Zero Trust APIs with Python
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Title of Series | ||
| Number of Parts | 131 | |
| Author | ||
| Contributors | ||
| License | CC Attribution - NonCommercial - ShareAlike 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this | |
| Identifiers | 10.5446/69524 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
00:00
Storage area networkAngle of attackGoodness of fitNumberAmerican Physical SocietyInformation securityBuildingContext awarenessEndliche ModelltheorieVulnerability (computing)Arithmetic progressionComputer animationLecture/ConferenceMeeting/Interview
00:57
CodeDiscounts and allowancesTwitterNewsletterEmail2 (number)Information securityRoute of administrationUniform resource nameVector graphicsServer (computing)Default (computer science)Product (business)Order (biology)Electronic mailing listWeb pageParameter (computer programming)Query languageDependent and independent variablesState of matterDataflowDiscounts and allowancesInformation securityFreewareDifferent (Kate Ryan album)Context awarenessOcean currentBitVulnerability (computing)DiagramTwitterProcess (computing)MereologyDatabaseEndliche ModelltheoriePresentation of a groupCodeStrategy gameHuman migrationMultiplication signForm (programming)Message passingWeb pageConnected spacePoint (geometry)Category of beingCodeLatent heatInterface (computing)Machine codeToken ringSequelSpacetimeFunctional (mathematics)QR codeThread (computing)Software developerEnterprise architectureForestEmailComputing platformPhysical systemExploit (computer security)FlagElectronic mailing listSoftwareRun time (program lifecycle phase)Dependent and independent variablesSensitivity analysisService (economics)Slide ruleParameter (computer programming)YouTubeView (database)Source codeCartesian coordinate systemArithmetic progressionMedical imagingComplex (psychology)Cursor (computers)InternetworkingGoodness of fitWebsiteRight angleMetropolitan area networkSoftware testingINTEGRALAuthorizationShape (magazine)Point cloudInjektivitätStatisticsUniform resource locatorBit rateSurfaceVector spaceComputer fileAmerican Physical SocietyLoginFeedbackComputer animation
10:30
Server (computing)Dependent and independent variablesCodeEmailAerodynamicsQuery languageWeb pageProduct (business)Error messageCone penetration testParameter (computer programming)Default (computer science)Electronic mailing listCausalityMultiplication signPressureDatabaseServer (computing)Axiom of choiceCASE <Informatik>Right angleFeedbackError messageOrder (biology)Service (economics)Game controllerComputer animation
11:29
Product (business)Electronic mailing listDependent and independent variablesQuery languageTouch typingSystems engineeringFAQDatabaseData modelCategory of beingEnumerated typeComputer animationLecture/Conference
11:57
Dependent and independent variablesServer (computing)CodeWeb pageQuery languagePseudodifferentialoperatorProduct (business)View (database)Row (database)Parameter (computer programming)Crash (computing)Open setProduct (business)MassStrategy gameRobotNumeral (linguistics)QuicksortParameter (computer programming)Physical systemCategory of beingSoftware frameworkPresentation of a groupType theoryConstraint (mathematics)Computer animation
12:52
Product (business)Query languageError messageSide channel attackDependent and independent variablesSet (mathematics)View (database)Row (database)File formatNumberType theoryTouch typingOrder (biology)FreewareParameter (computer programming)Web pageDescriptive statisticsConstraint (mathematics)CASE <Informatik>Numeral (linguistics)Maxima and minimaInjektivitätProduct (business)Dependent and independent variablesoutputDatabaseComputer configurationString (computer science)Right angleQuery languagePhysical systemSequelLevel (video gaming)Object (grammar)Enumerated typeAuthorizationComputer animation
13:50
EstimationView (database)Row (database)Dependent and independent variablesServer (computing)CodeError messageLink (knot theory)HypermediaOrder (biology)Parameter (computer programming)DisintegrationAuthorizationLevel (video gaming)Power (physics)Object (grammar)Order (biology)LaptopComputer animation
14:15
Decision tree learningDefault (computer science)Link (knot theory)Dependent and independent variablesDesign of experimentsElectronic mailing listOrder (biology)Parameter (computer programming)Query languageDot productHypermediaGUI widgetError messageUniform resource locatorServer (computing)CodeEmailCodierung <Programmierung>Token ringAuthorizationGoogolUser profileInformationProduct (business)Web pageComputer configurationMilitary operationOrder (biology)Token ringInjektivitätoutputRight angleInterpolationSequelString (computer science)Computer animation
14:57
Computer configurationMilitary operationServer (computing)OvalDependent and independent variablesQuery languageGamma functionComputer engineeringPlastikkarteQuery languageInterpolationString (computer science)Parameter (computer programming)Statement (computer science)InjektivitätEqualiser (mathematics)Order (biology)SequelPhysical systemComputer animationLecture/Conference
