OWASP DevSlop - Pixi workshop!

Hacking APIs and Web Services with OWASP

Nicole Becher & Tanya Janca

Transcript of OWASP DevSlop - Pixi workshop!

Page 1: OWASP DevSlop - Pixi workshop!


Page 2: OWASP DevSlop - Pixi workshop!

About Us

• Nicole Becher: application security, red teaming, penetration testing, malware analysis, and computer forensics. OWASP Brooklyn Leader, Adjunct Instructor @ NYU, political junkie, marathoner, martial artist & animal lover. WASPY 2017 Winner!!!!!

• Tanya Janca: application security evangelist, web app penetration tester, trainer, public speaker, developer, OWASP Ottawa Leader, effective altruist, paid to be nerdy since the late 90’s. WASPY 2017 Nominee!

In short: Awesome-Sauce

Page 3: OWASP DevSlop - Pixi workshop!

What you are going to need to participate today:

• Laptop with wifi (connected) and admin privileges

• Web proxy like OWASP Zed Attack Proxy (ZAP) or Burp Suite

• Modern web browser like Chrome or Firefox

• We are going to install Docker today

• Then we are going to hack some APIs!

Page 4: OWASP DevSlop - Pixi workshop!

Outline

• The Problem:

– The technical ecosystem is changing

– APIs and Web Services are often underprotected

• Introducing OWASP DevSlop: Pixi

• The Solution: Learn how to hack them using Pixi

• Setup and workshop

• Exercises

• Conclusion: What’s next for DevSlop?

Page 5: OWASP DevSlop - Pixi workshop!

The technical ecosystem is changing. Right now.

There is a paradigm shift, and many believe that this is the beginning of the end of monolithic applications.

No more excessively long release cycles. Reduction of manual efforts. No more Waterfall.

Security must keep pace.

Page 6: OWASP DevSlop - Pixi workshop!

This model is rapidly changing.

Page 7: OWASP DevSlop - Pixi workshop!

The Web is getting more and more complicated.

Page 8: OWASP DevSlop - Pixi workshop!
Page 9: OWASP DevSlop - Pixi workshop!

What are Microservices?

Netflix uses a microservices architecture. It receives more than one BILLION calls every day from more than 800 different types of devices to its streaming-video API. Each API call then prompts around 5 additional calls to the back-end service.

Page 10: OWASP DevSlop - Pixi workshop!

Example microservices app:

Page 11: OWASP DevSlop - Pixi workshop!

PROS vs. CONS

• Microservice architecture gives developers the freedom to independently develop and deploy services

• A microservice can be developed by a fairly small team

• Code for different services can be written in different languages

• Easy integration and automatic deployment (using open-source continuous integration tools such as Jenkins, Hudson, etc.)

• The developers can make use of the latest technologies

Page 12: OWASP DevSlop - Pixi workshop!

PROS vs. CONS

• The code is organized around business capabilities

• Starts the web container more quickly, so the deployment is also faster

• When change is required in a certain part of the application, only the related service can be modified and redeployed; no need to modify and redeploy the entire application

• Better fault isolation: if one microservice fails, the others will continue to work

• Easy to scale and integrate with third-party services

• No long-term commitment to technology stack

Page 13: OWASP DevSlop - Pixi workshop!

PROS vs. CONS

• Due to distributed deployment, testing can become complicated and tedious

• Increasing number of services can result in information barriers

• The architecture brings additional complexity as the developers have to mitigate fault tolerance, network latency, and deal with a variety of message formats as well as load balancing

• Being a distributed system, it can result in duplication of effort

• When the number of services increases, integration and managing whole products can become complicated

Page 14: OWASP DevSlop - Pixi workshop!

PROS vs. CONS

• In addition to several complexities of monolithic architecture, the developers have to deal with the additional complexity of a distributed system

• Developers have to put additional effort into implementing the mechanism of communication between the services

• Handling use cases that span more than one service without using distributed transactions is not only tough but also requires communication and cooperation between different teams

• The architecture usually results in increased memory consumption

• Partitioning an application into microservices is very much an art

Page 15: OWASP DevSlop - Pixi workshop!

