A comprehensive overview of the types of APIs and their vulnerabilities, designed by Muqaddas
APIs (Application Programming Interfaces) have become an essential part of modern software development, enabling different systems to communicate and work together efficiently. In my presentation, "Types of APIs and Their Vulnerabilities," I, Muqaddas Bin Tahir, discuss the primary types of APIs (Open APIs, Internal APIs, Composite APIs, and Partner APIs) along with the vulnerabilities that come with them. Each type of API serves distinct purposes, with varying levels of access, making them critical components in different organizational structures. However, alongside their advantages, they also pose significant security risks if not properly managed.
Open APIs, also known as public APIs, are accessible to external developers and users, typically with minimal restrictions. They provide a powerful way to extend the reach of services by enabling integration with third-party applications. Examples include APIs from social media platforms like Twitter or Facebook, or services like Google Maps. While open APIs drive innovation, they are also susceptible to security risks, including unauthorized access, data breaches, and Denial of Service (DoS) attacks due to their public nature.
On the other hand, Internal APIs, or private APIs, are used exclusively within an organization. These APIs facilitate communication between internal systems, providing greater control over data sharing and service integrations. However, even though they are more secure than open APIs, they are still vulnerable to insider threats, weak authentication, and poor access control measures. If internal employees with malicious intent exploit internal APIs, they can potentially access sensitive information, posing a significant risk to organizations.
Composite APIs, which aggregate multiple service requests into a single call, are commonly used in complex environments such as microservices architectures. These APIs reduce network latency and simplify interactions between services, providing a more efficient means of handling multiple requests. However, composite APIs introduce security risks due to their complexity. If one service within the composite is compromised, it can lead to a breach in the entire system, exposing multiple datasets to potential attackers. Additionally, securing multiple endpoints and mitigating the risk of DoS attacks becomes more challenging with composite APIs, as their failure could simultaneously impact multiple systems.
Partner APIs are designed for specific external developers or business partners, typically for business-to-business (B2B) interactions. These APIs require stringent authentication and authorization processes to ensure that only trusted partners have access. Despite their restricted access, partner APIs can still be vulnerable to attacks stemming from credential theft or security flaws in partner organizations.
TYPES OF API & vulnerabilities (Muqaddas Bin Tahir) .pptx
2. MUQADDAS BIN TAHIR
Types of APIs
Open APIs: Open-source application programming interfaces, also known as Public APIs. There are no restrictions on accessing these types of APIs because they are publicly available.
Open APIs can be accessed by any developer.
3. Types of APIs
Partner APIs: This type of API is exposed only to a particular person. A developer needs specific rights or licenses in order to access this type of API because it is not publicly available.
Partner APIs can be accessed only by authorized developers.
4. Types of APIs
Internal APIs: Also known as Private APIs, this type of API remains hidden from external users. Internal APIs are implemented for internal use within a company. Many organisations use this type of API among their different internal teams to improve their products and services.
Internal APIs can be accessed only by internal teams.
5. Types of APIs
Composite APIs: This type of API is used to combine different data and service APIs. By using these services, developers can access several endpoints in a single call. Its main uses are to speed up the process of execution and improve the performance for the end user at the web interface.
Composite APIs are used to combine multiple APIs.
7. Vulnerability
Vulnerability: A vulnerability is a loophole or error in a system's or device's code. It is exploited to compromise the CIA (confidentiality, integrity and availability) of data stored in the system through unauthorized access, to cause denial of service, or to steal the data.
10. Vulnerability
Broken Object Level Authorization: Broken object-level authorization (BOLA) is also known as insecure direct object reference (IDOR). This issue occurs when the server does not properly verify whether the current user, authenticated or not, is reading, updating or deleting an object to which they do not have rights.
11. Vulnerability
Broken User Authentication: Poor implementation of API authentication allows attackers to predict other users' identities. In more general terms, broken user authentication occurs when an API has an authentication system that does not work, or the implemented authentication system fails in some cases, allowing attackers to present themselves as an authenticated user.
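As an added example (not part of the presentation), the Python below shows one way an API can hand out session tokens that a client cannot predict or forge: the identity and expiry are bound by an HMAC under a server-side secret, the nonce comes from the OS random source, and the signature is checked with a constant-time compare before anything inside the token is trusted. The token layout "user_id.expiry.nonce.signature" and the startup-generated secret are assumptions for the example; a real deployment would load the secret from a secret store.

```python
# Added example, not from the presentation: issuing and verifying API session tokens so that
# a client cannot guess or forge another user's identity. Assumptions: one server-side secret
# generated at startup (a real deployment would load it from a secret store), and tokens of
# the hypothetical form "user_id.expiry.nonce.signature".
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional

SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 3600


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Return "user_id.expiry.nonce.signature". The nonce comes from the OS CSPRNG, so tokens
    for the same user are unrelated to each other; the HMAC binds user id and expiry."""
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_TTL_SECONDS
    nonce = secrets.token_urlsafe(16)
    payload = f"{user_id}.{expiry}.{nonce}".encode()
    sig = base64.urlsafe_b64encode(_sign(payload)).decode().rstrip("=")
    return f"{payload.decode()}.{sig}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, otherwise None. The
    signature is checked before anything in the token is trusted, with a constant-time compare."""
    now = time.time() if now is None else now
    parts = token.rsplit(".", 3)          # rsplit so a user id containing "." still parses
    if len(parts) != 4:
        return None
    user_id, expiry, nonce, sig = parts
    try:
        given = base64.urlsafe_b64decode(sig + "=" * (-len(sig) % 4))
    except (binascii.Error, ValueError):
        return None
    expected = _sign(f"{user_id}.{expiry}.{nonce}".encode())
    if not hmac.compare_digest(expected, given):
        return None
    if not expiry.isdigit() or int(expiry) < now:
        return None
    return user_id
```

The expiry check runs only after the signature check passes, so a client cannot extend its own lifetime by editing the expiry field, and a tampered user id fails the same way as a random string.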
12. Vulnerability
Excessive Data Exposure: An API should be limited to giving the front-end clients access to only the data they need, but sometimes developers make a mistake or take an easy shortcut and develop APIs that give the client access to all the data. When these APIs provide access to more data than the user needs, we call it Excessive Data Exposure.
13. Vulnerability
Lack of Resources & Rate Limiting: If the API is not protected against an excessive number of requests or excessive payload sizes, there is a possibility for attackers to use this for Denial of Service (DoS) and for authentication attacks such as brute force.
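As an added example (not the presentation's code), the Python below implements the two controls this slide says are missing: a per-client token-bucket rate limiter and a request-body size cap, both applied to a login handler before any credential check runs. The limits, the client key and the handler name are hypothetical.

```python
# Added example, not from the presentation: a per-client token-bucket rate limiter and a
# request-size cap for an API endpoint. Limits and names are hypothetical.
from dataclasses import dataclass
from typing import Dict, Tuple

MAX_BODY_BYTES = 64 * 1024    # reject oversized bodies before parsing them


@dataclass
class Bucket:
    capacity: float
    refill_per_sec: float
    tokens: float
    updated: float


class RateLimiter:
    """Each client key (API key, user id or source address) gets its own bucket. A request
    costs one token; when the bucket is empty the request is refused rather than queued."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets: Dict[str, Bucket] = {}

    def allow(self, client: str, now: float) -> bool:
        b = self.buckets.get(client)
        if b is None:
            b = self.buckets[client] = Bucket(self.capacity, self.refill_per_sec, self.capacity, now)
        # refill in proportion to elapsed time, never above capacity
        elapsed = max(0.0, now - b.updated)
        b.tokens = min(b.capacity, b.tokens + elapsed * b.refill_per_sec)
        b.updated = now
        if b.tokens >= 1:
            b.tokens -= 1
            return True
        return False


# constructed policy: 5 login attempts, then one more per minute
LOGIN_LIMITER = RateLimiter(capacity=5, refill_per_sec=1 / 60)


def handle_login(client: str, body: bytes, now: float) -> Tuple[int, str]:
    """Return an (HTTP status, message) pair. Size and rate checks run before the password
    check, so a flood of requests cannot burn CPU or brute-force the endpoint."""
    if len(body) > MAX_BODY_BYTES:
        return 413, "payload too large"
    if not LOGIN_LIMITER.allow(client, now):
        return 429, "too many requests"
    return 200, "credentials checked"    # the real password check would go here
```

Passing the clock in explicitly keeps the limiter testable; in a running service the caller supplies time.monotonic(). Keying the bucket on an authenticated identity rather than only on source address stops one client from bypassing the limit by rotating addresses, at the cost of not limiting unauthenticated traffic, so login endpoints usually key on both.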
14. Vulnerability
Broken Function Level Authorization: The API should give the client access to user-level or admin-level APIs only as appropriate. The vulnerability arises if attackers figure out the hidden admin API methods and access them directly.
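As an added example (not from the presentation) covering both slide 10 and this slide, the Python below is a small in-memory document API with the two authorization checks side by side: get_document enforces object-level authorization (the caller must own the record, not merely be logged in), and delete_user enforces function-level authorization (the admin operation is gated on role, not on the endpoint being unlisted). A deliberately unchecked get_document_vulnerable is included for contrast. All users, documents and function names are constructed.

```python
# Added example, not from the presentation: object-level (BOLA/IDOR, slide 10) and
# function-level (slide 14) authorization checks on one constructed in-memory API.
from dataclasses import dataclass
from typing import Dict


class Forbidden(Exception):
    pass


@dataclass(frozen=True)
class User:
    user_id: str
    role: str            # "user" or "admin"


@dataclass
class Document:
    doc_id: int
    owner_id: str
    body: str


# constructed sample data
USERS: Dict[str, User] = {
    "alice": User("alice", "user"),
    "bob": User("bob", "user"),
    "root": User("root", "admin"),
}
DOCS: Dict[int, Document] = {
    1: Document(1, "alice", "alice's tax return"),
    2: Document(2, "bob", "bob's medical record"),
}


def get_document_vulnerable(caller: User, doc_id: int) -> Document:
    # BOLA: the caller is authenticated, but the id they supplied is trusted blindly.
    return DOCS[doc_id]


def get_document(caller: User, doc_id: int) -> Document:
    """Object-level check: the record must belong to the caller (admins may read any)."""
    doc = DOCS.get(doc_id)
    if doc is None or (doc.owner_id != caller.user_id and caller.role != "admin"):
        # same error for "missing" and "not yours", so ids cannot be enumerated by response
        raise Forbidden("document not accessible")
    return doc


def delete_user(caller: User, target_id: str) -> bool:
    """Function-level check: an admin-only operation is gated on role, not on obscurity.
    Returns True when the target user existed and was removed."""
    if caller.role != "admin":
        raise Forbidden("admin role required")
    return USERS.pop(target_id, None) is not None
```

The ownership comparison lives next to the data access rather than in the routing layer, so every path that reaches a document goes through it, and the same Forbidden response is returned whether the record is missing or belongs to someone else.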
15. Vulnerability
Mass Assignment: If the API takes data from the client and stores it without proper filtering against whitelisted properties or guidelines, there is a possibility that attackers can try to predict object properties or add additional object parameters to their requests, read the documentation, or check the API endpoints for clues about where to find openings to modify parameters they are not supposed to, thereby impacting the data objects stored in the backend.
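As an added example (not the presentation's code) serving both slide 12 and this slide, the Python below applies the same allowlist discipline in both directions: to_public_view returns only the fields the front end needs instead of dumping the whole record (excessive data exposure), and apply_update accepts only client-editable fields, so a request that also carries "is_admin" or "balance" is rejected rather than stored (mass assignment). The record layout and field names are constructed.

```python
# Added example, not from the presentation: field allowlists on the way out (slide 12,
# excessive data exposure) and on the way in (slide 15, mass assignment). Names constructed.
from typing import Any, Dict, Set

PUBLIC_FIELDS: Set[str] = {"id", "username", "display_name"}
CLIENT_WRITABLE: Set[str] = {"display_name", "email"}


class RejectedFields(ValueError):
    pass


def to_public_view(record: Dict[str, Any]) -> Dict[str, Any]:
    """Serialize for the client by copying only allowlisted fields. Anything added to the
    model later (password hash, internal flags) stays hidden by default."""
    return {k: record[k] for k in PUBLIC_FIELDS if k in record}


def apply_update(record: Dict[str, Any], payload: Dict[str, Any]) -> Dict[str, Any]:
    """Bind client input: reject, rather than silently drop, fields outside the allowlist so
    that mass-assignment attempts show up in logs and tests. Returns a new record."""
    extra = set(payload) - CLIENT_WRITABLE
    if extra:
        raise RejectedFields(f"not client-editable: {sorted(extra)}")
    updated = dict(record)
    updated.update(payload)
    return updated


# constructed sample record as it might be stored in the backend
SAMPLE = {
    "id": 7,
    "username": "alice",
    "display_name": "Alice",
    "email": "a@example.com",
    "password_hash": "$argon2id$...",
    "is_admin": False,
    "balance": 120.0,
}
```

Allowlisting is preferred to denylisting in both functions because a new sensitive field added to the model is hidden and read-only until someone deliberately lists it.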
16. Vulnerability
Security Misconfiguration: A lack of security configuration, together with giving clients access to the API servers, allows attackers to exploit the vulnerabilities to gain access to the server.
17. Vulnerability
Injection: Attackers are able to construct API calls that include SQL, NoSQL, LDAP, OS, or other commands in the API request; the backend behind the API blindly executes that request, which leads to injection.
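As an added example (not from the presentation), the Python below shows the SQL case of this slide with sqlite3 from the standard library. find_user_vulnerable splices the request parameter into the SQL text, so the backend executes whatever the client sent as syntax; find_user binds it as a parameter, so the same string is only ever compared as a value. The table and the sample users, including one whose name contains an apostrophe, are constructed.

```python
# Added example, not from the presentation: string-built SQL beside a parameterized query,
# using the standard-library sqlite3 module. Table and rows are constructed.
import sqlite3
from typing import Optional, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("o'brien", "user"), ("root", "admin")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> Optional[Tuple]:
    # String formatting turns untrusted input into SQL syntax: even a legitimate name with a
    # quote character breaks the statement, and crafted input can change its meaning.
    sql = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone()


def find_user(conn: sqlite3.Connection, username: str) -> Optional[Tuple]:
    # Parameter binding: the driver passes the value separately from the statement text,
    # so it is never parsed as SQL.
    return conn.execute(
        "SELECT id, username, role FROM users WHERE username = ?", (username,)
    ).fetchone()
```

The quickest way to see the difference is the legitimate user "o'brien": the parameterized query finds the row, while the string-built query raises a syntax error, which is the same parsing behaviour an attacker relies on.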
18. Vulnerability
Improper Assets Management: Attackers find outdated versions of the API (for example, staging, testing, beta, or earlier versions) that are not as well protected or secured as the production API, and use those to launch their attacks.
19. Vulnerability
Insufficient Logging & Monitoring: A lack of proper monitoring of the data and network traffic passing into the server, of logging of activities, and of alerting in case of unauthorized access or activity will open doors for an attacker.
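As an added example (not from the presentation), the Python below is a small detector run over constructed API access-log lines. It raises one alert per client that accumulates five 401/403 responses inside a sliding sixty-second window, which is the kind of signal (credential guessing, object-id probing) that this slide says goes unseen without logging and alerting. The log format, the field names and the thresholds are hypothetical.

```python
# Added example, not from the presentation: detecting bursts of authorization failures in
# constructed API access logs. Log format, thresholds and names are hypothetical.
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Set, Tuple

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)
WINDOW_SECONDS = 60
THRESHOLD = 5


def parse_line(line: str) -> Tuple[datetime, str, str, str, int]:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return (datetime.fromisoformat(m["ts"]), m["client"], m["method"], m["path"], int(m["status"]))


def detect_auth_failure_bursts(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, timestamp) alerts, one per client the first time it reaches THRESHOLD
    authorization failures inside a sliding WINDOW_SECONDS window. Lines must be time-ordered."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted: Set[str] = set()
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        ts, client, _method, _path, status = parse_line(line)
        if status not in (401, 403):
            continue
        q = recent[client]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= THRESHOLD and client not in alerted:
            alerted.add(client)
            alerts.append((client, ts.isoformat()))
    return alerts


# constructed sample log: one client walking through order ids, one ordinary client
SAMPLE_LOG = [
    '2024-05-01T10:00:00 10.0.0.5 "GET /api/orders/101" 403',
    '2024-05-01T10:00:01 10.0.0.5 "GET /api/orders/102" 403',
    '2024-05-01T10:00:02 10.0.0.9 "GET /api/orders/7" 200',
    '2024-05-01T10:00:03 10.0.0.5 "GET /api/orders/103" 403',
    '2024-05-01T10:00:04 10.0.0.5 "GET /api/orders/104" 403',
    '2024-05-01T10:00:05 10.0.0.9 "POST /api/login" 401',
    '2024-05-01T10:00:06 10.0.0.5 "GET /api/orders/105" 403',
    '2024-05-01T10:00:07 10.0.0.5 "GET /api/orders/106" 403',
]
```

The detector only works because the API logs the client identity, the path and the status code for every request; the alert on 10.0.0.5 is exactly the object-id probing from slide 10 becoming visible in the data this slide asks operators to collect.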