15:22
Computer configurationServer (computing)Military operationParameter (computer programming)Dependent and independent variablesQuery languageOrder (biology)Uniform resource locatorPhysical systemDatabase2 (number)Type theoryMultiplication signStatement (computer science)Computer animation
15:56
Computer configurationServer (computing)Military operationParameter (computer programming)Dependent and independent variablesQuery languageCodeUniform resource locatorDatabaseConnected space2 (number)Physical systemTouchscreenComputer animationLecture/Conference
16:23
Stochastic differential equationDependent and independent variablesServer (computing)CodeMetreComputer configurationMilitary operationQuery languageAuthorizationParameter (computer programming)InjektivitätData typeRootComputer-assisted translationAlgebraRow (database)View (database)Order (biology)Electronic mailing listDemonInjektivitätDatabaseInterpolationCartesian coordinate systemVirtual machineRow (database)Physical systemSemiconductor memoryQuery languagePoint (geometry)Product (business)2 (number)String (computer science)Statement (computer science)SequelComputer clusterComputer animation
17:10
Value-added networkQuery languageInjektivitätOrder (biology)Error messageDependent and independent variablesDesign of experimentsView (database)File formatRow (database)CodecPersonal identification numberASCIIObject-relational mappingMultiplication signParametrische ErregungRight anglePhysical systemRow (database)CASE <Informatik>Compilation albumQuery languageSoftware developeroutputDependent and independent variablesInjektivitätMassEnumerated typeConstraint (mathematics)Computer animationLecture/Conference
18:17
Computer configurationServer (computing)Dependent and independent variablesQuery languageOrder (biology)Product (business)CodeEmailAerodynamicsGUI widgetLink (knot theory)Error messageHypermediaMassBuildingFunction (mathematics)outputLibrary (computing)Endliche ModelltheorieValidity (statistics)Plug-in (computing)Computer animationLecture/Conference
18:39
Parameter (computer programming)Order (biology)Spherical capDependent and independent variablesServer (computing)CodeLink (knot theory)Error messageHypermediaSoftware testingoutputMultiplication signEndliche ModelltheorieCategory of beingOrder (biology)Computer wormRandomizationProduct (business)Real numberRight angleComputer animation
19:05
Dependent and independent variablesUniform resource locatorServer (computing)CodeOrder (biology)GoogolString (computer science)Parameter (computer programming)LaceOrder (biology)State of matterIntrusion detection systemMathematicsProduct (business)outputOperator (mathematics)Real numberCASE <Informatik>Computer animation
19:30
Value-added networkDependent and independent variablesCodeLink (knot theory)VolumenvisualisierungServer (computing)Software testingGame theoryGoogolGUI widgetUniform resource locatorOrder (biology)Content (media)Codierung <Programmierung>Endliche ModelltheorieOrder (biology)Category of beingComputer wormDependent and independent variablesComputer animation
19:53
Rule of inferenceServer (computing)Dependent and independent variablesError messageServer (computing)Right angleComputer animation
20:16
Dependent and independent variablesServer (computing)CodeUniform resource locatorOrder (biology)Mountain pass19 (number)Vulnerability (computing)Similarity (geometry)Error messageOrder (biology)Computer animationLecture/Conference
20:41
HypermediaDependent and independent variablesLink (knot theory)CodeServer (computing)View (database)Row (database)Order (biology)Parameter (computer programming)Revision controlDefault (computer science)Endliche ModelltheorieCategory of beingDirection (geometry)Software developerAdditionoutputComputer wormDemosceneDifferent (Kate Ryan album)Computer animation
21:38
Router (computing)OvalArc (geometry)Row (database)Order (biology)View (database)String (computer science)Parameter (computer programming)LengthServer (computing)CurveGrass (card game)Error messageDependent and independent variablesWindowOrdinary differential equationCondition numberImplementationSoftware testingRun time (program lifecycle phase)Fuzzy logicInformation securitySteady state (chemistry)Functional (mathematics)Revision controlCategory of beingKey (cryptography)Software testingHypothesisRun time (program lifecycle phase)outputRow (database)Multiplication signBitLatent heatCombinational logicEndliche ModelltheorieComputer animationLecture/Conference
22:45
Software repositoryStaff (military)BEEPLatent heatImplementationView (database)Right angleType theoryPoint (geometry)Spektrum <Mathematik>Lecture/ConferenceComputer animation
23:15
WebsiteSuite (music)HTTP cookieRow (database)View (database)Spektrum <Mathematik>Information securitySoftware testingError messageBit ratePattern languageString (computer science)LengthSoftware developerIntegerFile formatFlagConfiguration spaceVulnerability (computing)Latent heatSoftware testingMathematicsSpektrum <Mathematik>Computer animation