MASSIVE COMPLEXITY

Page 16: OWASP DevSlop - Pixi workshop!

The API Economy: Explosion of API/webservices

• Microservices

• Containerization

• Front-end frameworks

• SaaS platform/3rd Party API’s

• Open Data/Programmable Web

• Serverless Computing

• Cloud

• DevOps / Agile

• Automation

• Continuous Integration

• Continuous Delivery

Page 17: OWASP DevSlop - Pixi workshop!

What does The API Economy mean for Security?

• Security needs:

– To move faster, by automating anything and everything

– Reproducible and accurate results

– Verify/examine/test in shorter cycles, more often

– More training and more tools than ever

– Reduce bottlenecks and stop being “a gate” to developers

• Developers need:

– Security training

– Security tools

– Accurate and quick guidance

– Agility and flexibility

– AppSec support from the Sec Team

Page 18: OWASP DevSlop - Pixi workshop!

Specific problems we are going to look at today

People are ignoring web services and APIs: just because they don’t have pretty GUIs doesn’t mean they can’t be hacked!

Page 19: OWASP DevSlop - Pixi workshop!

OWASP Top Ten 2017 *A10*

Modern applications often involve rich client applications and APIs, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities.

Page 20: OWASP DevSlop - Pixi workshop!

http://www.computerworld.com/article/3036964/car-tech/hackers-can-access-the-nissan-leaf-via-insecure-apis.html

Page 21: OWASP DevSlop - Pixi workshop!

https://www.stavros.io/posts/winning-candy-crush/

Page 22: OWASP DevSlop - Pixi workshop!

Solution:

Learn how to hack a web app and an API with Pixi, understand common vulnerabilities in web apps & services.

Page 23: OWASP DevSlop - Pixi workshop!

Introducing: Pixi

• Pixi is part of OWASP’s newest project, DevSlop

• Pixi is a vulnerable webapp and vulnerable API.

Page 24: OWASP DevSlop - Pixi workshop!

Introducing: Pixi

• Allows users to create accounts, upload photos, send micropayments to others, like photos, etc.

• MEAN Stack: MongoDB, AngularJS, Node/Express

• Docker - containerized

• OpenAPI/Swagger, JSON, JSON web tokens ++

• This app is highly vulnerable, and fun to break.

• We will be creating videos, workshops, training material and making Pixi available to the public.

Page 25: OWASP DevSlop - Pixi workshop!

The MEAN Stack:

• MongoDB - Data store, consisting of collections which are really just flat files in JSON.

• Angular.js - JavaScript framework. It can be added to an HTML page with a <script> tag.

• Node - Open-source, cross-platform JavaScript run-time environment for executing JavaScript code server-side

• Express - Fast, unopinionated, minimalist web framework for Node.js

Page 26: OWASP DevSlop - Pixi workshop!

MongoDB

• There are many non-relational databases these days. Mongo is a data store that contains “collections” which are really just flat files in JavaScript Object Notation (JSON).

• Mongo has its own security vulnerabilities that we will explore soon.

Page 27: OWASP DevSlop - Pixi workshop!

Angular.js

• Developed by Google as a front-end framework that relies on API calls to the middle/back end.

• Generally pretty good about input sanitization, but we will see examples of bypassing validation.

Page 28: OWASP DevSlop - Pixi workshop!

Node.js

• Server-side JavaScript framework.

• Event-driven & asynchronous

Why use Node?

• Fast!

• Easy to write modules/packages.

Page 29: OWASP DevSlop - Pixi workshop!

Express.js

• Web framework that sits on top of Node.js to handle web requests.

Why use Express?

• Lets you quickly create web routes/API calls

Page 30: OWASP DevSlop - Pixi workshop!

Docker - containerization

• Each specified service can be contained in a separate Docker container.

• More containers can then be spawned if there is an increase in traffic/load

• One monolith vs Many Containers

• Unique Security Challenges

Page 31: OWASP DevSlop - Pixi workshop!

Docker Security Challenges

• Always make sure to start Docker containers with the -u flag so that they run as an ordinary user instead of root.

