Introduction to API Security | Postman Intergalactic

Join us for an informative one-hour webinar focused on API security, tailored for beginners. In this session, you will gain valuable insights into the OWASP API Security Top 10 risks and learn how to detect vulnerabilities in GraphQL-powered APIs using Postman. The webinar explores key topics such as Server-Side Request Forgery, Broken Object Property Level Authorization, unrestricted access to sensitive business flows, and unsafe consumption of APIs.

Whether you're a developer, security professional, or simply interested in API security, this beginner-friendly webinar is designed to equip you with the knowledge and skills to build secure and reliable APIs using Postman.

Links shared during the webinar:

The vulnerable version of GraphQL we used in the webinar:
The Postman collection we used to show these vulnerabilities

Other links we shared:

00:00 Introductions
01:55 Live poll about background and experience of attendees
04:32 Agenda and Learning Objectives
06:03 What is API Security
07:00 OWASP API Top Ten background and 2023 list of security concerns
08:00 Digging into 4 OWASP vulnerabilities:
08:01 - Broken Object Property Level Authorization (BOLA)
10:52 - Server-Side Request Forgery (SSRF)
11:53 - Unrestricted Access to Sensitive Business Flows
12:45 - Unsafe Consumption of APIs
14:05 Quick introduction to GraphQL
16:48 Common GraphQL attack vectors
20:30 Demonstration of a vulnerable version of GraphQL using Postman
22:17 - Introspection using GraphQL Voyager
24:45 - Information disclosure via "field suggestion" using Clairvoyance
25:59 - Denial of Service (DoS) attacks through overloaded queries, batch query attacks, circular fragments and more
29:02 - More DoS attacks using query recursion
31:20 - More DoS attacks using field duplication
32:44 - More DoS attacks with aliased queries
33:50 - Looking at GraphQL client libraries and their vulnerabilities in the GraphQL Threat Matrix
34:46 - Last DoS attack with circular fragments
35:55 How to prevent exploits on GraphQL using the OWASP GraphQL Cheatsheet
37:40 Examining Server-Side Request Forgery (SSRF) attacks
40:53 Using Postman to run a collection of endpoints with testing for compliance checks
45:15 Additional learning resources and upcoming Intergalactic Sessions
47:47 Q&A and wrap-up

#api #security #bola #ssrf #graphql