23:52
Musical ensembleRow (database)State of matterComponent-based software engineeringContent (media)Computer wormPersonal digital assistantPermianString (computer science)LengthFile formatComputer iconPattern languageIntegerMaxima and minimaTelephone number mappingRing (mathematics)Suite (music)View (database)Euclidean vectorPressureHTTP cookieChaos (cosmogony)Condition numberComputing platformComputer programParameter (computer programming)Hacker (term)Web pageUser profileComputer-generated imageryControl flowCodeDiscounts and allowancesSystems engineeringBit rateSpectrum (functional analysis)Vulnerability (computing)Shape (magazine)Arithmetic progressionGoodness of fitSpektrum <Mathematik>CodeInformation securitySimilitude (model)WebsiteSource codeHacker (term)Web-DesignerDiscounts and allowancesMultiplication signBitComputing platformInformationWeb 2.0Socket-SchnittstelleLecture/ConferenceComputer animation
25:17
Web 2.0State of matterMultiplication signConnected spaceSocket-SchnittstelleNetwork socketMathematicsDifferent (Kate Ryan album)Lecture/Conference
25:49
outputConnected spaceRoundness (object)Category of beingEndliche ModelltheorieComputer wormCommunications protocolCodeCASE <Informatik>InjektivitätValidity (statistics)Multiplication signServer (computing)Dependent and independent variablesProjective planeQuery languageSoftware developerCartesian coordinate systemDemosceneBuffer solutionOnline helpRight angleVirtual machineLecture/ConferenceMeeting/InterviewComputer animation
Transcript: English(auto-generated)
00:04
So thank you everyone for being here it's after lunch I hope you had a good lunch, and I was worried you know people would be stuck in lunch And maybe wouldn't be coming here, but we have a good number of people here, so thank you for for making it Very excited to talk about this Zero-trust API, so I've been working with a lot of companies recently doing a lot of work designing building APIs and securing them
00:24
And and I get to realize we we are not really good at we haven't cracked API security yet Really, and so a lot of APS. I get to work on the there are surprising vulnerabilities in there that Shouldn't really happen so what I'm trying to do in the past couple of years I'm trying to raise more awareness about API security vulnerabilities
00:43
And how they happen and what we can do to prevent them and so here I'm going to present this zero trust model for Zero trust security model for API's see what it means for API's and what we can do to make them more secure Before jumping into the details let me introduce myself a little bit
01:00
My name is Jose I'm the author of two books microservice API's was published in December 22 and secure API's is Coming up soon some as we speak. I'm finishing chapter 5 It's available on early access in on manning.com And if you want to get a copy of any of these books you can use this discount code to get a 45% Discount but also the best part is my I was able to get my publisher to give me 15 access codes to the books
01:26
So 10 access codes for secure API's and 5 access codes for microservice API's I'm gonna do a giveaway if you want to participate on on the giveaway connect with me sending a message on Linking in or by me email or something Let me know the it is because of your Python and you want to participate in the giveaway
01:42
And I'll announce the the winners in a few days I also publish courses on in the process of building them on API security and development So learn that micro PSS that I always put I'm gonna put the courses and I also have a YouTube channel where I put tutorials on API security and development as well
02:01
If you want to connect with me any of these platforms So the best way I think it's all linked in you can do by mail as well or Twitter if you want to Have any questions about API's or security? Now API threads is something I've been working on for a few for a while now I'm hoping to launch in a few weeks. So there the idea is to help to raise awareness about the API security
02:22
So it's completely free. You can register for free and every two weeks. We're gonna have challenges So every two weeks or so, we're gonna have a new API We have to discover vulnerabilities by interacting with the API and then the following week We we have to find each the the vulnerability in the code and and find find out how to fix the vulnerability
02:42
And so I'm on participants I'll try to run also giveaways of books and whatever I can raffle So alright, so the agenda for today, I want to give you first on a little bit of introduction What's the current state of API security and why it is important to focus on this a lot more now and then what I'm gonna present this model of zero trust security and how it applies to see to API's and
03:06
Then we're gonna see examples. I think this is the best part of the presentation for me We're gonna see I put together a vulnerable API where we can showcase some of these vulnerabilities and see how they work and how we fix Them and then importantly we're gonna see how we can discover some of these vulnerabilities ahead of time
