Published on July 5th, 2019

Webhooks Hookups: Abusing API Developers (Tomer Zait & Maxim Zavodchik)





OWASP Global AppSec Tel Aviv
https://telaviv.appsecglobal.org/

The concept of a Webhook is quite simple: an HTTP callback that fires when something happens. However, a Webhook's open-ended integration with arbitrary web services makes it very easy for API developers to pipe data in and out across the boundaries the CISO has defined, and can even end in a network compromise.
We will share our research on the tool-chains that API developers use to develop and test Webhooks and show why those tool-chains can be disastrous. We will provide examples of real-life exposed applications and present our war stories on the vulnerabilities we have discovered and responsibly disclosed. We will discuss how Webhook tools are already being abused in the wild. Attendees will walk away with a better understanding of Webhook development threats and of the feasible preventive controls. Finally, we will release a toolkit to assist in auditing the exposure of organizations that use Webhooks.
Tomer Zait
Principal Security Researcher, F5
Tomer Zait (Principal Security Researcher at F5 Networks) has worked in a range of professions in the security industry (Web Application Firewall Integrator, Penetration Tester, Application Security Engineer, Security Researcher, etc.).

Maxim Zavodchik
Security Research Manager, F5 Networks
The speaker has more than 10 years of experience in offensive security and web vulnerability research. In his current role as Head of Security Research, Maxim is building and growing the threat research function at F5 Networks.


Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP_Media_Project
