Mateusz Olejarka - REST API, pentester's perspective

Nowadays REST APIs are behind every mobile application and nearly all web applications. As such they bring a wide range of possibilities in terms of communication and integration with a given system. But with great power comes great responsibility. This talk aims to provide general guidance related to API security assessment and covers common API vulnerabilities. We will look at an API interface from the perspective of a potential attacker. I will show:

- how to find hidden API interfaces
- ways to detect available methods and parameters
- fuzzing and pentesting techniques for API calls
- typical problems

I will share several interesting cases from public bug bounty reports and personal experience, for example:

* how I got various credentials with one API call
* how to cause DoS by running the Garbage Collector from the API

https://www.hacktivity.com
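The first three items the abstract lists (finding interfaces, detecting methods, detecting parameters) are the reconnaissance steps of an API assessment. The script below is an added example and not the speaker's code or material from the talk: it runs the three probes against a constructed in-process stub API so it works offline. The stub's routes (`/api/users`, `/api/admin/gc`), its parameter names and the candidate wordlists are all hypothetical.

```python
"""Enumerate a REST API the way a pentester would: which paths exist, which
HTTP methods each accepts, and which query parameters the handler actually
reads.  The target is a constructed in-process stub, so this runs offline."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse


class StubAPI(BaseHTTPRequestHandler):
    """Constructed target (hypothetical routes, not a real product)."""
    ROUTES = {"/api/users": {"GET", "POST"}, "/api/admin/gc": {"POST"}}
    KNOWN_PARAMS = {"page", "limit", "debug"}   # parameters the handler reads

    def _handle(self):
        url = urlparse(self.path)
        allowed = self.ROUTES.get(url.path)
        if allowed is None:
            return self._reply(404, {"error": "not found"})
        if self.command not in allowed:
            # A 405 still reveals that the path exists; the prober relies on that.
            return self._reply(405, {"error": "method not allowed"})
        params = parse_qs(url.query)
        echo = {k: v for k, v in params.items() if k in self.KNOWN_PARAMS}
        return self._reply(200, {"ok": True, "method": self.command, "echo": echo})

    def _reply(self, status, obj):
        data = json.dumps(obj, sort_keys=True).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = do_OPTIONS = _handle

    def log_message(self, *args):   # silence per-request logging
        pass


METHODS = ("GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE")
REJECTED = {404, 405, 501}   # no such path / method not allowed / not implemented


def request(base, path, method="GET"):
    """Issue one request and return (status, body) without raising on 4xx/5xx."""
    req = urllib.request.Request(base + path, method=method)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe_paths(base, candidates):
    """Paths that exist: anything not answering 404, a 405 included."""
    return [p for p in candidates if request(base, p)[0] != 404]


def probe_methods(base, path):
    """Methods the endpoint accepts, i.e. not rejected outright."""
    return [m for m in METHODS if request(base, path, m)[0] not in REJECTED]


def probe_params(base, path, candidates):
    """Parameters whose presence changes the body relative to a baseline.

    The baseline carries a bogus parameter so that 'ignored parameter' is the
    reference behaviour; a candidate counts as live when the body differs."""
    _, baseline = request(base, f"{path}?zz_unlikely=1")
    return [n for n in candidates if request(base, f"{path}?{n}=1")[1] != baseline]


def start_stub():
    srv = HTTPServer(("127.0.0.1", 0), StubAPI)   # port 0 = pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def run_demo():
    """Run all three probes against the stub and return the findings."""
    srv, base = start_stub()
    try:
        paths = probe_paths(
            base, ["/api/users", "/api/v2/users", "/api/admin/gc", "/api/internal"])
        return {
            "paths": paths,
            "methods": {p: probe_methods(base, p) for p in paths},
            "params": probe_params(
                base, "/api/users", ["page", "limit", "sort", "debug", "fields"]),
        }
    finally:
        srv.shutdown()


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two points worth keeping in mind when pointing this at a real, in-scope target: a 405 or 401 is as good as a 200 for proving a path exists (here `/api/admin/gc` is found even though GET is refused), and the body comparison in `probe_params` only works once volatile fields such as timestamps or request IDs have been stripped from the responses before comparing.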