03:20
With two different testing strategies at the same time and at runtime and I'm gonna show you the tools all right, so The brand we have these days is a psi everywhere. It's just the way we build applications. So the The you know, we have a PS to run integrations between microservices To expose functionality for an it for an SPA or for a mobile application and
03:43
And so it's just the way we build applications these days and depending on what you look at Cloud Flair and Agama have different statistics for this But it's anywhere between 60 and 90 90 percent of full internet traffic is going through API's and those are is a huge attack surface Those are interfaces that expose sensitive data sensitive functionality and we really have to do a good job of protecting them
04:07
Otherwise we have major holes in our systems And so unsurprisingly according to various analysts the API's are really the main attack vector on the internet today With these I just want to give you an idea of how complex API security is
04:21
So salt security is one of the main vendors in the API security space The published research every year on the state of API security One thing to find here is that around 80% of all the attacks against API's are authenticated And so it's like for all intents and purposes threat actors look like normal users when they are interacting with the API and really threat actors don't want to be
04:45
Don't want to be found out as a threat actor. They know there's valuable data and functionality behind the API so they are very interested in not hitting the rate limiting policies we have in place or throwing some kind of Specific attack that is going to flag them as a threat actor very quickly
05:02
So they're just going to try and interact with the API As you know as normal as possible but exploiting vulnerabilities that are there by design And so what we have to do really to protect ourselves against these situations is to try and design API's in such a way That we mitigate as much as possible by design the risk of exploits
05:20
And so part of that is what we're gonna see today If we if you search online API security by design together with my name You're gonna find also some talks and webinars. I've done around this topic from a more specification point of view Right, so how does zero trust help us here? So first of all, zero trust security is a concept that goes back to the early
05:43
2010s so John kindevac was working at the forest our research when he coined the concept back then the idea for Enterprise companies was to do security with the concept of segmentation So imagine we have applications or data sources that are very sensitive. And so we put them in in isolated networks We still do these things today, right? We put a database in a private network, for example
06:03
So that so that nobody can access that data source, but what he what he realizes is this isn't enough, you know We still have interfaces to those data sources in form of Websites or things like that if those if those interfaces are vulnerable to sequel injection and other forms of attacks
06:21
You know the point of segmentation is pointless because we are still able to break into the database And so what he what he brings up is that you have zero trust security So don't trust anything don't trust any data that any Request come to your system regardless of the region and always validate everything and so we can apply these two to API's This is a diagram from my upcoming book secure API's if you have feedback on this, please let me know and so
06:46
What I'm trying to highlight here is we have different data flows in an API So we have a request flow data coming from a user to the API We have a response flow data coming from the API to the user. We have third-party API flow So we are connecting constantly to external API's like geolocation API's emailing API's payment API's
07:05
Those API's are as vulnerable to data corruption and other forms of attacks as our API And so when we're connecting to those API's we have to make sure we're validating and in sanitizing that data as much as we can We have a data flow with our own database and we often don't think of it
07:22
But there are so many ways things can go wrong in a database even with a simple migration We can corrupt poison or get data in a bad shape that is going to compromise the integrity of our systems So we have to make sure those things are also looking right and we have a data flow also with all the systems with it with other Other services within our system. So an example here with our user service could be a payment service or something else
07:44
Those service those services are as vulnerable as our own service and we have to make sure we are validating everything in there So we have all these data flows. The question is now how do we how do we protect them? And so this is a List of all the kind of the security principles we can have for our API's from a zero trust point of view
