In this presentation by Daniel Neagaru at Ruby Unconf 2019, the focus is on identifying security vulnerabilities in APIs through penetration testing. Daniel, an experienced penetration tester, outlines the techniques and tools he uses to uncover these issues, emphasizing the value of approaching the process from the perspective of an external attacker.

### Key Points Discussed:

- **Introduction to Penetration Testing**: Daniel outlines his background in IT security and his command-line proficiency, setting the stage for the technical discussion.
- **Initial Steps**: He explains why mobile devices must be rooted or jailbroken before a custom certificate can be installed to intercept the application's traffic.
- **Traffic Interception**: Using tools like Burp Suite and mitmproxy, he shows how to monitor connections between mobile applications and servers once a trusted certificate is in place.
- **Script Automation**: He stresses scripting the work so that sending requests and filtering the resulting traffic for analysis becomes repeatable.
- **Fuzzing Techniques**: He discusses fuzzing requests with different payloads and parameters to find responses that indicate vulnerabilities, referencing resources such as "Big List of Naughty Strings" and "PayloadsAllTheThings".
- **Creating Attack Scenarios**: After a potential vulnerability is found, he extends the scripts to reproduce the issue across environments and validate the finding.
- **Demonstration with OWASP Juice Shop**: In a live demo on the deliberately vulnerable OWASP Juice Shop application, he exploits the login function and analyzes the network traffic with mitmproxy.
- **Handling of Responses**: He describes analyzing server responses, particularly HTTP status codes and other indicators that can reveal security flaws.
- **Business Logic Errors**: Towards the end, he addresses how common business logic errors are in applications; they pose unique challenges and often require specialized penetration testing to identify.

### Conclusions and Takeaways:

- Robust measures such as request signing and certificate pinning can mitigate these risks, though many applications remain susceptible without them.
- Continuous testing and tracking of responses is essential to uncover deeper insights into application vulnerabilities.
- Developers are encouraged to treat penetration testing as a proactive approach to securing APIs against attacks.
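Request signing, the first mitigation in the takeaways, as an added Ruby example that is not from the talk: the client signs method, path, timestamp and body with a shared-secret HMAC, and the server rejects tampered, unsigned or stale requests. The header names, canonical-string layout and secret are assumptions for this demo.

```ruby
require 'openssl'

# Assumptions for the demo (not from the talk): a constructed shared secret,
# custom header names and a 5-minute freshness window.
SECRET   = 'demo-shared-secret'.freeze
MAX_SKEW = 300 # seconds

# Canonical string covers method, path, timestamp and a body digest, so none
# of them can be changed in transit without invalidating the signature.
def canonical_string(method, path, timestamp, body)
  body_digest = OpenSSL::Digest::SHA256.hexdigest(body.to_s)
  [method.upcase, path, timestamp.to_s, body_digest].join("\n")
end

# Client side: HMAC-SHA256 over the canonical string, hex encoded.
def sign_request(method, path, timestamp, body, secret = SECRET)
  OpenSSL::HMAC.hexdigest('SHA256', secret, canonical_string(method, path, timestamp, body))
end

# Constant-time comparison; signatures have a fixed length, so the length
# check itself leaks nothing useful.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: returns :ok or a symbol naming the rejection reason, so the
# reason can be logged without echoing it to the caller.
def verify_request(method, path, headers, body, now: Time.now.to_i, secret: SECRET)
  ts  = headers['X-Timestamp']
  sig = headers['X-Signature']
  return :missing_headers unless ts && sig
  return :bad_timestamp unless ts.match?(/\A\d+\z/)
  return :stale unless (now - ts.to_i).abs <= MAX_SKEW # limits replay window
  expected = sign_request(method, path, ts, body, secret)
  return :bad_signature unless secure_equal?(sig, expected)
  :ok
end

if __FILE__ == $PROGRAM_NAME
  ts   = Time.now.to_i
  body = '{"item":42,"qty":1}' # constructed sample body
  hdrs = { 'X-Timestamp' => ts.to_s, 'X-Signature' => sign_request('POST', '/api/orders', ts, body) }
  puts verify_request('POST', '/api/orders', hdrs, body)                         # ok
  puts verify_request('POST', '/api/orders', hdrs, '{"item":42,"qty":999}')       # bad_signature
  puts verify_request('POST', '/api/orders', hdrs, body, now: ts + MAX_SKEW + 1)  # stale
end
```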