more. Its architecture is straightforward, leveraging Python3 and supporting REST and JSON type APIs. Scanning methodology involves detailed scrutiny of individual API endpoints, employing techniques like fuzzing and header analysis to uncover security flaws. User customization is facilitated through options such as specifying scan types and adjusting scanning parameters. Security and privacy considerations ensure that the tool does not handle sensitive information or transmit data to external sources. Overall, BASS-Scanner offers a promising solution for efficient and comprehensive API security assessments, with ongoing improvements slated for the future.