08:03
We don't have a lot of time here. So I think the best thing is they're kind of self-explanatory So when you get the slides, they are uploaded already on on the website and they are available in discord So read through these and then check out this image this diagram has been a few minutes here This contains illustrations of each of those principles and how they they can be vulnerable
08:21
In an API but let's jump into into the examples now, I think that's exciting part so if you scan the QR codes or go to the short URL, you're gonna be Prompted with you're gonna go to a readme file here It contains the vulnerable API that I put together for this presentation and you can access it tells you how to clone the API
08:41
The code how to run it You can access the API as well on the clouds API threads calm example a one and that's what we're gonna work today here, so We're gonna see the the short URL is in every slide. So don't worry if you can catch it now so we're gonna see the examples now the main point here is sometimes we design a PS in a way that is not obvious how they can be exploited and we put parameters and and
09:06
Properties in in the models that are not sufficiently constrained or not sufficiently Protected to to prevent a different kinds of exploits. So we're gonna see illustrations of that here So we're gonna begin with pagination attacks So this represents a kind of e-commerce API to interact with it, we're gonna have to authorize our request
09:24
So if you go to API threads dot-com login, you're gonna have to login and you're gonna get an access token and so if you grab these and Then click on authorize here you put the your threat Oh, all right, okay
09:45
Sorry, can we fix how do we fix that? Okay. All right So here we are pagination endpoint. So like any good collection endpoint in an API. We have pagination parameters here So we there are different ways of doing pagination, right? We can do page based cursor based token based
10:01
This is just with pages and so we can select which page we want to look at How many items per page we want to see and how we want to sort the items. So if we try this out We send a request and we get the list of items I don't have a huge amount of items in the database It's only two but we're gonna be able to illustrate things nonetheless Right. So these are the pagination parameters just as it just as it is
10:23
And there are so many APS that are just like this. I can do something like this. I can come and say give me 100 million items per page. I only have two It doesn't really showcase a we wouldn't have time to wait for the for the loading and everything But in a normal API with a lot of data These this would go through and one of these requests is not a lot of problem
10:42
But two three hundred a thousand maybe a million of those requests against the database is gonna cause substantial pressure on On the database, right? So that's one thing we can do now something interesting Also, let's say we do zero or minus hundred and that's gonna cause a server error now These are interesting ways to create unexpected behaviors in the service in this case
11:01
It's gonna cause a server error in some of the cases It's gonna cause different behavior and these are ways also to disrupt the experience of the service for the users There's something interesting we can do also with order by so here is price I UI is gonna control these choices for the user right we can put name and we sort the items by name We can do also something as they say asdf, you know threat actor is gonna go directly to the API
11:24
It's gonna try different things and this is very important feedback if the server has crushed So it means it's checking on any value here on the order by and it's trying to sort things by that now We know here. This is going to be correlated to the columns on the database So we can try and discover Properties that are hidden that are supposed to be private to the to the data model
11:43
So something that I know exists here is is this is exclusive for example Yeah, I'm waiting before hitting right so it's exclusive and we hit execute and it works Alright, so now I know with this I can do what we call a schema enumeration So I can discover internal properties of a system that are not supposed to be publicly available
12:04
And with this I can put together a mass assignment strategy or I can Do the things like for example? There may be some private property that is in an e-commerce The date of launch for example, and I can sort items by date of launch If I have a scalper pot something that is gonna buy out the whole stock of a product and then sell it at
12:24
Higher price this happens commonly, right? so I can monitor the for example the dates of launch and and that might my bot to To buy out the products when they're going to be released so I can do things like that Why is this happening? So if we go to the To the presentation here. These are the examples you can try them on your own
