What do you mean my appsec tools don’t work on APIs?!! · 2016-09-21
TRANSCRIPT
What do you mean my appsec tools don’t work on APIs?!!
Jeff Williams (@planetlevel), LASCON
A HISTORY OF APPLICATION SECURITY AUTOMATION
| Development (find vulnerabilities) | Operations (block attacks) |
|---|---|
| DAST (Dynamic AppSec Testing) | WAF (Web Application Firewall) |
| SAST (Static AppSec Testing) | IDS/IPS (Intrusion Detection/Prevention System) |
| IAST (Interactive AppSec Testing) | RASP (Runtime Application Self-Protection) |
| Unified Agent: IAST and RASP | |
*EVERYONE* USES APIS
Chart: How long has your organization been providing or developing APIs? (SmartBear State of API 2016 Survey, n=1374)
UBER
APIS ARE THE NEW “HIDDEN FIELD”
Diagram: Automated Access from clients (mobile, desktop, thing, server) → Business Capabilities (APIs, code, actions) → data stores (SQL, NoSQL, files)
Threats: Injection, Denial of Service, Account Hijacking, Information Theft, Corruption, Direct Object References…
Similar threats, similar vulnerabilities – testing is all different
WHAT TECHNIQUE SHOULD YOU USE TO TEST APIS?
Client(s) → Proxy (?) → API(s)
• Pentest / Dynamic (DAST)
• JavaSnoop
• Code Review / Static (SAST)
• Instrumentation (IAST)
VERIFYING API SECURITY - SIX PROBLEMS
1. Protocols
2. Data Parsers
3. API Specifications
4. Frameworks and Data Flow
5. AuthN and AuthZ
6. Futures and Promises
Why is automated verification of APIs different than plain old web applications?
PROBLEM 1: PROTOCOLS
• Protocol could be multiple nested protocols, or even a custom protocol
  – WebSocket, XMPP, AMQP, MQTT
  – Without a lot of work, we can’t scan, intercept, or block custom protocols
• Intercepting is now really hard
  – Could spend your whole pentest just getting the proxy to work
  – Especially difficult with SSL/TLS
  – iOS: set up a reverse proxy, modify the trust store, reverse/recompile with a forward proxy, use iOS SSL Kill Switch to bypass certificate pinning, etc…
GWT TRAFFIC
5|0|12|http://192.168.0.1:9080/gwt_test/|5E2238F4BEC12E99ABC5F1B1D661286C|com.gwttest.client.GreetingService|greetServer|java.util.ArrayList/3821976829|com.gwttest.client.CustomObj/8395292932|com.gwttest.client.Person/748395744|PersonName|java.lang.Integer/374839484|CustomObjParam1|CustomObjParam2|CustomObjParam3|1|2|3|4|2|5|6|5|2|7|200|8|7|200|8|6|9|200|10|11|12|10|
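To show what a tester has to do with traffic like this before any scanner can fuzz it, here is an added example (not from the talk) of a small parser for the GWT-RPC request format above. It rebuilds the string table and the call header, lists the string-table entries that are request data rather than type names or routing, and re-encodes the payload with one value swapped for a fuzz string; the argument block after the parameter types is left undecoded because interpreting it needs the server's serialization policy. The sample is the payload on the slide; the service and type names in it come from the slide, not from any real application.

```python
# Added example: minimal GWT-RPC request parser/re-encoder for fuzzing.
# The sample payload is the one on the slide above.
SAMPLE = (
    "5|0|12|http://192.168.0.1:9080/gwt_test/|5E2238F4BEC12E99ABC5F1B1D661286C|"
    "com.gwttest.client.GreetingService|greetServer|java.util.ArrayList/3821976829|"
    "com.gwttest.client.CustomObj/8395292932|com.gwttest.client.Person/748395744|"
    "PersonName|java.lang.Integer/374839484|CustomObjParam1|CustomObjParam2|CustomObjParam3|"
    "1|2|3|4|2|5|6|5|2|7|200|8|7|200|8|6|9|200|10|11|12|10|"
)


def is_type_signature(s):
    """GWT writes types as 'fully.qualified.Name/<crc>', e.g. java.lang.Integer/374839484."""
    name, sep, crc = s.rpartition("/")
    return bool(sep) and "." in name and crc.isdigit()


class GwtRpcCall:
    """Layout: version|flags|N|<N strings>|moduleBase|strongName|service|method|paramCount|types...|args..."""

    def __init__(self, version, flags, strings, body):
        self.version, self.flags, self.strings, self.body = version, flags, strings, body

    def ref(self, token):
        # body tokens refer to string-table entries by 1-based index (0 would mean null)
        return self.strings[int(token) - 1]

    @property
    def module_base(self):
        return self.ref(self.body[0])

    @property
    def strong_name(self):
        # serialization-policy hash; the server rejects calls whose hash it does not know
        return self.ref(self.body[1])

    @property
    def service(self):
        return self.ref(self.body[2])

    @property
    def method(self):
        return self.ref(self.body[3])

    @property
    def param_types(self):
        n = int(self.body[4])
        return [self.ref(t) for t in self.body[5:5 + n]]

    @property
    def args(self):
        # serialized arguments: literals (ints, doubles) mixed with string-table references;
        # decoding them needs the service's serialization policy, so they are left raw here
        return self.body[5 + int(self.body[4]):]

    def data_strings(self):
        """String-table entries that are neither routing fields nor type names: the
        values an attacker controls and a fuzzer should mutate."""
        header = {self.module_base, self.strong_name, self.service, self.method}
        return [s for s in self.strings if s not in header and not is_type_signature(s)]


def parse_gwt_rpc(payload):
    tokens = payload.split("|")
    if tokens[-1] == "":
        tokens.pop()                      # payload ends with a delimiter
    version, flags, count = int(tokens[0]), int(tokens[1]), int(tokens[2])
    strings, body = tokens[3:3 + count], tokens[3 + count:]
    if len(strings) != count or len(body) < 5:
        raise ValueError("truncated GWT-RPC payload")
    return GwtRpcCall(version, flags, strings, body)


def substitute(payload, original, replacement):
    """Swap one string-table value for a fuzz string and re-encode. The body refers to
    strings by index, so the rest of the call (including the strong name) stays valid.
    GWT's own escaping of the delimiter inside strings is not implemented here."""
    if "|" in replacement or "\\" in replacement:
        raise ValueError("replacement would need GWT string escaping")
    call = parse_gwt_rpc(payload)
    strings = list(call.strings)
    strings[strings.index(original)] = replacement
    header = [str(call.version), str(call.flags), str(len(strings))]
    return "|".join(header + strings + call.body) + "|"


if __name__ == "__main__":
    call = parse_gwt_rpc(SAMPLE)
    print(call.service, call.method, call.param_types)
    print("fuzzable strings:", call.data_strings())
    print(substitute(SAMPLE, "PersonName", "' OR 1=1 --"))
```

The header fields (module base URL, strong name, service, method, parameter count, parameter types) are the part of the format that is fixed; everything after them depends on the declared types, which is exactly why a generic proxy cannot mutate these requests without a parser like this one.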
PROBLEM 2: DATA PARSERS
• Parsers everywhere
  – Standard: URL, JSON, GWT, serialized objects, etc…
  – Custom
• Denial of Service (DoS) – entity expansion bombs (the “billion laughs” attack)
• XML eXternal Entity (XXE) – a DOCTYPE causes the parser to include sensitive data
• Server Side Request Forgery (SSRF) – a DOCTYPE causes the parser to emit attacker-chosen HTTP requests
• Untrusted Deserialization – deserializing arbitrary classes enables remote code execution (RCE)
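The three XML problems above share one root: the DOCTYPE. As an added example (not part of the talk), here is a pre-parse inspector that reads the internal subset before a real parser does, lists the external entities it declares (the XXE and SSRF vectors), and computes how many bytes the entity references in the body would expand to, without performing the expansion, so an entity bomb is rejected on arithmetic rather than on memory exhaustion. The sample documents, including the `10.0.0.5` target and the expansion limit of 100x the document size, are constructed for this example.

```python
# Added example: DOCTYPE inspection for entity bombs, XXE and SSRF before parsing.
import re

# <!ENTITY name "value">, <!ENTITY name SYSTEM "uri">, <!ENTITY name PUBLIC "id" "uri">,
# optionally a parameter entity (<!ENTITY % name ...>) or an NDATA notation.
_ENTITY_DECL = re.compile(
    r'<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.:-]+)\s+'
    r'(?:(?P<kind>SYSTEM|PUBLIC)\s+(?P<lit1>"[^"]*"|\'[^\']*\')'
    r'(?:\s+(?P<lit2>"[^"]*"|\'[^\']*\'))?'
    r'|(?P<value>"[^"]*"|\'[^\']*\'))'
    r'(?:\s+NDATA\s+[\w.:-]+)?\s*>', re.S)
_DOCTYPE = re.compile(
    r'<!DOCTYPE\s+[\w.:-]+(?P<extdtd>\s+(?:SYSTEM|PUBLIC)[^\[>]*)?'
    r'\s*(?:\[(?P<subset>.*?)\])?\s*>', re.S)
_REF = re.compile(r'&([\w.:-]+);')


def _expanded_len(name, internal, memo, stack):
    """Byte length of entity `name` after full recursive expansion, computed without expanding."""
    if name in memo:
        return memo[name]
    if name in stack:
        raise ValueError("recursive entity reference through '%s'" % name)
    stack.add(name)
    value, total, last = internal[name], 0, 0
    for m in _REF.finditer(value):
        total += m.start() - last
        ref = m.group(1)
        # references to undeclared or predefined entities (&amp;) are counted literally
        total += _expanded_len(ref, internal, memo, stack) if ref in internal else len(m.group(0))
        last = m.end()
    total += len(value) - last
    stack.remove(name)
    memo[name] = total
    return total


def analyze_xml_entities(doc, max_amplification=100.0):
    """Returns external entities (XXE/SSRF), the expansion size the body would reach, and a verdict."""
    report = {"external": [], "expansion": 0, "reasons": []}
    m = _DOCTYPE.search(doc)
    if m is None:
        report["safe"] = True              # no DOCTYPE: none of these attacks apply
        return report
    if m.group("extdtd"):                  # fetching the DTD itself is already an outbound request
        report["reasons"].append("DOCTYPE references an external DTD:" + m.group("extdtd").rstrip())
    internal = {}
    for d in _ENTITY_DECL.finditer(m.group("subset") or ""):
        if d.group("kind"):
            uri = (d.group("lit2") or d.group("lit1"))[1:-1]
            report["external"].append((d.group("name"), d.group("kind"), uri))
        elif not d.group("param"):
            internal[d.group("name")] = d.group("value")[1:-1]
    if report["external"]:
        report["reasons"].append("external entities declared (XXE/SSRF)")
    try:
        memo, body = {}, doc[m.end():]
        report["expansion"] = sum(_expanded_len(r.group(1), internal, memo, set())
                                  for r in _REF.finditer(body) if r.group(1) in internal)
    except ValueError as e:
        report["reasons"].append(str(e))
    if report["expansion"] > max_amplification * len(doc):
        report["reasons"].append("entity expansion of %d bytes exceeds %gx the %d-byte document"
                                 % (report["expansion"], max_amplification, len(doc)))
    report["safe"] = not report["reasons"]
    return report


def _lol_bomb(levels=5, fanout=10):
    """Constructed billion-laughs document: lolN expands to 3 * fanout**N bytes."""
    decls, prev = ['<!ENTITY lol "lol">'], "lol"
    for i in range(1, levels + 1):
        decls.append('<!ENTITY lol%d "%s">' % (i, ("&" + prev + ";") * fanout))
        prev = "lol%d" % i
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + '\n]>\n<lolz>&%s;</lolz>' % prev)


# Constructed samples (the SSRF target is a made-up internal address)
BILLION_LAUGHS = _lol_bomb()
XXE = ('<?xml version="1.0"?>\n<!DOCTYPE data [\n'
       '<!ENTITY xxe SYSTEM "file:///etc/passwd">\n'
       '<!ENTITY ssrf SYSTEM "http://10.0.0.5/admin">\n'
       ']>\n<data>&xxe;&ssrf;</data>')
CYCLE = '<!DOCTYPE x [<!ENTITY a "&b;"><!ENTITY b "&a;">]><x>&a;</x>'
BENIGN = '<data><user>alice</user></data>'

if __name__ == "__main__":
    for label, doc in [("bomb", BILLION_LAUGHS), ("xxe", XXE), ("cycle", CYCLE), ("benign", BENIGN)]:
        print(label, analyze_xml_entities(doc))
```

A real deployment would simply refuse any DOCTYPE on an API that never needs one; the analysis above is for the case where a DTD must be tolerated and you still want the billion-laughs, XXE and SSRF variants caught by the same check.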
DYNAMICALLY SELECTED PARSERS
PROBLEM 3: API SPECIFICATIONS
• Can your tool understand the API?
  – RMI, CORBA, IDL
  – WSDL, WADL, DTD, Slate
  – Swagger, Blueprint, RAML
  – Annotations
  – None?
• What do you send?
  – How do you make the API run?
• Most specifications don’t tell you anything about security
Diagram labels: Reverse Engineer / Specification? / Generate Interface?
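When a specification does exist, "what do you send?" has a mechanical answer, and "does it tell you anything about security?" has a concrete one. As an added example (not from the talk), here is a walker for a Swagger 2.0 document that enumerates every operation with its merged parameters and its security requirement, builds a concrete request for each, and pulls out the operations keyed by an identifier in the path. The last list is the starting point for Direct Object Reference testing: the spec tells you the endpoint takes an `accountId`, but nothing in it says whether the server checks that the caller owns it. The spec, host and operation names are constructed for this example.

```python
# Added example: turn a Swagger 2.0 document into concrete requests and an IDOR worklist.
# The spec below is constructed; host, paths and ids are not real.
SPEC = {
    "swagger": "2.0",
    "host": "api.example.test",
    "basePath": "/v1",
    "schemes": ["https"],
    "securityDefinitions": {"api_key": {"type": "apiKey", "name": "X-API-Key", "in": "header"}},
    "security": [{"api_key": []}],                    # default for operations that do not override it
    "paths": {
        "/accounts/{accountId}": {
            "parameters": [{"name": "accountId", "in": "path", "required": True, "type": "integer"}],
            "get": {"operationId": "getAccount", "responses": {"200": {"description": "ok"}}},
            "put": {"operationId": "updateAccount", "security": [],   # explicitly anonymous
                    "parameters": [{"name": "body", "in": "body", "required": True, "schema": {
                        "type": "object", "properties": {"nickname": {"type": "string"},
                                                         "balance": {"type": "number"}}}}],
                    "responses": {"200": {"description": "ok"}}},
        },
        "/accounts/{accountId}/transfers": {
            "post": {"operationId": "transfer",
                     "parameters": [{"name": "accountId", "in": "path", "required": True, "type": "integer"},
                                    {"name": "dryRun", "in": "query", "type": "boolean"},
                                    {"name": "body", "in": "body", "schema": {"$ref": "#/definitions/Transfer"}}],
                     "responses": {"202": {"description": "accepted"}}},
        },
        "/health": {"get": {"operationId": "health", "security": [],
                            "responses": {"200": {"description": "ok"}}}},
    },
    "definitions": {"Transfer": {"type": "object", "required": ["to", "amount"],
                                 "properties": {"to": {"type": "integer"}, "amount": {"type": "number"}}}},
}

METHODS = ("get", "put", "post", "delete", "patch", "head", "options")


def resolve_ref(spec, schema):
    """Follow local $ref pointers such as #/definitions/Transfer."""
    while "$ref" in schema:
        node = spec
        for part in schema["$ref"].lstrip("#/").split("/"):
            node = node[part]
        schema = node
    return schema


def example_value(spec, schema):
    """Placeholder of the declared type: enough to make the API run."""
    schema = resolve_ref(spec, schema)
    if "example" in schema:
        return schema["example"]
    if "enum" in schema:
        return schema["enum"][0]
    kind = schema.get("type", "object" if "properties" in schema else "string")
    if kind == "object":
        return {k: example_value(spec, v) for k, v in schema.get("properties", {}).items()}
    if kind == "array":
        return [example_value(spec, schema.get("items", {}))]
    return {"integer": 1, "number": 1.0, "boolean": False}.get(kind, "test")


def enumerate_operations(spec):
    ops = []
    for path, item in spec.get("paths", {}).items():
        shared = {(p["name"], p["in"]): p for p in item.get("parameters", [])}
        for method in METHODS:
            if method not in item:
                continue
            op = item[method]
            params = dict(shared)                      # operation-level params override path-level ones
            params.update({(p["name"], p["in"]): p for p in op.get("parameters", [])})
            ops.append({"operationId": op.get("operationId", method + path), "method": method,
                        "path": path, "params": list(params.values()),
                        "security": op.get("security", spec.get("security", []))})
    return ops


def build_request(spec, op, overrides=None):
    overrides, path, query, headers, body = overrides or {}, op["path"], {}, {}, None
    for p in op["params"]:
        value = overrides.get(p["name"], example_value(spec, p.get("schema", p)))
        if p["in"] == "path":
            path = path.replace("{%s}" % p["name"], str(value))
        elif p["in"] == "query":
            query[p["name"]] = value
        elif p["in"] == "header":
            headers[p["name"]] = value
        elif p["in"] == "body":
            body = value
    for requirement in op["security"]:             # [] means the spec declares the operation anonymous
        for scheme in requirement:
            d = spec.get("securityDefinitions", {}).get(scheme, {})
            if d.get("type") == "apiKey" and d.get("in") == "header":
                headers[d["name"]] = "<%s>" % scheme
            elif d.get("type") == "apiKey":
                query[d["name"]] = "<%s>" % scheme
            elif d.get("type") == "basic":
                headers["Authorization"] = "Basic <credentials>"
            elif d.get("type") == "oauth2":
                headers["Authorization"] = "Bearer <token>"
    url = "%s://%s%s%s" % ((spec.get("schemes") or ["https"])[0], spec.get("host", "localhost"),
                           spec.get("basePath", ""), path)
    return {"method": op["method"].upper(), "url": url, "query": query, "headers": headers, "body": body}


def idor_candidates(ops):
    """Operations keyed by an id in the path. The spec says how to call them, not whether
    the server checks that the caller may use that id: test each with two users' tokens."""
    return [o for o in ops if any(p["in"] == "path" and p["name"].lower().endswith("id") for p in o["params"])]
```

Note what the output does and does not contain: `updateAccount` is declared anonymous and accepts a `balance` field in its body, which the enumeration surfaces, but whether `getAccount` with another user's `accountId` succeeds is something no specification field will tell you.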
SWAGGER
PROBLEM 4: FRAMEWORKS OBSCURE DATA/CONTROL FLOW
Apache Wink, Apache Tuscany, Cuubez, Everrest, RESTX, RestExpress, restSQL, Sparkjava, Retrofit, Swagger, Spring Web MVC, Jooby, Ninja, Jodd, JHipster, JavaLite, Ratpack, Vert.x
Apache Axis, Apache Axis2, Apache CXF, Jersey, Web Services Interoperability Technology, Web Services Invocation Framework, XFire (became Apache CXF), XML Interface for Network Services, JAX-RS, JAX-WS, Spring WS, Sun Metro, Restfulie, Restlet, Dropwizard (Jetty, Jersey, Jackson), Jackson, RESTEasy, Play
AUTOBINDING
Figure: a bean field acct-balance: Long bound directly from the request
The calls to request.getParameter() and other untrusted sources are no longer in the source code anywhere!
------INTERMISSION------
A HISTORY OF APPLICATION SECURITY AUTOMATION (slide 2, shown again after the intermission)
HOW DO YOU KNOW? OWASP TO THE RESCUE…
OWASP Benchmark
• Extensive test suite to measure appsec tools
• Same tests for SAST, DAST, IAST, {WAF, RASP}
• Scientifically test capabilities of tools
Sponsored by DHS
THE OWASP BENCHMARK PROJECT
21,041 test cases (true positives and false positives) · Free and open · Totally reproducible
This is the easy easy stuff…

| # | Vulnerability Category | True Vulnerabilities | False Vulnerabilities |
|---|---|---|---|
| 1 | Command Injection | 1802 | 906 |
| 2 | Cross Site Scripting | 1540 | 1909 |
| 3 | Insecure Cookie | 201 | 215 |
| 4 | LDAP Injection | 521 | 215 |
| 5 | Path Traversal | 1706 | 924 |
| 6 | SQL Injection | 2297 | 1232 |
| 7 | Trust Boundary Violation | 505 | 220 |
| 8 | Weak Encryption Algorithm | 720 | 720 |
| 9 | Weak Hash Algorithm | 714 | 707 |
| 10 | Weak Random Number | 1612 | 2028 |
| 11 | XPath Injection | 217 | 130 |
| | Totals | 11835 | 9206 |
https://www.owasp.org/index.php/Benchmark
FREE, OPEN, AND REPRODUCIBLE FOR ANYONE
DAST: AppScan Dynamic, Burp Suite Pro, OWASP ZAP, Arachni, Acunetix, Rapid7 AppSpider, HP WebInspect, WhiteHat, Netsparker, Google Skipfish, w3af
IAST: Contrast, Synopsys Seeker
SAST: Findbugs, HP Fortify, PMD, IBM AppScan Source, Veracode, CheckMarx, Synopsys Coverity, Parasoft, SonarQube
Diagram: 1. Test Suite (Source Code, Running App) → tool reports with actual results → 2. Scorecard Generator (compares them against the expected results) → 3. Benchmark Scorecard(s)
OWASP BENCHMARK SCORING
Every false alarm costs an organization the opportunity to eliminate real vulnerabilities.
It’s trivial to write a tool that reports nothing.
It’s trivial to write a tool that reports everything.
(Chart: true positive rate against false positive rate; “Ideal AppSec Tools” marks the top-left corner.)
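The two "trivial" tools are the reason the Benchmark scores a tool as true positive rate minus false positive rate rather than by the count of findings. As an added example (not the project's own scorecard generator), here is a scorer in the same shape: an expected-results file says which test cases are real vulnerabilities and in which category, a tool's findings are a set of (test case, category) pairs, and the scorecard reports TP/FP/TN/FN, TPR, FPR and the score per category and overall. The CSV and the three tools' findings are constructed for this example.

```python
# Added example: a scorecard generator in the shape of the Benchmark's (expected results
# vs. tool findings). The CSV and the three "tools" below are constructed.
from collections import defaultdict

EXPECTED_CSV = """\
# test name, category, real vulnerability
BenchmarkTest00001,sqli,true
BenchmarkTest00002,sqli,false
BenchmarkTest00003,sqli,true
BenchmarkTest00004,sqli,false
BenchmarkTest00005,pathtraver,true
BenchmarkTest00006,pathtraver,false
BenchmarkTest00007,cmdi,true
BenchmarkTest00008,cmdi,false
"""


def parse_expected(csv_text):
    expected = {}
    for line in csv_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, category, real = [c.strip() for c in line.split(",")[:3]]
        expected[name] = (category, real.lower() == "true")
    return expected


def _rates(c):
    tpr = c["tp"] / (c["tp"] + c["fn"]) if c["tp"] + c["fn"] else 0.0
    fpr = c["fp"] / (c["fp"] + c["tn"]) if c["fp"] + c["tn"] else 0.0
    return {**c, "tpr": tpr, "fpr": fpr, "score": tpr - fpr}   # Benchmark score = TPR - FPR


def scorecard(expected, findings):
    """findings: set of (test name, category) the tool reported. A finding in the wrong
    category does not count: reporting XSS on an SQLi test case is not a true positive."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "tn": 0, "fn": 0})
    for name, (category, real) in expected.items():
        reported = (name, category) in findings
        counts[category][("tp" if reported else "fn") if real else ("fp" if reported else "tn")] += 1
    rows = {category: _rates(c) for category, c in counts.items()}
    rows["overall"] = _rates({k: sum(c[k] for c in counts.values()) for k in ("tp", "fp", "tn", "fn")})
    return rows


EXPECTED = parse_expected(EXPECTED_CSV)
REPORTS_NOTHING = set()
REPORTS_EVERYTHING = {(name, cat) for name, (cat, _) in EXPECTED.items()}
REAL_TOOL = {("BenchmarkTest00001", "sqli"), ("BenchmarkTest00002", "sqli"), ("BenchmarkTest00003", "sqli"),
             ("BenchmarkTest00005", "pathtraver"), ("BenchmarkTest00007", "cmdi")}

if __name__ == "__main__":
    for label, findings in [("nothing", REPORTS_NOTHING), ("everything", REPORTS_EVERYTHING), ("tool", REAL_TOOL)]:
        o = scorecard(EXPECTED, findings)["overall"]
        print("%10s: TPR=%.2f FPR=%.2f score=%.2f" % (label, o["tpr"], o["fpr"], o["score"]))
```

The tool that reports everything and the tool that reports nothing both score 0; a tool that finds every real SQL injection but also flags one of the two safe SQL test cases scores 0.5 in that category, which is the cost of the false alarm made visible.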
THE OWASP BENCHMARK IS WORKING
• The results are fascinating…
  – Wildly varying results for different tools
  – Some tools are amazing at certain things
  – Some tools have inexplicable weaknesses
• Driving improvement…
  – Fortify, Checkmarx, Contrast, Arachni, ZAP, FindSecBugs, and SonarQube have already made improvements to their tools
ADDING API TEST CASES TO OWASP BENCHMARK
We are contributing over 1,100 new API test cases to the OWASP Benchmark Project (total lines: 132,451; no XSS)

| # | Vulnerability Category | True Vulnerabilities | False Vulnerabilities |
|---|---|---|---|
| 1 | Command Injection | 56 | 56 |
| 2 | Insecure Cookie | 16 | 16 |
| 3 | LDAP Injection | 16 | 16 |
| 4 | Path Traversal | 56 | 56 |
| 5 | SQL Injection | 116 | 116 |
| 6 | Trust Boundary Violation | 20 | 60 |
| 7 | Weak Encryption Algorithm | 64 | 64 |
| 8 | Weak Hash Algorithm | 64 | 64 |
| 9 | Weak Random Number | 160 | 128 |
| 10 | XPath Injection | 8 | 8 |
| | Totals | 576 | 584 |
EXAMPLE API TEST CASE
PRELIMINARY RESULTS: STATIC TOOL 1
Total vulnerabilities reported: 3,393
PRELIMINARY RESULTS: STATIC TOOL 2
Total vulnerabilities reported: 560,000
CONTRAST ANALYZES APIS FROM THE INSIDE
Contrast IAST/RASP Agent instruments your application with sensors that protect against both vulnerabilities and attacks
Your application stack (Runtime, Frameworks, Libraries, Custom Code) ← Contrast Agent
All agents report to Contrast TeamServer to protect the entire application portfolio in parallel
DETECTING AND BLOCKING BOTH ATTACKS AND VULNERABILITIES
Diagram: requests from a Developer, Tester or User and from an Attacker travel through the API (Controller → Validation → Session → Business Logic → Data Layer → SQL) to the Database. Sensors woven into the running application capture the HTTP request, data parsing, validation tags, data tracking, escaping tags and the query; the security context assembled within the Contrast Agent answers “Vulnerability?” and “Attack?”.
ACCURACY: IAST/RASP HAS AN UNFAIR ADVANTAGE
Software is a black box.
Diagram: what each tool can see of HTTP Traffic, Code, Frameworks, Libraries, Runtime Data Flow, Runtime Control Flow, Backend Connections, Configuration Data, Server Configuration, Platform Runtime, Software Architecture, etc… – SAST, DAST and WAF each see only a slice.
IAST/RASP provide full visibility into the running application
PRELIMINARY RESULTS: CONTRAST
Total vulnerabilities reported: 576
KEY TAKEAWAYS
• APIs are a large and increasing part of your attack surface
  – Legacy SAST and DAST tools don’t work on APIs
  – Manual penetration testing and code review don’t work on APIs
• Are you sure your APIs are protected?
• Contrast’s instrumentation-based approach is effective
  – Both traditional web applications and APIs
• Use the OWASP Benchmark Project when choosing tools
SOFTWARE TRENDS CHALLENGING SAST/DAST/WAF
Libraries – Explosive growth in libraries and frameworks
Services – Microservices, APIs, REST/XML services
Cloud – Rapidly growing use of cloud and containers
Agile – High speed software development

• SAST can’t handle the scale and complexity of the supply chain
• SAST and DAST can’t handle API and web service complexity
• WAF can’t handle infrastructure deployment pace and complexity
• SAST, DAST, and WAF all require experts in the critical path
PROBLEM 4: DATA FLOW
• Data flow is critical!
  – Primary cause of missed vulnerabilities and false positives
  – JSON -> parser -> binding -> bean -> query -> SQL Injection
  – Websocket -> byte[] -> custom parser -> filename -> Path Traversal
• Complex data flow is hard to track
  – Sources, sinks, and propagators are now deep in libraries
  – Every framework works differently
• Tools
  – Instrumentation (IAST) has highly accurate data flow, regardless of frameworks
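The first chain above, JSON -> parser -> binding -> bean -> query, is also what the AUTOBINDING slide earlier describes: the bean is filled by the framework, so no `getParameter()` call marks the source. As an added example (not from the talk, and not any framework's binder), here is that chain in miniature: a naive binder that sets every matching field, a hardened binder with an allow-list of client-writable fields, and the query sink in a concatenated and a parameterized form, run against an in-memory SQLite table. The `Account` bean, its `acct_balance` field and the request bodies are constructed for this example.

```python
# Added example: the JSON -> binder -> bean -> query chain, vulnerable and hardened.
import sqlite3
from dataclasses import dataclass, fields


@dataclass
class Account:
    id: int
    name: str
    acct_balance: float = 0.0


CLIENT_WRITABLE = {"name"}          # the only field a client may set on an Account


def bind_naive(cls, payload):
    """What a convenience binder does: every key that matches a field is set. The handler
    never calls getParameter("acct_balance"), so nothing in the source marks it untrusted."""
    return cls(**{f.name: payload[f.name] for f in fields(cls) if f.name in payload})


def bind_allowlisted(cls, payload, current):
    """Hardened binder: take only client-writable fields from the request, the rest from
    the stored record, and reject unknown or forbidden keys instead of silently ignoring them."""
    names = {f.name for f in fields(cls)}
    rejected = set(payload) - (names & CLIENT_WRITABLE)
    if rejected:
        raise ValueError("rejected fields: %s" % sorted(rejected))
    return cls(**{n: payload.get(n, getattr(current, n)) for n in names})


def try_bind(payload, current):
    """The bound Account, or None when the hardened binder rejects the request."""
    try:
        return bind_allowlisted(Account, payload, current)
    except ValueError:
        return None


def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, acct_balance REAL)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [(1, "alice", 10.0), (2, "bob", 20.0)])
    return db


def update_vulnerable(db, acct):
    # the bound bean flows straight into string concatenation: SQL injection through 'name'
    db.execute("UPDATE accounts SET name = '%s', acct_balance = %s WHERE id = %s"
               % (acct.name, acct.acct_balance, acct.id))


def update_hardened(db, acct):
    db.execute("UPDATE accounts SET name = ?, acct_balance = ? WHERE id = ?",
               (acct.name, acct.acct_balance, acct.id))


def row(db, id_):
    return db.execute("SELECT name, acct_balance FROM accounts WHERE id = ?", (id_,)).fetchone()


# Constructed request bodies
MASS_ASSIGNMENT = {"id": 1, "name": "alice", "acct_balance": 1e6}
INJECTION = {"id": 1, "name": "x', acct_balance = 999999 WHERE id = 1 --"}

if __name__ == "__main__":
    db = setup_db()
    update_hardened(db, bind_naive(Account, MASS_ASSIGNMENT))
    print("naive binder + parameterized query:", row(db, 1))      # balance set by the client
    db = setup_db()
    update_vulnerable(db, bind_naive(Account, INJECTION))
    print("naive binder + concatenated query:", row(db, 1))       # balance set by injection
    db = setup_db()
    update_hardened(db, try_bind({"name": INJECTION["name"]}, Account(1, "alice", 10.0)))
    print("allow-list binder + parameterized query:", row(db, 1))  # name stored literally
```

The two fixes are independent: the parameterized query stops the injection but not the mass assignment, and the allow-list stops the mass assignment but not the injection. A tool that only sees the source cannot tell that `acct_balance` is reachable from the request at all, which is the point of the slide.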
ABUSING URLS
• Authentication: http://user:[email protected]/foo/bar
• HTTP Parameter Pollution (HPP)
• Faking the method with the _method parameter
• NoSQL REST APIs follow their schema
• Every service has its own approach
* http://www.slideshare.net/DinisCruz/res-ting-on-your-laurels-will-get-you-powned4-3
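Each of the tricks above works because the component that decides (a WAF, a scanner's request model, a framework) reads the URL differently from the one that acts. As an added example (not from the talk or the cited slides), here is a request inspector that flags the three generic ones: credentials in the userinfo part, including the case where more than one `@` makes parsers disagree about the host; a parameter supplied twice, reported with the value a first-wins, last-wins and join-all framework would each see; and a method override via `_method` or an override header. The sample URLs and hosts are constructed.

```python
# Added example: flag URL tricks before they reach a component's view of "host",
# "method" and "parameters". Sample URLs are constructed.
from urllib.parse import urlsplit, parse_qsl

OVERRIDE_HEADERS = ("X-HTTP-Method-Override", "X-HTTP-Method", "X-Method-Override")


def inspect_request(url, method="GET", headers=None):
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    parts = urlsplit(url)
    findings = []

    # 1. userinfo: credentials in the URL, and the "which @ wins" ambiguity between parsers.
    #    Python's urlsplit takes the host after the last '@'; other parsers may take the first.
    if parts.netloc.count("@") > 1:
        findings.append({"issue": "ambiguous-authority", "netloc": parts.netloc,
                         "python_host": parts.hostname})
    elif parts.username is not None:
        findings.append({"issue": "userinfo", "user": parts.username, "host": parts.hostname})

    # 2. HTTP Parameter Pollution: the same name twice; frameworks disagree on which value counts
    values = {}
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        values.setdefault(k, []).append(v)
    for k, vs in values.items():
        if len(vs) > 1:
            findings.append({"issue": "hpp", "param": k, "values": vs,
                             "first": vs[0], "last": vs[-1], "joined": ",".join(vs)})

    # 3. method override: the transport says GET/POST, the framework may act on something else
    override = values.get("_method", [None])[-1]
    for h in OVERRIDE_HEADERS:
        override = headers.get(h.lower(), override)
    if override and override.upper() != method.upper():
        findings.append({"issue": "method-override", "declared": method.upper(),
                         "effective": override.upper()})
    return findings


if __name__ == "__main__":
    for f in inspect_request("http://user:secret@api.example.test/foo/bar?id=1&id=2&_method=DELETE", "POST"):
        print(f)
    print(inspect_request("http://user:x@trusted.example.test@evil.example.test/", "GET"))
```

A rule that blocks `DELETE /foo/bar` never fires on the first request above, and a scanner that models `id` as a single value never sends the second one; both need this view of the request, not the transport's.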
DIFFERENCE 5: AUTHENTICATION AND AUTHORIZATION
• Many techniques…
  – HTTP BASIC authentication over HTTPS
  – Cookies and session management
  – Token in HTTP headers (e.g. OAuth 2.0)
  – Query authentication with additional signature parameters
• Often a custom implementation
• Tools
  – All tools require custom auth’n and auth’z rules
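The fourth technique is the one a scanner cannot fake with a recorded cookie: every request carries its own signature, so the tool needs the signing routine itself. As an added example (not from the talk, and not any vendor's scheme), here is a simplified query-authentication scheme with both sides: the client appends a key id and timestamp and signs method, path and the sorted parameters with HMAC-SHA256; the server looks up the key, rejects stale timestamps, recomputes the signature and compares it in constant time. The key id, secret and endpoint are constructed for this example.

```python
# Added example: query authentication with signature parameters, client and server side.
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit


def canonical_string(method, path, params):
    """Everything the signature covers: method, path and every parameter except the signature."""
    items = sorted((k, v) for k, v in params if k != "signature")
    return "\n".join([method.upper(), path, urlencode(items)])


def sign_request(secret, key_id, method, path, params, now=None):
    """Client side: add key id and timestamp, then a signature over the canonical string."""
    ts = int(now if now is not None else time.time())
    params = list(params) + [("api_key", key_id), ("timestamp", str(ts))]
    sig = hmac.new(secret, canonical_string(method, path, params).encode(), hashlib.sha256).hexdigest()
    return path + "?" + urlencode(params + [("signature", sig)])


def verify_request(secrets, method, url, now=None, max_skew=300):
    """Server side: look up the key, reject stale timestamps, recompute and compare in constant time."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    p = dict(params)
    secret = secrets.get(p.get("api_key"))
    if secret is None or "signature" not in p or "timestamp" not in p:
        return False
    try:
        ts = int(p["timestamp"])
    except ValueError:
        return False
    now = now if now is not None else time.time()
    if abs(now - ts) > max_skew:                  # replay window
        return False
    expected = hmac.new(secret, canonical_string(method, parts.path, params).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, p["signature"])


# Constructed key material and endpoint
SECRETS = {"KEY123": b"s3cr3t-for-the-example"}

if __name__ == "__main__":
    url = sign_request(SECRETS["KEY123"], "KEY123", "GET", "/v1/accounts/42", [("fields", "balance")])
    print(url)
    print("valid:", verify_request(SECRETS, "GET", url))
    print("method changed:", verify_request(SECRETS, "DELETE", url))
```

Because the signature covers the method, the path and every parameter, the tricks from the URL slide (a repeated `fields`, a changed method, a swapped account id) all fail verification; a scanner can only test such an API if it is given `sign_request` as a custom authentication rule, which is what the "all tools require custom rules" bullet means in practice.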
DIFFERENCE 6: FUTURES AND PROMISES
• APIs are far more likely to take advantage of concurrency
  – Netty, Play, Grizzly are all heavily multithreaded
  – Adds complexity to control and data flows
• Tools
  – Dynamic (DAST) and Interactive (IAST) tools avoid these problems