{"id":7830,"date":"2019-11-22T18:49:34","date_gmt":"2019-11-22T18:49:34","guid":{"rendered":"https:\/\/staging-site.42crunch.com\/?p=7830"},"modified":"2023-07-26T10:21:51","modified_gmt":"2023-07-26T09:21:51","slug":"webinar-owasp-questions-answered","status":"publish","type":"post","link":"https:\/\/staging2022.42crunch.com\/webinar-owasp-questions-answered\/","title":{"rendered":"Questions Answered: OWASP API Security Top 10 Webinar"},"content":{"rendered":"<div class=\"form-group horizontal\">\n<h2><strong>You had questions, and we&#8217;ve got answers!<\/strong><\/h2>\n<div>Thank you for all the questions submitted on the <strong><a href=\"https:\/\/42crunch.com\/webinar-owasp-api-security-top-10\/\" target=\"_blank\" rel=\"noopener\">OWASP API Security Top 10 webinar<\/a> on Nov 2019<\/strong>. We couldn&#8217;t get to all of them so we wanted to follow-up with a full list of all the Q&amp;A &#8211; and the slide deck as well!<\/div>\n<div><\/div>\n<\/div>\n<h5><strong>How do you find all the API endpoints in web applications?<\/strong><\/h5>\n<p><span style=\"font-weight: 400;\">A few ways that you can do that include:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Finding all OpenAPI files in your source code repositories (these would be JSON and YAML file with predefined OpenAPI schema)<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Exporting API definitions from API gateways used by the company<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Looking at the deployments you have &#8211; for example, most likely each microservice in your Kubernetes is exposing an API<\/span><\/li>\n<li>Analyzing the client side (e.g. JavaScript) invoking the endpoints<\/li>\n<li>Using a proxy like ZAP, Burp, Fiddler, or Charles to see which endpoints are invoked<\/li>\n<\/ul>\n<h5><strong>What do you think the main reason XSS is no longer exploited that much?<\/strong><\/h5>\n<p><span style=\"font-weight: 400;\">Cross-site scripting (XSS) attack happens when an attacker managers to get their Javascript code executed along with the main web application in client\u2019s browser.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">These days, it is less common because clients (mobile applications, single-page web applications, and so on) are not just rendering HTML, but actually have rich user interfaces that simply use data from APIs.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">An XSS attack then becomes harder but is still potentially possible if the attacker managers to submit malicious script into an API and then have victim\u2019s browser extract that malicious content from an API and render it.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Proper data validation on API inputs and outputs can mitigate this attack vector.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h5><strong>Could you please explain how to test the Mass Assignment in API&#8217;s?<\/strong><\/h5>\n<p><span style=\"font-weight: 400;\">If you can review the API implementation, see the code and make sure that it is not just blindly converting incoming JSON payloads into objects and writing them to the database.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Make sure that you strictly define schemas of API call payloads. Any calls with payloads that do not match the schema should get rejected.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h5><strong>Hello and thank you for great explanation and schema. Do you have any stats for each attacks? What % for each? (Based on your experience, no precise % or study)<\/strong><\/h5>\n<p><span style=\"font-weight: 400;\">It is very hard to give percentages. API vulnerabilities are quite often not disclosed and even if the actual breach gets disclosed, details are often very scant.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You are welcome to look through the weekly API vulnerability reports at APIsecurity.io to get a sense of the vulnerabilities that are more frequent.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h5><strong>Security Automation Questions<\/strong><\/h5>\n<p><em>(1) What are the possibilities of having API security checks automated? Maybe in Pipeline? Some other way?<br \/>\n<\/em><em>(2) Any recommendations on automated tools to help detect these vulnerabilities? Manually verifying all the API code being developed at an enterprise can be nearly impossible. <\/em><br \/>\n<em>(3) Is there an automated tool which can scan our API and find out any possible vulnerability?<\/em><\/p>\n<p><span style=\"font-weight: 400;\">\u00a042Crunch has both static analysis of API definitions (Security Audit) and dynamic tests of conformance between API endpoint implementation and its definition (Conformance Scan).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Both can indeed be used in CI\/CD pipeline to automate the tests.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">So far we have been helping our enterprise customers implement this. We have done such implementations for GitHub Actions, Azure Pipelines, GitLab, Bamboo.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We are currently working on productizing these extensions to have them as ready-to-use extensions in the corresponding marketplaces.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h5><strong>Sometimes you find security is tested at the very end of API development. How can we control this behavior?<\/strong><\/h5>\n<p><span style=\"font-weight: 400;\">Effective security needs to be \u201cshifted left\u201d, that is: started early in the API design, implementation, and testing.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A good way to start would be to have developers perform security best practices checks on their API definitions using VS Code OpenAPI extension and online APISecurity.io Security Audit tool.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Then extend the automated tests (both static and dynamic) to your CI\/CD pipeline with 42Crunch platform.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h5><strong>Besides tools like Burp Suite\/OWASP Zap\/Postman do you use any other tools for API security testing?