12:44
So the problem is this is fast API is going to work the same in any other framework So I have two parameters. They are optional. They have a type but you don't have any kind of constraint So what we want to do but hopefully you can see right the So what we want to please constrains everybody every parameter has to have a minimum and a maximum value and with the strings
13:04
What we can do is something like enumerations. This is a great way of constraining user input on those parameters So in some cases it won't be possible We may want to have something like a filter parameter that allows us to do a free Filter on description and such in those cases. We want to have
13:20
parameterized queries on the database to prevent sequel injection But we want to make sure we constrain as much as possible use our input in the case of page Even we want to have a maximum number of pages We don't want users to come around and scrape the whole database of products in our system So once we do that, we have a response like this For example for the for this order by we do a SDF and it's gonna tell us no
13:41
No only two options here. So you're not gonna do any weird thing here Right, that's pagination attack. Let's move on to the next case sequel injection plus Bola Bola stands for broken object level authorizations So if you go to a wasp the top 10 or wasp our API is one of the first is broken object level Authorization that is when you can access data from all the uses data that you shouldn't be able to see
14:03
so we have an order standpoint here and If you're on a laptop and you authorize your request and such you can place orders through the API here We will be able to see them as we are typing so What I can go is to the orders API and I can list my own orders, right?
14:21
So with this, it's not authenticator. So let's go and paste the token that's that's when I stopped before so authorized and close and Now I send the request and I have access only to my own data But here we have a status of the other right can see if I can filter
14:40
basically orders by the status but I can do some interesting things also I can say what happens if I sort by The status is 10. All right, that's telling me it's accepting any kind of input now Let's see if we can put a sequel injection attack here So we could if you think about sequelist injection how it would happen is we are doing string interpolation in our queries, right? So we're going to put the the value of the parameter. We want to insert in quote marks
15:05
So if we are smart here what we're going to do is close that quote mark and we're gonna say or One equals one. This is the most basic sequel injection attack and we close the rest of the statement So if I do this now have access to all the orders in the system from everyone else
15:21
and and so This is interesting, right? But we couldn't do even more things I can say and 3 1 3 3 equals So that it looks very weird I'm just gonna send a sleep a statement to the database Select 3 1 3 3 from PG is a postgres database every database will have its own So this is something we can help it helps us also discover the type of database we have in the system
15:44
So PG sleep a sleep for four seconds. We don't have a lot of time We close the rest of the statement We send this another database is going to sleep for four seconds before returning now This looks completely harmless but if we do this across Hundreds of requests we're gonna run out of the pool of connections with the database if we put it to sleeping for 30 seconds
16:04
Or more we're just going to prevent all the users from engaging with the system and we can do even something more interesting Here we can say if the screen comes back or 101 we can combine with the previous Attack and this so we send this is going to wait for four seconds and it's going to return all the data
16:22
Now what what's going to happen here is if we have a system, you know If this is any production e-commerce API and we have millions of records here It's going to it's going to load them all of them in memory in the database It's going to wait for a few seconds before returning So at some point the database may even run out of resources and make just collapse And so this is very interesting kind of things we can do with the with sequel injection
16:46
So you have the illustrations here. You can play around with them as well. Now. Why is this happening? So we have these Roles equal a statement here with the string interpolation. We're building the query as we go depending on the value of the status and And you may come and say about Jose. This doesn't happen in reality. You would be surprised
17:04
Especially with you know Data science machine learning applications the that's why I see a lot of these and sometimes for you know I love this time. We are gonna use all RMS right with Django or SQL alchemy to to do the parametrization I'm really sorry about this. I don't control the system
17:23
