Henrique Dantas - API fuzzing using Swagger


Transcript of Henrique Dantas - API fuzzing using Swagger

Page 1: Henrique Dantas - API fuzzing using Swagger

Join the conversation #devseccon

Henrique Dantas

@hndantas

API fuzzing using Swagger

Page 2

Why API sec testing?

Public

Close to DB model

Ubiquitous

Business driver

Agility

https://flic.kr/p/5oTsVq

Page 3

Solution

Automation

Reporting

Integration

https://flic.kr/p/bxwAxk

Page 4

Python lib

Extensive and extendible

OSS

Popular

Contains all meta-data

Machine Readable

Swagger & Sulley
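The slide's point is that a Swagger description already carries every parameter's location, type and constraints, so test cases can be derived from it mechanically. The following is an added example, not the speaker's code or Sulley itself: it reads a constructed Swagger 2.0 fragment and emits boundary and type-confusion values for each declared parameter, which is the metadata a fuzzing framework would consume.

```python
"""Derive fuzz cases for a REST API from its Swagger 2.0 description.
Hypothetical illustration: the spec below is constructed for this example and
the mutation rules are a minimal stand-in for what a framework such as Sulley
would generate from the same metadata."""
import json

# Constructed Swagger 2.0 fragment; not a real service.
SWAGGER_SPEC = json.loads("""{
  "swagger": "2.0", "basePath": "/v1",
  "paths": {
    "/users/{id}": {"get": {"parameters": [
        {"name": "id", "in": "path", "required": true, "type": "integer"},
        {"name": "verbose", "in": "query", "required": false, "type": "boolean"}]}},
    "/users": {"post": {"parameters": [
        {"name": "name", "in": "formData", "required": true,
         "type": "string", "maxLength": 8}]}}
  }
}""")

def mutations(param):
    """Pick test values from the parameter's declared type and constraints."""
    t = param.get("type")
    if t == "integer":
        cases = [0, -1, 2 ** 31, 2 ** 63, "abc"]
    elif t == "boolean":
        cases = [True, False, "maybe", 1]
    else:
        cases = ["", "A" * 1024, "\u00e9\u4e2d", "\x00"]
        if "maxLength" in param:
            cases.append("A" * (param["maxLength"] + 1))  # one past the bound
    if param.get("required"):
        cases.append(None)  # None means "omit the required parameter"
    return cases

def fuzz_cases(spec):
    """Walk every path/operation/parameter; emit (method, path, in, name, value)."""
    base = spec.get("basePath", "")
    return [
        (method.upper(), base + path, p["in"], p["name"], value)
        for path, ops in spec["paths"].items()
        for method, op in ops.items()
        for p in op.get("parameters", [])
        for value in mutations(p)
    ]

if __name__ == "__main__":
    for case in fuzz_cases(SWAGGER_SPEC):
        print(case)
```

Each tuple is one request to send to the service under test; a real harness would add the response checks (status code, timing, stack traces in the body) that turn these cases into findings.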

Page 5


Now, your turn :)

/hdantas/fuzz

Page 6


● APIs are good targets
● Leverage existing specs for sec testing
● Automate, Automate, Automate

@hndantas