<\/strong><\/h5>\n<p><span style=\"font-weight: 400;\">\u00a0Definitely. See some links to tutorials on using Burp and Postman for API Security testing in: <\/span><a href=\"https:\/\/apisecurity.io\/issue-34-owasp-launches-api-security-top-10-project\/\"><span style=\"font-weight: 400;\">https:\/\/apisecurity.io\/issue-34-owasp-launches-api-security-top-10-project\/<\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<h5><strong>General OWASP Questions<br \/>\n<\/strong><\/h5>\n<p><em>(1) How is the OWASP API security related to OWASP? I don\u2019t see this information on owasp.org ?<\/em><br \/>\n<em>(2) How can I contribute to the OWASP API Security Project? Which are the areas in which the contributions are expected as per the current project status.<\/em><br \/>\n<em>(3) Which OWASP top 10 version are you referring to? Is it 2017?<\/em><\/p>\n<p><span style=\"font-weight: 400;\">OWASP API Security project only launched this year and as of right now is still in Release Candidate phase. When the project gets released later this year it will be <a href=\"https:\/\/42crunch.com\/owasp-api-security-top-10\/\">OWASP API Security Top 10 2019<\/a>.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h5><strong>Do you recommend following standard secure sdlc? requirements analysis\/threat model\/static\/dynamic testing for APIs? and if so, how do you scale that with companies having 100s of APIs?\u00a0<\/strong><\/h5>\n<p><span style=\"font-weight: 400;\">These days, companies frequently have hundreds or even thousands of APIs that keep constantly changing. The only way to control their security levels is to adopt sound DevSecOps tools and processes that would automatically perform security checks on each introduced or modified API.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h5><strong>Just as with the OWASP Top 10, it seems the API Top 10 is not an exhaustive list. If I as a developer use this as a checklist, I could still find myself vulnerable. Is there an initiative to educate API developers on the fundamental principles behind the Top 10?<\/strong><\/h5>\n<p><span style=\"font-weight: 400;\">API Security Checklist is on the roadmap of the OWASP API Security Top 10 project. However, that part of the work has not started yet &#8211; stay tuned.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Meanwhile, weekly newsletter at <a href=\"http:\/\/APISecurity.io\">APISecurity.io<\/a> does mention various community resources and alternative checklists when they get published.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h5><strong>What is the best source to know what is the state of the art authentication protocol and how to keep up with new ones?<\/strong><\/h5>\n<p><span style=\"font-weight: 400;\">IETF OAuth 2.0 Security Best Practices would be a good place to start: <\/span><a href=\"https:\/\/apisecurity.io\/issue-42-http-security-headers\/\"><span style=\"font-weight: 400;\">https:\/\/apisecurity.io\/issue-42-http-security-headers\/<\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<h5><strong>Does GraphQL make an API more or less vulnerable to Excessive Data Exposure? Or does it just change the way that a developer has to protect the API?<\/strong><\/h5>\n<p><span style=\"font-weight: 400;\">Just like with REST, the key is to treat GraphQL APIs as products and ensure that only the data supposed to be accessible to users gets sent in responses.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h5><strong>A4 \u2013 Lack of resources and rate limiting &#8211; how to do rate limiting properly? by IP ? by username? by what condition?<\/strong><\/h5>\n<p>I<span style=\"font-weight: 400;\">mplement a limit on how often a client can call the API within a defined timeframe. <\/span><span style=\"font-weight: 400;\">For sensitive operations such as login or password reset, consider rate limits by API method (e.g., <\/span><span style=\"font-weight: 400;\">authentication), client (e.g., IP address), property (e.g., username).<\/span><\/p>\n<p>&nbsp;<\/p>\n<h5><strong>Are all the vulnerabilities presented fixed by now?\u00a0<\/strong><\/h5>\n<div><span style=\"font-weight: 400;\">Yes, to the best of our knowledge. Although, unfortunately (mostly in the smart-devices space) every now and then we see brands that do not care about their reputation and ignore researchers\u2019 attempts to get in touch and disclose the problems.<\/span><\/div>\n<div class=\"form-group horizontal\">\n<p>&nbsp;<\/p>\n<p>Try our <a href=\"https:\/\/42crunch.com\/tools\/free-audit\/\">security audit<\/a> for free. If you want to see the whole platform in action, <a href=\"https:\/\/42crunch.com\/request-demo\/\">request a demo now<\/a>!<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>You had questions, and we&#8217;ve got answers! Thank you for all the questions submitted on the OWASP API Security Top 10 webinar on Nov 2019. We couldn&#8217;t get to all of them so we wanted to follow-up with a full list of all the Q&amp;A &#8211; and the slide deck as well! How do you [&hellip;]<\/p>\n","protected":false},"author":13,"featured_media":11334,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"none","_seopress_titles_title":"OWASP API Security Top 10 - Webinar Q&amp;A","_seopress_titles_desc":"Questions &amp; Answers from our API Security Webinar:  OWASP API Security Top 10,  plus useful links and advice.","_seopress_robots_index":"","site-sidebar-layout":"default","site-content-layout":"default","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"disabled","ast-hfb-above-header-display":"disabled","ast-hfb-below-header-display":"disabled","ast-hfb-mobile-header-display":"disabled","site-post-title":"disabled","ast-breadcrumbs-content":"disabled","ast-featured-img":"disabled","footer-sml-layout":"disabled","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[6],"tags":[14,16,17],"class_list":["post-7830","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-api-security","tag-api-security-training","tag-owasp-api-security-top-10"],"_links":{"self":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/7830"}],"collection":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/comments?post=7830"}],"version-history":[{"count":0,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/7830\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/media\/11334"}],"wp:attachment":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/media?parent=7830"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/categories?post=7830"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/tags?post=7830"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}