sfruttare
2/5/2020 - 8:56 PM
A basic overview of attacking APIs using mitmproxy by Daniel Neagaru at Ruby UnConf.
A basic overview of attacking APIs using mitmproxy by Daniel Neagaru at Ruby UnConf.
Daniel Neagaru @ Ruby UnConf 2019 - Attacking own APIs to find security bugs
Agenda
- Root/jailbreak device
- Install new CA
- Sniff traffic
- Script the API
- Sniff from the script
- Fuzz parameters
- Attack scenarios
Root devices
- Get privileged access to the device
- Necessary to install the new CA
- Get access to inaccessible data
- Devices need to trust the SSL connection
Sniffing traffic
- BurpSuite, ZAProxy, mitmproxy
- CLI, can be automated with Python
Automate API calls
- Filter out unnecessary requests
- Replicate the API calls with a script
- Make the code flexible and automate as much as possible
- Run the script, send requests to web proxy, look for interesting parameters
- Find the relevant security payloads
- Fuzz and check for unusual responses
Payloads
Payloads are really what you pay for when you purchase a webapp security scanner.
- https://github.com/minimaxir/big-list-of-naughty-strings
- https://github.com/fuzzdb-project/fuzzdb
- https://github.com/swisskyrepo/PayloadsAllTheThings
- https://github.com/danielmiessler/SecLists
Create attack scenarios
- Recheck findings and eliminate false positives
- Inform relevant teams and recheck after it gets fixed
- Use custom scripts to create attack flows
- Test the attacks in different environments