prevent malicious hacking attacks on your apis
Post on 11-May-2015
Prevent Malicious Hacking attacks on your APIs
Michael Giller @GillerMichael
Security Scans Overview - Injection
SQL Injection: tries to exploit bad database integration coding
XPath Injection: tries to exploit bad XML processing inside your target service
Security Scans Overview - Injection
Code Injection: watch out for those eval() functions!
Log Injection: could be used to stir up false alarms
XML External Entity Injection: vulnerabilities in XML parsing
Security Scans Overview - XSS
Cross Site Scripting (XSS): enables attackers to inject client-side script into Web pages viewed by other users.
Used to bypass the same-origin policy; could be used to plant a Trojan horse, get full access to user cookies and history, etc.
Security Scans Overview - DoS
A Denial-of-Service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users.
E.g. CyberBunker launched an all-out assault on the spam-fighting company Spamhaus.
Security Scans Overview
Check user permissions: make sure that your users can only access the information they need to access
Watch out for sequential IDs
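An added example (not from the talk or its author) of the "check user permissions" and "sequential IDs" points above, in Python with sqlite3 and constructed sample data: the unchecked lookup lets one user read every order by walking IDs 1, 2, 3, while the corrected lookup binds the caller's identity into a parameterized query; readable_ids is a check you can run against your own API to confirm only the caller's records come back.

```python
import sqlite3

# Constructed sample data for this example: three orders owned by two users.
SAMPLE_ORDERS = [
    (1, "alice", 25.00),
    (2, "alice", 40.00),
    (3, "bob", 12.50),
]


def build_db():
    """Create an in-memory database holding the constructed sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, total REAL NOT NULL)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    return conn


def _to_dict(row):
    return None if row is None else {"id": row[0], "owner": row[1], "total": row[2]}


def get_order_unchecked(conn, current_user, order_id):
    """Weak pattern: the caller's identity is never compared with the record's
    owner, so any authenticated user can read any order by counting IDs."""
    row = conn.execute(
        "SELECT id, owner, total FROM orders WHERE id = ?", (order_id,)
    ).fetchone()
    return _to_dict(row)


def get_order(conn, current_user, order_id):
    """Corrected pattern: parameterized query (no string-built SQL) whose WHERE
    clause includes the owner, so someone else's record looks the same as a
    record that does not exist."""
    if not isinstance(order_id, int):
        raise ValueError("order_id must be an integer")
    row = conn.execute(
        "SELECT id, owner, total FROM orders WHERE id = ? AND owner = ?",
        (order_id, current_user),
    ).fetchone()
    return _to_dict(row)


def readable_ids(fetch, conn, current_user, id_range):
    """Permission check to run against your own endpoint: walk a range of IDs
    as one user and report which records are returned. For a correctly
    authorized API the result must contain only that user's own records."""
    return sorted(i for i in id_range if fetch(conn, current_user, i) is not None)
```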
Security Scans Overview (Cont.)
Malformed XML: tries to exploit bad handling of invalid XML on your server or in your service
XML Bomb: tries to exploit bad handling of malicious XML requests (be careful)
Malicious Attachment: tries to exploit bad handling of attached files
Security Scans Overview (Cont.)
Fuzzing Scan: generates random input for specified request parameters for a specified number of requests
Custom Script: allows you to use a script for generating custom parameter fuzzing values
References:
• The SoapUI team had a great informational “Better Safe Than Sony” webinar discussing security. You can watch it here:
http://www.soapui.org/soapUI-News/watch-yesterdays-webinar.html
• The Open Web Application Security Project (OWASP) published the top 10 most common types of attacks here:
https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
• Here are the attacks particular to REST: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet