APIs are everywhere. Some companies sell theirs for profit and publish documentation alongside them. Others expose just enough of an API to provide value to end users, without ever intending it to be used for any other purpose. Your API is the purveyor of some valuable data, and attackers are eager to get at it. This session will cover some of the methods attackers use to reverse engineer your API and some steps you can take to thwart them.

The session will begin by demonstrating a few methodologies for how traffic to an API can be 'sniffed' and analyzed. We will then discuss authentication with API keys and OAuth2, and the differences and pitfalls of each. We'll touch on some low-hanging fruit for hardening your API: TLS encryption and certificate pinning, as well as some less obvious techniques including HMAC request signing, obfuscation, compilation protection, and more.

At the end of the session you'll have a better understanding of the cat-and-mouse game that is API security, the know-how of the tools and techniques attackers might be using to get at your data, and some steps you can implement to improve your API's security.

Comments


Joseph Lavin at 14:43 on 24 Oct 2024

Lots of great info. Perhaps showing an attack (rather than just telling) would somehow help keep the audience engaged.

Great talk, very informative. One thing people always fail to mention re: API security is that hackers will send the WEIRDEST requests to try to get a response or info. You have to be ready for that. Also, I would recommend spending more time talking about OAuth 2, as we kind of zoomed through that.

Omni Adams at 17:00 on 28 Oct 2024

I'd love to see some examples added for what some of the attacks look like and why they're dangerous. Security is a pretty wide topic, so I know it'd be difficult to dig into anything to give the talk more depth to build on its breadth.