Skip to main content

Posts

Bug Bounty vs. Security Scanner

  A lot of folks don't know the difference between a bug bounty program and automated security scans. Here is a cheat sheet to quickly learn the major differences. Security Scanner Bug Bounty Program Synonyms Web application scanner Security scanner DAST Penetration Testing Pen Testing Ethical Hacking Security Testing Bug Bounty Programs Definition DAST stands for Dynamic Application Security Testing.  Is the process of testing web, mobile, and API applications to find vulnerabilities and security bugs through automated tools Is the process of finding security bugs through human intelligence. A security tester might use and modify automated tools to find hard-to-find vulnerabilities. Code Access No code access is required. Most of the tools are language and technology agnostic No code access is required. Internal technology stack knowledge helps create tailored tests Live Traffic Access No access to live traffic is required No access to live traffic is required Supported Technologi
Recent posts

Learnings After 400 API Security Testing

  We recently launched EthicalCheck, a free and instant API security testing DAST (Dynamic Application Security Testing) web tool on GitHub.  Here is the GitHub URL for the tool: https://apisec-inc.github.io/pentest/ What kind of vulnerabilities does EthicalCheck find? Most automated scanners would find vulnerabilities like SQL Injections, NoSQL Injections, XSS, etc.  EthicalCheck performs different checks, including OAuth 2.0, JWT, BasicAuth, OWASP API #2, and broken authentication defects in web, mobile, and public-facing APIs. How EthicalCheck work? It requires two inputs:  API (OpenAPI Spec/Swagger) documentation URL. Email address for receiving security testing report We only did a soft launch across a couple of developer forums in the past three months. We weren't hoping that we would get anywhere close to 400 tests. Here are the stats: Start Date: Feb 2022 - Apr 2022 ( 3 months ) Total APIs Tested: 400 Total APIs with Vulnerabilities: 164 Total APIs with 10+ Vulnerabilities:

What is DAST, and Why Should Developers Use It?

  DAST stands for Dynamic Application Security Testing. DAST is the process of testing web, mobile, and API applications to find vulnerabilities/security bugs through simulated attacks. DAST is the process of live testing an application either using an automated scanner or manual penetration testing practices. Most developers haven't heard about DAST scanners because they are primarily used by appsec and penetration testers. What kind of vulnerabilities does DAST find? Most automated scanners would find critical vulnerabilities like SQL Injections, NoSQL Injections, XSS, etc.  The hard-to-find vulnerabilities like logic bugs, authentication, and authorization flaws are usually done by ethical hackers, penetration testers, and AppSec engineers. The preferred approach is to write automated test cases that can be executed as part of CI/CD. Should developers care about DAST?  Yes, they should, since having any of the above critical vulnerabilities can lead to data breaches and punitive

Running Basic Security Tests Against Twitter API

I tweet once in a while about product/organization updates. I've built a couple of Twitter integrations in the past.  As part of security research, I look for vulnerabilities in public APIs and mobile/web backend APIs. I often use the free API security testing tool to run basic tests. These tests are safe and non-intrusive; they detect OAuth 2.0/JWT/Authentication flaws in APIs. Twitter and similar organizations wouldn't mind or see these tests. https://apisec-inc.github.io/pentest/ I used this Twitter API OpenAPI Specification file URL for testing: https://api.twitter.com/labs/2/openapi.json Here is the simple process I followed. I pointed the tool to the Twitter OpenAPI Spec file and just ran the basic tests to see what it returns. The result came back with one endpoint being open to the public. I realized the endpoint was returning the API scheme upon further investigation, so it wasn't a big deal.  Conclusion:  All Twitter API endpoints are secure, and no issues were fo

How I scanned dev.to APIs for vulnerabilities

I recently saw the dev.to published REST APIs. https://developers.forem.com/api I'm a big fan of dev.to, I often publish and read articles on it, so it made me curious, and I thought of scanning the Dev.to REST API for vulnerabilities. I used this free and web-based API security tool for the job. https://apisec-inc.github.io/pentest/ I uploaded their OpenAPI Spec file here and submitted it: https://raw.githubusercontent.com/apisec-inc/pentest/main/OAS/plugin-redoc-0.yaml Here are the scan results Surprisingly it reported 8 issues. Here is the list: I analyzed the dev.to web UI to find out what was happening. I quickly figured out all the open endpoints were also open on the web UI and were left public by design so the unauthenticated users can view the dev.to articles, videos, and their associated tags, categories, and authors public images. All other functionality like content engagement, likes, comments, follow, create/manage articles, etc., requires the user to be authenticated.

OAuth 2.0 vs JWT

JWT replaces the cookie and makes APIs / Web stateless JWT Token can easily be decoded JWT has No  true logout Always use: Authorization: Bearer <TOKEN> Bearer authentication scheme prevents CSRF attacks sample JWT token includes the following elements. Header : Algorithm and token type { “alg”: “HS256”, “typ”: “JWT” } Payload : data { “sub”: “1234567890”, “name”: “John Doe”, “admin”: true } Verify signature: HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret ) Final output: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 . eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9 . TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ Using  JWT.IO  we can easily decode, verify and generate JWT tokens. OAuth 2.0: Authorization Framework: Support APIs, Web, etc. OAuth 2.0 Key Components Authorization Server (Token Factory, e.g. GitHub) Resource Server (API / Microservice, e.g. GitHub API) Client  (UI / Mobile / API / Microservi