3.4.6. API Security - Functional Attacks

  • Common functional attacks

    • 1.SQL Injection

      • The attacker first learns how the application flows (which form fields end up in which query)

      • The attacker then puts SQL (or other code) into the form data

      • If the SQL statement is built from the contents of the form, the statement itself gets rewritten

      • The attacker can then:

        • Read sensitive data

        • Modify or delete data

        • Take administrative actions on the DB

      • The same injection pattern applies to any other query language assembled from input: XPath, JSONPath, XSLT

      • e.g.,

        • When the user enters name: admin' -- and password: JUNK, the application builds the following SQL statement:

          SELECT * FROM users WHERE name = 'admin' -- ' AND pass = 'JUNK'

        • -- starts a comment in MySQL (there it must be followed by a space, which the input above includes; many other databases accept a bare --), so everything after it is ignored when the SQL is executed. The password check disappears and the query returns the admin row, without the password ever being known.

      • Demo
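A runnable version of the login example above, added here and not part of the original notes. It uses Python's built-in sqlite3 as a stand-in database with a constructed users table (SQLite also treats -- as a comment, so the MySQL payload works unchanged), and puts the string-built query beside its parameterized replacement. The function and column names are assumptions for the demo.

```python
"""SQL injection: a login query built by string formatting versus a
parameterized query. Added example; the users table is constructed."""
import sqlite3


def make_db():
    """In-memory database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse', 'admin')")
    conn.execute("INSERT INTO users VALUES ('bob', 'hunter2', 'user')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Form data is pasted straight into the statement, so whoever controls
    the form controls the query. Returns (name, role) or None."""
    sql = (
        f"SELECT name, role FROM users "
        f"WHERE name = '{name}' AND pass = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, name, password):
    """Same query with placeholders: the driver sends the values separately
    from the SQL text, so they can never become part of the statement."""
    sql = "SELECT name, role FROM users WHERE name = ? AND pass = ?"
    return conn.execute(sql, (name, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Comment-out attack from the notes: the AND pass = ... clause vanishes.
    print(login_vulnerable(db, "admin' --", "JUNK"))      # ('admin', 'admin')
    # Tautology in the password field: AND binds tighter than OR, so every row matches.
    print(login_vulnerable(db, "bob", "x' OR '1'='1"))    # ('admin', 'admin')
    # The parameterized query looks for a user literally named "admin' --".
    print(login_safe(db, "admin' --", "JUNK"))            # None
    print(login_safe(db, "admin", "correct-horse"))       # ('admin', 'admin')
```

The safe variant is not sanitizing or escaping anything: it never lets the input touch the SQL text at all, which is why it also defeats payloads the comment-based example does not cover.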

    • 2.Fuzzing

      • Keep sending random or malformed values to the target until something breaks: the aim is either to discover a vulnerability (a crash, an unhandled error, a hang) or simply to DoS the API with the volume and the crashes
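What a fuzzing loop actually does, as an added example that is not part of the original notes: a small length-prefixed message parser with a deliberately constructed bounds bug, a seeded fuzzer that feeds it random byte strings and records every input that crashes it (as opposed to being rejected cleanly), and the fixed parser that survives the same run. The format, the bug and the exception class are all assumptions made for the demo.

```python
"""Fuzzing: random inputs against a parser, recording the ones that crash it.
Added example; the message format and its bug are constructed."""
import random


class BadMessage(Exception):
    """The rejection the parser is supposed to raise for malformed input."""


def parse_message(data):
    """Toy format: one count byte, then `count` fields, each a length byte
    followed by that many payload bytes. Deliberate bug: the count byte is
    trusted, so a message whose count exceeds the fields present reads past
    the end of the buffer and dies with IndexError instead of BadMessage."""
    if not data:
        raise BadMessage("empty message")
    count = data[0]
    fields, pos = [], 1
    for _ in range(count):
        length = data[pos]            # IndexError when the count byte lies
        pos += 1
        payload = data[pos:pos + length]
        if len(payload) != length:
            raise BadMessage("truncated field")
        fields.append(payload)
        pos += length
    return fields


def parse_message_fixed(data):
    """Same parser with the bounds check the fuzzer shows is missing."""
    if not data:
        raise BadMessage("empty message")
    count = data[0]
    fields, pos = [], 1
    for _ in range(count):
        if pos >= len(data):
            raise BadMessage("count byte exceeds message")
        length = data[pos]
        pos += 1
        payload = data[pos:pos + length]
        if len(payload) != length:
            raise BadMessage("truncated field")
        fields.append(payload)
        pos += length
    return fields


def fuzz(parser, iterations=2000, seed=1, max_len=8):
    """Feed random byte strings to `parser`. A BadMessage is the parser doing
    its job; any other exception is a bug. Returns [(input, exception name)]."""
    rng = random.Random(seed)         # seeded so a run is reproducible
    crashes = []
    for _ in range(iterations):
        sample = bytes(rng.randrange(256) for _ in range(rng.randrange(max_len)))
        try:
            parser(sample)
        except BadMessage:
            continue
        except Exception as exc:      # unexpected: the fuzzer found something
            crashes.append((sample, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    found = fuzz(parse_message)
    shortest = min(found, key=lambda c: len(c[0]))
    print(f"{len(found)} crashing inputs, shortest: {shortest}")
    print(f"fixed parser crashes: {len(fuzz(parse_message_fixed))}")
```

In a real API the "crash" is a 500, a hung worker or a restarted process, which is why the notes list fuzzing next to DoS: every input the fuzzer finds can be replayed as a denial-of-service payload until the parser is fixed.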

    • 3.Cross-Site Request Forgery (CSRF)

      • The attacker makes the user's browser send a request the attacker crafted (for example from a hidden, auto-submitting form on the attacker's page); the browser attaches the user's session cookie, so the request runs with the user's privileges

      • Use POST instead of GET for anything that changes state (a GET is forged trivially with a link or an image tag; POST alone is not sufficient, because a form can POST too)

      • Break the transaction into steps, so that the second step needs a value the attacker's page never saw

      • Add custom headers: an HTML form cannot set them, and a cross-origin script that tries triggers a CORS preflight the server does not approve
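The three CSRF defences listed above as server-side checks, in an added example that is not code from the original notes. A toy transfer API refuses state changes over GET, requires a custom header, and splits the transfer into a begin step that hands out a one-time step token and a confirm step that demands it; the scenario function then replays a forged GET, a forged cross-site form POST, the legitimate two-step flow, and a replay of the used token. The endpoint paths, header name and account balances are assumptions for the demo.

```python
"""CSRF defences: POST-only state changes, a required custom header, and a
two-step transaction. Added example; paths, header and balances are made up."""
import secrets

CUSTOM_HEADER = "x-requested-with"   # assumed header name (compared lower-case)


class TransferApi:
    def __init__(self):
        self.balances = {"alice": 100, "mallory": 0}   # constructed accounts
        self.pending = {}      # session user -> (step token, amount, recipient)

    def handle(self, method, path, headers, session_user, body):
        """Returns (status, payload). `session_user` is whoever the session
        cookie identifies; the cookie rides along on forged requests too,
        which is exactly the CSRF problem the checks below address."""
        if method != "POST":
            # A GET must never change state: <img src=...> and links forge it trivially.
            return 405, "state-changing endpoints accept POST only"
        lowered = {k.lower(): v for k, v in headers.items()}
        if lowered.get(CUSTOM_HEADER) != "XMLHttpRequest":
            # An HTML form cannot add custom headers; a cross-origin script that
            # tries triggers a CORS preflight this server does not approve.
            return 403, "missing custom header"
        if path == "/transfer/begin":
            token = secrets.token_urlsafe(16)      # unguessable, one per attempt
            self.pending[session_user] = (token, body["amount"], body["to"])
            return 200, {"step_token": token}
        if path == "/transfer/confirm":
            pending = self.pending.pop(session_user, None)   # single use
            given = str(body.get("step_token", ""))
            if pending is None or not secrets.compare_digest(
                pending[0].encode(), given.encode()
            ):
                return 403, "unknown or missing step token"
            _, amount, to = pending
            if self.balances.get(session_user, 0) < amount:
                return 400, "insufficient funds"
            self.balances[session_user] -= amount
            self.balances[to] = self.balances.get(to, 0) + amount
            return 200, {"balance": self.balances[session_user]}
        return 404, "no such endpoint"


def run_scenarios():
    """Replay the attacks and the legitimate flow; returns the status codes."""
    api = TransferApi()
    good = {"X-Requested-With": "XMLHttpRequest"}
    # 1. forged <img src="/transfer/confirm?..."> on mallory's page: GET, no header
    forged_get = api.handle("GET", "/transfer/confirm", {}, "alice", {})
    # 2. forged auto-submitting <form method=POST>: the cookie is sent, headers are not
    forged_post = api.handle("POST", "/transfer/confirm", {}, "alice",
                             {"step_token": "guess"})
    # 3. alice's own script: begin, then confirm with the step token it received
    _, step = api.handle("POST", "/transfer/begin", good, "alice",
                         {"amount": 30, "to": "mallory"})
    legit = api.handle("POST", "/transfer/confirm", good, "alice",
                       {"step_token": step["step_token"]})
    # 4. the same token presented again: already consumed
    replay = api.handle("POST", "/transfer/confirm", good, "alice",
                        {"step_token": step["step_token"]})
    return {"forged_get": forged_get[0], "forged_post": forged_post[0],
            "legit": legit[0], "replay": replay[0],
            "alice_balance": api.balances["alice"]}


if __name__ == "__main__":
    print(run_scenarios())
```

The step token is what turns "break the transaction into steps" into an actual defence: step one is harmless on its own, and step two cannot be completed by a page that never saw step one's response.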

    • 4.Token Hijacking

      • The attacker gets the user's browser to run the attacker's script (typically through XSS); the script reads the token out of the browser and sends it to the attacker, who then uses it as the user

      • Ensure tokens expire, so a stolen token has a short useful life

      • Use unpredictable token values (generated by a CSPRNG, not a counter or a timestamp), so tokens cannot be guessed or extrapolated from one that leaked

      • Add security headers that limit what script can do with the token: HttpOnly and Secure on the session cookie, a Content-Security-Policy that blocks injected script
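The three token-hijacking countermeasures above in one added example, not code from the original notes: a token store that issues unpredictable tokens with an expiry and keeps only a hash of them, a validator that purges expired tokens, and the response headers that keep an injected script from reading the cookie in the first place. The class name, TTL and header values are assumptions made for the demo.

```python
"""Token hijacking countermeasures: expiring, unpredictable tokens stored
hashed, plus HttpOnly/Secure cookie flags and a CSP. Added example."""
import hashlib
import secrets
import time


class TokenStore:
    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._entries = {}   # sha256(token) -> (user, expires_at)

    @staticmethod
    def _key(token):
        # Only a hash is stored: a leaked token table does not yield live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        """Mint a token: 256 bits from the OS CSPRNG, never a counter or time."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._entries[self._key(token)] = (user, now + self.ttl)
        return token

    def validate(self, token, now=None):
        """Return the owning user, or None if unknown or expired. Expired
        entries are dropped, so a stolen token stops working for good."""
        now = time.time() if now is None else now
        key = self._key(token)
        entry = self._entries.get(key)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            self._entries.pop(key, None)
            return None
        return user

    def revoke(self, token):
        """Logout: a hijacked token dies as soon as the real user logs out."""
        return self._entries.pop(self._key(token), None) is not None


def session_cookie(token, max_age):
    # HttpOnly: document.cookie (and any XSS payload using it) cannot read it.
    # Secure: never sent over plain HTTP. SameSite=Strict: not attached to
    # requests that other sites initiate.
    return (f"session={token}; Max-Age={max_age}; Path=/; "
            f"HttpOnly; Secure; SameSite=Strict")


def security_headers(token, max_age):
    """Response headers for a login response (assumed values for the demo)."""
    return {
        "Set-Cookie": session_cookie(token, max_age),
        # No inline or third-party script: the usual XSS vehicle cannot run.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    store = TokenStore(ttl_seconds=900)
    t = store.issue("alice", now=1000.0)
    print(security_headers(t, 900))
    print(store.validate(t, now=1500.0))   # alice
    print(store.validate(t, now=1900.0))   # None: expired
```

The expiry and the HttpOnly flag address the same attack from two sides: the flag stops the common case of a script exfiltrating the cookie, and the short TTL bounds the damage when a token leaks some other way (a log, a proxy, a referrer).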

  • Solution to functional attacks

    • Follow best practices for coding and for REST API design

    • Create a process for code review (or adopt pair programming)

    • Test and monitor continuously; invest in tools, for example:

      • HTTPMaster

      • Parasoft

      • SoapUI

    • Select an appropriate security model for the API (how callers authenticate and what each is authorized to do)

    • Consider an API gateway or API management solution

    • Set aside budget for API testing