• Remove SUID flags from your container images. This makes privilege escalation attacks even harder.

• Configure Docker control groups, which let you set limits on how many resources each container can use. This can help prevent container-based DoS attacks.

Page 32: OWASP DevSlop - Pixi workshop!

Docker Security Challenges

• Use namespaces in Docker to isolate containers from one another. Namespaces help assure that a user or process running inside one container can’t affect those in other containers.

• Don’t use images from repos you don’t trust. Avoid public repos if they’re not from an official source and you don’t know the maintainer.

• Consider using a tool to validate containers from your registries.

Page 33: OWASP DevSlop - Pixi workshop!

OpenAPI/Swagger

• OpenAPI/Swagger is just an API definition specification that allows you to define all the routes and methods of an API, and all the headers and parameters needed for consumption.

• Meant to allow automated consumption by external services/applications.

Page 34: OWASP DevSlop - Pixi workshop!

JSON web tokens (JWT)

• JWTs are cryptographically signed tokens that assert claims to an authenticating service.

• Very similar to session cookies, but much more universal. Any service can authenticate and decode the token as long as it has the key.

• Can be signed symmetrically or asymmetrically.

• Security risks related to key storage and overloaded data in JWT.

Page 35: OWASP DevSlop - Pixi workshop!

Introducing: DevSlop

• OWASP’s Newest Project!

• A collection of ‘DevOps Disasters’, made as a learning & proving ground

• “The Hacker Jungle Gym”, for hackers and developers alike to learn and explore

• Pixi is the first of what will be several installments

• Modern and ‘different’ types of vulnerable web apps

• More vulnerable systems means more learning

Page 36: OWASP DevSlop - Pixi workshop!

Ummm, what is an OWASP Project?

• An OWASP project is an open source project related to Application Security, released as part of OWASP.

• OWASP projects can be documentation, code or tools. DevSlop is a code project.

• OWASP currently has over 93 active projects!

• Projects are popular because it’s a chance for people to create anything that they think will help further the goal of OWASP: better AppSec for all.

• Basically, it’s a chance for you to share your awesome with the entire world, with a fantastic support network behind you.

Page 37: OWASP DevSlop - Pixi workshop!

OWASP Projects are divided into categories

• Code (Java Encoder, Java HTML Sanitizer projects)

• Tools (ZAP, Juice Shop, and DevSlop)

• Documentation (Top 10, Testing Guide)

Projects have maturity status

• Flagship

• Lab

• Incubator (that’s us!)

Page 38: OWASP DevSlop - Pixi workshop!

Exercises!

Page 39: OWASP DevSlop - Pixi workshop!

Are you all on the Wifi?

Wifi name and password here, make sure everyone is online

Page 40: OWASP DevSlop - Pixi workshop!

Let’s start with installing Docker!

Page 41: OWASP DevSlop - Pixi workshop!

Let’s make sure your web proxies are working

Settings: 127.0.0.1, Port: 8080

Page 42: OWASP DevSlop - Pixi workshop!

Not a hacker

Shall we go get Pixi? (This needs to be the official OWASP GitHub.)

https://github.com/thedeadrobots/pixi

> git clone https://github.com/thedeadrobots/pixi.git
> docker-compose up

Page 43: OWASP DevSlop - Pixi workshop!

Connection test (start and connect)

> docker-compose up

http://localhost:8000

Page 44: OWASP DevSlop - Pixi workshop!

What’s to come for DevSlop? (future)

Pixi Roadmap:
- Document all the vulnerabilities
- Multi language support
- Finish CTF mode

DevSlop Roadmap:
- HTTP 2.0 app
- More DevOps apps

Page 45: OWASP DevSlop - Pixi workshop!

Become a part of DevSlop!

Nicole Becher, Brooklyn Chapter Leader

@thedeadrobots

[email protected]

Tanya Janca, Ottawa Chapter Leader

@shehackspurple

[email protected]

Page 46: OWASP DevSlop - Pixi workshop!

Questions?

Nicole Becher, Brooklyn Chapter Leader

@thedeadrobots

[email protected]

Tanya Janca, Ottawa Chapter Leader

@shehackspurple

[email protected]