API security
I'm creating a graduation project related to API security, mainly focused on API discovery, SQLi/JSONi, and also a detector for the OWASP Top 10 (BOLA, BA, BOPLA, etc). Anyone got any tips, anything, any info? Anything helps.
56 Replies
I already got several skeleton scripts made researching through StackOverflow, Reddit and Claude
I can provide them if needed
I wish I could help with this. I know enough of the basics to understand what you are referencing, but I don't know that I could be very helpful.
I would be interested in seeing some of the skeleton outline you have prepared, if you care to share. Maybe it will give me some ideas to share as well.
I have, uh, currently a JSON and SQLi detector that I'm refining
ye uh ignore the comments
got carried away
this is the discovery tool
I also got like 10 vulnerable Flask server scripts that I can provide if needed as well
haha, you just casually dropped over a thousand lines of code.
Sorry about the automod
ye it's uhm quite funny
I do also have this broken authentication "detector"
Did you write all this yourself?
me and a friend
that's quite prolific
well, all of these require a "not small" number of fixes and refining to do
but uh it's a skeleton I'd say
I mean clearly that's not going to be a comprehensive scanner, but it's still very impressive
the discovery tool is somewhat decent, well, as of my testing on my friend's app and my school's website
hehe thanks, started with the research around a month ago, I've still got like a year or so to finish this
so not in a big rush I'd say
so uh what does this do, I'm curious
uh checks a server for vulnerabilities basically
well that's what it's intended to do
cool
and this tries to scrape a website for most/all of the API endpoints it can find
I'm still reading through all the scripts, but I think you are doing good work
the discovery tool runs with several phases, including going through common endpoints like robots.txt, sitemap.xml, etc. It also goes through JS if I remember correctly
did you use any AI for this
thanks man, but uh I gotta get a nap, it's like 5am, got class at 10
ye some functions are
not sure about my friend's side
he's basically a genius
yeah, the api scanner seems like really nice work too
ah also, both the SQL and the JSON detector basically run with the API scanner. The scanner exports a really ugly JSON report I'd say tbh, I got a converter for that tho. What I'm saying is, both injection detectors read off the endpoint config
this is the before and after of the converter
school's website so shouldn't be a problem to share this
the scanner does have some flaws tho, the number of requests sent to the server is decently large
this one was tested and resulted in around 11000 requests
result converter if anyone is interested
yeah, it would be very noisy. Most tools are though
I do also have an automated API security report,
https://hackmd.io/@gHN2fcRCQOW5XRWLoFEHtw/SJTYYi51xg
it's in Mandarin tho
I got surprised with the BA detector that I sent above tho, my friend's website that we were testing on got only around 500 requests but reported around 8 issues, that is like 85% accurate
I'm checking it out. Translate works other than for the graphics
it's uhm, not well written I'd say, just rough stuff, and info grabbed online that I haven't checked much
haha, well it's formatted well
and it's hard to say with a translation anyway, I wouldn't have known
I'll rewrite one after I'm finished with the technical stuff, with more knowledge in my brain aha
also, just a quick question: if my goal is to research and try and detect the OWASP API Top 10 or Top 5 as my graduation project, how would you rate this project, like just off its topic?
these are the top 5
OWASP Top 10 API Security Risks – 2023 (OWASP API Security Top 10: The Ten Most Critical API Security Risks)
I've looked through paragraphs talking about BOLA and broken authentication, but I haven't looked at the other three yet. I'm not quite sure what's the major difference between API1 and API3
broken object level authorization and broken object property level authorization; my understanding stops at: they involve two users' individual credentials accessing another, I believe. Correct me if I'm wrong tho
I would need to really examine these closely, but my initial reaction is that you will detect the majority of flaws. The edge cases are going to be what becomes really difficult to detect and will require most of your effort.
yes that's what I've been doing for the past week, getting new vulnerable servers to test the functionalities of the scanners
That is a pretty good way to describe BOLA and BOPLA. One is access to the entire object by a user that shouldn't have authorization, while the other is access to specific properties of an object they should not have access to
also just a lil conversation beyond this topic: I've been wanting to get into UCL (London uni), I've heard several cyber sec certificates should help. I'm working on Google's cyber sec course right now, almost finishing. I'm supposed to go for CompTIA, correct?
I'm US based, I'm not entirely certain about UCL's requirements
yeah but in general certificates should help in getting into this field right?
I would say that is a fairly standard path here in the US
alr, I'll work on the certificates in my free time
yeah, I would think it would help. You already seem to be building a portfolio which I think is a stronger indication of your understanding and skill
I'll look through these two when I wake up ig
would any specific projects help with my portfolio or should I just keep on with my creativity
follow your interests. It will always be evident in your work
I currently only have a small number of GitHub repositories
https://github.com/xireno?tab=repositories
alright, thanks a lot for the tips
that's fine. You can also branch out into other forms like blogs, articles, or talks.
anything that "Shows" understanding rather than claiming understanding
you are welcome. I think you have a bright future ahead
yes I'm reaching out to communities within my school and outside, although the CS major in my school doesn't contain cyber sec, well there's only 1 professor and a dozen seniors, so most of my understanding comes from online
I'll surely note this
APIsec University