Automated API pentesting using fuzzapi

Page 1
Automating API Pen Testing using Fuzzapi
Just another tool?
Page 2
About us
Abhijeth Dugginapeddi (@abhijeth)
Application Security. Likes training, spreading awareness. Got some bugs in Google/FB/Yahoo/Microsoft etc. Among top 5 bug hunters on Synack.
Srinivas Rao Kotipalli (@srini0x00)
Security Engineer. Author, Speaker, Trainer. Blogs at androidpentesting.com. Author of “Hacking Android”.
Lalith Rallabhandi (@lalithr95)
Developer Intern. Blogger, Coder, Security Enthusiast. Does bounties when free and found bugs with Microsoft/Google/FB/Badoo etc.
Page 3
Only @abhijeth @srini0x00 and @lalithr95 are responsible for whatever is on the slides
Nobody else is responsible for anything else we say
Page 4
Next 45 minutes
- Why
- What
- How
Page 5
Source: giphy
Page 6
Source http://vignette2.wikia.nocookie.net/garfield/images/4/43/Garfield_the_Cat.png/revision/latest?cb=20150508141623
Page 7
Source: reddit
Page 8
On a serious note
• What is fuzzAPI
• How to use fuzzAPI
• Need for automating pen testing of APIs
• Developer vs pen tester use cases
• Continuous Integration
• Spread the smile ☺
Page 9
#fuzzAPI
• Open source REST API fuzzer
• Test for vulnerabilities while writing your code
• Helps pen testers speed up their testing
• Covers most of the top attacks on APIs
• Built in Ruby on Rails
Page 10
REST API Penetration Testing: common checks
• Authentication
• Authorization
• Input validation
• Others ☺
Page 11
#welovebugs
Page 12
This is Twitter
Source: @wesecureapp
Page 13
Source: @wesecureapp
Page 14
Facebook ☺
Credits: www.pranavhivarekar.in
Page 15
Interesting?
Page 16
Can you automate such attacks?
Page 17
Maybe!!
Page 18
But why do you want to automate?
Page 19
People don’t have time
Source: giphy
Page 20
Continuous Integration
• There are companies/teams who deploy code to production >10 times every day
• Developers can do basic testing
• Penetration testers can save a lot of time
• Penetration testers can work on logical stuff
• Easier to fix vulnerabilities sooner than later
Page 21
Source: memegenerator
Page 22
No
But a part of it can be automated.
Page 23
Cool stuff about Fuzzapi
• Access control violation
• XXE
• Other regular vulns like XSS/SQLi etc.
• Privilege escalation
• Rate limiting
Page 24
Not so cool stuff!!
Page 25
Demo
Source: memegenerator
Pages 26 to 28
#if demo doesn’t work
Page 29
How stuff works
• API_Fuzzer: Ruby gem
• Fuzzapi: Rails application
Page 30
#fuzzapi API_fuzzer gem
Page 31
Code walkthrough
Page 32
Fuzzapi approach for XXE
• XxeCheck sends the request with an XXE payload that points to an internal server
• If the response status is OK, fuzzapi confirms XXE
Page 33
Fuzzapi sample approach for Privilege Escalation
Page 34
Fuzzapi sample approach for Rate limiting
• Fuzzapi sends multiple sample requests and waits for a timeout/error
• If the server fails to limit the requests, the check reports missing rate limiting
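The three approaches on pages 32 to 34 (an XXE payload that calls back to an internal server, the privilege escalation / access control comparison, and the rate-limiting burst) are easy to sketch in Ruby, the language of API_Fuzzer and fuzzapi. The block below is an added example written for this page; it is not code from the fuzzapi or API_Fuzzer repositories and does not reproduce their internals. It models the target as an in-process stub (two users with constructed tokens, a /import endpoint that simulates an entity-resolving XML parser, and an optional request cap), and the listener address http://127.0.0.1:8099 is assumed. One caveat it bakes in: a 200 OK on the XXE request is only a weak signal, because the endpoint may simply have ignored the DOCTYPE, so the check keeps the status but treats the out-of-band hit on the listener as the confirmation.

```ruby
# Added example for this page, not fuzzapi/API_Fuzzer code: three API checks
# (XXE, access control, rate limiting) run against an in-process stub.
Request  = Struct.new(:verb, :path, :headers, :body, keyword_init: true)
Response = Struct.new(:status, :body, keyword_init: true)

# Stand-in for the "internal server" an XXE payload points at: it records
# every URL the target tries to fetch, so a hit here is the confirmation.
class Listener
  attr_reader :url, :hits
  def initialize(url)
    @url = url
    @hits = []
  end

  def fetch(url)
    @hits << url
  end
end

# Constructed target with two deliberate flaws: GET /profiles/:id never checks
# ownership, and POST /import "resolves" external entities (simulated by
# handing every SYSTEM entity URL to the listener). limit: caps total requests
# to show what a working rate limiter looks like to the check.
class StubApi
  TOKENS   = { 'tok-alice' => 1, 'tok-bob' => 2 }.freeze
  PROFILES = { 1 => 'alice@example.test', 2 => 'bob@example.test' }.freeze

  def initialize(listener, limit: nil)
    @listener = listener
    @limit = limit
    @count = 0
  end

  def call(req)
    @count += 1
    return Response.new(status: 429, body: 'slow down') if @limit && @count > @limit

    user = TOKENS[req.headers['Authorization'].to_s.delete_prefix('Bearer ')]
    return Response.new(status: 401, body: 'unauthenticated') unless user

    if req.verb == 'GET' && (m = %r{\A/profiles/(\d+)\z}.match(req.path))
      email = PROFILES[m[1].to_i] # flaw: m[1] is never compared with user
      return Response.new(status: email ? 200 : 404, body: email.to_s)
    end
    if req.verb == 'POST' && req.path == '/import'
      req.body.to_s.scan(/<!ENTITY\s+\w+\s+SYSTEM\s+"([^"]+)"/).flatten.each { |u| @listener.fetch(u) }
      return Response.new(status: 200, body: 'imported')
    end
    Response.new(status: 404, body: 'not found')
  end
end

module Checks
  # XXE: point an external entity at the listener, tagged with a nonce. The
  # response status is kept (the slide's criterion) but the listener hit is
  # what confirms the finding; a 200 alone may mean the DOCTYPE was ignored.
  def self.xxe(api, req, listener)
    nonce = format('x%08x', rand(2**32))
    payload = <<~XML
      <?xml version="1.0"?>
      <!DOCTYPE d [<!ENTITY xxe SYSTEM "#{listener.url}/#{nonce}">]>
      <d>&xxe;</d>
    XML
    resp = api.call(Request.new(**req.to_h.merge(body: payload)))
    { check: 'xxe', status: resp.status,
      confirmed: listener.hits.any? { |u| u.end_with?(nonce) } }
  end

  # Access control: fetch a resource as its owner, then replay the same
  # request with another user's token. Same 200 and same body = violation.
  def self.access_control(api, req, owner_token:, other_token:)
    owner = api.call(with_token(req, owner_token))
    other = api.call(with_token(req, other_token))
    { check: 'access_control',
      vulnerable: owner.status == 200 && other.status == 200 && other.body == owner.body }
  end

  # Rate limiting: send a burst of identical requests; if none is refused
  # (429 or a server error), the endpoint is not limiting.
  def self.rate_limit(api, req, attempts: 50)
    refused = Array.new(attempts) { api.call(req).status }.count { |s| s == 429 || s >= 500 }
    { check: 'rate_limit', attempts: attempts, refused: refused, vulnerable: refused.zero? }
  end

  def self.with_token(req, token)
    headers = req.headers.merge('Authorization' => "Bearer #{token}")
    Request.new(**req.to_h.merge(headers: headers))
  end
end

# Runs the three checks against a fresh stub and returns the findings.
def run_scan(limit: nil)
  listener = Listener.new('http://127.0.0.1:8099') # assumed callback address
  api = StubApi.new(listener, limit: limit)
  hdr = { 'Authorization' => 'Bearer tok-alice', 'Content-Type' => 'application/xml' }
  import  = Request.new(verb: 'POST', path: '/import', headers: hdr, body: '')
  profile = Request.new(verb: 'GET', path: '/profiles/2', headers: hdr, body: nil)
  [
    Checks.xxe(api, import, listener),
    Checks.access_control(api, profile, owner_token: 'tok-bob', other_token: 'tok-alice'),
    Checks.rate_limit(api, profile)
  ]
end

run_scan.each { |finding| puts finding.inspect } if __FILE__ == $PROGRAM_NAME
```

Each check returns a hash, so a CI step can fail the build when any finding is confirmed or vulnerable; `run_scan(limit: 20)` shows the rate-limit check going quiet once the stub starts answering 429. Against a real API the stub is replaced by an HTTP client and the listener by a small HTTP server that logs incoming requests, which is also where the XXE check's real evidence comes from.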
Page 35
Docker :D :D \m/
Page 36
Continuous integration -- Rails!!!
• Identify test requests
• Use the API_Fuzzer module with the test request
• Run scans
Page 37
Developer’s eye / Security Engineer’s eye
• Work with developers to help them configure stuff
• Add more checks ☺
• Use it while doing security testing
• Train developers to understand/fix vulns
• Having scrum meetings about findings/fixes
• Customizing fuzzapi according to the organization’s requirements
• Add more checks ☺
• Testing APIs while writing code
Page 38
Page 39
Roadmap for fuzzapi/us
• Add more checks
• Write more blogs
• Make more tutorial videos
• Write more tools
• Repeat
Page 40
Oh yea btw :D Don’t you want links to download?
API_Fuzzer gem: https://github.com/lalithr95/API-fuzzer
fuzzapi: https://github.com/lalithr95/Fuzzapi
For queries/concerns/feedback/rant, Twitter: @abhijeth, @lalithr95, @srini0x00
Page 41
It’s 2016 and if you still don’t know about bug bounties/responsible disclosures, you should say hi to these guys
@Bugcrowd @synack @Hacker0x01
Page 42
Thanks ☺
and all the security folks for contributing to the open source community