Infosec In the City (IIC)
#IICSG2019 Training — Attacking & Securing APIs
by Mohammed Aldoub
With the increasing, and eventually complete, reliance on APIs in modern systems, and the rapid decline of the monolithic architecture for systems and applications, it is becoming increasingly necessary to understand the various security issues, weaknesses and gotchas in API design. Many products, platforms and technologies now expose an API or two (or many more), sometimes in a decentralised and autonomous fashion. Where does security come in this new world of rapid build-up and teardown of microservices and serverless (Function as a Service, FaaS) architectures?
How do web and mobile apps securely communicate with APIs through devices they can't trust, over network paths they cannot predict, and on infrastructure they don't own?
All of that, and much more, will be studied, tried, tested and answered in this fast-paced, scenario-based, hands-on training course.
This course will discuss attacks and countermeasures for the security issues typically found in API servers and clients, covering authentication, injection attacks, credential handling, cryptography, authorisation, caching, secure file and resource management, and many more.
This training aims to engage students in the design, analysis and breakdown of security in the client-side and server-side components of modern APIs and application infrastructure, combining both new and old attack vectors and pitfalls. This course doesn't reinvent the wheel in security, but it will help you not to reinvent the old bugs.
Date: 17-18 Jun 2019
Venue: Sands Expo & Convention Centre, Marina Bay Sands
Super Early Bird (Sign up by 31 Mar 2019): $3,000 SGD
Early Bird (Sign up by 30 Apr 2019): $3,300 SGD
Standard (Sign up by 31 May 2019): $3,600 SGD
Late: $3,900 SGD
KEY LEARNING OBJECTIVES
API and microservices security architecture.
How to create APIs that are easy to use securely and hard to use insecurely.
The techniques and tools used to design, test and attack APIs and microservices.
Understanding the intricate and minute details of authentication and authorisation frameworks and technologies.
Learning how to effectively solve the problem of credential storage.
Attack and defend against injection vulnerabilities e.g. Template Injection, SQL injection, NoSQL injection (MongoDB, GraphQL, etc.).
Attack and defend against API and serverless oriented vulnerabilities e.g. serialisation, JSON injection, pickling, Edge Side Includes, Serverless Event Injection, etc.
Learn AJAX and REST security best practices.
Know when to use signing, when to use encryption, and when to use both.
Implement applied, battle-tested secure cryptography.
Obtain actionable knowledge and experience in using secure tokens, cookies, keys and tickets for authentication and authorisation.
Attack insecure implementations of session management, input validation, output encoding and loosely coupled components.
Implement secure communication channels with API consumers e.g. web browsers and mobile apps.
Mitigate and defend against XSS, CSRF, JSONP and CORS security weaknesses in APIs.
Implement secure WebSocket channels and defend against Cross-Site WebSocket Hijacking (CSWSH).
Implement and attack multi-factor authentication for APIs.
Learn and understand cache security and what threats and vulnerabilities can arise out of insecure caching methods and configurations.
Handle files securely by allowing only authorised downloads, even in segmented microservice architectures.
Introduction to the Modern Web
Differences between modern and conventional web technologies.
Microservices and APIs.
Cloud-native apps and technologies.
Containers and orchestration.
Security in this new world.
Setting up local and cloud environments for the class.
Security Architecture for APIs
Security of API consumers (Web, Mobile, Microservices, other APIs).
Types of threats for APIs.
Server-side attacks against API implementations (injection attacks, data exposure attacks, etc.).
3rd-party attacks against APIs (authentication weaknesses, cache attacks, etc.).
Client-side attacks against API consumers (Confused Deputy attacks, data exposure, authorisation abuse, ID and token hijacking).
Attacks against API infrastructures.
Designing and implementing defensible APIs and infrastructures.
Logging and Monitoring for Serverless.
Data and File Attacks Against APIs and Clients
Attacking and Securing AWS S3 buckets.
Insecure Direct Object Reference (IDOR) attacks against files and objects.
Securing file downloads with AWS Signed URLs and Signed Cookies.
Securing file downloads using X-Sendfile (Apache) and X-Accel-Redirect (nginx).
Securing file downloads using UUIDs and one-time tokens.
3rd-party threats against file downloads (caching, URL shorteners, CDNs).
File upload security (path traversal attacks, file inclusion, file type confusion, safe bucket uploads with presigned URLs, etc.).
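The authorised-download pattern named in the items above, as an added example that is not part of the course material: the client only ever sees a UUID, the API authorises the caller against a file catalogue, issues a one-time short-lived token, and on redemption answers with an X-Accel-Redirect header so the edge server streams the file from an internal location instead of the app handling bytes (Apache's mod_xsendfile takes an X-Sendfile header with a filesystem path instead). The catalogue, the `/protected` location name and the injected `now` clock are constructed for this example.

```python
import hashlib
import posixpath
import secrets
import uuid

# Constructed sample catalogue: clients see only the UUID, never the path.
FILES = {
    "8b2d1f4e-0c6a-4b3e-a1d9-5e7f2c3b4a10": {"owner": "alice", "path": "invoices/2019-05.pdf"},
    "c4a7e9d2-3f1b-4e8c-b6a5-9d0e1f2a3b4c": {"owner": "bob", "path": "exports/report.csv"},
}
PROTECTED_ROOT = "/protected"   # assumed nginx `internal` location that maps to the file store
TOKEN_TTL = 60                  # seconds a download link stays valid


def safe_internal_path(relpath):
    """Return the internal redirect URI, or None if relpath would escape the protected root."""
    joined = posixpath.normpath(posixpath.join(PROTECTED_ROOT, relpath))
    if relpath.startswith("/") or not joined.startswith(PROTECTED_ROOT + "/"):
        return None
    return joined


class DownloadService:
    def __init__(self):
        self._tokens = {}   # sha256(token) -> (user, file_id, expires_at); a leaked store yields no usable tokens

    def issue(self, user, file_id, now):
        """Authorise once against the catalogue, then hand out a one-time, short-lived token."""
        try:
            uuid.UUID(file_id)   # anything that is not a well-formed id is rejected before lookup
        except ValueError:
            return None
        entry = FILES.get(file_id)
        if entry is None or entry["owner"] != user:
            return None           # same answer for "missing" and "not yours": no enumeration oracle
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (user, file_id, now + TOKEN_TTL)
        return token

    def redeem(self, token, user, now):
        """Return the headers the edge server needs, or None if the token is not acceptable."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self._tokens.pop(digest, None)   # pop: a token is consumed on first use, valid or not
        if record is None:
            return None
        owner, file_id, expires_at = record
        if now > expires_at or owner != user:
            return None
        path = FILES[file_id]["path"]
        internal = safe_internal_path(path)
        if internal is None:
            return None
        return {
            "X-Accel-Redirect": internal,   # nginx serves the file; the app never streams it
            "Content-Disposition": 'attachment; filename="%s"' % posixpath.basename(path),
            "Cache-Control": "private, no-store",   # keep shared caches and CDNs from keeping a copy
        }


if __name__ == "__main__":
    svc = DownloadService()
    tok = svc.issue("alice", "8b2d1f4e-0c6a-4b3e-a1d9-5e7f2c3b4a10", now=1000)
    print(svc.redeem(tok, "alice", now=1010))
    print(svc.redeem(tok, "alice", now=1011))   # replay: None
```

The token is bound to the user who requested it and is consumed on the first redemption attempt, so a link leaked through a URL shortener, referrer or cache is useless once the legitimate download has happened, and useless to anyone else before that.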
Injection Attacks Against APIs and Clients
SQL and NoSQL injection attacks.
Template injection attacks.
Object manipulation attacks (Serialisation, Pickling and Eval attacks).
Serverless Event Injection.
Edge Side Include Injection.
Server-Side Request Forgery (SSRF).
Cache Security Concerns and Configurations in APIs
Knowing what to cache and what not to cache.
Cache attacks: Edge Side Include Injection, Cache Poisoning.
Secure configuration of caching proxies.
Redis and Memcached security.
Same Origin Policy (SOP)
HTTP Security Headers
WebSocket Security
Using Tokens for Authentication and Authorisation
JSON Web Tokens (JWT) and JSON Web Signature (JWS) Security
Mapping Tokens to Users and Devices
Double Wrapping JWT
Stateful v. Stateless Authentication
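A minimal HS256 JWS mint/verify pair in pure Python, added here as an example and not taken from the course: the verifier pins the algorithm server-side so a token whose header claims `alg: none` or any other algorithm is rejected before a key is touched, compares the MAC in constant time, enforces `exp`, and binds the token to a device through a `dev` claim. The claim names, the shared key and the injected `now` clock are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

ALLOWED_ALG = "HS256"   # the server decides the algorithm; the token header never does


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims, key):
    """Produce header.payload.signature with an HMAC-SHA256 over the signing input."""
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(token, key, now, expected_device=None):
    """Return the claims if the token is acceptable, otherwise None (never partial trust)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:            # bad base64url or bad JSON (binascii.Error is a ValueError)
        return None
    # Pinning the algorithm defeats alg=none and "switch to HMAC with the public key" confusion.
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        return None
    expected = hmac.new(key, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time: no byte-by-byte timing leak
        return None
    try:
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError:
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or now >= exp:
        return None               # a token without exp is treated as expired, not as eternal
    if expected_device is not None and claims.get("dev") != expected_device:
        return None               # token presented from a device it was not issued to
    return claims


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    tok = mint({"sub": "alice", "dev": "device-1", "exp": 2000}, key)
    print(verify(tok, key, now=1500, expected_device="device-1"))
```

Keeping the verifier strict (no `alg` from the token, no default for a missing `exp`, device binding checked when the caller supplies one) is what turns "the signature is valid" into "this token is acceptable for this request".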
Authentication and Authorisation in APIs
Session Management and Privileges
Multifactor Authentication (MFA)
Credential Handling and Storage
Credential storage in apps (Local Storage, Apple Keychain and Secure Enclave, Android KeyStore)
Credential storage for APIs
Checking for compromised credentials using HIBP
Secrets API in Kubernetes, Docker Swarm, Mesosphere
Secure SSL/TLS Configuration (Cipher suites, Pinning, PFS, Key and Certificate Management).
Applied cryptography for secret storage and transmission.
Securely applying digital signatures.
Secure password storage and handling.
Applied cryptography using Libsodium, BouncyCastle.
Rate Limiting and Bot Control
Implementing rate-limiting and bot control.
Catching and blocking bad bots.
Managing bot control and CAPTCHAs in APIs and mobile.
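An added example of the rate-limiting item above, not code from the course: a per-client token bucket (burst capacity plus a sustained refill rate) that answers 429 with a Retry-After header when the bucket is empty. The client key prefers an authenticated API key over the peer address, because keying on IP alone punishes everyone behind one NAT and costs a bot nothing to rotate. The request shape, header names and injected `now` clock are constructed for the example.

```python
import hashlib
import math


class RateLimiter:
    """Per-client token bucket: capacity is the burst allowance, refill_per_sec the sustained rate."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity = float(capacity)
        self.refill = float(refill_per_sec)
        self._buckets = {}   # client key -> (tokens, last_seen)

    def check(self, key, now):
        """Return (allowed, retry_after_seconds); retry_after is 0.0 when allowed."""
        tokens, last = self._buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)   # lazy refill
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True, 0.0
        self._buckets[key] = (tokens, now)
        return False, (1.0 - tokens) / self.refill


def client_key(request):
    """Key on an authenticated identity when present; fall back to the peer address."""
    api_key = request.get("headers", {}).get("X-API-Key")
    if api_key:
        # Hash so the limiter's state never holds raw credentials.
        return "key:" + hashlib.sha256(api_key.encode()).hexdigest()[:16]
    return "ip:" + request.get("remote_addr", "unknown")


def handle(limiter, request, now):
    """Return (status, headers) for the request; the caller serves the real response on 200."""
    allowed, retry_after = limiter.check(client_key(request), now)
    if allowed:
        return 200, {}
    # Retry-After is whole seconds; round up so the client does not come back still throttled.
    return 429, {"Retry-After": str(math.ceil(retry_after))}


if __name__ == "__main__":
    limiter = RateLimiter(capacity=3, refill_per_sec=1.0)
    req = {"remote_addr": "203.0.113.7", "headers": {}}
    for t in (0.0, 0.0, 0.0, 0.0, 1.0):
        print(t, handle(limiter, req, now=t))
```

In production the bucket state lives in a shared store (the Redis mentioned earlier in the outline is the usual choice) so that every API instance enforces the same limit, and the burst capacity is set per route: a login endpoint gets a far smaller bucket than a read-only catalogue.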
WHO SHOULD ATTEND
Software developers, security engineers, architects, researchers, bug bounty hunters, system administrators, students and curious security professionals who would like to expand their skills.
Anyone interested in keeping relevant knowledge and skill in the world of cloud, API and app security.
Attendees should be familiar with the concepts of the Web, Linux, cloud services, security and APIs.
Basic programming skills are required.
Basic ability to use command-line interfaces is required.
Scripting experience is recommended.
HARDWARE & SOFTWARE REQUIREMENTS
Laptop with a minimum of 8GB RAM and 40GB of free hard disk space, with USB ports and virtualisation enabled/available.
Students must have full control of the laptop (can install software, can disable antivirus, etc.).
VMware Workstation or VMware Fusion (even trial versions can be used).
Enough storage to host multiple copies of the class VM in case modifications and restores are needed.
Ability to connect to the Internet (the class requires going online).
An active AWS account for each student (free tier or otherwise) is required.
Note: VMware Player and VirtualBox are not recommended for this training.