Overview
Explore API security fundamentals in this 21-minute conference talk from LevelUp 0x03. Dive into primary domains of API security, examining notable examples of security flaws for each. Learn basic methodology for testing and fuzzing services by approaching with educated guesses about backend operations. Discover two major bugs, including their discovery methodology and impact. Gain insights into common API security issues, access controls, input validation, rate limiting, HTTP method restrictions, and third-party API abuse. Examine real-world case studies involving Panera Bread, German eld System, Discord, and Duda Mobile. Perfect for beginners with some intermediate concepts, this talk provides a comprehensive introduction to API security testing and vulnerability discovery.
Syllabus
Intro
Common API Security Issues
Access Controls
Access Control Bugs
Access Control Bug - Panera Bread
Input Validation Bugs
Input Validation Bug - German eld System
Input Validation - Fuzzing
Rate Limiting
Restricting HTTP Methods
3rd Party API Abuse
Discord Bug - Concepts
Discord Bug - Methodology
Example Request
Discord Bug - Impact
Duda Mobile - Concepts
Duda Mobile - Impact
Follow Up
Taught by
Bugcrowd