SecAppDev 2022 Lecture Details
Fantastic API Vulnerabilities and where to find them
Abhay Bhargav
Schedule TBD
Short description
Learn about the unique nature of API compromises, nuanced SSRF attack patterns, webhook boomerang attacks, JWT implementation vulnerabilities, and authorization flaws
Abstract
APIs are web applications. However, the way attackers compromise APIs is remarkably different from the way they compromise browser-accessed web applications. API compromises tend to be focused on nuanced business logic flaws, protocol abuses and serialization issues.
In this demo-filled session, we explore some unique API security flaws. The showcases include original security research that was used to compromise massive API implementations like Docker and major cloud-based services.
Key takeaway
Web application security and API security are fundamentally different, as illustrated by attacks against webhooks, different types of SSRF attacks, and various access control flaws.
Content level
Advanced
Target audience
AppSec professionals, pentesters/offensive security professionals, product security professionals
Prerequisites
Working knowledge of APIs and basic knowledge of AppSec issues
Abhay Bhargav
CEO, AppSecEngineer
Abhay Bhargav is the Founder of we45 and AppSecEngineer. He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world’s first hands-on training program on DevSecOps. In addition to this, Abhay is active in his research of new technologies and their impact on Application Security. Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA, EU and AppSecCali. His trainings have been sold-out events at conferences like AppSecUSA, AppSecDay Melbourne, CodeBlue, BlackHat and so on.
Related web and API security sessions
Getting API authorization right
One-day workshop by Philippe De Ryck
Building secure APIs and microservices is hard, really hard. This workshop provides API developers with the necessary knowledge to assess and improve the security of their APIs. This workshop consists of a mixture of lectures, demos, interactive quizzes, and hands-on labs.
In this workshop, we explore common authorization failures in APIs and various defensive strategies, along with their trade-offs and pitfalls. We dive deep into API-specific topics, such as handling JSON Web Tokens (JWTs) and dealing with OAuth 2.0 access tokens. You will walk away with an actionable set of best practices.
Web and API security track. Thursday June 16, 09:00 - 17:00
Purple team AWS - Discoverer edition
One-day workshop by Abhay Bhargav
With companies moving and operating extensively on the AWS Cloud, security remains a key challenge.
This training is an extensive deep-dive into Attack, Detect and Defense implementations within AWS. The training is dedicated to cookbook-style “Attack, Detect and Defence” cyber-ranges.
The aim of this training is to take the participant through a journey of highly practical, scalable and granular knowledge of AWS offense, defense and security automation.
Web and API security track. Friday June 17, 09:00 - 17:00
Building secure web applications
One-day workshop by Jim Manico
This highly intensive and interactive workshop provides essential application security training for every web developer. The class is a combination of lectures, security testing demonstrations, code review, and interactive threat modeling discussions. Students will learn the most common threats against applications. More importantly, students will learn how to code secure software via a variety of techniques such as secure design practices, defense-based coding, the use of security libraries and services, and the use of a variety of web security standards.
Web and API security track. Friday June 17, 09:00 - 17:00
Security of WebAssembly Applications
Lecture by Quentin Stiévenart
WebAssembly enables near-native performance for web applications. We will dive deep into the world of WebAssembly, with a focus on the security concerns that need to be addressed when developing WebAssembly applications.
Web and API security track. Schedule TBD