Speaker -B01 - 5511- Strengthening API Security in a network operator

TWNOG

Uploaded by

3362
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
8 views

Speaker -B01 - 5511- Strengthening API Security in a network operator

TWNOG

Uploaded by

3362
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 24

API Security – a must have for network operators

Chao Yin Loong

1 © 2024
Purpose of talk
● As network operators embrace NetOps, there will be a plethora of APIs available
● Network operators are increasingly automating and using APIs
● APIs by network operators need to be secure
Example

● In this case it was via a password
● Imagine if this was via a leaked API key
● Need tools to detect anomalies in the way an API is used
The API Security Environment

● More APIs deployed every day
● Existing application security solutions not built for APIs
● By 2024, API abuses and related data breaches will nearly double.¹
● 31% of web traffic is APIs²
● More API attacks
● More API traffic

1 Gartner: Top 10 Things Software Engineering Leaders Need to Know About APIs
2 Akamai threat researchers have identified that 31% of all traffic protected by Akamai is API traffic
What is your API landscape?
North-South: authenticated APIs you open to the outside
● Partner APIs | B2B
● Web app, Mobile APIs | B2C (Website, Mobile App)

East-West APIs: inside your organization
● App A, App B, App C
● Business Unit A, Business Unit B
API Abuse Can Happen Beyond WAAP

Existing protection layers:
● Known Threat Protection (Bot Mitigation, WAF)
● DDoS Protection (CDN)
● Authentication & Authorization (API Gateway)
● Cloud Security (CWPP, CSPM)

Abuse that happens beyond them:
● Account Takeover
● Fraud / Business Logic Abuse
● Data Harvesting
● B2B / Partner Integration
● Unauthorized Data Access
● User Access

Authenticated Users & Partners are the Riskiest
Real world examples: Large mobile network operator Data Breach
1. API used during testing got exposed.
2. API had no Authentication or Authorization mechanisms.
3. API had no rate-limiting, which allowed attackers to send a large number of requests to retrieve data.
4. Customer IDs were stored in a weak format instead of the UUID mechanism, which allowed attackers to easily guess and request millions of records.
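The breach above combined missing rate limiting with guessable sequential customer IDs; the talk's answer is to detect anomalies in how an API is used. This added example (not from the talk) does that over constructed access-log events, flagging both burst scraping and a "low and slow" walk through sequential IDs. The endpoint path `/customers/<id>`, the log tuple shape and the thresholds are assumptions for the example.

```python
"""Flag clients whose customer lookups look like ID enumeration.

Assumptions (constructed for this example): events are
(timestamp_seconds, client_ip, path) tuples, the endpoint is
/customers/<integer id>, and the thresholds are illustrative."""
import re
from collections import defaultdict

CUSTOMER_RE = re.compile(r"^/customers/(\d+)$")

def detect_enumeration(events, max_rate=5.0, min_ids=10, seq_ratio=0.9):
    """Return {client: reason} for clients that look like enumerators.

    Two cases are flagged:
      * fast: more than max_rate customer lookups per second on average
      * low-and-slow: at least min_ids distinct IDs where a fraction
        seq_ratio of successive IDs differ by exactly 1, however slowly
    """
    per_client = defaultdict(list)
    for ts, client, path in events:
        m = CUSTOMER_RE.match(path)
        if m:
            per_client[client].append((ts, int(m.group(1))))
    flagged = {}
    for client, hits in per_client.items():
        hits.sort()                              # chronological order
        ids = [cid for _, cid in hits]
        span = hits[-1][0] - hits[0][0]          # seconds of activity
        if len(hits) / max(span, 1.0) > max_rate:
            flagged[client] = "high request rate on customer lookups"
            continue
        if len(set(ids)) >= min_ids:             # guarantees steps is non-empty
            steps = [abs(b - a) for a, b in zip(ids, ids[1:])]
            if sum(s == 1 for s in steps) / len(steps) >= seq_ratio:
                flagged[client] = "sequential customer-ID walk"
    return flagged

# Constructed sample: a burst scraper (50 lookups in 5 s), a slow sequential
# walker (one ID every 30 s) and a normal client re-reading its own record.
SAMPLE = [(i * 0.1, "10.0.0.5", f"/customers/{(i * 7919) % 100000}") for i in range(50)]
SAMPLE += [(i * 30.0, "10.0.0.9", f"/customers/{1000 + i}") for i in range(12)]
SAMPLE += [(5.0, "10.0.0.2", "/customers/48213"), (7.0, "10.0.0.2", "/customers/48213"),
           (300.0, "10.0.0.2", "/customers/7711")]

if __name__ == "__main__":
    for client, reason in detect_enumeration(SAMPLE).items():
        print(f"{client}: {reason}")
```

The rate-only check misses the slow walker, which is why the ID-sequence check is needed alongside it.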
Hypothetical example: Abusing RIR API

1. Various RIRs provide API interfaces
2. API compromised by malicious users through various means
3. Without any system to immediately detect anomalous usage, hackers can misconfigure BGP routing and RPKI configuration and cause havoc
Real world examples : Uber: Account Takeover
• How I could have hacked your Uber account (Anand Prakash, 2019)
• Anand got from a phone number/email address to full account takeover
• The vulnerabilities were quickly fixed by Uber

(1) POST /addDriver  →  (1) Error message with UUID
(2) POST /getConsentScreenDetails  →  (2) PII and access token
Real world examples : Scoolio: Data Exposure
• Scoolio – German student app
• API exposed PII and more for any user in the platform

(1) GET /api/v3/Explorer  →  (1) Profile IDs
(2) GET /api/v2/Profile/{ProfileID}  →  (2) PII (email, DOB, GPS location)
Real world examples : Scoolio Vulnerability

Real world examples : Coinbase

Real world examples : Venmo
https://venmo.com/api/v5/public?since=1476921600&until=1476921660&limit=1000000

Researchers found there were 2 other undocumented query params, since and limit, that could be added to scrape much more data
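Undocumented parameters like the ones above are only visible when observed traffic is compared against the documented contract of each endpoint, which is the "discovery" and "shadow API" problem the next slide lists. This added example (not from the talk) audits request URLs against a constructed contract and reports undocumented parameters and out-of-range values; the contract, host and maximum are assumptions, not Venmo's real specification.

```python
"""Audit API request URLs against documented query parameters.

The contract below is constructed for this example and is not the real
specification of any API."""
from urllib.parse import urlsplit, parse_qs

# Constructed contract: documented query parameters per path, with bounds.
SPEC = {
    "/api/v5/public": {"limit": {"type": int, "max": 20}},
}

def audit_request(url, spec=SPEC):
    """Return a list of findings for one request URL; empty means conformant."""
    parts = urlsplit(url)
    documented = spec.get(parts.path)
    if documented is None:
        return [f"undocumented endpoint {parts.path}"]
    findings = []
    for name, values in parse_qs(parts.query).items():
        if name not in documented:
            findings.append(f"undocumented parameter {name}")
            continue
        rule = documented[name]
        for raw in values:
            try:
                value = rule["type"](raw)
            except ValueError:
                findings.append(f"{name}: non-{rule['type'].__name__} value {raw!r}")
                continue
            if "max" in rule and value > rule["max"]:
                findings.append(f"{name}={value} exceeds documented max {rule['max']}")
    return findings

# Constructed request mirroring the scraping URL's query string on a placeholder host.
SCRAPE_URL = ("https://api.example.invalid/api/v5/public"
              "?since=1476921600&until=1476921660&limit=1000000")
NORMAL_URL = "https://api.example.invalid/api/v5/public?limit=20"

if __name__ == "__main__":
    for finding in audit_request(SCRAPE_URL):
        print(finding)
```

Running this over gateway access logs surfaces parameters the API team never documented, which is where rate limits and authorization checks are most often missing.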
Why you need API Security even if you have WAF & API Gateway?

WAAP:
● Focused on external threats. B2C only.
● Detection: signatures & ML

API Gateway:
● Focused on gateway functions. AuthN, AuthZ, rate limiting
● Detection: none

API Security:
● Focused on all API traffic. B2C & B2B, North-South, East-West
● Detection: behavioral analytics over an API activity data lake

API Security problems addressed:
● Discovery of APIs in any environment
● Determine risk posture (OWASP API Top 10)
● Understanding API user behavior
● Detect API abuse
● Perform investigations and threat hunting

Traffic flows in the diagram: inbound DDoS, bad bot and good traffic is filtered by the WAF and API firewall, while the API activity data lake also receives
● East-West traffic
● Partner traffic on authentication APIs
● Any API traffic that bypasses the API gateway (whitelisted)
● Shadow API traffic
Use case Network Orchestration (NetOps) by operators

● Network vendors using TMForum Open APIs
● Open APIs can be abused through low and slow logical attacks
Use case Network Orchestration (NetOps) by operators

Potential API abuses based on the techniques described above
Use case Network Orchestration (NetOps) by operators

API SECURITY ANALYTICS DATA LAKE
● API for data lake
● Tokenized API activity data
● Behavior of API users is monitored for any abuses
Summary
● Network operators are increasingly using APIs across the organization
● Security should be a main consideration
● This talk highlights the potential abuse that could happen
● A potential architecture for API Security has been proposed
Q&A