For each question, the correct answer is always the option directly above the line that reads "Correct answer."
Question 1
Why are APIs considered a popular target for attackers?
They are expensive to maintain.
They are often hidden and rarely monitored.
They expose data and logic flaws, and are often over-permissioned.
Correct answer.
They are required for regulatory compliance.
Question 2
What is true of web/mobile application APIs?
They can be discovered even if they're not documented
Correct answer.
Are secure from abuse if applications encrypt communication
Are only used by developers
Web/mobile applications should never use APIs since they can be exploited
Question 3
What PCI DSS standard emphasizes API security, including identifying business logic abuse?
PCI DSS 3.5
PCI DSS 4.0
Correct answer.
PCI DSS 2023
PCI DSS 5.1
Question 4
What is one method attackers use to find APIs in applications?
Phishing campaigns
Using pre-configured malware
Hacking the backend database
Inspecting network traffic in the browser’s developer tools
Correct answer.
Question 5
What makes API security testing critical?
Cross-site scripting
Injection
Business logic flaws
Correct answer.
Lack of endpoint authentication
API2: Broken Authentication: an example of this was the attack on Duolingo through a flawed API in its authentication.
API3: Broken Object Property Level Authorization: this is when we can manipulate the API's object data to gain a benefit, for example manipulating the API to go from a FREE user to a PREMIUM user.
API4: Unrestricted Resource Consumption ("resource consumption without limits"): badly configured rate limits. To give you an idea, Felipe, there was a massive data breach at the company Trello through a poorly exposed API that could be queried with an email address and returned that email's information; they looked up millions of email addresses, sent them to the API one after another, and were able to extract the data of millions of registered Trello users.
API5: Broken Function Level Authorization: similar to API1 but focused on functions: functionality that can be exploited to escalate, by changing HTTP methods, updating those values, etc. That is what happened with Bumble, all because an API function was exposed to the end user.
API6: Unrestricted Access to Sensitive Business Flows: this goes hand in hand with business logic: being able to manipulate the business's logical flow in an unexpected way in order to obtain a specific result. It happens precisely because developers sometimes do not take into account certain behaviors that are necessary when deploying the app, API, etc.
API7: Server Side Request Forgery:
API8: Security Misconfiguration: the usual good practices: HTTPS, CSP, WAF, rate limits, CORS, not revealing stack traces, etc.
API9: Improper Inventory Management: not having adequate control over the assets related to the API. This includes versions, endpoints, environments, and connected external services.
API10: Unsafe Consumption of APIs: when a client application consumes external APIs without properly validating or filtering the responses, blindly trusting that those external APIs are secure, well configured, and will never misbehave.
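As an added worked example for API1 and API3 (mine, not code from the course): a profile-update handler written first the way object-level and property-level authorization go wrong, then with the checks in place. The in-memory user store, the field names (`plan`, `password_hash`) and the handler signatures are assumptions; there is no web framework, so the caller id (which would come from the session) and the target id (which would come from the URL path) are passed as plain arguments.

```python
"""Object-level (API1) and property-level (API3) authorization on a profile
endpoint, shown as a vulnerable handler next to a hardened one.

Constructed example, not code from the course or from any vendor."""
from copy import deepcopy

# Constructed sample data: user 11 is on the free plan, user 123 is another customer.
USERS = {
    11: {"id": 11, "email": "alice@example.test", "plan": "free",
         "password_hash": "argon2id-hash-placeholder"},
    123: {"id": 123, "email": "bob@example.test", "plan": "premium",
          "password_hash": "argon2id-hash-placeholder"},
}

WRITABLE = {"email"}                # properties a user may change about themselves
READABLE = {"id", "email", "plan"}  # properties a response may contain


class ApiError(Exception):
    """Carries the HTTP status the handler would answer with."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def update_profile_vulnerable(store, caller_id, target_id, body):
    """Before: trusts the path id (BOLA) and merges every field of the body (BOPLA).

    A body of {"plan": "premium"} upgrades the account, any caller can edit any
    target id, and the full record, hash included, goes back to the client."""
    user = store[target_id]
    user.update(body)
    return user


def update_profile_hardened(store, caller_id, target_id, body):
    """After: ownership check, explicit property allowlist, minimized response."""
    if target_id not in store:
        raise ApiError(404, "not found")
    if caller_id != target_id:                      # API1: object-level check
        raise ApiError(403, "forbidden")
    rejected = set(body) - WRITABLE                 # API3: reject unknown fields
    if rejected:
        raise ApiError(400, f"read-only or unknown fields: {sorted(rejected)}")
    user = store[target_id]
    user.update(body)
    return {k: user[k] for k in READABLE}           # never echo password_hash


def _status(handler, store, caller_id, target_id, body):
    """Translate a handler call into the HTTP status it would produce."""
    try:
        handler(store, caller_id, target_id, body)
        return 200
    except ApiError as err:
        return err.status


def demo():
    """Replay the free-to-premium and cross-account requests against both handlers."""
    upgrade = {"email": "alice@example.test", "plan": "premium"}
    takeover = {"email": "attacker@example.test"}
    v_store, h_store = deepcopy(USERS), deepcopy(USERS)

    leaked = update_profile_vulnerable(v_store, 11, 11, upgrade)
    update_profile_vulnerable(v_store, 11, 123, takeover)   # caller 11 edits user 123

    upgrade_status = _status(update_profile_hardened, h_store, 11, 11, upgrade)
    takeover_status = _status(update_profile_hardened, h_store, 11, 123, takeover)

    return {
        "vulnerable_plan": v_store[11]["plan"],               # "premium"
        "vulnerable_leaks_hash": "password_hash" in leaked,   # True
        "vulnerable_other_email": v_store[123]["email"],      # attacker's address
        "hardened_upgrade_status": upgrade_status,            # 400
        "hardened_takeover_status": takeover_status,          # 403
        "hardened_plan": h_store[11]["plan"],                 # "free"
        "hardened_other_email": h_store[123]["email"],        # unchanged
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened version rejects unknown fields with a 400 instead of silently dropping them, so a client that sends `plan` learns that the field is not writable and nothing is upgraded; the 403 on the foreign id is the object-level check that the notes describe as API1.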
Quiz:
Question 1
What do "BOLA" attacks (OWASP #1) target?
Inadequate/missing data access controls
Authorization flaws
Correct answer.
Application denial of service
Undocumented API endpoints
Question 2
Which OWASP category addresses out-of-date API versions?
#1 - Broken Object Level Authorization
#3 - Broken Object Property Level Authorization
#7 - Security Misconfiguration
#9 - Improper Inventory Management
Correct answer.
Question 3
What real-world example illustrates BOLA in the OWASP Top 10?
Peloton’s API exposing user data
Correct answer.
Venmo providing excessive transaction details
Experian’s API exposing credit records
Instagram’s password reset flaw
Question 4
What does “Excessive Data Exposure” typically involve?
Returning unnecessary or sensitive data via APIs
Correct answer.
Allowing unauthorized API access
Lack of rate limiting
Authentication flaws
Question 5
Which best practice addresses Excessive Data Exposure?
Rely on UI for security controls
Enable mass assignment
Remove CAPTCHA for simplicity
Use data minimization techniques
Correct answer.
Question 6
What vulnerability does rate limiting primarily help prevent?
Server-Side Request Forgery (SSRF)
Broken Object Level Authorization
Unrestricted Resource Consumption
Correct answer.
Broken Function Level Authorization
Question 7
What real-world example demonstrated Broken Function Level Authorization?
Instagram brute force password reset
Bumble allowing free-to-premium account upgrades
Correct answer.
Duolingo email query exposure
Trello’s email user lookup API
Question 8
How does SSRF typically exploit APIs?
By returning excessive data
Manipulating user input to access unauthorized resources
Correct answer.
Sending mass requests to APIs
Using brute force attacks
Question 9
What general best practice applies to all OWASP API vulnerabilities?
Rely solely on UI controls
Avoid using authentication
Use incremental IDs for simplicity
Test APIs continuously
Correct answer.
API Attack Analysis
Attackers may take months to exfiltrate millions of records, while it takes the company about a week to correct the rate limit and patch it.
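An added illustration of the rate-limit point, not course material: a sliding-window limiter with a per-client budget and a second budget shared by everyone calling the lookup endpoint. The traffic, the client addresses and the limits are constructed. A per-client limit alone admits every request when the volume is spread across enough clients; the shared budget caps the endpoint as a whole, though it still only caps the rate, not the total collected over months, so aggregate monitoring remains necessary.

```python
"""Sliding-window rate limiting with a per-client and an endpoint-wide budget.

Constructed example, not course material."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)   # key -> timestamps inside the window

    def allow(self, key, now):
        events = self._events[key]
        while events and now - events[0] >= self.window:
            events.popleft()                # drop timestamps that left the window
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


class EndpointGuard:
    """Per-client limit first, then a budget shared by all callers of the endpoint."""

    def __init__(self, per_client, per_endpoint, window):
        self.client = SlidingWindowLimiter(per_client, window)
        self.endpoint = SlidingWindowLimiter(per_endpoint, window)

    def admit(self, client_key, endpoint, now):
        if not self.client.allow(client_key, now):
            return "client_limited"
        if not self.endpoint.allow(endpoint, now):
            return "endpoint_limited"
        return "ok"


def simulate(num_clients, requests_per_client, per_client=10, per_endpoint=200, window=60.0):
    """Constructed traffic: every client sends `requests_per_client` lookups,
    interleaved, inside one window. Returns how many lookups each policy admits."""
    client_only = SlidingWindowLimiter(per_client, window)
    combined = EndpointGuard(per_client, per_endpoint, window)
    admitted = {"client_only": 0, "combined": 0}
    now = 0.0
    for _ in range(requests_per_client):
        for c in range(num_clients):
            key = f"203.0.113.{c}"          # TEST-NET-3 addresses, constructed
            if client_only.allow(key, now):
                admitted["client_only"] += 1
            if combined.admit(key, "/api/lookup", now) == "ok":
                admitted["combined"] += 1
            now += 0.01                     # 10 ms apart, well inside the window
    return admitted


if __name__ == "__main__":
    # 100 clients x 9 lookups each, every client under the per-client limit of 10.
    print(simulate(num_clients=100, requests_per_client=9))
```

With 100 clients each sending 9 lookups, the per-client policy admits all 900 while the combined policy stops at the endpoint budget of 200; a single client sending 15 is cut at 10 by both.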
Why API Security?
But the real question to ask yourself is: how important is it?
Framing it this way, we begin to identify the key factors the organization's API must have, prioritizing security above everything else.
Threat Modeling:
You can start by asking yourself: what do you have that the attackers want? This is vital and key in order to move forward.
With this model/table we can define, technically and clearly, how important a given threat is and what level of priority we should give it; in this way we rank priorities from the most serious to the least serious, all in the service of fixing or sanitizing our API.
Quiz:
Question 1
Why is rate limiting not a perfect defense against high-volume attacks?
Attackers will keep requests below the rate-limit threshold
Attackers will distribute attacks across thousands of IP addresses
Attackers will use residential proxies
All of the above
Correct answer.
Question 2
What percentage of API breaches are attributed to OWASP 1, 2, and 3 vulnerabilities?
60%
70%
80%
90%
Correct answer.
Question 3
During a threat modeling exercise, which question should you ask first?
What is the likelihood of an attack?
What do we have that attackers want?
Correct answer.
How many APIs are exposed to third parties?
How much data do our APIs process daily?
Question 4
Why do attackers often target APIs?
To improve the performance of their applications
To disrupt API rate-limiting mechanisms
To access sensitive data like PII or corporate information
Correct answer.
To gain insights into API design patterns
Question 5
Which defense mechanism is most associated with preventing high-volume attacks, but is not perfectly effective?
Rate limiting
Correct answer.
Encryption protocols
API gateways
Secure token validation
Question 6
In API security, why is “Broken Authorization” a critical issue?
It allows unauthorized users to access other users’ data
Correct answer.
It causes APIs to reject valid user requests
It results in exposing API keys publicly
It affects API performance and response time
The pillars of API Security:
Governance:
Encourage the engineers and give them good guidelines so they learn to build SECURE APIs. THE SOLUTION FOR GOVERNANCE: an API GATEWAY.
If the API will be public, be careful about which information about the API will be public and protect the API's endpoints, always keeping in mind: what is it that the attacker wants to get from us?
By guidance it means having all the minimum controls, e.g. authentication, properly enabled and implemented, well-named endpoints, and clearly written explanations in the docs; it is like a guide to creating good documentation, which in turn helps avoid security problems.
Monitoring:
And in runtime protection we have 2 approaches:
Here the request in green would seem legitimate; however, what if ID=123 actually belongs to user ID 11? It becomes COMPLETELY ILLEGITIMATE, and it is in these scenarios that context is needed: the tools will not be able to detect it 100% unless they are well built and have a baseline to work from.
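Added example of the context problem described above (constructed, not the course's tool): the log line for user 11 reading profile 123 looks identical whether or not user 11 owns profile 123, so a detector needs an ownership table and a role list before it can call the request illegitimate. The log format, the ownership map and the admin role are assumptions; the log lines are constructed.

```python
"""Context-aware detection of cross-account object access in API logs.

Constructed example, not course material."""
import re
from collections import defaultdict

# Constructed access-log format: timestamp, authenticated user, method, path, status.
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<uid>\d+) (?P<method>[A-Z]+) "
                  r"(?P<path>\S+) (?P<status>\d{3})$")
OBJECT_PATH = re.compile(r"^/api/users/(?P<oid>\d+)(?:/|$)")

OWNER_OF = {11: 11, 123: 123, 124: 124}   # profile id -> owning user id (the context)
ADMINS = {1}                              # users whose role allows reading any profile

SAMPLE_LOG = """\
2024-05-01T10:00:00Z user=11 GET /api/users/11/orders 200
2024-05-01T10:00:01Z user=11 GET /api/users/123/orders 200
2024-05-01T10:00:02Z user=11 GET /api/users/124/orders 200
2024-05-01T10:00:03Z user=1 GET /api/users/123/orders 200
2024-05-01T10:00:04Z user=123 GET /api/users/123/orders 200
2024-05-01T10:00:05Z user=11 POST /api/users/11/orders 201
"""


def analyze(log_text, owner_of=OWNER_OF, admins=ADMINS, enum_threshold=2):
    """Return served cross-account accesses, plus users that touched many foreign objects."""
    cross_account = []
    foreign_objects = defaultdict(set)     # uid -> ids of other users' objects it read
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                       # lines in another format are skipped here
        uid, status = int(m["uid"]), m["status"]
        obj = OBJECT_PATH.match(m["path"])
        if obj is None or uid in admins:
            continue
        oid = int(obj["oid"])
        owner = owner_of.get(oid)          # None: object unknown to the inventory
        if owner == uid:
            continue                       # same line shape as line 2, but legitimate
        if status.startswith("2"):         # only count what the server actually served
            cross_account.append({"ts": m["ts"], "user": uid, "object": oid,
                                  "owner": owner, "method": m["method"]})
            foreign_objects[uid].add(oid)
    enumeration = [{"user": uid, "objects": sorted(oids)}
                   for uid, oids in foreign_objects.items()
                   if len(oids) >= enum_threshold]
    return {"cross_account": cross_account, "enumeration": enumeration}


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

On the sample log the two reads by user 11 of profiles 123 and 124 are flagged and, because they are two distinct foreign objects, user 11 is also reported as enumerating; the admin's read of 123 is not flagged, but drop the role context (`admins=set()`) and that same line becomes a finding, which is the point the notes make about tools lacking context.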
Testing:
Always test during the API's development, looking for flaws "if there are any": was the application built as intended? Does it have bugs? Can it be exploited? But we should think in the negative, along the lines of: "Is the API application doing something it should NOT do?"
Testing is divided into 3: security testing, data testing, and logic testing.
So how can the API be tested?
Option 4: API SEC AUTOMATION, with the goal of automating testing inside the CI/CD pipeline.
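Added example of what an automated check inside CI/CD can do with the API definition itself, written for these notes (not the course's tooling). The OpenAPI-style dict, the public-path allowlist and the observed traffic paths (standing in for a gateway or WAF log) are all constructed. It reports three things that map onto earlier sections: operations reachable without authentication, an old version still published next to a newer one, and endpoints seen in traffic that the definition does not describe.

```python
"""CI/CD check of an API definition against observed traffic.

Constructed example, not the course's tooling. A real run would load the
OpenAPI file from YAML/JSON and the observed paths from gateway logs."""
import re

SPEC = {                                                  # constructed
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],                     # default for every operation
    "paths": {
        "/v2/users/{id}": {"get": {}, "patch": {}},
        "/v1/users/{id}": {"get": {"deprecated": True}},
        "/health": {"get": {"security": []}},             # intentionally public
        "/v2/admin/export": {"post": {"security": []}},   # accidentally public
    },
}
OBSERVED_PATHS = [                                        # constructed gateway log sample
    "/v2/users/42", "/v1/users/42", "/health", "/v2/users/42/export", "/internal/debug",
]
PUBLIC_ALLOWLIST = {"/health"}
VERSIONED = re.compile(r"^/v(\d+)(/.*)$")
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}


def _template_to_regex(path):
    """'/v2/users/{id}' -> pattern matching '/v2/users/42' but not deeper paths."""
    return re.compile("^" + re.sub(r"\{[^/}]+\}", r"[^/]+", path) + "$")


def check_spec(spec, observed_paths):
    """Return (kind, detail) findings; an empty list means the check passes."""
    findings = []
    # 1. Operations whose effective security requirement is empty.
    default_sec = spec.get("security", [])
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            if method not in HTTP_METHODS:
                continue
            if not op.get("security", default_sec) and path not in PUBLIC_ALLOWLIST:
                findings.append(("unauthenticated_operation", f"{method.upper()} {path}"))
    # 2. Older versions of a resource still published alongside a newer one.
    versions = {}
    for path in spec["paths"]:
        m = VERSIONED.match(path)
        if m:
            versions.setdefault(m.group(2), []).append((int(m.group(1)), path))
    for seen in versions.values():
        newest = max(v for v, _ in seen)
        for v, path in seen:
            if v < newest:
                findings.append(("old_version_published", f"{path} (newest is v{newest})"))
    # 3. Traffic to paths the definition does not describe (inventory gap).
    patterns = [_template_to_regex(p) for p in spec["paths"]]
    for observed in observed_paths:
        if not any(p.match(observed) for p in patterns):
            findings.append(("undocumented_endpoint", observed))
    return findings


def summary(findings):
    """Count findings per kind, for a one-line pipeline report."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = check_spec(SPEC, OBSERVED_PATHS)
    for kind, detail in results:
        print(f"{kind}: {detail}")
    raise SystemExit(1 if results else 0)   # a non-zero exit fails the pipeline stage
```

Because the check reads the definition, it can run at the definition phase, before any code is deployed; the non-zero exit code is what turns it into a gate in the pipeline rather than a report someone has to remember to read.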
Quiz:
Question 1
What is the primary goal of API governance?
Detecting runtime threats
Enforcing consistent processes for API development and deployment
Correct answer.
Automating API testing
Monitoring API performance
Question 2
Which of the following is NOT a key component of API documentation?
Base URL and endpoints
Authentication requirements
Data types and methods
User activity logs
Correct answer.
Question 3
What is a limitation of API security monitoring tools?
They cannot detect bot attacks
They are incompatible with gateways and firewalls
They often lack context to distinguish malicious from legitimate requests
Correct answer.
They cannot generate traffic logs
Question 4
What is the most common API documentation format?
OpenAPI Specification (OAS)
Correct answer.
XML Schema
CSV files
YAML configuration
Question 5
Why should API testing be continuous and automated?
To comply with industry standards
To align with annual pen-testing schedules
To detect vulnerabilities before deployment
Correct answer.
To replace manual governance policies
Question 6
Which approach allows for comprehensive and frequent API testing?
Annual third-party penetration testing
Automated API security scanning
Correct answer.
Manual code reviews by the development team
Network traffic monitoring
Application security Technology Landscape:
With the image below we define the order or principle we should follow if we have a vulnerability that was collected during testing:
So we see that if there are unknown IPs we can define them in the API definition and test them at deployment; but something like improper access is what we can improve in access control during development, then test it, and by the time of deployment it is more than ready. Am I making myself clear?
Quiz:
Question 1
Which of the following technologies is NOT commonly associated with application security?
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
API Gateways
Data Encryption technologies
Correct answer.
Question 2
Why are APIs less commonly exploited via vulnerabilities like SQL injection or cross-site scripting?
These vulnerabilities are not applicable to APIs
Attackers find them uninteresting
Such vulnerabilities are generally easily detected and fixed
Correct answer.
APIs are automatically secured by default
Question 3
When should security considerations begin during the API lifecycle?
During the testing phase
At the API definition phase
Correct answer.
After the deployment phase
During runtime
Question 4
Which of the following is most effective for finding API-specific vulnerabilities during the testing phase?
Manual code reviews
Static code analysis
Automated API-specific security testing
Correct answer.
Legacy DAST tools
Question 5
What is the recommended action when a new API version is published?
Update the version and keep older versions
Upgrade its security protocols
Update the version and retire older versions
Correct answer.
Repurpose it for a new application
Question 6
What tool is commonly used during runtime to detect and block API attacks?
Static code analyzer
Web application firewall
Correct answer.
Penetration testing tool
Software composition analysis
End of the fundamentals course; the final quiz follows:
Final Quiz:
Question 1
What percentage of respondents in a Nokia/RapidAPI survey perform security testing on their APIs?
4%
Correct answer.
10%
25%
50%
Question 2
What is a significant difference between traditional cyberattacks and API attacks?
API attacks require more technical expertise than traditional cyberattacks
API attacks involve fewer steps to reach a breach than traditional cyberattacks
Correct answer.
Traditional attacks are always more severe than API attacks
API attacks never target user interfaces
Question 3
What is the top API vulnerability in the OWASP API Security Top 10?
Broken Authentication
Broken Object Level Authorization
Correct answer.
Security Misconfiguration
Excessive Data Exposure
Question 4
Which principle is emphasized to mitigate BOLA risks?
Enforce least privilege
Correct answer.
Use incremental IDs
Avoid CAPTCHAs
Allow mass assignment
Question 5
Which vulnerability involves modifying or escalating privileges improperly?
Broken Object Level Authorization
Server Side Request Forgery
Broken Function Level Authorization
Correct answer.
Data Mismanagement
Question 6
What is an example of Security Misconfiguration?
Providing overly detailed error messages
Misusing encryption keys
Failing to validate inputs
All of the above
Correct answer.
Question 7
What risk does Unsafe API Consumption address?
Assuming 3rd party APIs are secure
Correct answer.
Relying on incremental IDs
Rate limiting failures
Poor encryption practices
Question 8
Why is it important to train developers on API security issues?
Developers are responsible for monitoring API endpoints
Developers can minimize the impact of brute-force attacks
Developers enforce organizational compliance requirements
Developers can create more secure and resilient APIs
Correct answer.
Question 9
What is a common tactic attackers use to bypass rate-limiting defenses?
Encrypting their traffic
Using brute force on firewalls
Distributing attacks across many IP addresses
Correct answer.
Mimicking user behavior
Question 10
What is the first step in a threat modeling process?
Mitigate identified risks
Identify the API attack surface and vulnerabilities
Correct answer.
Evaluate likelihood and impact
Assess compliance with industry standards
Question 11
What are the three pillars of API security?
Design, Development, Deployment
Governance, Monitoring, Testing
Correct answer.
Authentication, Authorization, Validation
Integration, Inspection, Evaluation
Question 12
Which tool is helpful for enforcing API governance?
API Gateway
Correct answer.
Load Balancer
Database Firewall
Traffic Analyzer
Question 13
What is an example of a logic vulnerability in APIs?
SQL injection
Cross-Site Scripting
Cross-account access
Correct answer.
Improper input validation
Question 14
What is a best practice for using 3rd party APIs?
Always validate the data being returned
Correct answer.
API keys can be shared as long as traffic is encrypted
3rd Party APIs should never be used
Data returned by trusted 3rd parties is always valid
Question 15
What is a strategy for mitigating risks associated with unknown APIs?
Leverage the WAF to discover APIs in use
Correct answer.
Implement stricter firewall rules
Perform manual testing regularly
Allow APIs to be discovered organically
Question 16
Why is it important to incorporate security “as far left” as possible in the application lifecycle?
To avoid runtime errors
To prevent vulnerabilities before deployment
Correct answer.
To reduce the cost of security tools
To ensure quicker deployment
Question 17
What is the primary focus of attackers when targeting APIs?
SQL injection vulnerabilities
Cross-site scripting flaws
Logic flaws and authorization gaps
Correct answer.
Outdated encryption methods
Question 18
How can you prevent Server-Side Request Forgery?
Only follow user input URLS from trusted parties
Only process URLs that pass validity checks
Correct answer.
Accept all input URLs that have https encryption
Trust input URLs if submitted by authenticated users
Question 19
What is one major benefit of maintaining up-to-date API documentation?
Faster application performance
Enhanced security and usability
Correct answer.
Reduced development time
Avoiding the need for continuous testing
Question 20
How should you handle user inputs?
Accept all inputs from properly authenticated users
Process all data results from trusted 3rd party APIs
Reject any inputs that do not meet expectations
Correct answer.
Ignore special characters as they may cause system issues
OWASP API 1, 2 and 3 ARE RESPONSIBLE for 90% of API breaches ⚠️