1印度演讲.pdf ("India talk")
PDF, 28 pages, 1.95 MB
Hacking APIs: Risks, Techniques, Real-world Examples and Defense
Secure the Backbone of Modern Applications
2025/01/11
Muthu D

About Me
- Most Valuable Security Researcher at Microsoft in 2023 and 2024, recognized globally for contributions to improving security.
- Ranked 24th on the Microsoft Security Researcher Leaderboard in 2023.
- Consistently recognized as a Top Security Researcher in Microsoft across multiple quarters (2023 Q1, Q2, Q3, Q4; 2024 Q1, Q2).
- Recognized and rewarded by Cloudflare, GitHub, and Coinbase for impactful security research.
- Multiple Hall of Fame recognitions and rewards from Apple, Google, and others.
- Invited by Airtel to NullCon Goa 2023 for a live hacking event.
- Twitter (X), LinkedIn

Agenda
1. What is an API?
2. Why APIs are critical
3. Common API vulnerabilities
4. Real-world examples
5. Securing APIs
6. Conclusion

What is an API?
Definition: An API (Application Programming Interface) allows communication between software applications.
Examples:
- REST
- GraphQL
- SOAP

Why APIs Are Critical
- APIs power modern apps (e.g., social media, payment gateways, IoT).
- Connect systems and expose data to partners, developers, or customers.
Fun Fact: APIs account for 83% of web traffic (source: Akamai).

Common API Vulnerabilities
1. Mass Assignment
2. Excessive Data Exposure
3. API Authentication Vulnerabilities
4. API Authorization Vulnerabilities (BOLA & BFLA)
5. Rate Limit Bypass
6. Header Injection Bypass

Mass Assignment
Definition: Unauthorized parameter inclusion in requests to alter object properties or privileges.
Example: Sending a parameter like isAdmin:true during account creation to elevate user privileges.
Candidate parameter names to try: admin:true, admin:1, isadmin:true, role:admin, role:administrator, MFA:True
Common places to discover:
- Account registration
- Unauthorized Access to Organization
- Finding Variables in Documentation
- Fuzzing unknown variables
- Blind Mass Assi
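Mass assignment in working code, as an added example that is not part of the talk's slides: a registration handler that binds every JSON field onto the new user (the vulnerable pattern the slide describes), a hardened version with a server-side allowlist, and a small fuzzer that sends the slide's candidate parameter names one at a time and reports which ones the handler reflected back. The User fields, the sample request body, and the reject-on-unknown-field behaviour are assumptions made for the illustration; a real API's object and response shapes will differ.

```python
"""Mass assignment: a handler that binds every request field, its hardened
twin, and a response-diff fuzzer that finds the fields a handler accepts.
Added illustration for the slide above; not code from the talk."""
from dataclasses import dataclass


@dataclass
class User:
    # Assumed user model for the example. Only username and email are
    # meant to be client-controlled; the rest are server-owned.
    username: str
    email: str
    admin: bool = False   # privilege flag a client must never set
    role: str = "user"
    MFA: bool = False     # assumption: True marks the account MFA-verified


# Constructed sample registration body (not from the slides).
BASE_BODY = {"username": "alice", "email": "alice@example.com"}

# The slide's candidate parameter names, as (name, value) pairs to try.
CANDIDATES = [("admin", True), ("admin", 1), ("isadmin", True),
              ("role", "admin"), ("role", "administrator"), ("MFA", True)]


def register_vulnerable(body):
    """Vulnerable: every key in the JSON body is written onto the new user,
    so the client picks its own privileges. Returns the dict the API would
    echo back as its JSON response."""
    user = User(username=body["username"], email=body["email"])
    for key, value in body.items():
        setattr(user, key, value)        # binds admin, role, MFA, anything
    return vars(user)


ALLOWED_FIELDS = {"username", "email"}  # server-side allowlist


def register_hardened(body):
    """Hardened: only allowlisted fields are bound; anything else is rejected
    rather than silently dropped, so the probe shows up in the logs."""
    unexpected = set(body) - ALLOWED_FIELDS
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    return vars(User(username=body["username"], email=body["email"]))


def fuzz_mass_assignment(handler, base_body, candidates):
    """Send one candidate field per request and diff the response against a
    clean baseline. A field counts as accepted when the response reflects
    the injected value and the baseline did not already hold that value."""
    baseline = handler(dict(base_body))
    accepted = []
    for key, value in candidates:
        try:
            response = handler({**base_body, key: value})
        except ValueError:
            continue                     # rejected: not assignable
        if response.get(key) == value and baseline.get(key) != value:
            accepted.append((key, value))
    return accepted


if __name__ == "__main__":
    print("vulnerable accepts:",
          fuzz_mass_assignment(register_vulnerable, BASE_BODY, CANDIDATES))
    print("hardened accepts:  ",
          fuzz_mass_assignment(register_hardened, BASE_BODY, CANDIDATES))
```

The diff-against-baseline check only works when the API echoes the created object. When it does not, the field has to be confirmed indirectly, for example by fetching the profile afterwards or attempting an admin-only action; that is the blind variant the slide's last bullet points at. On the defensive side, the allowlist has to live server-side, since any client-side schema is under the attacker's control, and rejecting unexpected fields instead of ignoring them turns every probe into a log line a detection rule can key on.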
