API Abuse – The Anatomy of An Attack
iSpeech
A talk given by David Stewart from CriticalBlue at the 2019 Platform Summit in Stockholm.
Gartner’s statement that “By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.” is often quoted, but what does an API abuse attack actually look and feel like?
At last year’s Platform Summit, I described 3 different types of API abuse at a high level, summarizing who abuses and why.
The year I will go into anatomical and forensic detail on one specific API abuse attack based on our real experiences, explaining what it looked and felt like through the exploration and probing phase, into the setup and test stage, and finally into the at scale exploitation.
Remembering that API abuse attacks are often carried out at low frequency and with valid user credentials and API keys, the audience will be challenged to consider how their API defense mechanisms would cope against bad actors behaving as described.
Attendees may feel the need to contact their home offices after this presentation, just to check a few things…
source
Gloss