But sometimes we don't want to use the ORM the comp the query is so complex We want to have a row query and sometimes we just forget to parameterize the query And so we expose the system to this kind of thing. It's perfectly possible. It happens in knowing many cases, but quite a few cases And there's also, you know a debate this
17:41
Continuously whether we should use ORMs or not. And the problem is in in the hands of more junior developers They may forget to parameterize the queries. So that's the risk. I want to highlight here with with those things and and of course the the other thing we want to do here is We want so we want to parameterize the queries in this case with it with the ORM
18:00
But we want to constrain use our input by design So by design we put an enumeration here Nobody can come here and start playing with SQL injection attacks is by design is not prevent It's not possible. So we're gonna get this kind of response. It's not possible right Ten minutes left. Let's see how far we can get. I want to show you an example of mass assignment
18:23
In in something that actually happens a lot more than than it should So, you know when we're building a PS with Python with fast API or flask or Django We have plugins or libraries that allow us to define data validation models and that's how we should be defining the input and the output of the API a
18:40
Lot of the time I see a PS that don't have clear models for input and output. And so anyone can send a random payload and And get the properties to pass through so let me show you an example of that here So if we put if we place an order we grab a real product ID from here and so we're gonna place an order and
19:04
Right, so that's the order placed and then we can grab the idea of the order And I can go to the update the state Update operation now the idea of the update is going to be controlled by a UI in real cases, right? So it's gonna control how yours how we in send input to the API
19:20
We're gonna change only the product or the amount but we're gonna do interesting things here. We're gonna say When it comes back Right Okay, so I'm gonna copy this I Don't want to change that data, but what I want to change is
19:40
Hopefully you can see these Well, so I'm gonna change all the properties in the model because I notice, you know I I place the order and I noticed that the response payload is different from the request payload There's a status property here. So I'm gonna try to overwrite that status And I'm gonna say status
20:02
Is paid and so I send this to the server Right, I need the I need to remove this. All right also Thank you Okay, so I sent this and the request goes through and I set the status to paid
20:21
now you're gonna find I Should have sent me this error maybe but you know, the almost it has a vulnerable API called crappy You can play around with the API. It has similar vulnerabilities It's implemented in Django actually so you can look into the internals of the API how it is implemented And so you can do similar thing in the API You can override the status of the of the order and you get cash back without having to do anything else
20:44
So these are ways I've seen payments API's where we are exposing the same Payload to the input and output. So the status of the payment is exposed to the user So that means unless we have a very smart developer who says all right status is not something that should be coming through a post or a put request by design that API is vulnerable to
21:06
manipulations like this and so what's happening behind the scenes is we have I had to change the the pedantic model. So in version 2 of pedantic, they're doing things very well to help us so The model is
21:21
Strict so we can't you define your model and you can't put additional properties in the payload But that's different of how open API actually works So open API is based on JSON schema the way JSON schema works is you define your model You can put additional properties by default You have to use special directives to prevent that but I don't think it's going to help us here in version 2 but also what we're doing in the body of the function is
21:44
We're iterating over the keys and values of the properties in the payload and binding them directly to the To the database records. So if we use something like the same model for input and output Even if pedantic is going to help us by design the API is not helping us So we are going to be able to override those properties in the request what we want to do
22:04
We want to have a strict model in combination with explicit access to the properties that we expect in the request So if we are not expecting a status that doesn't show up here and we are explicitly explicitly accessing the properties that we want Right with few minutes left very few minutes left. I'm just going to show you there are some more examples
22:23
