»API's are not just the 21st century developers mullet, they're also how you are getting PWND«
2019-11-08, 11:00–11:10, Blue Day
A look at all the ways API's are used in the attack process, from ATO (account takeover) and credential abuse automation, to BOT operations for inventory sniping and checkout procedures. This can all be automated and abused thanks to the speed, ease of use, and extensibility of API's.
If you were to talk to a WAF admin in 2006 about the logged HTTP/S traffic they observed that was NOT HTML, but instead JSON and XML, they probably would have responded: "That's just developers making calls between their applications, nothing to worry about!"
Flash forward to 2007. Now the world has a new toy, the iPhone, and the Internet is about to change. Since then, Google Analytics has tracked the sharp decrease in web technologies such as SOAP and WSDL, as well as the massive increase in JSON and XML, as the formats win the fight for an efficient method of dealing out low packet size, but highly effective message requests in order to support the mobile explosion.
With everything in today's world having "An App for That" how are attackers using API technologies to target, exploit, and profit off of a service that would be dirt cheap if only it weren't run by profiteering gluttons? In this talk, I'll give examples of exploit code used in DOS attacks against API services, application exploits against an API's application logic, as well as defensive methodologies for dealing with these attacks.
Attendees will walk away with a better understanding of how APIs can be abused, and some basic ideas of how to better protect these essential functions.