You can go through them and I'm going to put more explanations on the readme But very quickly to tell you a little bit about testing So testing at design time in a runtime a runtime is interacting with the API at design time is by looking only at the API Specification so at runtime, I want to show you schema thesis is one of the tools I like to do to use for this it's a Python package and you just run schema thesis with a simple
22:46
Command against your API you give it the API specification and it's gonna do something like this So it's gonna go end point by end point by checking if the API is Accepting the right payloads and and rejecting the back the right payloads and if it is returning the right type of data
23:03
This is super helpful to make sure that the API compliance with the implementation compliance with the specification Now once we've done this and the API is absolutely correct from the implementation point of view We can also go to the specification and we can test with something called spectral. So it's an NPM package
23:21
So we do the installation like we do here the configuration and then we run it directly against the spec and it's gonna flag Every vulnerability we have by design in the API and this is the kind of thing we're gonna find So these are tests that I've run against public API is banking banking API since you're an API's GitHub as well as here So we're gonna find anywhere from hundreds to thousands of design problems in in the API
23:45
And what we have to do to make the API secure is just apply these changes, you know And then by design it is not gonna flag everything There are so many vulnerabilities that are not captured by spectral but it's gonna highlight at least 50 or 60 percent of those design vulnerabilities and You know, it's a great way to get to get our API is in a good shape
24:03
These are just examples of running the spectral against a specific API's like that West GitHub plate and the kind of outcomes you get And there's some sources if you want to learn more about data breaches So firetail you're gonna find the the major data breaches in this website
24:21
a hacker one is a great source of information about vulnerabilities in API's and across web development in general and With a little bit of pain and effort we made it through so I hope was it was possible to follow through again the discount code for the books connect with me and tell me you're coming from your Python to Include you in the giveaway and feel free to connect with me in any of these platforms. Thank you for listening
24:49
Thanks all for listening it's now time for questions you can line up behind the microphone right there so
25:07
You talked about API securities and everything Do similar principles apply to like web sockets or or because as long as I know in fast API You just accept the web socket and then the requests are like, you know, they flow freely
25:24
So we used to web sockets in different situations, right? So we use it in GraphQL to connect to changes to to the state of of something we or in gRPC to establish the web socket and Streamline the so we don't have to open a new connection every time
25:41
In that sense. It is still applies. We are still exchanging data So the the socket is just different way of making the connection the data is still flowing through that connection We want to make sure that data is correctly validated and manipulated in all cases Okay, so like every time I request you accept like some data from the Yeah, gRPC is gonna help you right because we have protocol buffers
26:03
So by design we we have you're gonna take care of a lot of validation We only think we want to make sure in in gRPCs that we are designing those payloads securely That's what we want to do in that case Thank you, really interesting talk. Thank you Not a question but comment you put a lot of sadness in my heart
26:23
Because when I saw this kind of scenes in the code I was expecting them to be like specific an experienced developer and you show that it's actually common practice It's a lot more common than we that we think yeah the Depending on the application like I say in the signal injection is not it shouldn't be as widespread nowadays
26:43
But a lot of data science and machine it's all just because the we write the road queries and we forget to parameterize It's happened a few a few times seen in previous projects, but what it's also, you know, like Like I was mentioning fast API gives us pydantic to do the data validation and everything
27:00
I still see a lot of API's we don't have the response model We don't have the input model Supposedly the UI is going to send us the right data But we are giving up all these data validation layer that is going to come for free and it's going to help us So much in in securing our API's and of course if we have the right models make sure we are not exposing server-side properties through the
27:22
Input payload and things like that. We're gonna we're gonna be able to so much to protect the API's there There are so many of these things out there in the wild Thank you, thank you If there are no more questions, let's give one more round of applause. Thank you